🤖 AI Summary
Microarchitectural timing channels enable implicit information leakage across security boundaries, undermining the isolation guarantees secure systems rely on. Method: This paper proposes a time-protection (temporal isolation) scheme for RISC-V, centered on an ISA-level temporal fence instruction `fence.t` that clears vulnerable microarchitectural state and guarantees a history-independent context-switch latency. Three implementations of `fence.t` are proposed and compared. Contribution/Results: The authors define the RISC-V ISA extension, adapt an experimental version of the seL4 microkernel to use it, and implement the scheme in the open-source CVA6 core. A complete, systematic, ISA-supported erasure of all non-architectural core components proves to be the most effective implementation, closing the on-core timing channels that rely on that state, at a performance overhead below 1%, negligible hardware cost, and low implementation effort.
📝 Abstract
Microarchitectural timing channels enable unwanted information flow across security boundaries, violating fundamental security assumptions. They leverage timing variations of several state-holding microarchitectural components and have been demonstrated across instruction set architectures and hardware implementations. Analogously to memory protection, Ge et al. (2019) proposed time protection for preventing information leakage via timing channels. They also showed that time protection calls for hardware support. This work leverages the open and extensible RISC-V instruction set architecture (ISA) to introduce the temporal fence instruction `fence.t`, which provides the required mechanisms by clearing vulnerable microarchitectural state and guaranteeing a history-independent context-switch latency. We propose and discuss three different implementations of `fence.t` and implement them on an experimental version of the seL4 microkernel (Klein et al. 2014) and CVA6, an open-source, in-order, application-class, 64-bit RISC-V core (Zaruba and Benini 2019). We find that a complete, systematic, ISA-supported erasure of all non-architectural core components is the most effective implementation while featuring a low implementation effort, a minimal performance overhead of less than 1%, and negligible hardware costs.
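To make the mechanism concrete, the following is an added toy model (not code from the paper, seL4, or CVA6) of a cache-based timing channel between two security domains and of what a `fence.t`-style full clear of non-architectural state at the context switch does to it. The cache geometry (16 direct-mapped sets of 64 bytes), the hit/miss latencies, the probe address, and the function names are all assumptions chosen for illustration; the real instruction also pads the switch to a fixed latency bound, which this model does not represent.

```c
/* Toy model of an on-core cache timing channel and of a fence.t-style
 * full-state clear at the context switch. Constructed example; not the
 * paper's, seL4's, or CVA6's code. Cache geometry and latencies are
 * assumed values chosen for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SETS        16   /* direct-mapped cache with 16 sets (assumed)  */
#define LINE        64   /* 64-byte lines (assumed)                     */
#define HIT_CYCLES   4   /* constructed hit latency                     */
#define MISS_CYCLES 40   /* constructed miss latency                    */

/* The only non-architectural state in this model: tag array + valid bits. */
typedef struct {
    bool      valid[SETS];
    uintptr_t tag[SETS];
} cache_t;

/* Simulated load: returns the latency a timing-measuring program would see
 * (e.g. via rdcycle on RISC-V) and updates the cache as a real core would. */
static unsigned load(cache_t *c, uintptr_t addr)
{
    unsigned  set = (addr / LINE) % SETS;
    uintptr_t tag = addr / (LINE * SETS);
    if (c->valid[set] && c->tag[set] == tag)
        return HIT_CYCLES;
    c->valid[set] = true;     /* fill on miss, evicting the previous tag */
    c->tag[set]   = tag;
    return MISS_CYCLES;
}

/* Model of what fence.t does in hardware: reset every non-architectural
 * state element so nothing about the previous domain survives the switch. */
static void fence_t(cache_t *c)
{
    memset(c, 0, sizeof *c);
}

/* Kernel context switch. With time protection the kernel executes fence.t
 * (the real design also pads the switch to a fixed latency, not modeled
 * here). Without it, cache contents simply carry over to the next domain. */
static void context_switch(cache_t *c, bool time_protection)
{
    if (time_protection)
        fence_t(c);
}

/* Sender (domain A, holds the secret): transmits one bit by evicting the
 * receiver's line (touch a different tag that maps to the same set) or not. */
static void sender_send_bit(cache_t *c, int bit, uintptr_t receiver_line)
{
    if (bit)
        load(c, receiver_line + (uintptr_t)LINE * SETS);
}

/* Receiver (domain B): prime its line, yield, probe, decide from latency. */
static int receiver_recv_bit(cache_t *c, uintptr_t line, int secret_bit,
                             bool time_protection)
{
    load(c, line);                          /* prime: line now cached    */
    context_switch(c, time_protection);     /* kernel switches to A      */
    sender_send_bit(c, secret_bit, line);   /* A runs with the secret    */
    context_switch(c, time_protection);     /* kernel switches back to B */
    return load(c, line) == MISS_CYCLES;    /* probe: miss => guess '1'  */
}

/* Transmit a whole byte, MSB first; returns what the receiver decodes.
 * Without time protection this equals `secret`. With it the probe always
 * misses whatever `secret` is, so the receiver decodes 0xFF for every
 * input: its observation is history-independent and the channel is closed. */
uint8_t covert_channel_byte(uint8_t secret, bool time_protection)
{
    cache_t cache;
    memset(&cache, 0, sizeof cache);
    const uintptr_t line = 0x1000;          /* receiver's probe address (assumed) */
    uint8_t decoded = 0;
    for (int i = 7; i >= 0; i--) {
        int bit = receiver_recv_bit(&cache, line, (secret >> i) & 1,
                                    time_protection);
        decoded = (uint8_t)((decoded << 1) | bit);
    }
    return decoded;
}

int main(void)
{
    printf("no time protection: 0xA5 -> 0x%02X\n", covert_channel_byte(0xA5, false));
    printf("with fence.t clear: 0xA5 -> 0x%02X\n", covert_channel_byte(0xA5, true));
    printf("with fence.t clear: 0x00 -> 0x%02X\n", covert_channel_byte(0x00, true));
    return 0;
}
```

The point of the model is the last two lines of output: once every piece of non-architectural state is erased at the switch, the receiver sees exactly the same latency whether the sender encoded a 0 or a 1, which is the history-independence the paper's full-erasure variant of `fence.t` provides. A partial clear (say, flushing the cache but leaving the branch predictor or TLB intact) would leave the same construction available on whatever state survives, which is why the abstract stresses a complete, systematic erasure.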