From d724167f862b43fe52756214b91b7b588926bc87 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 13 Dec 2024 13:10:17 +0100 Subject: [PATCH 1/9] clarify PTE fault exception priority, and add into instruction pages --- src/cheri-pte-ext.adoc | 9 ++++++++- src/hypervisor-integration.adoc | 4 ++-- src/insns/load_exceptions.adoc | 5 +++++ src/insns/store_exceptions.adoc | 5 +++++ src/riscv-integration.adoc | 6 +++--- 5 files changed, 23 insertions(+), 6 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index a42f8c26..914591ec 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -100,7 +100,7 @@ If the CW bit is clear then: * When a capability load or AMO instruction is executed, the implementation clears the tag bit of the capability read from the virtual page. -* When CRG is clear, the "no capability state", a store page fault exception +* When CRG is clear, the "no capability state", a store/AMO page fault exception is raised when a capability store or AMO instruction is executed and the tag bit of the capability being written is set. * When CRG is set, the "pre-CW state", two schemes are permitted (also see <>): @@ -167,6 +167,13 @@ and the capability read from memory optionally has its tag set^1^. ^2^ See <>. +The exceptions added by {cheri_pte_ext_name}: + +* reuse the load page fault and store/AMO page fault exception cause values, +and so the cause of the exception can be determined by software by checking bit zero of <>, +<> etc. +* are all prioritized _above_ standard page fault exceptions. + [#section_hardware_pte_updates] === Enabling Software or Hardware PTE updates diff --git a/src/hypervisor-integration.adoc b/src/hypervisor-integration.adoc index 9e84649d..14062111 100644 --- a/src/hypervisor-integration.adoc +++ b/src/hypervisor-integration.adoc 
@@ -75,7 +75,7 @@ part of {cheri_base_ext_name} when the hypervisor extension is supported. Its CSR address is 0x64b. <> is updated following the same rules as <> for CHERI exceptions, -load page fault and store page fault exceptions which are taken in HS-mode. +load page fault and store/AMO page fault exceptions which are taken in HS-mode. The fields are identical to <> for CHERI exceptions. @@ -196,7 +196,7 @@ include::img/vstdcreg.edn[] The <> register is a VSXLEN-bit read-write register. <> is updated following the same rules as <> for CHERI exceptions, -load page fault and store page faults which are taken in VS-mode. +load page fault and store/AMO page faults which are taken in VS-mode. .Virtual supervisor trap value register [#vstval-format] diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index a894ed62..210ee97a 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc @@ -23,5 +23,10 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or |============================================================================== + +If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of +<>.CW and <>.CRG from the current virtual memory page, +together with <>.CRG may cause a CHERI page fault exception. +CHERI page fault exceptions are prioritized above standard page fault exceptions. ++ :!load_res: :!has_cap_data: diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index 836b413f..01e49a37 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc 
@@ -22,5 +22,10 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or | Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds |============================================================================== + +If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of +<>.CW and <>.CRG from the current virtual memory page may +cause a CHERI page fault exception. +CHERI page fault exceptions are prioritized above standard page fault exceptions. ++ :!store_cond: :!has_cap_data: diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 315cadb3..993fe44a 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -834,9 +834,9 @@ CHERI violations have the following order in priority: If a load page fault is caused by a CHERI <> fault, then set bit zero of <> to 1 and all other bits to 0, otherwise set all bits to zero. -===== mtval2 values for Store Page Faults +===== mtval2 values for Store/AMO Page Faults -If a store page fault is caused by a CHERI <> fault, then set bit zero of <> to 1 and all other bits to 0, otherwise set all bits to zero. +If a store/AMO page fault is caused by a CHERI <> fault, then set bit zero of <> to 1 and all other bits to 0, otherwise set all bits to zero. [#supervisor-level-csrs-section] === Supervisor-Level CSRs @@ -1051,7 +1051,7 @@ address is 0x14b. which are delegated to S-mode. The fields are identical to <> for CHERI exceptions, and for load and -store page fault exceptions if {cheri_pte_ext_name} is implemented. +store/AMO page fault exceptions if {cheri_pte_ext_name} is implemented. NOTE: <> is not a standard RISC-V CSR, but <> is. From b5efdb6430f902c418e3c2ca837c4d92ae2a5d56 Mon Sep 17 00:00:00 2001 
From: Tariq Kurd Date: Fri, 13 Dec 2024 16:56:19 +0100 Subject: [PATCH 2/9] clarify exception priorities --- src/cheri-pte-ext.adoc | 1 + src/riscv-integration.adoc | 17 ++++++++++++----- src/trigger-integration.adoc | 10 +++++++--- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 914591ec..a5d20562 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -164,6 +164,7 @@ and the capability read from memory optionally has its tag set^1^. It is legal for the implementation to fault even if the tag is not set since this behavior is only an optimization for software. This means it is also legal to only check the tag under certain conditions and conservatively fault otherwise. Taking a trap when the tag is not set will introduce additional traps during revocation sweeps. + Checking the loaded tag affects the exception priority, see <>. ^2^ See <>. diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 993fe44a..878970f1 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -698,7 +698,7 @@ _Reserved_ [[exception-priority]] .Synchronous exception priority in decreasing priority order. Entries added in {cheri_base_ext_name} are in *bold* -[%autowidth,float="center",align="center",cols="<,>,<",options="header"] +[float="center",align="center",cols="<1,>1,<8",options="header"] |=== |Priority |Exc.Code |Description |_Highest_ |3 |Instruction address breakpoint 
@@ -729,14 +729,21 @@ Load/store/AMO address breakpoint Optionally: + Load/store/AMO address misaligned | .>|13, 15, 5, 7 .<|During address translation for an explicit memory access: + -First encountered page fault or access fault +First encountered *CHERI PTE page fault*^12^, page fault or access fault | .>|5,7 .<|With physical address for an explicit memory access: + Load/store/AMO access fault -.>|_Lowest_ .>|4,6 .<|If not higher priority: + -Load/store/AMO address misaligned +| .>|4,6 .<|If not higher priority: + +.>|_Lowest_ .>|13 .<|If not higher priority: + +CHERI load PTE fault^3^ |=== -NOTE: The full details of the CHERI exceptions are in xref:cheri_exception_combs_descriptions[xrefstyle=short]. +^1^ The higher priority CHERI <> page fault covers capability loads or atomics where the loaded tag _is not_ checked, and all capability stores and atomics where the stored tag is set. + +^2^ CHERI <> page fault exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a CHERI <> fault are both detected, then the CHERI fault takes priority. + +^3^ The lower priority <> fault only covers capability loads and atomics where the loaded tag _is_ checked. + +NOTE: The full details of the CHERI exceptions with cause value {cheri_excep_mcause} are in xref:cheri_exception_combs_descriptions[xrefstyle=short]. [#medeleg,reftext="medeleg"] ==== Machine Trap Delegation Register (medeleg) diff --git a/src/trigger-integration.adoc b/src/trigger-integration.adoc index db8b9a1f..ba261bd8 100644 --- a/src/trigger-integration.adoc +++ b/src/trigger-integration.adoc 
@@ -7,7 +7,7 @@ shown in xref:trigger-exception-priority[xrefstyle=short]. [[trigger-exception-priority]] .Synchronous exception priority (including triggers) in decreasing priority order. Entries added in {cheri_base_ext_name} are in *bold* -[%autowidth,float="center",align="center",cols="<,>,<,<",options="header"] +[float="center",align="center",cols="<1,>1,<4,<2",options="header"] |=== |Priority |Exc. Code |Description |Trigger |_Highest_ |3 + @@ -22,7 +22,7 @@ mcontrol/mcontrol6 after (on previous instruction) | .>|*{cheri_excep_mcause}* .<|*Prior to instruction address translation:* + *CHERI fault due to PCC checks (tag, execute permission, invalid address and bounds)* | | .>|12, 1 .<|During instruction address translation: + -First encountered page fault or access fault | +First encountered *CHERI PTE page fault*, page fault or access fault | | .>|1 .<|With physical address for instruction: + Instruction access fault | @@ -49,10 +49,14 @@ Environment break | | .>|4,6 .<|Optionally: + Load/store/AMO address misaligned | | .>|13, 15, 5, 7 .<|During address translation for an explicit memory access: + -First encountered page fault or access fault | +First encountered *CHERI <> page fault*, page fault or access fault | | .>|5,7 .<|With physical address for an explicit memory access: + Load/store/AMO access fault | | .>|4,6 .<|If not higher priority: + Load/store/AMO address misaligned | +| .>|13 .<|If not higher priority: + +CHERI load <> fault |_Lowest_ .>|3 .<| |mcontrol/mcontrol6 load data before |=== + +NOTE: See the notes beneath <> for details about CHERI <> page fault priority. \ No newline at end of file From 226a5d370d71df42fd037d7f982d2b642361ed36 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 13 Dec 2024 17:43:33 +0100 Subject: [PATCH 3/9] add CR --- src/trigger-integration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/trigger-integration.adoc b/src/trigger-integration.adoc index ba261bd8..e09dccc9 100644 
--- a/src/trigger-integration.adoc +++ b/src/trigger-integration.adoc @@ -59,4 +59,4 @@ CHERI load <> fault |_Lowest_ .>|3 .<| |mcontrol/mcontrol6 load data before |=== -NOTE: See the notes beneath <> for details about CHERI <> page fault priority. \ No newline at end of file +NOTE: See the notes beneath <> for details about CHERI <> page fault priority. From 7cd607d7adf0769746ce4fe727228b00f5d51380 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 13 Dec 2024 18:29:26 +0100 Subject: [PATCH 4/9] clear up exception priority (again) --- src/cheri-pte-ext.adoc | 7 +++---- src/insns/load_exceptions.adoc | 2 +- src/insns/store_exceptions.adoc | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index a5d20562..e423b3c4 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -168,12 +168,11 @@ and the capability read from memory optionally has its tag set^1^. ^2^ See <>. -The exceptions added by {cheri_pte_ext_name}: - -* reuse the load page fault and store/AMO page fault exception cause values, +The exceptions added by {cheri_pte_ext_name} reuse the load page fault and store/AMO page fault exception cause values, and so the cause of the exception can be determined by software by checking bit zero of <>, <> etc. -* are all prioritized _above_ standard page fault exceptions. + +They are prioritized against the standard page fault exceptions as shown in <>. [#section_hardware_pte_updates] === Enabling Software or Hardware PTE updates diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index 210ee97a..13b3a5e2 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc 
@@ -26,7 +26,7 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of <>.CW and <>.CRG from the current virtual memory page, together with <>.CRG may cause a CHERI page fault exception. -CHERI page fault exceptions are prioritized above standard page fault exceptions. +CHERI <> page fault exceptions are prioritized as shown in <>. + :!load_res: :!has_cap_data: diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index 01e49a37..3a636cac 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -25,7 +25,7 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of <>.CW and <>.CRG from the current virtual memory page may cause a CHERI page fault exception. -CHERI page fault exceptions are prioritized above standard page fault exceptions. +CHERI <> page fault exceptions are prioritized as shown in <>. + :!store_cond: :!has_cap_data: From 78f593c83a5d935988a89f58e834b3a1edbd96a8 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 13 Dec 2024 19:05:45 +0100 Subject: [PATCH 5/9] improve mtval2 exception reporting --- src/insns/load_exceptions.adoc | 5 +++-- src/insns/store_exceptions.adoc | 4 ++-- src/riscv-integration.adoc | 18 ++++++++++++------ src/trigger-integration.adoc | 2 +- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index 13b3a5e2..de2b69eb 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc 
@@ -25,8 +25,9 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or + If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of <>.CW and <>.CRG from the current virtual memory page, -together with <>.CRG may cause a CHERI page fault exception. -CHERI <> page fault exceptions are prioritized as shown in <>. +together with <>.CRG may cause a CHERI <> page fault exception +in addition to a normal RISC-V page fault exception. +See <> for the exception reporting in this case. + :!load_res: :!has_cap_data: diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index 3a636cac..d3db318e 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -24,8 +24,8 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or + If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of <>.CW and <>.CRG from the current virtual memory page may -cause a CHERI page fault exception. -CHERI <> page fault exceptions are prioritized as shown in <>. +cause a CHERI <> page fault exception in addition to a normal RISC-V page fault. +See <> for the exception reporting in this case. + :!store_cond: :!has_cap_data: diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 878970f1..c5b58ca4 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -739,7 +739,7 @@ CHERI load PTE fault^3^ ^1^ The higher priority CHERI <> page fault covers capability loads or atomics where the loaded tag _is not_ checked, and all capability stores and atomics where the stored tag is set. -^2^ CHERI <> page fault exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a CHERI <> fault are both detected, then the CHERI fault takes priority. +^2^ CHERI <> page fault exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a CHERI <> fault are both detected simultaneously, then both are recorded as shown in <> ^3^ The lower priority <> fault only covers capability loads and atomics where the loaded tag _is_ checked. @@ -837,13 +837,19 @@ CHERI violations have the following order in priority: . Invalid address violation . Bounds violation (_Lowest_) -===== mtval2 values for Load Page Faults +===== mtval2 values for Load/Store/AMO Page Faults -If a load page fault is caused by a CHERI <> fault, then set bit zero of <> to 1 and all other bits to 0, otherwise set all bits to zero. +Page faults can be caused by normal RISC-V page faults and also by CHERI <> faults. +If both are detected at once, then both are recorded. -===== mtval2 values for Store/AMO Page Faults - -If a store/AMO page fault is caused by a CHERI <> fault, then set bit zero of <> to 1 and all other bits to 0, otherwise set all bits to zero. +.mtval2 for page faults +[#mtval2-page-faults,width=55%,float="center",align="center",options=header] +|============================================================================== +| Fault | Value +| RISC-V page fault | 0 +| CHERI <> fault | 1 +| RISC-V page fault and CHERI <> fault | 2 +|============================================================================== [#supervisor-level-csrs-section] === Supervisor-Level CSRs 
diff --git a/src/trigger-integration.adoc b/src/trigger-integration.adoc index e09dccc9..6ad27d94 100644 --- a/src/trigger-integration.adoc +++ b/src/trigger-integration.adoc @@ -55,7 +55,7 @@ Load/store/AMO access fault | | .>|4,6 .<|If not higher priority: + Load/store/AMO address misaligned | | .>|13 .<|If not higher priority: + -CHERI load <> fault +CHERI load <> fault | |_Lowest_ .>|3 .<| |mcontrol/mcontrol6 load data before |=== From 54b0a454bcfc7d253f6bf0541befc1cdc0eb1ef3 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 13 Dec 2024 19:11:48 +0100 Subject: [PATCH 6/9] tidy up --- src/cheri-pte-ext.adoc | 4 ++-- src/riscv-integration.adoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index e423b3c4..996fc259 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -169,10 +169,10 @@ and the capability read from memory optionally has its tag set^1^. ^2^ See <>. The exceptions added by {cheri_pte_ext_name} reuse the load page fault and store/AMO page fault exception cause values, -and so the cause of the exception can be determined by software by checking bit zero of <>, +and so the cause of the exception can be determined by software by checking the value in <>, <> etc. -They are prioritized against the standard page fault exceptions as shown in <>. +TThe behavior when multiple page fault types are detected at once is shown in <>. [#section_hardware_pte_updates] === Enabling Software or Hardware PTE updates diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index c5b58ca4..61f5fc56 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -739,7 +739,7 @@ CHERI load PTE fault^3^ ^1^ The higher priority CHERI <> page fault covers capability loads or atomics where the loaded tag _is not_ checked, and all capability stores and atomics where the stored tag is set. -^2^ CHERI <> page fault exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a CHERI <> fault are both detected simultaneously, then both are recorded as shown in <> +^2^ CHERI <> page fault exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a CHERI <> fault are both detected simultaneously, then both are recorded as shown in <>. ^3^ The lower priority <> fault only covers capability loads and atomics where the loaded tag _is_ checked. @@ -843,7 +843,7 @@ Page faults can be caused by normal RISC-V page faults and also by CHERI < Date: Fri, 13 Dec 2024 19:16:50 +0100 Subject: [PATCH 7/9] add note --- src/riscv-integration.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 61f5fc56..23823276 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -851,6 +851,11 @@ If both are detected at once, then both are recorded. | RISC-V page fault and CHERI <> fault | 2 |============================================================================== +NOTE: Reporting both allows the software the choice about which action to take first, for example a write to a + page with no write permission, _and_ the incorrect value of PTE.CRG requires two actions. + Software can then decide whether to prioritize the copy-on-write procedure to fix the lack of write + permission, or to sweep the page. + [#supervisor-level-csrs-section] === Supervisor-Level CSRs From b7e31690f3b86db60b8f6489c1b7e4ecac269423 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 16 Dec 2024 09:08:10 +0000 Subject: [PATCH 8/9] Update src/cheri-pte-ext.adoc 
Signed-off-by: Tariq Kurd --- src/cheri-pte-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 996fc259..aa430e9e 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -172,7 +172,7 @@ The exceptions added by {cheri_pte_ext_name} reuse the load page fault and store and so the cause of the exception can be determined by software by checking the value in <>, <> etc. -TThe behavior when multiple page fault types are detected at once is shown in <>. +The behavior when multiple page fault types are detected at once is shown in <>. [#section_hardware_pte_updates] === Enabling Software or Hardware PTE updates From f10751edfbc5d1d3a38db9d2a78f4e9811738977 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 17 Dec 2024 12:00:58 +0000 Subject: [PATCH 9/9] Apply suggestions from code review Signed-off-by: Tariq Kurd --- src/hypervisor-integration.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/hypervisor-integration.adoc b/src/hypervisor-integration.adoc index 14062111..9e84649d 100644 --- a/src/hypervisor-integration.adoc +++ b/src/hypervisor-integration.adoc @@ -75,7 +75,7 @@ part of {cheri_base_ext_name} when the hypervisor extension is supported. Its CSR address is 0x64b. <> is updated following the same rules as <> for CHERI exceptions, -load page fault and store/AMO page fault exceptions which are taken in HS-mode. +load page fault and store page fault exceptions which are taken in HS-mode. The fields are identical to <> for CHERI exceptions. @@ -196,7 +196,7 @@ include::img/vstdcreg.edn[] The <> register is a VSXLEN-bit read-write register. <> is updated following the same rules as <> for CHERI exceptions, -load page fault and store/AMO page faults which are taken in VS-mode. +load page fault and store page faults which are taken in VS-mode. .Virtual supervisor trap value register [#vstval-format]
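Review bot: The row for exception codes 4,6 in the exception-priority table loses its description in [PATCH 2/9], src/riscv-integration.adoc, hunk @@ -729,14 +729,21 @@. The removed line `Load/store/AMO address misaligned` is not added back, so the cell now ends at `If not higher priority: +` and runs straight into the new `_Lowest_` row. Restore that text on the line after `| .>|4,6 .<|If not higher priority: +`; the matching row in src/trigger-integration.adoc still carries it. In the same hunk the marker `^12^` reads as note twelve, and `^1,2^` would make clear that notes 1 and 2 both apply.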
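Review bot: The instruction address translation row (codes 12, 1) in src/trigger-integration.adoc, [PATCH 2/9] hunk @@ -22,7 +22,7 @@, now lists a CHERI PTE page fault, but the series only describes CHERI PTE faults for capability loads, stores and AMOs, and src/cheri-pte-ext.adoc says they reuse the load and store/AMO page fault cause values, not code 12. Either drop the addition from this row or document which PTE state can fault an instruction fetch. The row also writes `CHERI PTE page fault` as plain text while the explicit memory access row in the same file uses a cross-reference, and the hunks shown for the table in src/riscv-integration.adoc touch only the explicit memory access rows, so the two priority tables may diverge.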
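Review bot: The new mtval2-page-faults table in src/riscv-integration.adoc ([PATCH 5/9], hunk @@ -837,13 +837,19 @@) encodes the combined case as 2, which has bit zero clear, so a trap handler written against the rule this hunk removes (`set bit zero of ... to 1 and all other bits to 0`) would classify a simultaneous RISC-V and CHERI fault as a plain RISC-V page fault and skip the CHERI handling. State explicitly that the field is an enumerated value with all other values reserved, or encode the two causes as independent bits so that bit zero still means a CHERI fault is present. src/cheri-pte-ext.adoc keeps telling software to check bit zero until [PATCH 6/9] rewords it, so that wording change belongs in this patch.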
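Review bot: The added line `TThe behavior when multiple page fault types are detected at once ...` in [PATCH 6/9], src/cheri-pte-ext.adoc, has a doubled letter that is only corrected by [PATCH 8/9]. Fold 8/9 into 6/9 so that no commit in the series carries the typo; the same applies to [PATCH 3/9], which only supplies the final newline that [PATCH 2/9] left out of src/trigger-integration.adoc.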
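Review bot: Both hunks of [PATCH 9/9] in src/hypervisor-integration.adoc change `store/AMO page fault` back to `store page fault`, undoing [PATCH 1/9] for this file only, while src/riscv-integration.adoc and src/cheri-pte-ext.adoc keep the store/AMO wording for the same exception. The commit message gives no reason for the difference. If the revert is intended, say in the text or the commit message why the hypervisor CSRs are described differently; otherwise drop these hunks from both 1/9 and 9/9 so the series does not change and then restore the same lines.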