From b48c50e2249cf60e422923f48222a81467356062 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 15:03:30 +0100 Subject: [PATCH 01/15] detection of out of range top --- src/cap-description.adoc | 13 +++++++++++++ src/insns/cadd_32bit.adoc | 3 ++- src/insns/cbld_32bit.adoc | 2 +- src/insns/malformed_clear_tag.adoc | 1 + src/insns/scss_32bit.adoc | 1 + 5 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 1cbc126a..3d9538d9 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -537,6 +537,18 @@ NOTE: A capability has infinite bounds if E=CAP_MAX_E and it is not malformed (see xref:section_cap_malformed[xrefstyle=short]); this check is equivalent to _b_=0 and _t_≥2^MXLEN^. +[#section_cap_malformed_top_gt_inf_top] +===== The Top Bound is Out Of Range + +The top bound of the <> is defined to be 2^MXLEN^. + +There are cases where the decoded bounds of a capability could, in theory, exceed this value. + +These cases are computationally expensive to detect without expanding the bounds, therefore +all instructions such as <> which expand bounds and output a capability will clear +the output tag if the top bound is out of range. + + [#section_cap_malformed] ===== Malformed Capability Bounds @@ -561,6 +573,7 @@ CHERI enforces the following invariants for all valid (i.e., tagged) capabilitie . The bounds are not malformed. . No reserved bit in the capability encoding is set. . The permissions can be legally produced by <>. +. The <> must be no greater than 2^XLEN^. A tagged capability that violates those invariants (i.e., a tagged but malformed capability or a tagged capability with any reserved bit set) can only possibly be caused by diff --git a/src/insns/cadd_32bit.adoc b/src/insns/cadd_32bit.adoc index 2b269e13..4b67a5e0 100644 --- a/src/insns/cadd_32bit.adoc +++ b/src/insns/cadd_32bit.adoc @@ -48,7 +48,8 @@ For <>, the address is incremented by the value in For <>, the address is incremented by the immediate value `imm`. -include::malformed_clear_tag.adoc[] +NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, +or if any of the reserved fields are set. Exceptions:: include::require_cre.adoc[] diff --git a/src/insns/cbld_32bit.adoc b/src/insns/cbld_32bit.adoc index 7ba1eefb..dd1e7867 100644 --- a/src/insns/cbld_32bit.adoc +++ b/src/insns/cbld_32bit.adoc @@ -30,7 +30,7 @@ Copy `cs2` to `cd` and set `cd.tag` to 1 if . `cs2` 's permissions and bounds are equal to or a subset of `cs1` 's, and . `cs2` 's <> is equal to or lower than `cs1` 's, and .. _This is only relevant if {cheri_levels_ext_name} is implemented._ -. `cs2` 's bounds are not <>, and all reserved fields are zero, and +. `cs2` 's bounds are not <>, and all reserved fields are zero, and the <> is in range, and . `cs2` 's permissions could have been legally produced by <>, and . All reserved bits in `cs2` 's metadata are 0; diff --git a/src/insns/malformed_clear_tag.adoc b/src/insns/malformed_clear_tag.adoc index 84a7009c..d68595d1 100644 --- a/src/insns/malformed_clear_tag.adoc +++ b/src/insns/malformed_clear_tag.adoc @@ -1,2 +1,3 @@ NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, +the <> is out of range, or if any of the reserved fields are set. diff --git a/src/insns/scss_32bit.adoc b/src/insns/scss_32bit.adoc index 17c882ac..ae63c99e 100644 --- a/src/insns/scss_32bit.adoc +++ b/src/insns/scss_32bit.adoc @@ -29,6 +29,7 @@ Description:: . `cs2` 's <> is equal to or lower than `cs1` 's .. _This is only relevant if {cheri_levels_ext_name} is implemented._ . neither `cs1` or `cs2` have bounds which are <>, and +. neither `cs1` or `cs2` have the <> out of range, and . neither `cs1` or `cs2` have any bits set in reserved fields, and . neither `cs1` or `cs2` have permissions that could not have been legally produced by <> From 055cc30b43db8cbe85ddf2894e4e2a475e4d696f Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 15:18:36 +0100 Subject: [PATCH 02/15] include cs1 in CBLD --- src/insns/cbld_32bit.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/cbld_32bit.adoc b/src/insns/cbld_32bit.adoc index dd1e7867..4696f1ea 100644 --- a/src/insns/cbld_32bit.adoc +++ b/src/insns/cbld_32bit.adoc @@ -24,7 +24,7 @@ Description:: Copy `cs2` to `cd` and set `cd.tag` to 1 if . `cs1.tag` is set, and -. `cs1` 's bounds are not <>, and all reserved fields are zero, and +. `cs1` 's bounds are not <>, and all reserved fields are zero, and the <> is in range, and . `cs1` 's permissions could have been legally produced by <>, and . `cs1` is not sealed, and . `cs2` 's permissions and bounds are equal to or a subset of `cs1` 's, and From af587a16c8ed37c2ebeb0ac858de89ff2d727a44 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 17:32:02 +0100 Subject: [PATCH 03/15] improved xrefs --- src/cap-description.adoc | 2 +- src/insns/cbld_32bit.adoc | 4 ++-- src/insns/malformed_clear_tag.adoc | 2 +- src/insns/scss_32bit.adoc | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 3d9538d9..8b8e29de 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -573,7 +573,7 @@ CHERI enforces the following invariants for all valid (i.e., tagged) capabilitie . The bounds are not malformed. . No reserved bit in the capability encoding is set. . The permissions can be legally produced by <>. -. The <> must be no greater than 2^XLEN^. +. The <>. A tagged capability that violates those invariants (i.e., a tagged but malformed capability or a tagged capability with any reserved bit set) can only possibly be caused by diff --git a/src/insns/cbld_32bit.adoc b/src/insns/cbld_32bit.adoc index 4696f1ea..b11fa903 100644 --- a/src/insns/cbld_32bit.adoc +++ b/src/insns/cbld_32bit.adoc @@ -24,13 +24,13 @@ Description:: Copy `cs2` to `cd` and set `cd.tag` to 1 if . `cs1.tag` is set, and -. `cs1` 's bounds are not <>, and all reserved fields are zero, and the <> is in range, and +. `cs1` 's bounds are not <>, and all reserved fields are zero, and the <>, and . `cs1` 's permissions could have been legally produced by <>, and . `cs1` is not sealed, and . `cs2` 's permissions and bounds are equal to or a subset of `cs1` 's, and . `cs2` 's <> is equal to or lower than `cs1` 's, and .. _This is only relevant if {cheri_levels_ext_name} is implemented._ -. `cs2` 's bounds are not <>, and all reserved fields are zero, and the <> is in range, and +. `cs2` 's bounds are not <>, and all reserved fields are zero, and the <>, and . `cs2` 's permissions could have been legally produced by <>, and . All reserved bits in `cs2` 's metadata are 0; diff --git a/src/insns/malformed_clear_tag.adoc b/src/insns/malformed_clear_tag.adoc index d68595d1..e6bfcc8b 100644 --- a/src/insns/malformed_clear_tag.adoc +++ b/src/insns/malformed_clear_tag.adoc @@ -1,3 +1,3 @@ NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, -the <> is out of range, +the <>, or if any of the reserved fields are set. diff --git a/src/insns/scss_32bit.adoc b/src/insns/scss_32bit.adoc index ae63c99e..9779bafc 100644 --- a/src/insns/scss_32bit.adoc +++ b/src/insns/scss_32bit.adoc @@ -29,7 +29,7 @@ Description:: . `cs2` 's <> is equal to or lower than `cs1` 's .. _This is only relevant if {cheri_levels_ext_name} is implemented._ . neither `cs1` or `cs2` have bounds which are <>, and -. neither `cs1` or `cs2` have the <> out of range, and +. neither `cs1` or `cs2` have the <>, and . neither `cs1` or `cs2` have any bits set in reserved fields, and . neither `cs1` or `cs2` have permissions that could not have been legally produced by <> From d6372727a84af17773d2958ac33e717555d40cb0 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 17:07:11 +0000 Subject: [PATCH 04/15] Update src/cap-description.adoc Signed-off-by: Tariq Kurd --- src/cap-description.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 8b8e29de..5ecf6f49 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -573,7 +573,7 @@ CHERI enforces the following invariants for all valid (i.e., tagged) capabilitie . The bounds are not malformed. . No reserved bit in the capability encoding is set. . The permissions can be legally produced by <>. -. The <>. +. The <>. A tagged capability that violates those invariants (i.e., a tagged but malformed capability or a tagged capability with any reserved bit set) can only possibly be caused by From 45422c892d0f2b4db0c7bb2d451fb2a12744b660 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 18:52:40 +0100 Subject: [PATCH 05/15] extend to JALR, load/store/atomic --- src/cap-description.adoc | 5 ++--- src/insns/addi16sp_16bit.adoc | 2 ++ src/insns/addi4spn_16bit.adoc | 2 ++ src/insns/atomic_exceptions.adoc | 3 ++- src/insns/cadd_32bit.adoc | 3 +-- src/insns/cbld_32bit.adoc | 4 ++-- src/insns/cbo_exceptions.adoc | 4 ++-- src/insns/jalr_32bit.adoc | 2 +- src/insns/load_exceptions.adoc | 4 ++-- src/insns/malformed_clear_tag.adoc | 1 - src/insns/scss_32bit.adoc | 2 +- src/insns/store_exceptions.adoc | 3 ++- src/riscv-integration.adoc | 8 +++----- 13 files changed, 22 insertions(+), 21 deletions(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 5ecf6f49..d5ebb866 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -537,7 +537,7 @@ NOTE: A capability has infinite bounds if E=CAP_MAX_E and it is not malformed (see xref:section_cap_malformed[xrefstyle=short]); this check is equivalent to _b_=0 and _t_≥2^MXLEN^. -[#section_cap_malformed_top_gt_inf_top] +[#section_top_out_of_range] ===== The Top Bound is Out Of Range The top bound of the <> is defined to be 2^MXLEN^. @@ -548,7 +548,6 @@ These cases are computationally expensive to detect without expanding the bounds all instructions such as <> which expand bounds and output a capability will clear the output tag if the top bound is out of range. - [#section_cap_malformed] ===== Malformed Capability Bounds @@ -573,7 +572,7 @@ CHERI enforces the following invariants for all valid (i.e., tagged) capabilitie . The bounds are not malformed. . No reserved bit in the capability encoding is set. . The permissions can be legally produced by <>. -. The <>. +. The <>. A tagged capability that violates those invariants (i.e., a tagged but malformed capability or a tagged capability with any reserved bit set) can only possibly be caused by diff --git a/src/insns/addi16sp_16bit.adoc b/src/insns/addi16sp_16bit.adoc index 03645123..f8b14179 100644 --- a/src/insns/addi16sp_16bit.adoc +++ b/src/insns/addi16sp_16bit.adoc @@ -26,6 +26,8 @@ include::wavedrom/c-int-reg-immed.adoc[] Add the non-zero sign-extended 6-bit immediate to the value in the stack pointer (`csp=c2`), where the immediate is scaled to represent multiples of 16 in the range (-512,496). Clear the tag if the resulting capability is unrepresentable or `csp` is sealed. +include::malformed_clear_tag_csp.adoc[] + {cheri_int_mode_name} Description:: Add the non-zero sign-extended 6-bit immediate to the value in the stack pointer (`sp=x2`), where the immediate is scaled to represent multiples of 16 in the range (-512,496). diff --git a/src/insns/addi4spn_16bit.adoc b/src/insns/addi4spn_16bit.adoc index 324049a8..f5223e6e 100644 --- a/src/insns/addi4spn_16bit.adoc +++ b/src/insns/addi4spn_16bit.adoc @@ -25,6 +25,8 @@ include::wavedrom/c-ciw.adoc[] Add a zero-extended non-zero immediate, scaled by 4, to the stack pointer, `csp`, and writes the result to `cd'`. This instruction is used to generate pointers to stack-allocated variables. Clear the tag if the resulting capability is unrepresentable or `csp` is sealed. +include::malformed_clear_tag_csp.adoc[] + {cheri_int_mode_name} Description:: Add a zero-extended non-zero immediate, scaled by 4, to the stack pointer, `sp`, and writes the result to `rd'`. This instruction is used to generate pointers to stack-allocated variables. diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index a05916dd..d1f58fd6 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc @@ -35,7 +35,8 @@ reported in the CAUSE field of <> or <>: | Seal violation | Authority capability is sealed | Permission violation | Authority capability does not grant <> or <>, or the AP field could not have been produced by <> | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds +| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds, or +the <> |============================================================================== :!cap_atomic: diff --git a/src/insns/cadd_32bit.adoc b/src/insns/cadd_32bit.adoc index 4b67a5e0..2b269e13 100644 --- a/src/insns/cadd_32bit.adoc +++ b/src/insns/cadd_32bit.adoc @@ -48,8 +48,7 @@ For <>, the address is incremented by the value in For <>, the address is incremented by the immediate value `imm`. -NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, -or if any of the reserved fields are set. +include::malformed_clear_tag.adoc[] Exceptions:: include::require_cre.adoc[] diff --git a/src/insns/cbld_32bit.adoc b/src/insns/cbld_32bit.adoc index b11fa903..54875836 100644 --- a/src/insns/cbld_32bit.adoc +++ b/src/insns/cbld_32bit.adoc @@ -24,13 +24,13 @@ Description:: Copy `cs2` to `cd` and set `cd.tag` to 1 if . `cs1.tag` is set, and -. `cs1` 's bounds are not <>, and all reserved fields are zero, and the <>, and +. `cs1` 's bounds are not <>, and all reserved fields are zero, and the <>, and . `cs1` 's permissions could have been legally produced by <>, and . `cs1` is not sealed, and . `cs2` 's permissions and bounds are equal to or a subset of `cs1` 's, and . `cs2` 's <> is equal to or lower than `cs1` 's, and .. _This is only relevant if {cheri_levels_ext_name} is implemented._ -. `cs2` 's bounds are not <>, and all reserved fields are zero, and the <>, and +. `cs2` 's bounds are not <>, and all reserved fields are zero, and the <>, and . `cs2` 's permissions could have been legally produced by <>, and . All reserved bits in `cs2` 's metadata are 0; diff --git a/src/insns/cbo_exceptions.adoc b/src/insns/cbo_exceptions.adoc index 1f79a737..41c685d0 100644 --- a/src/insns/cbo_exceptions.adoc +++ b/src/insns/cbo_exceptions.adoc @@ -32,8 +32,8 @@ ifdef::cbo_inval[] | Permission violation | Authority capability does not grant <>, <> or <>, or the AP field could not have been produced by <> endif::[] | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | None of the bytes accessed are within the bounds, or the capability has <> bounds - +| Bounds violation | None of the bytes accessed are within the bounds, or the capability has <> bounds, or +the <> |============================================================================== diff --git a/src/insns/jalr_32bit.adoc b/src/insns/jalr_32bit.adoc index a9d9ca8a..3a051ca0 100644 --- a/src/insns/jalr_32bit.adoc +++ b/src/insns/jalr_32bit.adoc @@ -54,7 +54,7 @@ reported in the CAUSE field of <> or <>: | Permission violation | | ✔ | `cs1` does not grant <>, or the AP field could not have been produced by <> | Invalid address violation | ✔ | ✔ | The target address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] | Bounds violation | ✔ | ✔ | Minimum length instruction is not within the target capability's bounds, which will fail -if `cs1` has <> bounds in {cheri_cap_mode_name}. +if `cs1` has <> bounds or the <> in {cheri_cap_mode_name}. |============================================================================== include::pcrel_debug_warning.adoc[] diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index ab714c9d..d6527c72 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc @@ -19,8 +19,8 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or | Seal violation | Authority capability is sealed | Permission violation | Authority capability does not grant <>, or the AP field could not have been produced by <> | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds - +| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds, +or the <> |============================================================================== + If virtual memory is enabled, then the state of <>.CW, diff --git a/src/insns/malformed_clear_tag.adoc b/src/insns/malformed_clear_tag.adoc index e6bfcc8b..84a7009c 100644 --- a/src/insns/malformed_clear_tag.adoc +++ b/src/insns/malformed_clear_tag.adoc @@ -1,3 +1,2 @@ NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, -the <>, or if any of the reserved fields are set. diff --git a/src/insns/scss_32bit.adoc b/src/insns/scss_32bit.adoc index 9779bafc..1c65b166 100644 --- a/src/insns/scss_32bit.adoc +++ b/src/insns/scss_32bit.adoc @@ -29,7 +29,7 @@ Description:: . `cs2` 's <> is equal to or lower than `cs1` 's .. _This is only relevant if {cheri_levels_ext_name} is implemented._ . neither `cs1` or `cs2` have bounds which are <>, and -. neither `cs1` or `cs2` have the <>, and +. neither `cs1` or `cs2` have the <>, and . neither `cs1` or `cs2` have any bits set in reserved fields, and . neither `cs1` or `cs2` have permissions that could not have been legally produced by <> diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index 5518ffde..2bd61754 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -19,7 +19,8 @@ listed below; in this case, _CHERI data fault_ is reported in the <> or | Seal violation | Authority capability is sealed | Permission violation | Authority capability does not grant <>, or the AP field could not have been produced by <> | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds +| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds, +or the <> |============================================================================== + If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 6db65d92..6c96e354 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -26,25 +26,23 @@ privileged architecture specified in the RISC-V ISA. === Memory A hart supporting {cheri_base_ext_name} has a single byte-addressable address -space of 2^XLEN^ bytes for all memory accesses. Each memory region capable of +space of 2^MXLEN^ bytes for all memory accesses. Each memory region capable of holding a capability also stores a tag bit for each naturally aligned CLEN bits (e.g. 16 bytes in RV64), so that capabilities with their tag set can only be stored in naturally aligned addresses. Tags must be atomically bound to the data they protect. The memory address space is circular, so the byte at address -2^XLEN^ - 1 is adjacent to the byte at address zero. A capability's +2^MXLEN^ - 1 is adjacent to the byte at address zero. A capability's <> described in xref:section_cap_encoding[xrefstyle=short] is also circular, so address 0 is within the <> of a capability where address 2^MXLEN^ - 1 is within the bounds. However, the decoded top field of a capability is MXLEN + 1 bits wide and does *not* wrap, so a capability with base 2^MXLEN^ - 1 and top 2^MXLEN^ + 1 is not a subset of the <> capability and does not authorize access to the byte at address 0. -Like malformed bounds (see xref:section_cap_malformed[xrefstyle=short]), it is impossible for +The top bound being out of range (see xref:section_top_out_of_range[xrefstyle=short]) is similar to malformed bounds (see xref:section_cap_malformed[xrefstyle=short]), it is impossible for a CHERI core to generate a tagged capability with top > 2^MXLEN^. If such a capability exists then it must have been caused by a logic or memory fault. -Unlike malformed bounds, the top overflowing is not treated as a special case in the -architecture: normal bounds check rules should be followed. [#section_riscv_programmers_model] === Programmer's Model for {cheri_base_ext_name} From 09fe69cc577360f2c26885b400c3882a3865e8da Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 18:54:49 +0100 Subject: [PATCH 06/15] new files --- src/insns/malformed_clear_tag_csp.adoc | 2 ++ src/insns/malformed_top_range_clear_tag.adoc | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 src/insns/malformed_clear_tag_csp.adoc create mode 100644 src/insns/malformed_top_range_clear_tag.adoc diff --git a/src/insns/malformed_clear_tag_csp.adoc b/src/insns/malformed_clear_tag_csp.adoc new file mode 100644 index 00000000..e29be66c --- /dev/null +++ b/src/insns/malformed_clear_tag_csp.adoc @@ -0,0 +1,2 @@ +NOTE: This instruction sets `cd.tag=0` if `csp` 's bounds are <>, +or if any of the reserved fields are set. diff --git a/src/insns/malformed_top_range_clear_tag.adoc b/src/insns/malformed_top_range_clear_tag.adoc new file mode 100644 index 00000000..2a69d977 --- /dev/null +++ b/src/insns/malformed_top_range_clear_tag.adoc @@ -0,0 +1,3 @@ +NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, +the <>, +or if any of the reserved fields are set. From 741871459db0bb94701b6fbd1c0100e7fb9c4b7b Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 5 Feb 2025 17:10:14 +0000 Subject: [PATCH 07/15] FoF clarification (#517) if element zero is masked then don't take a cheri fault --- src/vector-integration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vector-integration.adoc b/src/vector-integration.adoc index a8cd3e23..88c03376 100644 --- a/src/vector-integration.adoc +++ b/src/vector-integration.adoc @@ -28,7 +28,7 @@ on _active_ elements. In the case of fault-only-first loads, a CHERI bounds violation is only taken if any bytes of element 0 are out of bounds, or if the CHERI bounds are <> and there are any _active_ elements. If another _active_ element causes a CHERI bounds violation then it is treated the same way as other exceptions, the trap is not taken and instead vl is reduced. -All other CHERI fault types, such as tag violations, are taken if there are any _active_ elements. +All other CHERI fault types, such as tag violations, are only taken if element zero is _active_. NOTE: Indexed loads in {cheri_cap_mode_name} check the bounds of every access against the authority capability in `cs1`. Therefore the approach of having a zero base From ec86701b594ad397b9fc525b21bfcaa14fc5bd03 Mon Sep 17 00:00:00 2001 From: Marno van der Maas <34654485+marnovandermaas@users.noreply.github.com> Date: Wed, 5 Feb 2025 19:10:27 +0000 Subject: [PATCH 08/15] Minor revision (#520) Some minor revisions that I found when scrolling through the document. --- readme.adoc | 6 +++++- src/instructions.adoc | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/readme.adoc b/readme.adoc index 32c5e5b7..f0df1e8b 100644 --- a/readme.adoc +++ b/readme.adoc @@ -21,9 +21,13 @@ For guidelines on how to contribute, refer to the link:CONTRIBUTING.md[CONTRIBUT To build the document, you'll need the following tools installed on your system: * Make -* asciiDoctor-pdf, asciidoctor-bibtex, asciidoctor-diagram, and asciidoctor-mathematical * Docker + +If you want to build outside of Docker, you'll need some more tools: * Python3 +* asciiDoctor-pdf, asciidoctor-bibtex, asciidoctor-diagram, asciidoctor-mathematical and asciidoctor-sail +* bytefield-svg +* wavedrom-cli === Cloning the Repository diff --git a/src/instructions.adoc b/src/instructions.adoc index 9c7f8ff7..c501399f 100644 --- a/src/instructions.adoc +++ b/src/instructions.adoc @@ -22,6 +22,8 @@ extensions will eventually be listed in a CHERI profile. <<< === "{cheri_base_ext_name}" and "{cheri_default_ext_name}" Extensions for CHERI +These are the main instructions that are added by CHERI. + include::insns/cmv_32bit.adoc[] include::insns/modesw_32bit.adoc[] @@ -71,6 +73,8 @@ include::insns/store_32bit_cap.adoc[] <<< === RV32I/E and RV64I/E Base Integer Instruction Sets +There are a number of instructions that are already in RISC-V that have modified behavior when CHERI is included. + include::insns/auipc_32bit.adoc[] include::insns/condbr_32bit.adoc[] @@ -90,6 +94,8 @@ include::insns/dret.adoc[] <<< === "A" Standard Extension for Atomic Instructions +Atomic instructions and their interactions with CHERI. + include::insns/amo_32bit.adoc[] include::insns/amoswap_32bit_cap.adoc[] @@ -105,6 +111,8 @@ include::insns/store_cond_cap_32bit.adoc[] <<< === "Zicsr", Control and Status Register (CSR) Instructions +CSR instructions and how they interact with CHERI. + include::insns/csrrw_32bit.adoc[] include::insns/csrr_32bit.adoc[] @@ -112,6 +120,8 @@ include::insns/csrr_32bit.adoc[] <<< === "Zfh", "Zfhmin", "F" and "D" Standard Extension for Floating-Point +Floating point instructions and how CHERI affects them. + include::insns/load_32bit_fp.adoc[] include::insns/store_32bit_fp.adoc[] @@ -243,6 +253,8 @@ include::insns/store_16bit_cap_sprel.adoc[] <<< === "Zicbom", "Zicbop", "Zicboz" Standard Extensions for Base Cache Management Operations +Cache-related instructions and how CHERI affects them. + include::insns/cbo.clean.adoc[] include::insns/cbo.flush.adoc[] @@ -260,6 +272,8 @@ include::insns/prefetch.w.adoc[] <<< === "Zba" Extension for Bit Manipulation Instructions +Bit manipulation instruction reference. + include::insns/adduw_32bit.adoc[] include::insns/sh123add_32bit.adoc[] @@ -274,6 +288,8 @@ include::insns/sh4adduw_32bit.adoc[] [#Zcb,reftext="Zcb"] === "Zcb" Standard Extension For Code-Size Reduction +Code-size reduction instructions and how they interact with CHERI. + include::insns/load_16bit_Zcb.adoc[] include::insns/store_16bit_Zcb.adoc[] @@ -368,6 +384,8 @@ include::insns/zcmt_cmjt.adoc[] === "H" Extension for Hypervisor Support +Hypervisor instructions and the CHERI extensions. + include::insns/hypv-virt-load.adoc[] include::insns/hypv-virt-load-cap.adoc[] From 5b2714d670e74506bcb591e5d56238f157312474 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Thu, 6 Feb 2025 11:16:27 +0000 Subject: [PATCH 09/15] clarify mtval2/stval2/vstval2 handling (#518) they need to be updated on all exceptions, not just CHERI ones --------- Signed-off-by: Tariq Kurd --- src/hypervisor-integration.adoc | 4 ++- src/insns/atomic_exceptions.adoc | 2 +- src/insns/cbo_exceptions.adoc | 4 +-- src/insns/condbr_common.adoc | 2 +- src/insns/hypv-virt-loadx.adoc | 4 +-- src/insns/jalr_32bit.adoc | 2 +- src/insns/load_exceptions.adoc | 6 ++-- src/insns/mret_sret.adoc | 4 +-- src/insns/store_exceptions.adoc | 6 ++-- src/insns/zcmt_cmjalt.adoc | 2 +- src/insns/zcmt_cmjt.adoc | 2 +- src/riscv-integration.adoc | 53 ++++++++++++++++++++++++-------- src/trigger-integration.adoc | 8 ++--- 13 files changed, 64 insertions(+), 35 deletions(-) diff --git a/src/hypervisor-integration.adoc b/src/hypervisor-integration.adoc index e996788a..b99f0b17 100644 --- a/src/hypervisor-integration.adoc +++ b/src/hypervisor-integration.adoc @@ -182,7 +182,9 @@ part of {cheri_base_ext_name} when the hypervisor extension is supported. Its CSR address is 0x24b. <> is updated following the same rules as <> for CHERI exceptions -which are taken in VS-mode. +and <> which are delegated to VS-mode. +It is written to zero for all other exceptions, except as listed otherwise by other +future extensions. The fields are identical to <> for CHERI exceptions. diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index d1f58fd6..8f890aa0 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc @@ -24,7 +24,7 @@ All misaligned atomics cause a store/AMO address misaligned exception to allow s + When these instructions cause CHERI exceptions, _CHERI data fault_ is reported in the TYPE field and the following codes may be -reported in the CAUSE field of <> or <>: +reported in the CAUSE field of <>, <> or <>: <<< diff --git a/src/insns/cbo_exceptions.adoc b/src/insns/cbo_exceptions.adoc index 41c685d0..598664bd 100644 --- a/src/insns/cbo_exceptions.adoc +++ b/src/insns/cbo_exceptions.adoc @@ -1,7 +1,7 @@ Exceptions:: CHERI fault exceptions occur when the authorizing capability fails one of the checks -listed below; in this case, _CHERI data fault_ is reported in the <> or -<> TYPE field and the corresponding code is written to CAUSE. +listed below; in this case, _CHERI data fault_ is reported in the <>, +<> or <> TYPE field and the corresponding code is written to CAUSE. + ifdef::cbo_inval[] The CBIE bit in <> and <> indicates whether diff --git a/src/insns/condbr_common.adoc b/src/insns/condbr_common.adoc index 129861ad..03fb7849 100644 --- a/src/insns/condbr_common.adoc +++ b/src/insns/condbr_common.adoc @@ -2,4 +2,4 @@ Exceptions:: When the target address is not within the <>'s bounds, and the branch is taken, a _CHERI jump or branch fault_ is reported in the TYPE field and Bounds violation is reported in -the CAUSE field of <> or <>: +the CAUSE field of <>, <> or <>: diff --git a/src/insns/hypv-virt-loadx.adoc b/src/insns/hypv-virt-loadx.adoc index 60b4249d..3e004aa4 100644 --- a/src/insns/hypv-virt-loadx.adoc +++ b/src/insns/hypv-virt-loadx.adoc @@ -42,8 +42,8 @@ to `rd`. Exceptions:: CHERI fault exceptions occur when the authorizing capability fails one of the checks -listed below; in this case, _CHERI data fault_ is reported in the <> or -<> TYPE field and the corresponding code is written to CAUSE. +listed below; in this case, _CHERI data fault_ is reported in the <>, +<> or <>> TYPE field and the corresponding code is written to CAUSE. + [%autowidth,options=header,align=center] |============================================================================== diff --git a/src/insns/jalr_32bit.adoc b/src/insns/jalr_32bit.adoc index 3a051ca0..9fee0ba2 100644 --- a/src/insns/jalr_32bit.adoc +++ b/src/insns/jalr_32bit.adoc @@ -44,7 +44,7 @@ instruction following the jump is written to `rd`. Exceptions:: When these instructions cause CHERI exceptions, _CHERI jump or branch fault_ is reported in the TYPE field and the following codes may be -reported in the CAUSE field of <> or <>: +reported in the CAUSE field of <>, <> or <>: [%autowidth,options=header,align=center] |============================================================================== diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index d6527c72..42087f2a 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc @@ -9,8 +9,8 @@ to CLEN/8. + endif::[] CHERI fault exceptions occur when the authorizing capability fails one of the checks -listed below; in this case, _CHERI data fault_ is reported in the <> or -<> TYPE field and the corresponding code is written to CAUSE. +listed below; in this case, _CHERI data fault_ is reported in the <>, +<> or <> TYPE field and the corresponding code is written to CAUSE. + [%autowidth,options=header,align=center] |============================================================================== @@ -25,7 +25,7 @@ or the <> + If virtual memory is enabled, then the state of <>.CW, and, if {cheri_pte_ext_name} is implemented, <>.CRG, <>.U and <>.UCRG, -may cause a CHERI <> page fault exception in addition to a normal RISC-V page fault exception. +may cause a <> exception in addition to a normal RISC-V page fault exception. See <> for the exception reporting in this case. + :!load_res: diff --git a/src/insns/mret_sret.adoc b/src/insns/mret_sret.adoc index 1e8d7002..55789490 100644 --- a/src/insns/mret_sret.adoc +++ b/src/insns/mret_sret.adoc @@ -27,8 +27,8 @@ Exceptions:: CHERI fault exceptions occur when <> does not grant <> because <> and <> require access to privileged CSRs. When that exception occurs, _CHERI instruction fetch fault_ is reported in the TYPE field and the -Permission violation code is reported in the CAUSE field of <> or -<>. +Permission violation code is reported in the CAUSE field of <>, +<> or <>. Operation:: [source,SAIL,subs="verbatim,quotes"] diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index 2bd61754..75d94761 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -9,8 +9,8 @@ to CLEN/8. + endif::[] CHERI fault exceptions occur when the authorizing capability fails one of the checks -listed below; in this case, _CHERI data fault_ is reported in the <> or -<> TYPE field and the corresponding code is written to CAUSE. +listed below; in this case, _CHERI data fault_ is reported in the <>, +<> or <> TYPE field and the corresponding code is written to CAUSE. + [%autowidth,options=header,align=center] |============================================================================== @@ -25,7 +25,7 @@ or the <> + If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of <>.CW and <>.CRG from the current virtual memory page may -cause a CHERI <> page fault exception in addition to a normal RISC-V page fault +cause a <> exception in addition to a normal RISC-V page fault when operating in user mode. See <> for the exception reporting in this case. + diff --git a/src/insns/zcmt_cmjalt.adoc b/src/insns/zcmt_cmjalt.adoc index 40bd00db..2cbca9a2 100644 --- a/src/insns/zcmt_cmjalt.adoc +++ b/src/insns/zcmt_cmjalt.adoc @@ -41,7 +41,7 @@ Requires <> to be tagged, not sealed, have <> and for the full XLE {cheri_cap_mode_name} Exceptions:: When these instructions cause CHERI exceptions, _CHERI instruction fetch fault_ is reported in the TYPE field and the following codes may be -reported in the CAUSE field of <> or <>: +reported in the CAUSE field of <>, <> or <>: [width="50%",options=header,cols="2,^1",align=center] |============================================================================== diff --git a/src/insns/zcmt_cmjt.adoc b/src/insns/zcmt_cmjt.adoc index f873f1ad..73ca4e2e 100644 --- a/src/insns/zcmt_cmjt.adoc +++ b/src/insns/zcmt_cmjt.adoc @@ -41,7 +41,7 @@ Requires <> to be tagged, not sealed, have <> and for the full XLE {cheri_cap_mode_name} Exceptions:: When these instructions cause CHERI exceptions, _CHERI instruction fetch fault_ is reported in the TYPE field and the following codes may be -reported in the CAUSE field of <> or <>: +reported in the CAUSE field of <>, <> or <>: [width="50%",options=header,cols="2,^1",align=center] |============================================================================== diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 6c96e354..fee9dc33 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -422,6 +422,25 @@ include::generated/csr_renamed_purecap_mode_vs_table_body.adoc[] include::generated/csr_renamed_purecap_mode_u_table_body.adoc[] |=== +=== CHERI fault reporting + +CHERI faults require additional information to be reported. +The CSRs updated depend on the mode the trap is taken into, as shown in +<>. + +The additional information is written for CHERI faults and <>, and +is otherwise written to zero for all other exceptions, except as listed otherwise by other +future extensions. + +.CHERI fault reporting +[#cheri-fault-reporting,width=65%,float="center",align="center",options=header,cols="1,1,1"] +|============================================================================== +| Trap taken into | Faulting address | Additional CHERI fault information +| M-mode | <> | <> +| HS-mode / S-mode | <> | <> +| VS-mode | <> | <> +|============================================================================== + === Machine-Level CSRs {cheri_base_ext_name} extends some M-mode CSRs to hold capabilities or @@ -735,7 +754,7 @@ Load/store/AMO address breakpoint Optionally: + Load/store/AMO address misaligned | .>|13, 15, 5, 7 .<|During address translation for an explicit memory access: + -First encountered *CHERI PTE page fault*^23^, page fault or access fault +First encountered *<>*^23^, page fault or access fault | .>|5,7 .<|With physical address for an explicit memory access: + Load/store/AMO access fault | .>|4,6 .<|If not higher priority: + @@ -746,11 +765,11 @@ CHERI load PTE fault^4^ ^1^ PCC bounds are intended to be checked against all the bytes of fetched instructions. In the case of variable length instruction encoding, and that the fetch has failed to return any data, then only a minimum length instruction is checked against the PCC bounds. -^2^ The higher priority CHERI <> page fault covers capability loads or atomics where the loaded tag _is not_ checked, and all capability stores and atomics where the stored tag is set. +^2^ The higher priority <> covers capability loads or atomics where the loaded tag _is not_ checked, and all capability stores and atomics where the stored tag is set. -^3^ CHERI <> page fault exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a CHERI <> fault are both detected simultaneously, then both are recorded as shown in <>. +^3^ <> exceptions have the same priority against access faults as normal RISC-V page faults. If a normal RISC-V page fault _and_ a <> are both detected simultaneously, then both are recorded as shown in <>. -^4^ The lower priority <> fault only covers capability loads and atomics where the loaded tag _is_ checked. +^4^ The lower priority <> only covers capability loads and atomics where the loaded tag _is_ checked. NOTE: The full details of the CHERI exceptions with cause value {cheri_excep_mcause} are in xref:cheri_exception_combs_descriptions[xrefstyle=short]. @@ -795,10 +814,16 @@ endif::[] The <> register is an MXLEN-bit read-write register, which is added as part of the Hypervisor extension cite:[riscv-priv-spec]. {cheri_base_ext_name} also requires the implementation of this CSR. -When a CHERI fault is taken into M-mode, <> is written +When a CHERI fault, or <>, is taken into M-mode, <> is written with additional CHERI-specific exception information with the format shown in xref:mtval2-format[xrefstyle=short] to assist software in handling the trap. +<> is written to zero for all other exceptions, except as listed otherwise by +the Hypervisor extension in cite:[riscv-priv-spec], or by other future extensions. + +NOTE: the use of <>/<>/<> may be irregular as the Hypervisor uses + <> and _htval_ for guest page addresses on guest page fault, and CHERI has no use for _htval_. + If <> is read-only zero for CHERI exceptions then <> is also read-only zero for CHERI exceptions. @@ -854,10 +879,10 @@ If both are detected at once, then both are recorded. .mtval2 for page faults [#mtval2-page-fault,width=70%,float="center",align="center",cols="2,1",options=header] |============================================================================== -| Fault | Value -| RISC-V page fault | 0 -| CHERI <> fault | 1 -| RISC-V page fault and CHERI <> fault | 2 +| Fault | Value +| RISC-V page fault | 0 +| <> | 1 +| RISC-V page fault and <> | 2 |============================================================================== NOTE: Reporting both allows the software the choice about which action to take first, for example a write to a @@ -1075,7 +1100,9 @@ part of {cheri_base_ext_name} when the implementation supports S-mode. Its CSR address is 0x14b. <> is updated following the same rules as <> for CHERI exceptions -which are delegated to S-mode. +and <> which are delegated to HS-mode or S-mode. +It is written to zero for all other exceptions, except as listed otherwise by other +future extensions. The fields are identical to <> for CHERI exceptions, and for load and store/AMO page fault exceptions if {cheri_pte_ext_name} is implemented. @@ -1265,8 +1292,8 @@ the instruction's behavior. . If T is invalid and A does not have infinite bounds (see xref:section_cap_encoding[xrefstyle=short]), then the instruction gives rise to a CHERI fault; the _CHERI jump or branch_ fault is reported in the TYPE field -and invalid address violation is reported in the CAUSE field of <> or -<>. +and invalid address violation is reported in the CAUSE field of <>, +<> or <>. . If T is invalid and A has infinite bounds (see xref:section_cap_encoding[xrefstyle=short]), then A's tag is unchanged and T is written into A's address field. Attempting to execute the instruction at @@ -1290,7 +1317,7 @@ instruction's behavior. . If any byte in R is invalid and A does not have infinite bounds (see xref:section_cap_encoding[xrefstyle=short]), then the instruction gives rise to a CHERI fault; the _CHERI data_ fault is reported in the TYPE field and invalid -address violation is reported in the CAUSE field of <> or <>. +address violation is reported in the CAUSE field of <>, <> or <>. . If any byte in R is invalid and A has infinite bounds (see xref:section_cap_encoding[xrefstyle=short]), the hart will raise an access fault or page fault as is usual in RISC-V. . Otherwise all bytes in R are valid and the instruction behaves as normal. diff --git a/src/trigger-integration.adoc b/src/trigger-integration.adoc index 12a798c1..7dbd1c2d 100644 --- a/src/trigger-integration.adoc +++ b/src/trigger-integration.adoc @@ -22,7 +22,7 @@ mcontrol/mcontrol6 after (on previous instruction) | .>|*{cheri_excep_mcause}* .<|*Prior to instruction address translation:* + *CHERI fault due to PCC checks (tag, execute permission, invalid address and bounds)* | | .>|12, 1 .<|During instruction address translation: + -First encountered *CHERI PTE page fault*, page fault or access fault | +First encountered *<>*, page fault or access fault | | .>|1 .<|With physical address for instruction: + Instruction access fault | @@ -49,14 +49,14 @@ Environment break | | .>|4,6 .<|Optionally: + Load/store/AMO address misaligned | | .>|13, 15, 5, 7 .<|During address translation for an explicit memory access: + -First encountered *CHERI <> page fault*, page fault or access fault | +First encountered *<>*, page fault or access fault | | .>|5,7 .<|With physical address for an explicit memory access: + Load/store/AMO access fault | | .>|4,6 .<|If not higher priority: + Load/store/AMO address misaligned | | .>|13 .<|If not higher priority: + -CHERI load <> fault | +<> | |_Lowest_ .>|3 .<| |mcontrol/mcontrol6 load data before |=== -NOTE: See the notes beneath <> for details about CHERI <> page fault priority. +NOTE: See the notes beneath <> for details about <> priority. From 1baa11a5fa08a0953a874aa6ca0669dee6a20d67 Mon Sep 17 00:00:00 2001 From: Alexander Richardson Date: Thu, 6 Feb 2025 18:13:24 -0800 Subject: [PATCH 10/15] Fix indentation of sub-items (#524) Move the note after the two sub-items to ensure asciidoc renders the document correctly. Fixes: https://github.com/riscv/riscv-cheri/issues/523 --- src/cheri-pte-ext.adoc | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index fdcb13bb..6ba25a19 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -107,6 +107,9 @@ The CW bit indicates whether reading or writing capabilities with the tag set to the virtual page is permitted. When the CW bit is set, capabilities are written as usual, and capability reads are controlled by the CRG bit. +NOTE: The tag bit of the stored capability is checked _after_ it is potentially +cleared <>. + If the CW bit is clear then: * When a capability load or AMO instruction is executed, the implementation @@ -115,10 +118,6 @@ If the CW bit is clear then: is raised when a capability store or AMO instruction is executed and the tag bit of the capability being written is set. * When CRG is set, the "pre-CW state", two schemes are permitted (also see <>): - -NOTE: The tag bit of the stored capability is checked _after_ it is potentially -cleared <>. - ** The same behavior as when CRG is clear, allowing software interpretation of this state. ** When a capability store or AMO instruction is executed From aabff081ff1f8eda0a79964c8dcf10a5749822c6 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 7 Feb 2025 02:13:59 +0000 Subject: [PATCH 11/15] Replace bounds decoding ascii art with bytefield diagram (#526) Replace the ascii art with the bounds decoding diagram to make it clear how they are computed and what the resulting width of top and base. This PR replaces this: ``` top: t = { {1'b0, a[MXLEN - 1:E + MW]} + ct, T[MW - 1:0], {E{1'b0}} } base: b = { a[MXLEN - 1:E + MW] + cb, B[MW - 1:0], {E{1'b0}} } ``` With the bytefield figures in the attached image. Screenshot 2025-02-06 at 19 21 42 --- src/cap-description.adoc | 15 ++++++++++----- src/img/base-bound-dec.edn | 16 ++++++++++++++++ src/img/top-bound-dec.edn | 16 ++++++++++++++++ 3 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 src/img/base-bound-dec.edn create mode 100644 src/img/top-bound-dec.edn diff --git a/src/cap-description.adoc b/src/cap-description.adoc index d5ebb866..a80c51b0 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -445,12 +445,17 @@ Reconstituting the top two bits of T: T[MW - 1:MW - 2] = B[MW - 1:MW - 2] + LCout + LMSB ``` -Decoding the bounds: +The bounds are decoded as shown in xref:top_bound_dec[xrefstyle=short] and +xref:base_bound_dec[xrefstyle=short]. + +.Decoding of the MXLEN+1 wide top (_t_) bound +[#top_bound_dec] +include::img/top-bound-dec.edn[] + +.Decoding of the MXLEN wide base (_b_) bound +[#base_bound_dec] +include::img/base-bound-dec.edn[] -``` -top: t = { {1'b0, a[MXLEN - 1:E + MW]} + ct, T[MW - 1:0], {E{1'b0}} } -base: b = { a[MXLEN - 1:E + MW] + cb, B[MW - 1:0], {E{1'b0}} } -``` The corrections c~t~ and c~b~ are calculated as as shown below using the definitions in xref:cap_encoding_ct[xrefstyle=short] and xref:cap_encoding_cb[xrefstyle=short]. diff --git a/src/img/base-bound-dec.edn b/src/img/base-bound-dec.edn new file mode 100644 index 00000000..cc386938 --- /dev/null +++ b/src/img/base-bound-dec.edn @@ -0,0 +1,16 @@ +[bytefield] +---- +(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 25}]) +(def row-height 80) +(def row-header-fn nil) +(def left-margin 100) +(def right-margin 100) +(def boxes-per-row 32) +(draw-column-headers {:height 50 :font-size 22 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "E" "" "" "" "" "" "" "" "" "" "E+MW" "" "" "" "" "" "" "" "" "" "" "MXLEN-1"])}) + +(draw-box "a[MXLEN - 1:E + MW] + cb" {:span 12}) +(draw-box "B[MW - 1:0]" {:span 10}) +(draw-box "0" {:span 10}) + +(draw-box "MXLEN" {:span 32 :borders {}}) +---- diff --git a/src/img/top-bound-dec.edn b/src/img/top-bound-dec.edn new file mode 100644 index 00000000..eabef03d --- /dev/null +++ b/src/img/top-bound-dec.edn @@ -0,0 +1,16 @@ +[bytefield] +---- +(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 25}]) +(def row-height 80) +(def row-header-fn nil) +(def left-margin 100) +(def right-margin 100) +(def boxes-per-row 32) +(draw-column-headers {:height 50 :font-size 22 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "E" "" "" "" "" "" "" "" "" "" "E+MW" "" "" "" "" "" "" "" "" "" "" "MXLEN"])}) + +(draw-box "{1'b0, a[MXLEN - 1:E + MW]} + ct" {:span 12}) +(draw-box "T[MW - 1:0]" {:span 10}) +(draw-box "0" {:span 10}) + +(draw-box "MXLEN+1" {:span 32 :borders {}}) +---- From d4e2ed3c033ad3311407c867872287c57dbb62b8 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 7 Feb 2025 14:07:00 +0000 Subject: [PATCH 12/15] Write note about traps for capability stores (#528) Add a note indicating that capability stores may trap in future extensions when the authorizing capability does not grant capability write permissions. Also remove outdated TODO. Fixes https://github.com/riscv/riscv-cheri/issues/476 --- src/riscv-integration.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index fee9dc33..b361a8c0 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -222,8 +222,9 @@ capability written to memory is cleared if the authorizing capability does not grant permission to write capabilities (i.e. both <> and <> must be set in AP). -WARNING: #TODO: these cases may cause exceptions in the future - we need a way -for software to discover and/or control the behavior# +NOTE: Future extensions to {cheri_base_ext_name} may add mechanisms that cause +stores to raise exceptions when the authorizing capability does not grant both +<> and <>. [#section_existing_riscv_insns] === Existing RISC-V Instructions From 024e060b17b7c0fe3b124d383a3a9c37c3b6c4d8 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 7 Feb 2025 14:09:59 +0000 Subject: [PATCH 13/15] Remove xtdc CSRs zcherihybrid extension (#527) Fixes https://github.com/riscv/riscv-cheri/issues/519 --- src/csv/CHERI_CSR.csv | 3 --- src/hypervisor-integration.adoc | 16 ---------------- src/img/mtdcreg.edn | 22 --------------------- src/img/stdcreg.edn | 22 --------------------- src/img/vstdcreg.edn | 22 --------------------- src/riscv-hybrid-integration.adoc | 32 ------------------------------- 6 files changed, 117 deletions(-) delete mode 100644 src/img/mtdcreg.edn delete mode 100644 src/img/stdcreg.edn delete mode 100644 src/img/vstdcreg.edn diff --git a/src/csv/CHERI_CSR.csv b/src/csv/CHERI_CSR.csv index 9dfdc193..9d10265e 100644 --- a/src/csv/CHERI_CSR.csv +++ b/src/csv/CHERI_CSR.csv @@ -37,9 +37,6 @@ direct write if address didn't change","✔","","","","Zcmt","Jump Vector Table "dddc","0x7bc","","D","DRW","tag=0, otherwise undefined","Apply <>. Always update the CSR with <> even if the address didn't change.","Apply <> and update the CSR with the result if the address changed, direct write if address didn't change","","✔","","","{cheri_default_ext_name}, Sdext","Debug Default Data Capability (saved/restored on debug mode entry/exit)","","","","","","","","","","","","","","","","","","","","","" -"mtdc","0x74c","","M","MRW, <>","tag=0, otherwise undefined","Update the CSR using <>.","direct write","","","","","{cheri_default_ext_name}, M-mode","Machine Trap Data Capability (scratch register)","","","","","","","","","","","","","","","","","","","","","" -"stdc","0x163","","S","SRW, <>","tag=0, otherwise undefined","Update the CSR using <>.","direct write","","","","","{cheri_default_ext_name}, S-mode","Supervisor Trap Data Capability (scratch register)","","","","","","","","","","","","","","","","","","","","","" -"vstdc","0x245","","VS","HRW, <>","tag=0, otherwise undefined","Update the CSR using <>.","direct write","","","","","{cheri_default_ext_name}, H","Virtual Supervisor Trap Data Capability (scratch register)","","","","","","","","","","","","","","","","","","","","","" "ddc","0x416","","U","URW","<>","Apply <>. Always update the CSR with <> even if the address didn't change.","Apply <> and update the CSR with the result if the address changed, direct write if address didn't change","","✔","","","{cheri_default_ext_name}","User Default Data Capability","","","","","","","","","","","","","","","","","","","","","" diff --git a/src/hypervisor-integration.adoc b/src/hypervisor-integration.adoc index b99f0b17..7c3eb94e 100644 --- a/src/hypervisor-integration.adoc +++ b/src/hypervisor-integration.adoc @@ -146,22 +146,6 @@ The <> register is as defined in cite:[riscv-priv-spec]. It must additionally support the new exception code for CHERI exceptions that <> supports. -[#vstdc,reftext="vstdc"] -=== Virtual Supervisor Trap Default Capability Register (vstdc) - -The <> register is a capability width read/write register that is -VS-mode's version of supervisor register <>. This register is only -present when the implementation supports {cheri_default_ext_name}. - -{TAG_RESET_CSR} - -{REQUIRE_CRE_CSR} - -{REQUIRE_HYBRID_CSR} - -.Virtual supervisor trap default capability register -include::img/vstdcreg.edn[] - [#vstval,reftext="vstval"] === Virtual Supervisor Trap Value Register (vstval) diff --git a/src/img/mtdcreg.edn b/src/img/mtdcreg.edn deleted file mode 100644 index ba5d74da..00000000 --- a/src/img/mtdcreg.edn +++ /dev/null @@ -1,22 +0,0 @@ -[bytefield] ----- -(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 21}]) -(def row-height 40) -(def row-header-fn nil) -(def left-margin 100) -(def right-margin 100) -(def boxes-per-row 34) -(draw-column-headers {:height 20 :font-size 18 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "MXLEN-1" "" ""])}) - -(draw-box "Tag" {:span 1}) -(draw-box "" {:span 1 :borders {}}) - -(draw-box "mtdc (Metadata)" {:span 32}) - -(draw-box "" {:span 2 :borders {}}) - -(draw-box "mtdc (Address)" {:span 32}) - -(draw-box "" {:span 2 :borders {}}) -(draw-box "MXLEN" {:span 32 :borders {}}) ----- diff --git a/src/img/stdcreg.edn b/src/img/stdcreg.edn deleted file mode 100644 index 3aeff145..00000000 --- a/src/img/stdcreg.edn +++ /dev/null @@ -1,22 +0,0 @@ -[bytefield] ----- -(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 21}]) -(def row-height 40) -(def row-header-fn nil) -(def left-margin 100) -(def right-margin 100) -(def boxes-per-row 34) -(draw-column-headers {:height 20 :font-size 18 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "MXLEN-1" "" ""])}) - -(draw-box "Tag" {:span 1}) -(draw-box "" {:span 1 :borders {}}) - -(draw-box "stdc (Metadata)" {:span 32}) - -(draw-box "" {:span 2 :borders {}}) - -(draw-box "stdc (Address)" {:span 32}) - -(draw-box "" {:span 2 :borders {}}) -(draw-box "MXLEN" {:span 32 :borders {}}) ----- diff --git a/src/img/vstdcreg.edn b/src/img/vstdcreg.edn deleted file mode 100644 index e1b5180c..00000000 --- a/src/img/vstdcreg.edn +++ /dev/null @@ -1,22 +0,0 @@ -[bytefield] ----- -(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 21}]) -(def row-height 40) -(def row-header-fn nil) -(def left-margin 100) -(def right-margin 100) -(def boxes-per-row 34) -(draw-column-headers {:height 20 :font-size 18 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "MXLEN-1" "" ""])}) - -(draw-box "Tag" {:span 1}) -(draw-box "" {:span 1 :borders {}}) - -(draw-box "vstdc (Metadata)" {:span 32}) - -(draw-box "" {:span 2 :borders {}}) - -(draw-box "vstdc (Address)" {:span 32}) - -(draw-box "" {:span 2 :borders {}}) -(draw-box "MXLEN" {:span 32 :borders {}}) ----- diff --git a/src/riscv-hybrid-integration.adoc b/src/riscv-hybrid-integration.adoc index 3bd15786..78841c9d 100644 --- a/src/riscv-hybrid-integration.adoc +++ b/src/riscv-hybrid-integration.adoc @@ -429,22 +429,6 @@ Setting the MBE, SBE, or UBE field to a value that is not the reset value of MBE disables most CHERI features and instructions, as described in xref:section_cheri_disable[xrefstyle=short], while in that privilege mode. -[#mtdc,reftext="mtdc"] -==== Machine Trap Default Capability Register (mtdc) - -The <> register is a capability width read/write register dedicated -for use by machine mode. Typically, it is used to hold a data capability to a -machine-mode hart-local context space, to load into <>. - -{TAG_RESET_CSR} - -{REQUIRE_CRE_CSR} - -{REQUIRE_HYBRID_CSR} - -.Machine-mode trap data capability register -include::img/mtdcreg.edn[] - [#mseccfg,reftext="mseccfg"] ==== Machine Security Configuration Register (mseccfg) @@ -482,22 +466,6 @@ xref:section_cheri_disable[xrefstyle=short]. The reset value is 0. -[#stdc,reftext="stdc"] -==== Supervisor Trap Default Capability Register (stdc) - -The <> register is a capability width read/write register dedicated -for use by supervisor mode. Typically, it is used to hold a data capability to -a supervisor-mode hart-local context space, to load into <>. - -{TAG_RESET_CSR} - -{REQUIRE_CRE_CSR} - -{REQUIRE_HYBRID_CSR} - -.Supervisor trap data capability register (*stdc*) -include::img/stdcreg.edn[] - [#senvcfg,reftext="senvcfg"] ==== Supervisor Environment Configuration Register (senvcfg) From 1ab7e6ac4d664882073a9544bdc52b0434f085e9 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 7 Feb 2025 14:17:17 +0000 Subject: [PATCH 14/15] bump version number (#529) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b1b8a3f1..9fbdba17 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ GEN_SCRIPT = $(SCRIPTS_DIR)/generate_tables.py # Version and date DATE ?= $(shell date +%Y-%m-%d) -VERSION ?= v0.9.3 +VERSION ?= v0.9.4 REVMARK ?= Draft # Directories and files From 9d0d3ccbeae5f192e4a62b36dd23036141681e9f Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 10 Feb 2025 17:14:40 +0100 Subject: [PATCH 15/15] scale back proposal --- src/cap-description.adoc | 12 ------------ src/insns/atomic_exceptions.adoc | 3 +-- src/insns/cbld_32bit.adoc | 4 ++-- src/insns/cbo_exceptions.adoc | 3 +-- src/insns/jalr_32bit.adoc | 2 +- src/insns/load_exceptions.adoc | 3 +-- src/insns/malformed_top_range_clear_tag.adoc | 3 +-- src/insns/scss_32bit.adoc | 1 - src/insns/store_exceptions.adoc | 3 +-- src/riscv-integration.adoc | 2 +- 10 files changed, 9 insertions(+), 27 deletions(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index a80c51b0..1cef3b15 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -542,17 +542,6 @@ NOTE: A capability has infinite bounds if E=CAP_MAX_E and it is not malformed (see xref:section_cap_malformed[xrefstyle=short]); this check is equivalent to _b_=0 and _t_≥2^MXLEN^. -[#section_top_out_of_range] -===== The Top Bound is Out Of Range - -The top bound of the <> is defined to be 2^MXLEN^. - -There are cases where the decoded bounds of a capability could, in theory, exceed this value. - -These cases are computationally expensive to detect without expanding the bounds, therefore -all instructions such as <> which expand bounds and output a capability will clear -the output tag if the top bound is out of range. - [#section_cap_malformed] ===== Malformed Capability Bounds @@ -577,7 +566,6 @@ CHERI enforces the following invariants for all valid (i.e., tagged) capabilitie . The bounds are not malformed. . No reserved bit in the capability encoding is set. . The permissions can be legally produced by <>. -. The <>. A tagged capability that violates those invariants (i.e., a tagged but malformed capability or a tagged capability with any reserved bit set) can only possibly be caused by diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index 8f890aa0..68650b21 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc @@ -35,8 +35,7 @@ reported in the CAUSE field of <>, <> or <>: | Seal violation | Authority capability is sealed | Permission violation | Authority capability does not grant <> or <>, or the AP field could not have been produced by <> | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds, or -the <> +| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds |============================================================================== :!cap_atomic: diff --git a/src/insns/cbld_32bit.adoc b/src/insns/cbld_32bit.adoc index 54875836..7ba1eefb 100644 --- a/src/insns/cbld_32bit.adoc +++ b/src/insns/cbld_32bit.adoc @@ -24,13 +24,13 @@ Description:: Copy `cs2` to `cd` and set `cd.tag` to 1 if . `cs1.tag` is set, and -. `cs1` 's bounds are not <>, and all reserved fields are zero, and the <>, and +. `cs1` 's bounds are not <>, and all reserved fields are zero, and . `cs1` 's permissions could have been legally produced by <>, and . `cs1` is not sealed, and . `cs2` 's permissions and bounds are equal to or a subset of `cs1` 's, and . `cs2` 's <> is equal to or lower than `cs1` 's, and .. _This is only relevant if {cheri_levels_ext_name} is implemented._ -. `cs2` 's bounds are not <>, and all reserved fields are zero, and the <>, and +. `cs2` 's bounds are not <>, and all reserved fields are zero, and . `cs2` 's permissions could have been legally produced by <>, and . All reserved bits in `cs2` 's metadata are 0; diff --git a/src/insns/cbo_exceptions.adoc b/src/insns/cbo_exceptions.adoc index 598664bd..8c21779d 100644 --- a/src/insns/cbo_exceptions.adoc +++ b/src/insns/cbo_exceptions.adoc @@ -32,8 +32,7 @@ ifdef::cbo_inval[] | Permission violation | Authority capability does not grant <>, <> or <>, or the AP field could not have been produced by <> endif::[] | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | None of the bytes accessed are within the bounds, or the capability has <> bounds, or -the <> +| Bounds violation | None of the bytes accessed are within the bounds, or the capability has <> bounds |============================================================================== diff --git a/src/insns/jalr_32bit.adoc b/src/insns/jalr_32bit.adoc index 9fee0ba2..89965525 100644 --- a/src/insns/jalr_32bit.adoc +++ b/src/insns/jalr_32bit.adoc @@ -54,7 +54,7 @@ reported in the CAUSE field of <>, <> or <>: | Permission violation | | ✔ | `cs1` does not grant <>, or the AP field could not have been produced by <> | Invalid address violation | ✔ | ✔ | The target address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] | Bounds violation | ✔ | ✔ | Minimum length instruction is not within the target capability's bounds, which will fail -if `cs1` has <> bounds or the <> in {cheri_cap_mode_name}. +if `cs1` has <> bounds in {cheri_cap_mode_name}. |============================================================================== include::pcrel_debug_warning.adoc[] diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index 42087f2a..5166be6f 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc @@ -19,8 +19,7 @@ listed below; in this case, _CHERI data fault_ is reported in the <>, | Seal violation | Authority capability is sealed | Permission violation | Authority capability does not grant <>, or the AP field could not have been produced by <> | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds, -or the <> +| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds |============================================================================== + If virtual memory is enabled, then the state of <>.CW, diff --git a/src/insns/malformed_top_range_clear_tag.adoc b/src/insns/malformed_top_range_clear_tag.adoc index 2a69d977..7710a2f8 100644 --- a/src/insns/malformed_top_range_clear_tag.adoc +++ b/src/insns/malformed_top_range_clear_tag.adoc @@ -1,3 +1,2 @@ -NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <>, -the <>, +NOTE: This instruction sets `cd.tag=0` if `cs1` 's bounds are <> or if any of the reserved fields are set. diff --git a/src/insns/scss_32bit.adoc b/src/insns/scss_32bit.adoc index 1c65b166..17c882ac 100644 --- a/src/insns/scss_32bit.adoc +++ b/src/insns/scss_32bit.adoc @@ -29,7 +29,6 @@ Description:: . `cs2` 's <> is equal to or lower than `cs1` 's .. _This is only relevant if {cheri_levels_ext_name} is implemented._ . neither `cs1` or `cs2` have bounds which are <>, and -. neither `cs1` or `cs2` have the <>, and . neither `cs1` or `cs2` have any bits set in reserved fields, and . neither `cs1` or `cs2` have permissions that could not have been legally produced by <> diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index 75d94761..c5573206 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -19,8 +19,7 @@ listed below; in this case, _CHERI data fault_ is reported in the <>, | Seal violation | Authority capability is sealed | Permission violation | Authority capability does not grant <>, or the AP field could not have been produced by <> | Invalid address violation | The effective address is invalid according to xref:section_invalid_addr_conv[xrefstyle=short] -| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds, -or the <> +| Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds |============================================================================== + If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index b361a8c0..3d793f36 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -40,7 +40,7 @@ where address 2^MXLEN^ - 1 is within the bounds. However, the decoded top field of a capability is MXLEN + 1 bits wide and does *not* wrap, so a capability with base 2^MXLEN^ - 1 and top 2^MXLEN^ + 1 is not a subset of the <> capability and does not authorize access to the byte at address 0. -The top bound being out of range (see xref:section_top_out_of_range[xrefstyle=short]) is similar to malformed bounds (see xref:section_cap_malformed[xrefstyle=short]), it is impossible for +The top bound being out of range is similar to malformed bounds (see xref:section_cap_malformed[xrefstyle=short]), it is impossible for a CHERI core to generate a tagged capability with top > 2^MXLEN^. If such a capability exists then it must have been caused by a logic or memory fault.