From 74f05ec206e5152abb904e9b20460bd34856a642 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 3 Jul 2024 10:02:47 +0100 Subject: [PATCH] Swap sense of M-bit, so that 0 is cap mode (#305) It makes more sense for zero to mean cap mode, as it's the same as not having hybrid mode. Fixes https://github.com/riscv/riscv-cheri/issues/303 Co-authored-by: Alexander Richardson --- src/attributes.adoc | 2 ++ src/cap-description.adoc | 20 +++++++++----------- src/debug-integration.adoc | 10 +++------- src/riscv-hybrid-integration.adoc | 10 +++++----- 4 files changed, 19 insertions(+), 23 deletions(-) diff --git a/src/attributes.adoc b/src/attributes.adoc index 62063143..c7ebf5a4 100644 --- a/src/attributes.adoc +++ b/src/attributes.adoc @@ -67,6 +67,8 @@ endif::[] :TAG_RESET_CSR: The tag of the CSR must be reset to zero. The reset values of the metadata and address fields are UNSPECIFIED. :REQUIRE_CRE_CSR: Access to this CSR is illegal if CRE for the current mode is zero (see <>). +:CAP_MODE_VALUE: 0 +:INT_MODE_VALUE: 1 /////////////////////////////////////////////////////////////////////////////// // Cap definitions diff --git a/src/cap-description.adoc b/src/cap-description.adoc index d19e2524..c60bb05d 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -168,7 +168,7 @@ Quadrant 1 encodes permissions for executable capabilities and the <>. | 5 | ✔ | ✔ | | | | N/A | Data RW | 6-7 7+| reserved 8+| *Quadrant 1: Executable capabilities* -8+| bit[0] - <> (1-pass:attributes,quotes[{cheri_cap_mode_name}], 0-pass:attributes,quotes[{cheri_int_mode_name}]) +8+| bit[0] - <> ({CAP_MODE_VALUE}-pass:attributes,quotes[{cheri_cap_mode_name}], {INT_MODE_VALUE}-pass:attributes,quotes[{cheri_int_mode_name}]) | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) | 2-3 | ✔ | | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RW 
@@ -559,6 +559,7 @@ expanded base is 0 and top is 2^MXLEN^. | Tag | zero | Capability is not valid | SDP | zeros | Grants no permissions | AP | zeros | Grants no permissions +| M | zero | No meaning since non-executable (MXLEN=64 only) | S | zero | Unsealed | EF | zero | Internal exponent format | L~8~ | zero | Top address reconstruction bit (MXLEN=32 only) @@ -570,16 +571,12 @@ expanded base is 0 and top is 2^MXLEN^. | Reserved | zeros | All reserved fields |============================================================================== -If {cheri_default_ext_name} is supported: - -* For MXLEN=32, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in the AP field -* For MXLEN=64, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in a separate M field - [#section_infinite_cap] ==== Infinite Capability The <> capability grants all permissions while its bounds also -cover the whole address space. +cover the whole address space. It includes <> and so includes the +<> if {cheri_default_ext_name} is supported. NOTE: The <> capability is also known as 'default', 'almighty', or 'root' capability. @@ -591,7 +588,7 @@ or 'root' capability. | Field | Value | Comment | Tag | one | Capability is valid | SDP | ones | Grants all permissions -| AP (MXLEN=32) | 0x8 (see xref:cap_perms_encoding32[xrefstyle=short]) +| AP (MXLEN=32) | 0x8/0x9^1^ (see xref:cap_perms_encoding32[xrefstyle=short]) | Grants all permissions | AP (MXLEN=64) | 0x1F (see xref:cap_perms_encoding64[xrefstyle=short]) | Grants all permissions 
@@ -606,10 +603,11 @@ or 'root' capability. | Reserved | zeros | All reserved fields |============================================================================== -If {cheri_default_ext_name} is supported: +^1^If {cheri_default_ext_name} is supported, then the <> capability must represent +pass:attributes,quotes[{cheri_int_mode_name}] for compatibility with standard RISC-V code. Therefore: -* For MXLEN=32, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in the AP field -* For MXLEN=64, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in a separate M field +* For MXLEN=32, the <> is set to {INT_MODE_VALUE} in the AP field, giving the value 0x9 +* For MXLEN=64, the <> is set to {INT_MODE_VALUE} in a separate M field which is _not shown_ in the table above. [#section_cap_representable_check, reftext="Representable Range"] === Representable Range Check diff --git a/src/debug-integration.adoc b/src/debug-integration.adoc index 33e2678a..d205cc01 100644 --- a/src/debug-integration.adoc +++ b/src/debug-integration.adoc @@ -176,13 +176,9 @@ include::img/dscratch1creg.edn[] The <> register is a CLEN-bit plus tag bit CSR only accessible in debug mode. -The reset value is the <> capability. - -If {cheri_default_ext_name} (see xref:section-cheri-execution-mode[xrefstyle=short]) is implemented: - -. the core enters pass:attributes,quotes[{cheri_cap_mode_name}] when entering debug mode -.. therefore <>.M is set whenever entering debug mode for any reason. -. the mode can be optionally switched using <>, and the result observed in <>.M. +The reset value is the <> capability with the <> set to {CAP_MODE_VALUE}, +regardless of whether {cheri_default_ext_name} (see xref:section-cheri-execution-mode[xrefstyle=short]) +is implemented: <> is read/write but with no writeable fields, and so writes are ignored. diff --git a/src/riscv-hybrid-integration.adoc b/src/riscv-hybrid-integration.adoc index 64d8ab54..e4da93c2 100644 
--- a/src/riscv-hybrid-integration.adoc +++ b/src/riscv-hybrid-integration.adoc @@ -22,7 +22,7 @@ is a new unprivileged register: the default data capability, <>, that is used to authorise all data memory accesses when in pass:attributes,quotes[{cheri_int_mode_name}]. -The current CHERI execution mode is given by the mode (M) field of <> that +The current CHERI execution mode is given by the <> field of <> that is encoded as described in xref:section-cheri-execution-mode[xrefstyle=short]. The CHERI execution mode impacts the instruction set in the following ways: @@ -76,15 +76,15 @@ orthogonal to permissions as it can vary arbitrarily using <>. In both encodings: -* Mode (M)=1 indicates pass:attributes,quotes[{cheri_cap_mode_name}]. -* Mode (M)=0 indicates pass:attributes,quotes[{cheri_int_mode_name}]. +* Mode (M)={CAP_MODE_VALUE} indicates pass:attributes,quotes[{cheri_cap_mode_name}]. +* Mode (M)={INT_MODE_VALUE} indicates pass:attributes,quotes[{cheri_int_mode_name}]. The current CHERI execution mode is given by the <> of the <> and the CRE bits in <>, <>, and <> as follows: -* The Mode is pass:attributes,quotes[{cheri_cap_mode_name}] when the <> of the <> is 1, *and* the effective +* The Mode is pass:attributes,quotes[{cheri_cap_mode_name}] when the <> of the <> is {CAP_MODE_VALUE}, *and* the effective CRE=1 for the current privilege level -* The Mode is pass:attributes,quotes[{cheri_int_mode_name}] when the effective CRE=0 for the current privilege level *or* the <> of the <> is 0 +* The Mode is pass:attributes,quotes[{cheri_int_mode_name}] when the effective CRE=0 for the current privilege level *or* the <> of the <> is {INT_MODE_VALUE} When the <> can be set follows the rules defined by <>.
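Review bot: in src/attributes.adoc, `:CAP_MODE_VALUE: 0` and `:INT_MODE_VALUE: 1` are appended directly after the CSR boilerplate strings with no comment saying what they encode. Every changed sentence in the other three files now depends on these two attributes, so add a one-line comment above them stating that they are the two values of the single M-bit and must remain complementary.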
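Review bot: in the Infinite Capability hunks of src/cap-description.adoc, the MXLEN=64 M field is covered only by a footnote saying it is "_not shown_ in the table above", while the Null capability table in the same patch gains an explicit `| M | zero |` row. Suggest adding an M row to the Infinite table too, so the two tables can be compared field by field. The `0x8/0x9^1^` cell also leaves implicit which value applies when {cheri_default_ext_name} is not supported; the footnote only explains 0x9, so say in the cell or the footnote that 0x8 is the value without the extension. The new sentence "It includes <> and so includes the <>" repeats "includes" and would read better as a single clause.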
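Review bot: in src/debug-integration.adoc the rewritten reset-value sentence ends with "is implemented:" but the list that colon introduced has been deleted, so it now runs straight into the "read/write but with no writeable fields" paragraph; end the sentence with a full stop. The deleted list was also the only text in this hunk saying that the core enters capability mode on debug entry and that the mode can be switched and the result observed. If that behaviour is unchanged it should be restated in terms of {CAP_MODE_VALUE}, and if it is being dropped the commit message should say so. Finally, if the capability named here is the Infinite capability, note that cap-description.adoc in this same patch gives it M={INT_MODE_VALUE} when {cheri_default_ext_name} is supported, so this reset value is an exception to that definition and should be worded as one.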
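Review bot: in the last hunk of src/riscv-hybrid-integration.adoc, the trailing context line "When the <> can be set follows the rules defined by <>" is left unchanged, but after the polarity swap "set" reads as writing 1, which now selects integer mode rather than capability mode. Reword it to "can be changed" or name the value explicitly. The two "Mode (M)=" bullets and the two mode rules above it use the new attributes consistently and still partition the cases (M={CAP_MODE_VALUE} and CRE=1 versus CRE=0 or M={INT_MODE_VALUE}).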