diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 20e6f155..28a6a3b0 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -128,8 +128,8 @@ CLEN-bits is cleared. [#c_perm,reftext="C-permission"] Capability Permission \(C):: Allow reading capability data from memory if the -authorising capability also grants <>. Allow writing capability data to -memory if the authorising capability also grants <>. +authorizing capability also grants <>. Allow writing capability data to +memory if the authorizing capability also grants <>. [#x_perm,reftext="X-permission"] Execute Permission (X):: Allow instruction execution. @@ -140,15 +140,15 @@ If a capability grants <> and <>, but no <>, then a cap The rules specified by <> are followed when <> and <> are removed, so additional permissions may also be removed. Clearing a capability's <> and <> allows sharing a read-only version of a data structure (e.g. a tree or linked list) without making a copy. -NOTE: Implementations are allowed to retain invalid capability permissions loaded from memory instead of following the <> behaviour of reducing them to _no permissions_. +NOTE: Implementations are allowed to retain invalid capability permissions loaded from memory instead of following the <> behavior of reducing them to _no permissions_. [#asr_perm,reftext="ASR-permission"] Access System Registers Permission (ASR):: Allow read and write access to all privileged (M-mode and S-mode) CSRs. -If {tid_ext_name} is supported the <>, <>, <>, <>, <>, -<> registers are all considered privileged for the purposes of writing -and unprivileged for reading, and thus require ASR-permission for writes but not reads. -In all cases a suitable privilege mode is required for access. +If {tid_ext_name} is supported the <>, <>, <>, <>, <>, +<>, <>, <> registers are all considered privileged for the purposes +of writing and unprivileged for reading, and thus require ASR-permission for writes but +not reads. In all cases a suitable privilege mode is required for access. [#cap_permissions_encoding] ===== Permission Encoding @@ -295,7 +295,7 @@ references if that SDP bit is set because it "owns" that object. ifdef::cheri_v9_annotations[] WARNING: *CHERI v9:* There is now a 1-bit otype (sentry or unsealed) and the old CHERI v9 otype no longer exists. -The base CHERI-RISC-V standard does not have support for CHERI v9 CSEAL for sealed capabilities with object types and only has CSEALENTRY for sealed entry (sentry) capabilities. +The base CHERI-RISC-V standard does not have support for CHERI v9 CSEAL for sealed capabilities with object types and only has <> for sealed entry (sentry) capabilities. endif::[] This bit indicates the type of the capability: it is a sealed capability if the bit is 1 or unsealed if it is 0. @@ -507,7 +507,7 @@ disambiguate the location of the bounds with respect to an out-of-bounds address R is calculated relative to the base by subtracting 2^MW-2^ from B. If B, T or _a_[E + MW - 1:E] is less than R, it is inferred that they lie in the -2^E+MW^ aligned region above R labelled space~U~ in +2^E+MW^ aligned region above R labeled space~U~ in xref:cap_bounds_map[xrefstyle=short] and the corrections _c~t~_ and _c~b~_ are computed accordingly. The overall effect is that the address can roam 2^E+MW^/4 bytes below diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 49e540d8..a42f8c26 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -87,7 +87,7 @@ include::img/sv48pte.edn[] [#sv57pte] include::img/sv57pte.edn[] -NOTE: The behaviour in this section isn't relevant if: +NOTE: The behavior in this section isn't relevant if: . The authorizing capability doesn't have <>, for loads, stores and AMOs. . {cheri_levels_ext_name} has cleared the stored tag, for stores and AMOs. @@ -161,7 +161,7 @@ and the capability read from memory optionally has its tag set^1^. |=== ^1^ The choice here is whether to take data dependent exceptions on loads or atomic operations. - It is legal for the implementation to fault even if the tag is not set since this behaviour is only an optimization for software. + It is legal for the implementation to fault even if the tag is not set since this behavior is only an optimization for software. This means it is also legal to only check the tag under certain conditions and conservatively fault otherwise. Taking a trap when the tag is not set will introduce additional traps during revocation sweeps. diff --git a/src/debug-integration.adoc b/src/debug-integration.adoc index 98923633..cabf25b4 100644 --- a/src/debug-integration.adoc +++ b/src/debug-integration.adoc @@ -126,7 +126,7 @@ When leaving debug mode, the capability in <> is unsealed and written into <>. A debugger may write <> to change where the hart resumes and its mode, permissions, sealing or bounds. -The legalisation of <> follows the same rules described for <>. +The legalization of <> follows the same rules described for <>. [#dscratch0,reftext="dscratch0"] ==== Debug Scratch Register 0 (dscratch0) diff --git a/src/hypervisor-integration.adoc b/src/hypervisor-integration.adoc index 917a7bee..46f276d8 100644 --- a/src/hypervisor-integration.adoc +++ b/src/hypervisor-integration.adoc @@ -225,7 +225,7 @@ include::img/vstval2reg.edn[] The hypervisor extension defines several integer load and store instructions (such as <>, <> and <>) that transfer the amount of integer data described in cite:[riscv-priv-spec] between the registers and memory as though -V=1. These instructions change behaviour depending on the CHERI execution mode +V=1. These instructions change behavior depending on the CHERI execution mode although the instruction's encoding remains unchanged. When in {cheri_cap_mode_name}, the hypervisor load and @@ -234,7 +234,7 @@ xref:section_existing_riscv_insns[xrefstyle=short]. In {cheri_int_mode_name}, the instructions behave as described in cite:[riscv-priv-spec] and rely on an *x* register operand providing the effective address for the memory access; the capability -authorising the memory access is <>. +authorizing the memory access is <>. The exception cases remain as described in xref:section_existing_riscv_insns[xrefstyle=short] regardless of the CHERI @@ -244,7 +244,7 @@ execution mode. Hypervisor virtual-machine load (<>) and store (<>) capability instructions read or write CLEN bits from memory as though V=1. These -instructions change behaviour depending on the CHERI execution mode although +instructions change behavior depending on the CHERI execution mode although the instruction's encoding remains unchanged. When in {cheri_cap_mode_name}, the hypervisor @@ -252,4 +252,4 @@ load and store capability instructions behave as described in xref:section_existing_riscv_insns[xrefstyle=short]. In {cheri_int_mode_name}, the instructions behave as rely on an *x* register operand providing the effective address for the memory -access and the capability authorising the memory access is <>. +access and the capability authorizing the memory access is <>. diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index bfa364cf..30a483ce 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -66,7 +66,7 @@ The rules from <> must be followed when removing permissions. ^1^ All the listed permissions in the set are either minimum or maximum. -The behaviour of currently illegal combinations from <> is to clear the permission if invalid (or in the case of <> set it to 0 (_local_)). +The behavior of currently illegal combinations from <> is to clear the permission if invalid (or in the case of <> set it to 0 (_local_)). * For RV64 all such combinations may be redefined by future extensions. * The RV32 only rules are added because they remove combinations which do not meet the encoding requirements for <>, or diff --git a/src/insns/amo_32bit.adoc b/src/insns/amo_32bit.adoc index f89e3fe1..37b5b220 100644 --- a/src/insns/amo_32bit.adoc +++ b/src/insns/amo_32bit.adoc @@ -29,12 +29,12 @@ Encoding:: include::wavedrom/amo.adoc[] {cheri_cap_mode_name} Description:: -Standard atomic instructions, authorised by the capability in `cs1`. +Standard atomic instructions, authorized by the capability in `cs1`. + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Standard atomic instructions, authorised by the capability in <>. +Standard atomic instructions, authorized by the capability in <>. include::atomic_exceptions.adoc[] diff --git a/src/insns/amoswap_32bit_cap.adoc b/src/insns/amoswap_32bit_cap.adoc index 0bf170c2..b654db5c 100644 --- a/src/insns/amoswap_32bit_cap.adoc +++ b/src/insns/amoswap_32bit_cap.adoc @@ -16,12 +16,12 @@ Encoding:: include::wavedrom/amoswap_cap.adoc[] {cheri_cap_mode_name} Description:: -Atomic swap of capability type, authorised by the capability in `cs1`. +Atomic swap of capability type, authorized by the capability in `cs1`. + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Atomic swap of capability type, authorised by the capability in <>. +Atomic swap of capability type, authorized by the capability in <>. :cap_atomic: diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index c3cdb9fe..a05916dd 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc @@ -2,7 +2,7 @@ Permissions:: ifdef::cap_atomic[] Requires the authorizing capability to be tagged and not sealed. + -Requires <> and <> in the authorising capability. +Requires <> and <> in the authorizing capability. + If <> is not granted then store the memory tag as zero, and load `cd.tag` as zero. + @@ -14,7 +14,7 @@ If `cd` is not sealed, this implicit <> also clears <> to obtai The stored tag is also set to zero if the authorizing capability does not have <> set but the stored data has a <> of 0 (see <>). endif::[] ifndef::cap_atomic[] -Requires <> and <> in the authorising capability. +Requires <> and <> in the authorizing capability. endif::[] + Requires all bytes of the access to be in capability bounds. diff --git a/src/insns/cbo.clean.adoc b/src/insns/cbo.clean.adoc index e3975b13..ae28e546 100644 --- a/src/insns/cbo.clean.adoc +++ b/src/insns/cbo.clean.adoc @@ -26,12 +26,12 @@ Encoding:: {cheri_cap_mode_name} Description:: A CBO.CLEAN instruction performs a clean operation on the cache block -whose effective address is the base address specified in `cs1`. The authorising +whose effective address is the base address specified in `cs1`. The authorizing capability for this operation is `cs1`. {cheri_int_mode_name} Description:: A CBO.CLEAN instruction performs a clean operation on the cache block whose -effective address is the base address specified in `rs1`. The authorising +effective address is the base address specified in `rs1`. The authorizing capability for this operation is <>. :cbo_clean_flush: diff --git a/src/insns/cbo.flush.adoc b/src/insns/cbo.flush.adoc index 104a717a..eb72f41c 100644 --- a/src/insns/cbo.flush.adoc +++ b/src/insns/cbo.flush.adoc @@ -26,12 +26,12 @@ Encoding:: {cheri_cap_mode_name} Description:: A CBO.FLUSH instruction performs a flush operation on the cache block -whose effective address is the base address specified in `cs1`. The authorising +whose effective address is the base address specified in `cs1`. The authorizing capability for this operation is `cs1`. {cheri_int_mode_name} Description:: A CBO.FLUSH instruction performs a flush operation on the cache block whose -effective address is the base address specified in `rs1`. The authorising +effective address is the base address specified in `rs1`. The authorizing capability for this operation is <>. :cbo_clean_flush: diff --git a/src/insns/cbo.inval.adoc b/src/insns/cbo.inval.adoc index ed56923c..83ccff34 100644 --- a/src/insns/cbo.inval.adoc +++ b/src/insns/cbo.inval.adoc @@ -26,13 +26,13 @@ Encoding:: {cheri_cap_mode_name} Description:: A CBO.INVAL instruction performs an invalidate operation on the cache block -whose effective address is the base address specified in `cs1`. The authorising +whose effective address is the base address specified in `cs1`. The authorizing capability for this operation is `cs1`. {cheri_int_mode_name} Description:: A CBO.INVAL instruction performs an invalidate operation on the cache block whose effective address is the base address specified in `rs1`. The -authorising capability for this operation in <>. +authorizing capability for this operation in <>. :cbo_inval: include::cbo_exceptions.adoc[] diff --git a/src/insns/cbo.zero.adoc b/src/insns/cbo.zero.adoc index 6d7b11e0..1e7c5830 100644 --- a/src/insns/cbo.zero.adoc +++ b/src/insns/cbo.zero.adoc @@ -29,7 +29,7 @@ A `cbo.zero` instruction performs stores of zeros to the full set of bytes corresponding to the cache block whose effective address is the base address specified in `cs1`. An implementation may or may not update the entire set of bytes atomically although each individual write must atomically clear the tag -bit of the corresponding aligned CLEN-bit location. The authorising capability +bit of the corresponding aligned CLEN-bit location. The authorizing capability for this operation is `cs1`. {cheri_int_mode_name} Description:: @@ -37,7 +37,7 @@ A `cbo.zero` instruction performs stores of zeros to the full set of bytes corresponding to the cache block whose effective address is the base address specified in `cs1`. An implementation may or may not update the entire set of bytes atomically although each individual write must atomically clear the tag -bit of the corresponding aligned CLEN-bit location. The authorising capability +bit of the corresponding aligned CLEN-bit location. The authorizing capability for this operation is <>. include::store_exceptions.adoc[] diff --git a/src/insns/cbo_exceptions.adoc b/src/insns/cbo_exceptions.adoc index 53fe4721..1f79a737 100644 --- a/src/insns/cbo_exceptions.adoc +++ b/src/insns/cbo_exceptions.adoc @@ -1,5 +1,5 @@ Exceptions:: -CHERI fault exceptions occur when the authorising capability fails one of the checks +CHERI fault exceptions occur when the authorizing capability fails one of the checks listed below; in this case, _CHERI data fault_ is reported in the <> or <> TYPE field and the corresponding code is written to CAUSE. + diff --git a/src/insns/hypv-virt-load-cap.adoc b/src/insns/hypv-virt-load-cap.adoc index e6f6497d..3a7a575a 100644 --- a/src/insns/hypv-virt-load-cap.adoc +++ b/src/insns/hypv-virt-load-cap.adoc @@ -19,7 +19,7 @@ include::wavedrom/hypv-virt-load-cap.adoc[] Load a CLEN+1 bit value from memory as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in either VS-mode or VU-mode. The effective address is the address of `cs1`. The -authorising capability for the operation is `cs1`. A copy of the loaded value +authorizing capability for the operation is `cs1`. A copy of the loaded value is written to `cd`. + include::load_store_c0.adoc[] @@ -27,7 +27,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Load a CLEN+1 bit value from memory as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in -either VS-mode and VU-mode. The effective address is `rs1`. The authorising +either VS-mode and VU-mode. The effective address is `rs1`. The authorizing capability for the operation is <>. A copy of the loaded value is written to `cd`. diff --git a/src/insns/hypv-virt-load.adoc b/src/insns/hypv-virt-load.adoc index 336b8102..25626d6d 100644 --- a/src/insns/hypv-virt-load.adoc +++ b/src/insns/hypv-virt-load.adoc @@ -66,7 +66,7 @@ include::wavedrom/hypv-virt-load.adoc[] {cheri_cap_mode_name} Description:: Performs a load as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in either VS-mode or -VU-mode. The effective address is the address of `cs1`. The authorising +VU-mode. The effective address is the address of `cs1`. The authorizing capability for the operation is `cs1`. A copy of the loaded value is written to `rd`. + @@ -75,7 +75,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Performs a load as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in either VS-mode or -VU-mode. The effective address is the is `rs1`. The authorising capability for +VU-mode. The effective address is the is `rs1`. The authorizing capability for the operation is <>. A copy of the loaded value is written to `rd`. include::load_exceptions.adoc[] diff --git a/src/insns/hypv-virt-loadx.adoc b/src/insns/hypv-virt-loadx.adoc index d35731d2..60b4249d 100644 --- a/src/insns/hypv-virt-loadx.adoc +++ b/src/insns/hypv-virt-loadx.adoc @@ -27,7 +27,7 @@ Performs a load with the *execute* permission taking the place of *read* permission during address translation and as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory access in either VS-mode or VU-mode. The effective address is the address of `cs1`. The -authorising capability for the operation is `cs1`. A copy of the loaded value +authorizing capability for the operation is `cs1`. A copy of the loaded value is written to `rd`. + include::load_store_c0.adoc[] @@ -36,12 +36,12 @@ include::load_store_c0.adoc[] Performs a load with the *execute* permission taking the place of *read* permission during address translation and as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory access in -either VS-mode or VU-mode. The effective address is `rs1`. The authorising +either VS-mode or VU-mode. The effective address is `rs1`. The authorizing capability for the operation is <>. A copy of the loaded value is written to `rd`. Exceptions:: -CHERI fault exceptions occur when the authorising capability fails one of the checks +CHERI fault exceptions occur when the authorizing capability fails one of the checks listed below; in this case, _CHERI data fault_ is reported in the <> or <> TYPE field and the corresponding code is written to CAUSE. + diff --git a/src/insns/hypv-virt-store-cap.adoc b/src/insns/hypv-virt-store-cap.adoc index 77373445..ec5a2e1c 100644 --- a/src/insns/hypv-virt-store-cap.adoc +++ b/src/insns/hypv-virt-store-cap.adoc @@ -19,7 +19,7 @@ include::wavedrom/hypv-virt-store-cap.adoc[] Store a CLEN+1 bit value in `cs2` to memory as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in either VS-mode or VU-mode. The effective address is the address of -`cs1`. The authorising capability for the operation is `cs1`. +`cs1`. The authorizing capability for the operation is `cs1`. + include::load_store_c0.adoc[] @@ -27,7 +27,7 @@ include::load_store_c0.adoc[] Store a CLEN+1 bit value in `cs2` to memory as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in either VS-mode or VU-mode. The effective address is the `rs1`. The -authorising capability for the operation is <>. +authorizing capability for the operation is <>. include::store_tag_perms.adoc[] diff --git a/src/insns/hypv-virt-store.adoc b/src/insns/hypv-virt-store.adoc index db71d367..3aada698 100644 --- a/src/insns/hypv-virt-store.adoc +++ b/src/insns/hypv-virt-store.adoc @@ -51,7 +51,7 @@ include::wavedrom/hypv-virt-store.adoc[] {cheri_cap_mode_name} Description:: Performs a store as though V=1; i.e., with the address translation and protection, and endianness, that apply to memory accesses in either VS-mode or -VU-mode. The effective address is the address of `cs1`. The authorising +VU-mode. The effective address is the address of `cs1`. The authorizing capability for the operation is `cs1`. A copy of `rs2` is written to memory at the location indicated by the effective address and the tag bit of each block of memory naturally aligned to CLEN/8 is cleared. @@ -61,7 +61,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Performs a store as though V=1; i.e., with address translation and protection, and endianness, that apply to memory accesses in either VS-mode or VU-mode. The -effective address is `rs1`. The authorising capability for the operation is +effective address is `rs1`. The authorizing capability for the operation is <>. A copy of `rs2` is written to memory at the location indicated by the effective address and the tag bit of each block of memory naturally aligned to CLEN/8 is cleared. diff --git a/src/insns/load_16bit.adoc b/src/insns/load_16bit.adoc index af330e1b..6b2a3d39 100644 --- a/src/insns/load_16bit.adoc +++ b/src/insns/load_16bit.adoc @@ -44,10 +44,10 @@ Encoding:: include::wavedrom/reg-based-ldnstr.adoc[] {cheri_cap_mode_name} Description:: -Standard load instructions, authorised by the capability in `cs1`. +Standard load instructions, authorized by the capability in `cs1`. {cheri_int_mode_name} Description:: -Standard load instructions, authorised by the capability in <>. +Standard load instructions, authorized by the capability in <>. include::load_exceptions.adoc[] diff --git a/src/insns/load_16bit_Zcb.adoc b/src/insns/load_16bit_Zcb.adoc index d3b82233..4871e1ed 100644 --- a/src/insns/load_16bit_Zcb.adoc +++ b/src/insns/load_16bit_Zcb.adoc @@ -41,10 +41,10 @@ Encoding:: include::wavedrom/reg-based-ldnstr-Zcb.adoc[] {cheri_cap_mode_name} Description:: -Subword load instructions, authorised by the capability in `cs1`. +Subword load instructions, authorized by the capability in `cs1`. {cheri_int_mode_name} Description:: -Subword load instructions, authorised by the capability in <>. +Subword load instructions, authorized by the capability in <>. include::load_exceptions.adoc[] diff --git a/src/insns/load_16bit_fp_dp.adoc b/src/insns/load_16bit_fp_dp.adoc index 3fa35707..dde3d8d2 100644 --- a/src/insns/load_16bit_fp_dp.adoc +++ b/src/insns/load_16bit_fp_dp.adoc @@ -27,7 +27,7 @@ include::wavedrom/c-sp-load-css-dp.adoc[] include::wavedrom/c-sp-load-css-dp-sprel.adoc[] {cheri_int_mode_name} Description:: -Standard floating point stack pointer relative load instructions, authorised by the capability in <>. +Standard floating point stack pointer relative load instructions, authorized by the capability in <>. NOTE: These instructions are available in RV64 {cheri_int_mode_name} only. In RV64 {cheri_cap_mode_name} they are remapped to <>/<>. diff --git a/src/insns/load_16bit_fp_sp.adoc b/src/insns/load_16bit_fp_sp.adoc index 2149c745..e5dec9de 100644 --- a/src/insns/load_16bit_fp_sp.adoc +++ b/src/insns/load_16bit_fp_sp.adoc @@ -22,7 +22,7 @@ include::wavedrom/c-sp-load-css-fp.adoc[] include::wavedrom/c-sp-load-css-fp-sprel.adoc[] {cheri_int_mode_name} Description:: -Standard floating point load instructions, authorised by the capability in <>. +Standard floating point load instructions, authorized by the capability in <>. NOTE: These instructions are available in RV32 {cheri_int_mode_name} only. In {cheri_cap_mode_name} they are remapped to <>/<>. diff --git a/src/insns/load_16bit_sprel.adoc b/src/insns/load_16bit_sprel.adoc index 334e2749..a8be7b74 100644 --- a/src/insns/load_16bit_sprel.adoc +++ b/src/insns/load_16bit_sprel.adoc @@ -41,10 +41,10 @@ Encoding:: include::wavedrom/c-sp-load-store.adoc[] {cheri_cap_mode_name} Description:: -Standard stack pointer relative load instructions, authorised by the capability in `csp`. +Standard stack pointer relative load instructions, authorized by the capability in `csp`. {cheri_int_mode_name} Description:: -Standard stack pointer relative load instructions, authorised by the capability in <>. +Standard stack pointer relative load instructions, authorized by the capability in <>. include::load_exceptions.adoc[] diff --git a/src/insns/load_32bit.adoc b/src/insns/load_32bit.adoc index a58a6c42..642d8fc8 100644 --- a/src/insns/load_32bit.adoc +++ b/src/insns/load_32bit.adoc @@ -66,7 +66,7 @@ include::wavedrom/load.adoc[] {cheri_cap_mode_name} Description:: Load integer data of the indicated size (byte, halfword, word, double-word) from memory. The effective address of the load is obtained by adding the -sign-extended 12-bit offset to the address of `cs1`. The authorising capability +sign-extended 12-bit offset to the address of `cs1`. The authorizing capability for the operation is `cs1`. A copy of the loaded value is written to `rd`. + include::load_store_c0.adoc[] @@ -74,7 +74,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Load integer data of the indicated size (byte, halfword, word, double-word) from memory. The effective address of the load is obtained by adding the -sign-extended 12-bit offset to `rs1`. The authorising capability for the +sign-extended 12-bit offset to `rs1`. The authorizing capability for the operation is <>. A copy of the loaded value is written to `rd`. include::load_exceptions.adoc[] diff --git a/src/insns/load_32bit_cap.adoc b/src/insns/load_32bit_cap.adoc index f1827a1c..9b7ec1f3 100644 --- a/src/insns/load_32bit_cap.adoc +++ b/src/insns/load_32bit_cap.adoc @@ -26,7 +26,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Loads a CLEN+1 bit value from memory and writes it to `cd`. The capability -authorising the operation is <>. The effective address of the memory +authorizing the operation is <>. The effective address of the memory access is obtained by adding `rs1` to the sign-extended 12-bit offset. include::load_tag_perms.adoc[] diff --git a/src/insns/load_32bit_fp.adoc b/src/insns/load_32bit_fp.adoc index 334dc890..fd974f1c 100644 --- a/src/insns/load_32bit_fp.adoc +++ b/src/insns/load_32bit_fp.adoc @@ -30,12 +30,12 @@ Encoding:: include::wavedrom/fpload.adoc[] {cheri_cap_mode_name} Description:: -Standard floating point load instructions, authorised by the capability in `cs1`. +Standard floating point load instructions, authorized by the capability in `cs1`. + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Standard floating point load instructions, authorised by the capability in <>. +Standard floating point load instructions, authorized by the capability in <>. :!cap_load: include::load_exceptions.adoc[] diff --git a/src/insns/load_cap_cap_description.adoc b/src/insns/load_cap_cap_description.adoc index 420bfce3..643b8ca9 100644 --- a/src/insns/load_cap_cap_description.adoc +++ b/src/insns/load_cap_cap_description.adoc @@ -1,2 +1,2 @@ {cheri_cap_mode_name} Description:: -Load capability instruction, authorised by the capability in `cs1`. Take a load address misaligned exception if not naturally aligned. +Load capability instruction, authorized by the capability in `cs1`. Take a load address misaligned exception if not naturally aligned. diff --git a/src/insns/load_cap_int_description.adoc b/src/insns/load_cap_int_description.adoc index 9f39e7fa..b5aea1f9 100644 --- a/src/insns/load_cap_int_description.adoc +++ b/src/insns/load_cap_int_description.adoc @@ -1,2 +1,2 @@ {cheri_int_mode_name} Description:: -Load capability instruction, authorised by the capability in <>. Take a load address misaligned exception if not naturally aligned. +Load capability instruction, authorized by the capability in <>. Take a load address misaligned exception if not naturally aligned. diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index ab197d78..a894ed62 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc @@ -8,7 +8,7 @@ Misaligned address fault exception when the effective address is not aligned to CLEN/8. + endif::[] -CHERI fault exceptions occur when the authorising capability fails one of the checks +CHERI fault exceptions occur when the authorizing capability fails one of the checks listed below; in this case, _CHERI data fault_ is reported in the <> or <> TYPE field and the corresponding code is written to CAUSE. + diff --git a/src/insns/load_res_32bit.adoc b/src/insns/load_res_32bit.adoc index 0fbe05c3..c958e0ec 100644 --- a/src/insns/load_res_32bit.adoc +++ b/src/insns/load_res_32bit.adoc @@ -36,12 +36,12 @@ Encoding:: include::wavedrom/load_res.adoc[] {cheri_cap_mode_name} Description:: -Load reserved instructions, authorised by the capability in `cs1`. +Load reserved instructions, authorized by the capability in `cs1`. + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Load reserved instructions, authorised by the capability in <>. +Load reserved instructions, authorized by the capability in <>. :load_res: diff --git a/src/insns/load_res_cap_32bit.adoc b/src/insns/load_res_cap_32bit.adoc index e9a2ebf7..2ad7e214 100644 --- a/src/insns/load_res_cap_32bit.adoc +++ b/src/insns/load_res_cap_32bit.adoc @@ -16,13 +16,13 @@ Encoding:: include::wavedrom/load_res_cap.adoc[] {cheri_cap_mode_name} Description:: -Load reserved instructions, authorised by the capability in `cs1`. +Load reserved instructions, authorized by the capability in `cs1`. All misaligned load reservations cause a load address misaligned exception to allow software emulation (Zam extension, see cite:[riscv-unpriv-spec]). + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Load reserved instructions, authorised by the capability in <>. +Load reserved instructions, authorized by the capability in <>. All misaligned load reservations cause a load address misaligned exception to allow software emulation (Zam extension, see cite:[riscv-unpriv-spec]). include::load_tag_perms.adoc[] diff --git a/src/insns/prefetch.i.adoc b/src/insns/prefetch.i.adoc index 9fa061be..8d42861b 100644 --- a/src/insns/prefetch.i.adoc +++ b/src/insns/prefetch.i.adoc @@ -31,7 +31,7 @@ A PREFETCH.I instruction indicates to hardware that the cache block whose effective address is the sum of the base address specified in `cs1` and the sign-extended offset encoded in imm[11:0], where imm[4:0] equals 0b00000, is likely to be accessed by an instruction fetch in the near future. The encoding -is only valid if imm[4:0]=0. The authorising capability for this operation is +is only valid if imm[4:0]=0. The authorizing capability for this operation is `cs1`. This instruction does not throw any exceptions. However, following xref:CHERI_SPEC[xrefstyle=short], this instruction does not perform a prefetch if it is not authorized by `cs1`. @@ -41,7 +41,7 @@ A PREFETCH.I instruction indicates to hardware that the cache block whose effective address is the sum of the base address specified in `rs1` and the sign-extended offset encoded in imm[11:0], where imm[4:0] equals 0b00000, is likely to be accessed by an instruction fetch in the near future. The encoding -is only valid if imm[4:0]=0. The authorising capability for this operation is +is only valid if imm[4:0]=0. The authorizing capability for this operation is <>. :prefetch_insn: PREFETCH.I diff --git a/src/insns/prefetch.r.adoc b/src/insns/prefetch.r.adoc index 13ff323d..346ccc27 100644 --- a/src/insns/prefetch.r.adoc +++ b/src/insns/prefetch.r.adoc @@ -31,7 +31,7 @@ A PREFETCH.R instruction indicates to hardware that the cache block whose effective address is the sum of the base address specified in `cs1` and the sign-extended offset encoded in imm[11:0], where imm[4:0] equals 0b00000, is likely to be accessed by a data read (i.e. load) in the near future. The -encoding is only valid if imm[4:0]=0. The authorising capability for this +encoding is only valid if imm[4:0]=0. The authorizing capability for this operation is `cs1`. This instruction does not throw any exceptions. However, in following xref:CHERI_SPEC[xrefstyle=short], this instruction does not perform a prefetch if it is not authorized by `cs1`. @@ -41,7 +41,7 @@ A PREFETCH.R instruction indicates to hardware that the cache block whose effective address is the sum of the base address specified in `rs1` and the sign-extended offset encoded in imm[11:0], where imm[4:0] equals 0b00000, is likely to be accessed by a data read (i.e. load) in the near future. The -encoding is only valid if imm[4:0]=0. The authorising capability for this +encoding is only valid if imm[4:0]=0. The authorizing capability for this operation is <>. :prefetch_insn: PREFETCH.R diff --git a/src/insns/prefetch.w.adoc b/src/insns/prefetch.w.adoc index 2452bf8c..64896733 100644 --- a/src/insns/prefetch.w.adoc +++ b/src/insns/prefetch.w.adoc @@ -31,7 +31,7 @@ A PREFETCH.W instruction indicates to hardware that the cache block whose effective address is the sum of the base address specified in `cs1` and the sign-extended offset encoded in imm[11:0], where imm[4:0] equals 0b00000, is likely to be accessed by a data write (i.e. store) in the near future. The -encoding is only valid if imm[4:0]=0. The authorising capability for this +encoding is only valid if imm[4:0]=0. The authorizing capability for this operation is `cs1`. This instruction does not throw any exceptions. However, following xref:CHERI_SPEC[xrefstyle=short], this instruction does not perform a prefetch if it is not authorized by `cs1`. @@ -41,7 +41,7 @@ A PREFETCH.W instruction indicates to hardware that the cache block whose effective address is the sum of the base address specified in `rs1` and the sign-extended offset encoded in imm[11:0], where imm[4:0] equals 0b00000, is likely to be accessed by a data write (i.e. store) in the near future. The -encoding is only valid if imm[4:0]=0. The authorising capability for this +encoding is only valid if imm[4:0]=0. The authorizing capability for this operation is <>. :prefetch_insn: PREFETCH.W diff --git a/src/insns/prefetch_cap_checks.adoc b/src/insns/prefetch_cap_checks.adoc index 4c310711..48f02de7 100644 --- a/src/insns/prefetch_cap_checks.adoc +++ b/src/insns/prefetch_cap_checks.adoc @@ -1,5 +1,5 @@ In either mode, {prefetch_insn} does not perform a memory access -if one or more of the following conditions of the authorising capability are met: +if one or more of the following conditions of the authorizing capability are met: * The tag is not set * The sealed bit is set diff --git a/src/insns/store_16bit.adoc b/src/insns/store_16bit.adoc index b6abae2c..88211b67 100644 --- a/src/insns/store_16bit.adoc +++ b/src/insns/store_16bit.adoc @@ -45,10 +45,10 @@ Encoding:: include::wavedrom/c-cs-format-ls.adoc[] {cheri_cap_mode_name} Description:: -Standard store instructions, authorised by the capability in `cs1`. +Standard store instructions, authorized by the capability in `cs1`. {cheri_int_mode_name} Description:: -Standard store instructions, authorised by the capability in <>. +Standard store instructions, authorized by the capability in <>. include::store_exceptions.adoc[] diff --git a/src/insns/store_16bit_Zcb.adoc b/src/insns/store_16bit_Zcb.adoc index 3a0ef75c..7de25337 100644 --- a/src/insns/store_16bit_Zcb.adoc +++ b/src/insns/store_16bit_Zcb.adoc @@ -32,10 +32,10 @@ Encoding:: include::wavedrom/reg-based-str-Zcb.adoc[] {cheri_cap_mode_name} Description:: -Subword store instructions, authorised by the capability in `cs1`. +Subword store instructions, authorized by the capability in `cs1`. {cheri_int_mode_name} Description:: -Subword store instructions, authorised by the capability in <>. +Subword store instructions, authorized by the capability in <>. include::store_exceptions.adoc[] diff --git a/src/insns/store_16bit_fp_dp.adoc b/src/insns/store_16bit_fp_dp.adoc index a23be279..4f6714c8 100644 --- a/src/insns/store_16bit_fp_dp.adoc +++ b/src/insns/store_16bit_fp_dp.adoc @@ -30,10 +30,10 @@ include::wavedrom/c-sp-store-css-fp-dp.adoc[] include::wavedrom/c-sp-store-css-fp-dp-sprel.adoc[] {cheri_cap_mode_name} Description:: -Standard floating point stack pointer relative store instructions, authorised by the capability in `cs1` or `csp`. +Standard floating point stack pointer relative store instructions, authorized by the capability in `cs1` or `csp`. {cheri_int_mode_name} Description:: -Standard floating point stack pointer relative store instructions, authorised by the capability in <>. +Standard floating point stack pointer relative store instructions, authorized by the capability in <>. NOTE: These instructions are available in RV64 {cheri_int_mode_name} only. In RV64 {cheri_cap_mode_name} they are remapped to <>/<>. diff --git a/src/insns/store_16bit_fp_sp.adoc b/src/insns/store_16bit_fp_sp.adoc index b511e5e5..5432ef71 100644 --- a/src/insns/store_16bit_fp_sp.adoc +++ b/src/insns/store_16bit_fp_sp.adoc @@ -25,7 +25,7 @@ include::wavedrom/c-sp-store-css-fp.adoc[] include::wavedrom/c-sp-store-css-fp-sprel.adoc[] {cheri_int_mode_name} Description:: -Standard floating point store instructions, authorised by the capability in <>. +Standard floating point store instructions, authorized by the capability in <>. NOTE: These instructions are available in RV32 {cheri_int_mode_name} only. In {cheri_cap_mode_name} they are remapped to <>/<>. diff --git a/src/insns/store_16bit_sprel.adoc b/src/insns/store_16bit_sprel.adoc index 1c99f1e2..6eec10a3 100644 --- a/src/insns/store_16bit_sprel.adoc +++ b/src/insns/store_16bit_sprel.adoc @@ -45,10 +45,10 @@ Encoding:: include::wavedrom/c-sp-load-store-css.adoc[] {cheri_cap_mode_name} Description:: -Standard stack pointer relative store instructions, authorised by the capability in `csp`. +Standard stack pointer relative store instructions, authorized by the capability in `csp`. {cheri_int_mode_name} Description:: -Standard stack pointer relative store instructions, authorised by the capability in <>. +Standard stack pointer relative store instructions, authorized by the capability in <>. include::store_exceptions.adoc[] diff --git a/src/insns/store_32bit.adoc b/src/insns/store_32bit.adoc index 49f02245..a3aa08d9 100644 --- a/src/insns/store_32bit.adoc +++ b/src/insns/store_32bit.adoc @@ -51,7 +51,7 @@ include::wavedrom/store.adoc[] {cheri_cap_mode_name} Description:: Store integer data of the indicated size (byte, halfword, word, double-word) to memory. The effective address of the store is obtained by adding the -sign-extended 12-bit offset to the address of `cs1`. The authorising capability +sign-extended 12-bit offset to the address of `cs1`. The authorizing capability for the operation is `cs1`. A copy of `rs2` is written to memory at the location indicated by the effective address and the tag bit of each block of memory naturally aligned to CLEN/8 is cleared. @@ -61,7 +61,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Store integer data of the indicated size (byte, halfword, word, double-word) to memory. The effective address of the store is obtained by adding the -sign-extended 12-bit offset to `rs1`. The authorising capability for the +sign-extended 12-bit offset to `rs1`. The authorizing capability for the operation is <>. A copy of `rs2` is written to memory at the location indicated by the effective address and the tag bit of each block of memory naturally aligned to CLEN/8 is cleared. diff --git a/src/insns/store_32bit_cap.adoc b/src/insns/store_32bit_cap.adoc index 4b7a4267..8d2e9430 100644 --- a/src/insns/store_32bit_cap.adoc +++ b/src/insns/store_32bit_cap.adoc @@ -26,7 +26,7 @@ include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: Store the CLEN+1 bit value in `cs2` to memory. The capability -authorising the operation is <>. The effective address of the memory +authorizing the operation is <>. The effective address of the memory access is obtained by adding `rs1` to the sign-extended 12-bit offset. include::store_tag_perms.adoc[] diff --git a/src/insns/store_32bit_fp.adoc b/src/insns/store_32bit_fp.adoc index 2ab24c3a..80dcb44d 100644 --- a/src/insns/store_32bit_fp.adoc +++ b/src/insns/store_32bit_fp.adoc @@ -30,12 +30,12 @@ Encoding:: include::wavedrom/fpstore.adoc[] {cheri_cap_mode_name} Description:: -Standard floating point store instructions, authorised by the capability in `cs1`. +Standard floating point store instructions, authorized by the capability in `cs1`. + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Standard floating point store instructions, authorised by the capability in <>. +Standard floating point store instructions, authorized by the capability in <>. include::store_exceptions.adoc[] diff --git a/src/insns/store_cap_int_description.adoc b/src/insns/store_cap_int_description.adoc index 26301d68..b8d8a5c8 100644 --- a/src/insns/store_cap_int_description.adoc +++ b/src/insns/store_cap_int_description.adoc @@ -1,2 +1,2 @@ {cheri_int_mode_name} Description:: -Store capability instruction, authorised by the capability in <>. Take a store/AMO address misaligned fault if not naturally aligned. +Store capability instruction, authorized by the capability in <>. Take a store/AMO address misaligned fault if not naturally aligned. diff --git a/src/insns/store_cond_32bit.adoc b/src/insns/store_cond_32bit.adoc index 92d85dce..993d8ea7 100644 --- a/src/insns/store_cond_32bit.adoc +++ b/src/insns/store_cond_32bit.adoc @@ -36,12 +36,12 @@ Encoding:: include::wavedrom/store_cond.adoc[] {cheri_cap_mode_name} Description:: -Store conditional instructions, authorised by the capability in `cs1`. +Store conditional instructions, authorized by the capability in `cs1`. + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Store conditional instructions, authorised by the capability in <>. +Store conditional instructions, authorized by the capability in <>. :store_cond: diff --git a/src/insns/store_cond_cap_32bit.adoc b/src/insns/store_cond_cap_32bit.adoc index 088784b5..406907b8 100644 --- a/src/insns/store_cond_cap_32bit.adoc +++ b/src/insns/store_cond_cap_32bit.adoc @@ -16,13 +16,13 @@ Encoding:: include::wavedrom/store_cond_cap.adoc[] {cheri_cap_mode_name} Description:: -Store conditional instructions, authorised by the capability in `cs1`. +Store conditional instructions, authorized by the capability in `cs1`. All misaligned store conditionals cause a store/AMO address misaligned exception to allow software emulation (Zam extension, see cite:[riscv-unpriv-spec]). + include::load_store_c0.adoc[] {cheri_int_mode_name} Description:: -Store conditional instructions, authorised by the capability in <>. +Store conditional instructions, authorized by the capability in <>. All misaligned store conditionals cause a store/AMO address misaligned exception to allow software emulation (Zam extension, see cite:[riscv-unpriv-spec]). :store_cond: diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index ccec3bcf..836b413f 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -8,7 +8,7 @@ Misaligned address fault exception when the effective address is not aligned to CLEN/8. + endif::[] -CHERI fault exceptions occur when the authorising capability fails one of the checks +CHERI fault exceptions occur when the authorizing capability fails one of the checks listed below; in this case, _CHERI data fault_ is reported in the <> or <> TYPE field and the corresponding code is written to CAUSE. + diff --git a/src/instructions.adoc b/src/instructions.adoc index 0814ecfd..9c7f8ff7 100644 --- a/src/instructions.adoc +++ b/src/instructions.adoc @@ -119,7 +119,7 @@ include::insns/store_32bit_fp.adoc[] <<< === "C" Standard Extension for Compressed Instructions -One group of 16-bit encodings are remapped to different instructions dependant +One group of 16-bit encodings are remapped to different instructions dependent upon the CHERI execution mode, MXLEN and which extensions are supported. NOTE: Zcf and Zilsd are incompatible @@ -330,7 +330,7 @@ when the <> bounds are set narrowly to the local function only in {cheri_ca NOTE: Zcmt defines that the fetch from the jump table is from instruction memory. The overall instruction executed is effectively 48-bit, with 16-bits from <>/<>, the other 32-bits (for RV32) from the table. - Therefore <> is used to authorise the fetch in {cheri_int_mode_name}, as the fetch is designated to be from instruction memory in cite:[riscv-unpriv-spec]. + Therefore <> is used to authorize the fetch in {cheri_int_mode_name}, as the fetch is designated to be from instruction memory in cite:[riscv-unpriv-spec]. NOTE: In {cheri_cap_mode_name} the implementation doesn't need to expand and bounds check against <> on every access, it is sufficient to decode the valid accessible range of entries after every write to <>, and then check that the accessed entry is in that range. diff --git a/src/introduction.adoc b/src/introduction.adoc index 81932744..6c513286 100644 --- a/src/introduction.adoc +++ b/src/introduction.adoc @@ -120,7 +120,7 @@ and {cheri_pte_ext_name} are optional extensions in addition to We refer to software as _purecap_ if it utilizes CHERI capabilities for all memory accesses -- including loads, stores and instruction fetches -- rather than integer addresses. Purecap software requires the CHERI RISC-V hart to -support {cheri_base_ext_name}. We refer to software as _Hybrid_ if it uses +support {cheri_base_ext_name}. We refer to software as _hybrid_ if it uses integer addresses *or* CHERI capabilities for memory accesses. Hybrid software requires the CHERI RISC-V hart to support {cheri_base_ext_name} and {cheri_default_ext_name}. diff --git a/src/level-ext.adoc b/src/level-ext.adoc index c1060966..f5ee449e 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -138,7 +138,7 @@ NOTE: if W=0 or C=0 then SL is irrelevant [#section_ext_cheri_multiple_levels] === Extending {cheri_levels_ext_name} to more than two levels -When `LVLBITS>1`, the behaviour of <> can no longer use masking to adjust the <> or <>, but instead must perform an integer minimum operation on those `LVLBITS`-wide fields. +When `LVLBITS>1`, the behavior of <> can no longer use masking to adjust the <> or <>, but instead must perform an integer minimum operation on those `LVLBITS`-wide fields. The <> field of the resulting capability is set to `min(rs2[CL], cs1[CL])` (equivalent to `rs2[CL] & cs1[CL]` for `LVLBITS=1`). Similarly, <> is set to `min(rs2[SL], cs1[SL])` (equivalent to `rs2[SL] & cs1[SL]` for `LVLBITS=1`). diff --git a/src/riscv-hybrid-integration.adoc b/src/riscv-hybrid-integration.adoc index 848ce1f5..02db6277 100644 --- a/src/riscv-hybrid-integration.adoc +++ b/src/riscv-hybrid-integration.adoc @@ -19,16 +19,16 @@ integer variants of the RISC-V ISA (RV32I and RV64I). compatibility with the base RISC-V ISA while saving instruction encoding space. There are two execution modes: {cheri_cap_mode_name} and {cheri_int_mode_name}. Additionally, there is a new unprivileged register: the default data capability, <>, that is -used to authorise all data memory accesses when in +used to authorize all data memory accesses when in {cheri_int_mode_name}. The current CHERI execution mode is given by the <> field of <> that -is encoded as described in xref:section-cheri-execution-mode[xrefstyle=short]. +is encoded as described in xref:m_bit[xrefstyle=short]. The CHERI execution mode impacts the instruction set in the following ways: -* The authorising capability used to execute memory access instructions. -In {cheri_int_mode_name}, <> is implicitly used. In {cheri_cap_mode_name}, the authorising +* The authorizing capability used to execute memory access instructions. +In {cheri_int_mode_name}, <> is implicitly used. In {cheri_cap_mode_name}, the authorizing capability is supplied as an explicit *c* operand register to the instruction. * The set of instructions that is available for execution. Some instructions are available in {cheri_int_mode_name} but not {cheri_cap_mode_name} and vice-versa (see @@ -40,7 +40,7 @@ implementations that support {cheri_base_ext_name}, but not The CHERI execution mode is effectively an extension to some RISC-V instruction encodings. For example, the encoding of an instruction like <> remains -unchanged, but the mode indicates whether the capability authorising the load +unchanged, but the mode indicates whether the capability authorizing the load is the register operand `cs1` ({cheri_cap_mode_name}). The mode is shown in the assembly syntax. @@ -52,10 +52,10 @@ implementations supporting both {cheri_base_ext_name} and Setting both registers to <> ensures that: * All permissions are granted -* The bounds authorise accesses to the entire address space i.e base is 0 and +* The bounds authorize accesses to the entire address space i.e base is 0 and top is 2^MXLEN^ -[#m_bit,reftext="M-bit"] +[#m_bit,reftext="CHERI Execution Mode Encoding"] === CHERI Execution Mode Encoding {cheri_default_ext_name} adds a new CHERI execution Mode field (M) to @@ -90,7 +90,7 @@ When the <> can be set, the rules defined by <> must be followed. ==== Observing the CHERI Execution Mode The effective CHERI execution mode is given by the values of some CSRs and the -<> from the PCC. The following code sequences demonstrate how a program +<> from the <>. The following code sequences demonstrate how a program can observe the current, effective CHERI execution mode depending on the machine's privilege mode. @@ -122,20 +122,20 @@ Additionally, the behavior of some existing instructions changes depending on th ==== Capability Load and Store Instructions -The load and store capability instructions change behaviour depending on the +The load and store capability instructions change behavior depending on the CHERI execution mode although the instruction's encoding remains unchanged. The load capability instruction is <>. When the CHERI execution mode is {cheri_cap_mode_name}; the instruction behaves as described in xref:section_cap_instructions[xrefstyle=short]. -In {cheri_int_mode_name}, the capability authorising the memory access +In {cheri_int_mode_name}, the capability authorizing the memory access is <>, so the effective address is obtained by adding the *x* register to the sign-extended offset. The store capability instruction is <>. When the CHERI execution mode is {cheri_cap_mode_name}; the instruction behaves as described in xref:section_cap_instructions[xrefstyle=short]. -In {cheri_int_mode_name}, the capability authorising the memory access +In {cheri_int_mode_name}, the capability authorizing the memory access is <>, so the effective address is obtained by adding the *x* register to the sign-extended offset. @@ -161,18 +161,18 @@ and similarly for <> when in {cheri_cap_mode_name}. This instruction === Existing RISC-V Instructions The CHERI execution mode introduced in {cheri_default_ext_name} affects the -behaviour of instructions that have at least one memory address operand. When +behavior of instructions that have at least one memory address operand. When in {cheri_cap_mode_name}, the address input or output operands may include *c* registers. When in {cheri_int_mode_name}, the address input or output operands are *x/f/v* registers; the tag and metadata of that register are implicitly set to 0. ==== Control Transfer Instructions -The unconditional jump instructions change behaviour depending on the CHERI +The unconditional jump instructions change behavior depending on the CHERI execution mode although the instruction's encoding remains unchanged. The jump and link instruction <> when the CHERI execution mode is -Capability; behaves as described in +{cheri_cap_mode_name}; behaves as described in xref:section_existing_riscv_insns[xrefstyle=short]. When the mode is {cheri_int_mode_name}. In this case, the address of the instruction following the jump (*pc* + 4) is written to an *x* register; that register's @@ -198,7 +198,7 @@ misaligned. ==== Conditional Branches -The behaviour is as shown in xref:condbr-purecap[xrefstyle=short]. +The behavior is as shown in xref:condbr-purecap[xrefstyle=short]. ==== Load and Store Instructions @@ -209,7 +209,7 @@ Loads and stores behave as described in xref:section_existing_riscv_insns[xrefstyle=short] when in {cheri_cap_mode_name}. In {cheri_int_mode_name}, the instructions behave as described in the RISC-V base ISA and rely on *x* operands -only. The capability authorising the memory access is <> and the memory +only. The capability authorizing the memory access is <> and the memory address is given by sign-extending the 12-bit immediate offset and adding it to the base address in the *x* register operand. @@ -354,7 +354,7 @@ NOTE: The effective CRE is always 1 in debug mode. Disabling CHERI register access has no effect on implicit accesses or security checks. The last capability installed in <> and <> before disabling -CHERI register access will be used to authorise instruction execution and data +CHERI register access will be used to authorize instruction execution and data memory accesses. [NOTE] @@ -508,7 +508,7 @@ The reset value is 0. ==== Default Data Capability (ddc) The <> CSR is a read-write capability register implicitly used as an -operand to authorise all data memory accesses when the current CHERI mode is +operand to authorize all data memory accesses when the current CHERI mode is {cheri_int_mode_name}. This register must be readable in any implementation. Its reset value is the <> capability. diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index aa7023b4..776ba28c 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -39,7 +39,7 @@ also circular, so address 0 is within the <> of where address 2^MXLEN^ - 1 is within the bounds. However, the decoded top field of a capability is MXLEN + 1 bits wide and does *not* wrap, so a capability with base 2^MXLEN^ - 1 and top 2^MXLEN^ + 1 is not a subset of the -<> capability and does not authorise access to the byte at address 0. +<> capability and does not authorize access to the byte at address 0. Like malformed bounds (see xref:section_cap_malformed[xrefstyle=short]), it is impossible for a CHERI core to generate a tagged capability with top > 2^MXLEN^. If such a capability exists then it must have been caused by a logic or memory fault. @@ -68,7 +68,7 @@ capability. [#pcc,reftext="pcc"] ==== PCC - The Program Counter Capability -An authorising capability with appropriate permissions is required to execute +An authorizing capability with appropriate permissions is required to execute instructions in {cheri_base_ext_name}. Therefore, the unprivileged program counter (*pc*) register is extended so that it is able to hold a capability. The extended register is called the program counter capability (<>). The @@ -178,17 +178,17 @@ endif::[] ==== Capability Load and Store Instructions A load capability instruction, <>, reads CLEN bits from memory together with -its tag and writes the result to a *c* register. The capability authorising the +its tag and writes the result to a *c* register. The capability authorizing the memory access is provided in a *c* source register, so the effective address is obtained by incrementing that capability with the sign-extended 12-bit offset. A store capability instruction, <>, writes CLEN bits and the tag in a *c* register -to memory. The capability authorising the memory access is provided in a *c* +to memory. The capability authorizing the memory access is provided in a *c* source register, so the effective address is obtained by incrementing that capability with the sign-extended 12-bit offset. <> and <> instructions cause CHERI exceptions if the -authorising capability fails any of the following checks: +authorizing capability fails any of the following checks: * The tag is zero * The capability is sealed @@ -218,14 +218,14 @@ misaligned bits without a tag, use integer loads and stores. [#tags_cleared_by_permissions] For loads, the tag of the capability loaded from memory is cleared if the -authorising capability does not grant permission to read capabilities (i.e. +authorizing capability does not grant permission to read capabilities (i.e. both <> and <> must be set in AP). For stores, the tag of the -capability written to memory is cleared if the authorising capability does not +capability written to memory is cleared if the authorizing capability does not grant permission to write capabilities (i.e. both <> and <> must be set in AP). WARNING: #TODO: these cases may cause exceptions in the future - we need a way -for software to discover and/or control the behaviour# +for software to discover and/or control the behavior# [#section_existing_riscv_insns] === Existing RISC-V Instructions @@ -253,7 +253,7 @@ written to a *c* register. Control transfer instructions operate as described in the base RISC-V ISA. They also may cause metadata updates and/or cause exceptions in addition -to the base behaviour as described below. +to the base behavior as described below. ===== Unconditional Jumps @@ -305,13 +305,13 @@ Integer load and store instructions transfer the amount of integer data describe the base RISC-V ISA between the registers and memory. For example, <> and <> load 64-bit and 32-bit values respectively from memory into an *x* register. However, the address operands for load and store instructions are -interpreted differently in {cheri_base_ext_name}: the capability authorising +interpreted differently in {cheri_base_ext_name}: the capability authorizing the access is in the *c* register operand and the memory address is given by incrementing the address of that capability by the sign-extended 12-bit immediate offset. All load and store instructions cause CHERI exceptions if the -authorising capability fails any of the following checks: +authorizing capability fails any of the following checks: * The tag is set * The capability is unsealed @@ -338,7 +338,7 @@ is outside the <> of a CSR capability being wri This section describes how the CSR instructions operate on these CSRs in {cheri_base_ext_name}. -The CLEN-bit CSRs are summarised in xref:clen_csr_summary[xrefstyle=short]. +The CLEN-bit CSRs are summarized in xref:clen_csr_summary[xrefstyle=short]. [#zicsr-section-purecap] ==== CSR Instructions @@ -362,7 +362,7 @@ When <> and <> instructions are accessing a capability width CSR, such as <>, then the destination operand is a *c* register and the source operand is an *x* register. Therefore, the instructions atomically read CLEN bits from the CSR, calculate the final address using standard RISC-V -behaviour (set bits, clear bits, etc.), and that final address is written to the +behavior (set bits, clear bits, etc.), and that final address is written to the CSR capability's address field. The update typically uses the semantics of a <> instruction which clears the tag if the capability is sealed, or if the updated address is not representable. <> shows the @@ -544,12 +544,12 @@ capability. Its reset value is the <> capability. .Machine exception program counter capability register include::img/mepccreg.edn[] -Capabilities written to <> must be legalised by implicitly zeroing bit +Capabilities written to <> must be legalized by implicitly zeroing bit **mepcc[0]**. Additionally, if an implementation allows IALIGN to be either 16 or 32, then whenever IALIGN=32, the capability read from <> -must be legalised by implicitly zeroing **mepcc[1]**. Therefore, the -capability read or written has its tag bit cleared if the legalised address is -not within the <> or if the legalisation +must be legalized by implicitly zeroing **mepcc[1]**. Therefore, the +capability read or written has its tag bit cleared if the legalized address is +not within the <> or if the legalization changes the address and the capability is sealed. NOTE: When reading or writing a sealed capability in <>, the diff --git a/src/scripts/generate_tables.py b/src/scripts/generate_tables.py index 03d35ec0..350f74d9 100755 --- a/src/scripts/generate_tables.py +++ b/src/scripts/generate_tables.py @@ -125,7 +125,7 @@ def update(self, row): elif i == self.function_idx: # Drop references to DDC authorization in the purecap table. cell_value = cell_value.replace(" via int pointer", " via capability register") - cell_value = cell_value.replace(", authorise with DDC", "") + cell_value = cell_value.replace(", authorize with DDC", "") out_str += '|' + cell_value self.file.write(out_str + '\n') diff --git a/src/summary.adoc b/src/summary.adoc index 5e44155f..0f25edc0 100644 --- a/src/summary.adoc +++ b/src/summary.adoc @@ -1,13 +1,13 @@ == Quick Start This document describes the RISC-V extensions for supporting CHERI capabilities in hardware. -Capabilities can be used to provide memory safety, mitigating up to 70% of memory safety issues cite:[msrc-cheri-eval], as well as to provide efficient compartmentalisation. +Capabilities can be used to provide memory safety, mitigating up to 70% of memory safety issues cite:[msrc-cheri-eval], as well as to provide efficient compartmentalization. The extensions are split into the core features required for a working capability system ({cheri_base_ext_name}), and features required to support a mix-and-match of binaries compiled for CHERI and unchanged binaries ({cheri_default_ext_name}). Some other smaller extensions are described that provide additional functionality relevant to CHERI. === Capability Properties -Capabilities are 2*XLEN (which we call CLEN) bit structures, containing all the information required to identify and authorise access to a region of memory. +Capabilities are 2*XLEN (which we call CLEN) bit structures, containing all the information required to identify and authorize access to a region of memory. This includes: * An XLEN bit address, describing where the capability currently points. @@ -38,7 +38,7 @@ This means the following state is added: * Tags in registers, caches, and memory: ** Every register has a one-bit tag, indicating whether the capability in the register is valid to be dereferenced. - This tag is cleared if the register is written as an integer. + Among other reasons, this tag is cleared if the register is written as an integer. ** The tags are also tracked through the memory subsystem: every aligned CLEN-bits wide region has a non-addressable one-bit tag, which the hardware manages atomically with the data. The tag is cleared if the memory region is ever written other than using a capability store from a tagged capability register. @@ -46,12 +46,12 @@ This means the following state is added: === Checking Memory -Every memory access performed by a CHERI core must be authorised by a capability. +Every memory access performed by a CHERI core must be authorized by a capability. It is explicitly defined for every instruction where to find the capability to check against. In _purecap_ code, where all pointers are individual capabilities, the capability and address are used together, so e.g. `lw t0, 16(csp)` loads a word from memory, getting the address and bounds from the `csp` register. -For code that has not yet been fully adapted to CHERI (_hybrid_ code), the processor can run in a pointer mode (not to be confused with a privilege mode) where the authorising capability is instead taken from a special CSR: the default data capability (<>). +For code that has not yet been fully adapted to CHERI (_hybrid_ code), the processor can run in a pointer mode (not to be confused with a privilege mode) where the authorizing capability is instead taken from a special CSR: the default data capability (<>). -Instruction fetch is also authorised by a capability: the program counter capability (<>) which extends PC. +Instruction fetch is also authorized by a capability: the program counter capability (<>) which extends PC. This allows code fetch to be bounded, preventing a wide range of attacks that subvert control flow with integer data. Where {cheri_default_ext_name} is supported, the <> also contains the <> indicating whether the processor is running in integer or capability pointer mode. Changing the bounds used for instruction fetch or the pointer mode can be as easy as performing a capability-based jump (<> in capability pointer mode). diff --git a/src/system.adoc b/src/system.adoc index e56d7019..cb43bf4e 100644 --- a/src/system.adoc +++ b/src/system.adoc @@ -44,7 +44,7 @@ All writes from the system port to the memory must clear any memory tags to foll image::large_cheri_system.drawio.png[width=80%,align=center] In the case of a large CHERI SoC with caches, all the cached memory visible to the CHERI CPUs must support tags. -All memory is backed up by DRAM, and standard DRAM does not offer 129-bit words and so a typical system will have a tag cache IP. +All memory is backed up by DRAM, and standard DRAM does not offer CLEN+1 bit words and so a typical system will have a tag cache IP. A region of DRAM is reserved for CHERI tag storage. diff --git a/src/tables.adoc b/src/tables.adoc index 13868135..b9ef0520 100644 --- a/src/tables.adoc +++ b/src/tables.adoc @@ -99,7 +99,7 @@ written when executing <>, <>, <>, <> or <> regardless of the CHERI execution mode. CLEN bits are always written when using <> regardless of the CHERI execution mode. -NOTE: Implementations which allow misa.C to be writable need to legalise *Xepcc* +NOTE: Implementations which allow misa.C to be writable need to legalize *Xepcc* on _reading_ if the misa.C value has changed since the value was written as this can cause the read value of bit [1] to change state. @@ -136,7 +136,7 @@ include::generated/csr_permission_table_body.adoc[] == Instructions and CHERI Execution Mode xref:cap_mode_insns[xrefstyle=short], xref:legacy_mode_insns[xrefstyle=short] -and xref:both_mode_insns[xrefstyle=short] summarise on which +and xref:both_mode_insns[xrefstyle=short] summarize on which <> each instruction may be executed in. diff --git a/src/tid-ext.adoc b/src/tid-ext.adoc index 5a9980cc..79ce7644 100644 --- a/src/tid-ext.adoc +++ b/src/tid-ext.adoc @@ -77,10 +77,10 @@ include::img/stidreg.edn[] The <> register is a VSLEN-bit read-write register. It is VS-mode's version of supervisor register <> used to identify the current thread in virtual supervisor mode. As other Virtual Supervisor registers -when V=1, <> substitutes for the usual <>, so that +when V=1, <> substitutes for <>, so that instructions that normally read or modify <> actually access <> instead. When V=0, <> does not directly affect the -behaviour of the machine. +behavior of the machine. The reset value of this register is UNSPECIFIED. @@ -128,13 +128,13 @@ include::img/stidcreg.edn[] ==== Virtual Supervisor Thread Identifier Capability (vstidc) The <> register is a CLEN-bit read-write capability register. -It is the capability extension of the <> register used to +It is the capability extension of the <> register used to identify the current thread in virtual supervisor mode. As other Virtual Supervisor registers when V=1, <> substitutes -for the usual <>, so that instructions that normally read or modify +for <>, so that instructions that normally read or modify <> actually access <> instead. When V=0, <> does not directly affect the -behaviour of the machine. +behavior of the machine. On reset the tag of <> will be set to 0 and the remainder of the data is UNSPECIFIED. @@ -229,11 +229,11 @@ overhead of this is not bearable for CHERI systems with many compartments. The RISC-V ABI includes a _thread pointer (tp)_ register, which is not usable for the purpose of reliably identifying the current thread because the tp register is a general purpose register and can be changed arbitrarily -by untrusted code. Therefore, this specification offers three additional CSRs +by untrusted code. Therefore, this specification offers additional CSRs that facilitate a trusted source for the thread ID. All registers are readable from their respective privilege levels and writeable with <>. This extension extends <>, <>, <> and <> to their respective capability variants <>, <>, <> and <>. This presents software with the freedom to still use these registers with capabilities or leave the metadata -untouched and only use the registers to storage integers. +untouched and only use the registers to store integers. diff --git a/src/vector-integration.adoc b/src/vector-integration.adoc index 5988a80d..ef322be9 100644 --- a/src/vector-integration.adoc +++ b/src/vector-integration.adoc @@ -11,7 +11,7 @@ NOTE: A future extension may allow tags to be stored in vector registers. because the vector registers do not hold capabilities, so the tags of any copied capabilities will be set to 0 in the destination memory. -Vector loads and stores all follow the behaviour as described in +Vector loads and stores all follow the behavior as described in xref:section_int_load_store_insns[xrefstyle=short]. The assembly syntax of all vector loads and stores are updated in