From 72924b5d3a7f2403a2c40c22249267ab9bcb7bdc Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 2 Jul 2024 11:32:01 +0200 Subject: [PATCH 1/4] swap sense of M-bit --- src/attributes.adoc | 2 ++ src/cap-description.adoc | 21 ++++++++++----------- src/debug-integration.adoc | 10 +++------- src/riscv-hybrid-integration.adoc | 10 +++++----- 4 files changed, 20 insertions(+), 23 deletions(-) diff --git a/src/attributes.adoc b/src/attributes.adoc index 62063143..e0a5179b 100644 --- a/src/attributes.adoc +++ b/src/attributes.adoc @@ -67,6 +67,8 @@ endif::[] :TAG_RESET_CSR: The tag of the CSR must be reset to zero. The reset values of the metadata and address fields are UNSPECIFIED. :REQUIRE_CRE_CSR: Access to this CSR is illegal if CRE for the current mode is zero (see <>). +:CAP_MODE: 0 +:INT_MODE: 1 /////////////////////////////////////////////////////////////////////////////// // Cap definitions diff --git a/src/cap-description.adoc b/src/cap-description.adoc index d19e2524..cd5b779e 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -167,8 +167,8 @@ Quadrant 1 encodes permissions for executable capabilities and the <>. | 4 | | ✔ | | | | N/A | Data WO | 5 | ✔ | ✔ | | | | N/A | Data RW | 6-7 7+| reserved -8+| *Quadrant 1: Executable capabilities* -8+| bit[0] - <> (1-pass:attributes,quotes[{cheri_cap_mode_name}], 0-pass:attributes,quotes[{cheri_int_mode_name}]) +8+| *Quadrant 1: Executable capabilities{INT_MODE} +8+| bit[0] - <> ({CAP_MODE}-pass:attributes,quotes[{cheri_cap_mode_name}], {INT_MODE}-pass:attributes,quotes[{cheri_int_mode_name}]) | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) | 2-3 | ✔ | | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RW 
@@ -570,16 +570,14 @@ expanded base is 0 and top is 2^MXLEN^. | Reserved | zeros | All reserved fields |============================================================================== -If {cheri_default_ext_name} is supported: - -* For MXLEN=32, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in the AP field -* For MXLEN=64, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in a separate M field +NOTE: <> is not a code capability, and so the CHERI execution mode is not encoded. [#section_infinite_cap] ==== Infinite Capability The <> capability grants all permissions while its bounds also -cover the whole address space. +cover the whole address space. It includes <> and so includes the +<> if {cheri_default_ext_name} is supported. NOTE: The <> capability is also known as 'default', 'almighty', or 'root' capability. @@ -591,7 +589,7 @@ or 'root' capability. | Field | Value | Comment | Tag | one | Capability is valid | SDP | ones | Grants all permissions -| AP (MXLEN=32) | 0x8 (see xref:cap_perms_encoding32[xrefstyle=short]) +| AP (MXLEN=32) | 0x8^1^ (see xref:cap_perms_encoding32[xrefstyle=short]) | Grants all permissions | AP (MXLEN=64) | 0x1F (see xref:cap_perms_encoding64[xrefstyle=short]) | Grants all permissions 
@@ -606,10 +604,11 @@ or 'root' capability. | Reserved | zeros | All reserved fields |============================================================================== -If {cheri_default_ext_name} is supported: +^1^If {cheri_default_ext_name} is supported, then the <> capability must represent +pass:attributes,quotes[{cheri_int_mode_name}] for compatibility with standard RISC-V code. Therefore: -* For MXLEN=32, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in the AP field -* For MXLEN=64, the <> is set to zero (pass:attributes,quotes[{cheri_int_mode_name}]) in a separate M field +* For MXLEN=32, the <> is set to {INT_MODE} in the AP field, giving the value 0x9 +* For MXLEN=64, the <> is set to {INT_MODE} in a separate M field which is _not shown_ in the table above. [#section_cap_representable_check, reftext="Representable Range"] === Representable Range Check diff --git a/src/debug-integration.adoc b/src/debug-integration.adoc index 33e2678a..1e0fe16f 100644 --- a/src/debug-integration.adoc +++ b/src/debug-integration.adoc @@ -176,13 +176,9 @@ include::img/dscratch1creg.edn[] The <> register is a CLEN-bit plus tag bit CSR only accessible in debug mode. -The reset value is the <> capability. - -If {cheri_default_ext_name} (see xref:section-cheri-execution-mode[xrefstyle=short]) is implemented: - -. the core enters pass:attributes,quotes[{cheri_cap_mode_name}] when entering debug mode -.. therefore <>.M is set whenever entering debug mode for any reason. -. the mode can be optionally switched using <>, and the result observed in <>.M. +The reset value is the <> capability with the <> set to {CAP_MODE}, +regardless of whether {cheri_default_ext_name} (see xref:section-cheri-execution-mode[xrefstyle=short]) +is implemented: <> is read/write but with no writeable fields, and so writes are ignored. diff --git a/src/riscv-hybrid-integration.adoc b/src/riscv-hybrid-integration.adoc index 64d8ab54..370a7664 100644 
--- a/src/riscv-hybrid-integration.adoc +++ b/src/riscv-hybrid-integration.adoc @@ -22,7 +22,7 @@ is a new unprivileged register: the default data capability, <>, that is used to authorise all data memory accesses when in pass:attributes,quotes[{cheri_int_mode_name}]. -The current CHERI execution mode is given by the mode (M) field of <> that +The current CHERI execution mode is given by the <> field of <> that is encoded as described in xref:section-cheri-execution-mode[xrefstyle=short]. The CHERI execution mode impacts the instruction set in the following ways: @@ -76,15 +76,15 @@ orthogonal to permissions as it can vary arbitrarily using <>. In both encodings: -* Mode (M)=1 indicates pass:attributes,quotes[{cheri_cap_mode_name}]. -* Mode (M)=0 indicates pass:attributes,quotes[{cheri_int_mode_name}]. +* Mode (M)={CAP_MODE} indicates pass:attributes,quotes[{cheri_cap_mode_name}]. +* Mode (M)={INT_MODE} indicates pass:attributes,quotes[{cheri_int_mode_name}]. The current CHERI execution mode is given by the <> of the <> and the CRE bits in <>, <>, and <> as follows: -* The Mode is pass:attributes,quotes[{cheri_cap_mode_name}] when the <> of the <> is 1, *and* the effective +* The Mode is pass:attributes,quotes[{cheri_cap_mode_name}] when the <> of the <> is {CAP_MODE}, *and* the effective CRE=1 for the current privilege level -* The Mode is pass:attributes,quotes[{cheri_int_mode_name}] when the effective CRE=0 for the current privilege level *or* the <> of the <> is 0 +* The Mode is pass:attributes,quotes[{cheri_int_mode_name}] when the effective CRE=0 for the current privilege level *or* the <> of the <> is {INT_MODE} When the <> can be set follows the rules defined by <>. From fee0a982ee5518de56b36d89799ef1e326a4a347 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 2 Jul 2024 11:38:04 +0200 Subject: [PATCH 2/4] fix typo --- src/cap-description.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/cap-description.adoc b/src/cap-description.adoc index cd5b779e..0d6ece87 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -167,7 +167,7 @@ Quadrant 1 encodes permissions for executable capabilities and the <>. | 4 | | ✔ | | | | N/A | Data WO | 5 | ✔ | ✔ | | | | N/A | Data RW | 6-7 7+| reserved -8+| *Quadrant 1: Executable capabilities{INT_MODE} +8+| *Quadrant 1: Executable capabilities* 8+| bit[0] - <> ({CAP_MODE}-pass:attributes,quotes[{cheri_cap_mode_name}], {INT_MODE}-pass:attributes,quotes[{cheri_int_mode_name}]) | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) | 2-3 | ✔ | | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RO From e344f4791d31b944cfb08846240dad5e4acf1ba2 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 2 Jul 2024 18:32:05 +0200 Subject: [PATCH 3/4] apply Alex's suggestions --- src/attributes.adoc | 4 ++-- src/cap-description.adoc | 9 ++++----- src/debug-integration.adoc | 2 +- src/riscv-hybrid-integration.adoc | 8 ++++---- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/src/attributes.adoc b/src/attributes.adoc index e0a5179b..c7ebf5a4 100644 --- a/src/attributes.adoc +++ b/src/attributes.adoc @@ -67,8 +67,8 @@ endif::[] :TAG_RESET_CSR: The tag of the CSR must be reset to zero. The reset values of the metadata and address fields are UNSPECIFIED. :REQUIRE_CRE_CSR: Access to this CSR is illegal if CRE for the current mode is zero (see <>). -:CAP_MODE: 0 -:INT_MODE: 1 +:CAP_MODE_VALUE: 0 +:INT_MODE_VALUE: 1 /////////////////////////////////////////////////////////////////////////////// // Cap definitions diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 0d6ece87..04b9688b 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc 
@@ -168,7 +168,7 @@ Quadrant 1 encodes permissions for executable capabilities and the <>. | 5 | ✔ | ✔ | | | | N/A | Data RW | 6-7 7+| reserved 8+| *Quadrant 1: Executable capabilities* -8+| bit[0] - <> ({CAP_MODE}-pass:attributes,quotes[{cheri_cap_mode_name}], {INT_MODE}-pass:attributes,quotes[{cheri_int_mode_name}]) +8+| bit[0] - <> ({CAP_MODE_VALUE}-pass:attributes,quotes[{cheri_cap_mode_name}], {INT_MODE_VALUE}-pass:attributes,quotes[{cheri_int_mode_name}]) | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) | 2-3 | ✔ | | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | | Mode^1^ | Execute + Data & Cap RW @@ -559,6 +559,7 @@ expanded base is 0 and top is 2^MXLEN^. | Tag | zero | Capability is not valid | SDP | zeros | Grants no permissions | AP | zeros | Grants no permissions +| M | zero | No meaning since non-executable (MXLEN=64 only) | S | zero | Unsealed | EF | zero | Internal exponent format | L~8~ | zero | Top address reconstruction bit (MXLEN=32 only) @@ -570,8 +571,6 @@ expanded base is 0 and top is 2^MXLEN^. | Reserved | zeros | All reserved fields |============================================================================== -NOTE: <> is not a code capability, and so the CHERI execution mode is not encoded. - [#section_infinite_cap] ==== Infinite Capability 
@@ -607,8 +606,8 @@ or 'root' capability. ^1^If {cheri_default_ext_name} is supported, then the <> capability must represent pass:attributes,quotes[{cheri_int_mode_name}] for compatibility with standard RISC-V code. Therefore: -* For MXLEN=32, the <> is set to {INT_MODE} in the AP field, giving the value 0x9 -* For MXLEN=64, the <> is set to {INT_MODE} in a separate M field which is _not shown_ in the table above. +* For MXLEN=32, the <> is set to {INT_MODE_VALUE} in the AP field, giving the value 0x9 +* For MXLEN=64, the <> is set to {INT_MODE_VALUE} in a separate M field which is _not shown_ in the table above. [#section_cap_representable_check, reftext="Representable Range"] === Representable Range Check diff --git a/src/debug-integration.adoc b/src/debug-integration.adoc index 1e0fe16f..d205cc01 100644 --- a/src/debug-integration.adoc +++ b/src/debug-integration.adoc @@ -176,7 +176,7 @@ include::img/dscratch1creg.edn[] The <> register is a CLEN-bit plus tag bit CSR only accessible in debug mode. -The reset value is the <> capability with the <> set to {CAP_MODE}, +The reset value is the <> capability with the <> set to {CAP_MODE_VALUE}, regardless of whether {cheri_default_ext_name} (see xref:section-cheri-execution-mode[xrefstyle=short]) is implemented: diff --git a/src/riscv-hybrid-integration.adoc b/src/riscv-hybrid-integration.adoc index 370a7664..e4da93c2 100644 --- a/src/riscv-hybrid-integration.adoc +++ b/src/riscv-hybrid-integration.adoc 
@@ -76,15 +76,15 @@ orthogonal to permissions as it can vary arbitrarily using <>. In both encodings: -* Mode (M)={CAP_MODE} indicates pass:attributes,quotes[{cheri_cap_mode_name}]. -* Mode (M)={INT_MODE} indicates pass:attributes,quotes[{cheri_int_mode_name}]. +* Mode (M)={CAP_MODE_VALUE} indicates pass:attributes,quotes[{cheri_cap_mode_name}]. +* Mode (M)={INT_MODE_VALUE} indicates pass:attributes,quotes[{cheri_int_mode_name}]. The current CHERI execution mode is given by the <> of the <> and the CRE bits in <>, <>, and <> as follows: -* The Mode is pass:attributes,quotes[{cheri_cap_mode_name}] when the <> of the <> is {CAP_MODE}, *and* the effective +* The Mode is pass:attributes,quotes[{cheri_cap_mode_name}] when the <> of the <> is {CAP_MODE_VALUE}, *and* the effective CRE=1 for the current privilege level -* The Mode is pass:attributes,quotes[{cheri_int_mode_name}] when the effective CRE=0 for the current privilege level *or* the <> of the <> is {INT_MODE} +* The Mode is pass:attributes,quotes[{cheri_int_mode_name}] when the effective CRE=0 for the current privilege level *or* the <> of the <> is {INT_MODE_VALUE} When the <> can be set follows the rules defined by <>. From 80898af5aa4407b7aec9005520e1f106d33a8e2e Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 3 Jul 2024 09:22:29 +0100 Subject: [PATCH 4/4] Update src/cap-description.adoc Co-authored-by: Alexander Richardson Signed-off-by: Tariq Kurd --- src/cap-description.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 04b9688b..c60bb05d 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc 
@@ -588,7 +588,7 @@ or 'root' capability. | Field | Value | Comment | Tag | one | Capability is valid | SDP | ones | Grants all permissions -| AP (MXLEN=32) | 0x8^1^ (see xref:cap_perms_encoding32[xrefstyle=short]) +| AP (MXLEN=32) | 0x8/0x9^1^ (see xref:cap_perms_encoding32[xrefstyle=short]) | Grants all permissions | AP (MXLEN=64) | 0x1F (see xref:cap_perms_encoding64[xrefstyle=short]) | Grants all permissions
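Review bot: In src/debug-integration.adoc (hunk @@ -176,13 +176,9 of patch 1/4, still visible as context in patch 3/4), the new sentence ends with "is implemented:" but the numbered list that the colon used to introduce has been deleted, so the colon now runs straight into the unrelated paragraph "is read/write but with no writeable fields". End the sentence with a full stop. The deleted list also said that the core enters {cheri_cap_mode_name} on debug entry, that .M "is set" on entry, and that the mode can be switched and the result observed in .M. If that behaviour still holds with the swapped encoding, restate it in terms of {CAP_MODE_VALUE} rather than "set"; if it was dropped on purpose, say so in the commit message, which currently reads only "swap sense of M-bit".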
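Review bot: In src/attributes.adoc (patch 3/4, hunk @@ -67,8 +67,8), ":CAP_MODE_VALUE: 0" and ":INT_MODE_VALUE: 1" sit directly under :REQUIRE_CRE_CSR: with no comment, above the "// Cap definitions" banner. Every statement about the M-bit in cap-description.adoc, debug-integration.adoc and riscv-hybrid-integration.adoc now depends on these two attributes, so add a one-line comment stating that they are the M-bit encodings of the two execution modes, and consider moving them under the cap definitions banner where a reader would look for them.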
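Review bot: In the Quadrant 1 header row of src/cap-description.adoc (patch 3/4, hunk @@ -168,7 +168,7), the bit[0] legend joins each value to its mode name with a hyphen ("{CAP_MODE_VALUE}-...", "{INT_MODE_VALUE}-..."), directly above rows labelled "0-1", "2-3" and "4-5" where the hyphen denotes a range. Since this series inverts the meaning of the bit, the legend is the line readers will check most carefully; use "=" or ":" as the separator so that it cannot be read as a range.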
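Review bot: Patch 3/4 adds an explicit M row to the null capability table in src/cap-description.adoc (hunk @@ -559,6 +559,7), but the infinite capability footnote in hunk @@ -607,8 +606,8 still says the MXLEN=64 M field is "_not shown_ in the table above". The infinite capability is the case where the M value actually matters, so add the matching M row to that table (MXLEN=64 only, {INT_MODE_VALUE} when {cheri_default_ext_name} is supported) and drop the "not shown" wording. The ^1^ marker is also attached only to the AP (MXLEN=32) row, although the footnote's second bullet is about MXLEN=64.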
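Review bot: In the AP (MXLEN=32) row of the infinite capability table (patch 4/4, hunk @@ -588,7 +588,7), the cell "0x8/0x9^1^" does not say which value applies in which configuration, and footnote 1 only derives 0x9 for the case where {cheri_default_ext_name} is supported. Either put the condition in the cell or add a sentence to the footnote stating that 0x8 is the value when {cheri_default_ext_name} is not supported, so the table can be read without inferring the other case.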