diff --git a/cfi_backward.adoc b/cfi_backward.adoc index 1438b32..1d4e0bd 100644 --- a/cfi_backward.adoc +++ b/cfi_backward.adoc @@ -97,7 +97,7 @@ The Zicfiss extension introduces the following instructions: ** `SSRDP` - encoded using `MOP.R.28` * Perform an atomic swap from a shadow stack location (See <>) -** `SSAMOSWAP` +** `SSAMOSWAP.W` and `SSAMOSWAP.D` When a `MOP.RR.7` or `MOP.R.28` encoding is not utilized by the Zicfiss extension, the instruction adheres to its Zimop-defined behavior, unless it is @@ -646,11 +646,6 @@ back_cfi_not_active: [[SSAMOSWAP]] === Atomic Swap from a shadow stack location -The `SSAMOSWAP` instruction performs an atomic swap operation between the `XLEN` -bits of the `src` register and the `XLEN` bits located on the shadow stack at the -address specified in the `addr` register. The resulting value from the swap -operation is then stored into the register specified in the `dst` operand. - [wavedrom, , ] .... {reg: [ @@ -665,18 +660,19 @@ operation is then stored into the register specified in the `dst` operand. ], config:{lanes: 1, hspace:1024}} .... -The `SSAMOSWAP` instruction requires the virtual address in `addr` to have a -shadow stack attribute (see <>). If the virtual address is not XLEN -aligned, then `SSAMOSWAP` causes a store/AMO access-fault exception. If the -memory reference by the `ssp` is not idempotent, then `SSAMOSWAP` causes a -store/AMO access-fault exception. The operation of the `SSAMOSWAP` instructions -is as follows: +For RV32, `SSAMOSWAP.W` atomically loads a 32-bit data value from address of a +shadow stack location in `rs1`, puts the loaded value into register `rd`, and +stores the 32-bit value held in `rs2` to the original address in `rs1`. +`SSAMOSWAP.D` (RV64 only) is similar to `SSAMOSWAP.W` but operates on 64-bit +data values. -.`SSAMOSWAP` operation +.`SSAMOSWAP.W` for RV32 and `SSAMOSWAP.D` (RV64 only) operation [listing] ---- if privilege_mode != M && menvcfg.SSE == 0 raise illegal-instruction exception + if S-mode not implemented + raise illegal-instruction exception else if privilege_mode == U && senvcfg.SSE == 0 raise illegal-instruction exception else if privilege_mode == VS && henvcfg.SSE == 0 @@ -689,19 +685,46 @@ is as follows: endif ---- -Just as for AMOs in the A extension, `SSAMOSWAP` requires that the address -held in `rs1` be naturally aligned to the size of the operand (i.e., 16-byte -aligned for __quadwords__, eight-byte aligned for __doublewords__, and four-byte -aligned for __words__). And the same exception options apply if the address is -not naturally aligned. +For RV64, `SSAMOSWAP.W` atomically loads a 32-bit data value from address of a +shadow stack location in `rs1`, sign-extends the loaded value and puts it in +`rd`, and stores the lower 32 bits of the value held in `rs2` to the original +address in `rs1`. -Just as for AMOs in the A extension, the `SSAMOSWAP` optionally provides release -consistency semantics, using the `aq` and `rl` bits, to help implement -multiprocessor synchronization. The memory operation performed by an -`SSAMOSWAP`, has acquire semantics if `aq=1` and has release semantics if `rl=1`. +.`SSAMOSWAP.W` for RV64 +[listing] +---- + if privilege_mode != M && menvcfg.SSE == 0 + raise illegal-instruction exception + if S-mode not implemented + raise illegal-instruction exception + else if privilege_mode == U && senvcfg.SSE == 0 + raise illegal-instruction exception + else if privilege_mode == VS && henvcfg.SSE == 0 + raise virtual instruction exception + else if privilege_mode == VU && senvcfg.SSE == 0 + raise virtual instruction exception + else + temp[31:0] = mem[X(rs1)] + X(rd) = SignExtend(temp[31:0]) + mem[X(rs1)] = X(rs2)[31:0] + endif +---- <<< +If the memory referenced by `rs1` is not idempotent, then `SSAMOSWAP.W/D` +causes a store/AMO access-fault exception. + +Just as for AMOs in the A extension, `SSAMOSWAP.W/D` requires that the address +held in `rs1` be naturally aligned to the size of the operand (i.e., eight-byte +aligned for __doublewords__, and four-byte aligned for __words__). The same +exception options apply if the address is not naturally aligned. + +Just as for AMOs in the A extension, `SSAMOSWAP.W/D` optionally provides +release consistency semantics, using the `aq` and `rl` bits, to help implement +multiprocessor synchronization. An `SSAMOSWAP.W/D` operation has acquire +semantics if `aq=1` and release semantics if `rl=1`. + [NOTE] ==== Stack switching is a common operation in user programs as well as supervisor @@ -725,14 +748,14 @@ follows: # a0 hold pointer to top of new shadow stack to switch to stack_switch: ssrdp ra - beqz ra, 2f # skip if Zicfiss not active - ssamoswap ra, x0, (a0) # ra=*[a0] and *[a0]=0 - beq ra, a0, 1f # [a0] must be == [ra] - unimp # else crash -1: addi ra, ra, XLEN/8 # pop the checkpoint - csrrw ra, ssp, ra # swap ssp: ra=ssp, ssp=ra - addi ra, ra, -(XLEN/8) # checkpoint = "old ssp - XLEN/8" - ssamoswap x0, ra, (ra) # Save checkpoint at "old ssp - XLEN/8" + beqz ra, 2f # skip if Zicfiss not active + ssamoswap.d ra, x0, (a0) # ra=*[a0] and *[a0]=0 + beq ra, a0, 1f # [a0] must be == [ra] + unimp # else crash +1: addi ra, ra, XLEN/8 # pop the checkpoint + csrrw ra, ssp, ra # swap ssp: ra=ssp, ssp=ra + addi ra, ra, -(XLEN/8) # checkpoint = "old ssp - XLEN/8" + ssamoswap.d x0, ra, (ra) # Save checkpoint at "old ssp - XLEN/8" 2: ---- @@ -746,10 +769,10 @@ restore it prior to returning from the trap. When a new shadow stack is created by the supervisor, it needs to store a checkpoint at the highest address on that stack. This enables the shadow stack -pointer to be switched using the process outlined in this note. The `SSAMOSWAP` -instruction can be used to store this checkpoint. When the old value at the -memory location operated on by `SSAMOSWAP` is not required, `rd` can be set to -`x0`. +pointer to be switched using the process outlined in this note. The +`SSAMOSWAP.W/D` instruction can be used to store this checkpoint. When the old +value at the memory location operated on by `SSAMOSWAP.W/D` is not required, +`rd` can be set to `x0`. ==== <<< @@ -766,15 +789,15 @@ encoding `R=0`, `W=1`, and `X=0`, is defined to represent an SS page. When If `satp.MODE` (or `vsatp.MODE` when `V=1`) is set to `Bare` and the effective privilege mode is below M, shadow stack memory accesses are prohibited, and shadow stack instructions will raise a store/AMO access-fault exception. At -privilege mode M, any memory access by an `SSAMOSWAP` instruction will result in -a store/AMO access-fault exception. +effective privilege mode M, any memory access by an `SSAMOSWAP.W/D` instruction +will result in a store/AMO access-fault exception. Memory mapped as an SS page cannot be written to by instructions other than -`SSAMOSWAP`, `SSPUSH`, and `C.SSPUSH`. Attempts will raise a store/AMO page-fault -exception. Implicit accesses, including instruction fetches to an SS page, are -not permitted. Such accesses will raise an access-fault exception appropriate -to the access type. However, the shadow stack is readable by all instructions -that only load from memory. +`SSAMOSWAP.W/D`, `SSPUSH`, and `C.SSPUSH`. Attempts will raise a store/AMO +page-fault exception. Implicit accesses, including instruction fetches to an SS +page, are not permitted. Such accesses will raise an access-fault exception +appropriate to the access type. However, the shadow stack is readable by all +instructions that only load from memory. [NOTE] ==== @@ -808,6 +831,8 @@ of implicit access subjected to single- or VS-stage address translation. The access type is classified as a store/AMO in the event of an access-fault, page-fault, or guest-page fault exception triggered by shadow stack instructions. +<<< + Shadow stack instructions are restricted to accessing shadow stack (`pte.xwr=010b`) pages. Should a shadow stack instruction access a page that is not designated as a shadow stack page and is not marked as read-only diff --git a/cfi_forward.adoc b/cfi_forward.adoc index c6c00e2..a432e5e 100644 --- a/cfi_forward.adoc +++ b/cfi_forward.adoc @@ -355,6 +355,8 @@ fields that hold the previous `ELP`, and are updated as specified in ], config:{lanes: 4, hspace:1024}} .... +<<< + Access to the `SPELP` field introduced by Zicfilp accesses the homonymous fields of `mstatus` when `V=0` and the homonymous fields of `vsstatus` when `V=1`. @@ -421,6 +423,8 @@ apply to M-mode. state remains `NO_LP_EXPECTED`. * The `LPAD` instruction operates as a no-op. +<<< + ==== Debug Control and Status (`dcsr`) .Debug Control and Status (`dcsr`) @@ -494,6 +498,8 @@ but without forward-edge CFI protection, when the Zicfilp extension is not implemented or is not enabled. ==== +<<< + [[LP_INST]] === Landing pad instruction