From 8a389e5a4eb966759addf2911a9fb83ed681959b Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Thu, 17 Oct 2024 14:17:55 +0200 Subject: [PATCH 01/20] apply rules in order --- src/insns/acperm_32bit.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index b2e7a98b..07714f04 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -40,6 +40,8 @@ These cases are defined to return useful minimal sets of permissions, which may + NOTE: Future extensions may allow more combinations of permissions, especially for MXLEN=64. +All rules are applied in the order shown on this page. + The common rules are: . <> cannot be set without <> being set From 583b476cec68f953db6dc74a9177d70495ee8b78 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 15:16:20 +0100 Subject: [PATCH 02/20] overhaul of ACPERM rules --- src/insns/acperm_32bit.adoc | 77 +++++++++++++++++++++---------------- 1 file changed, 43 insertions(+), 34 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 07714f04..ae671eee 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc 
@@ -29,43 +29,52 @@ ACPERM performs the following operations: format shown in xref:acperm_bit_field[xrefstyle=short]. . Calculate the bitwise AND of the bit field with the mask `rs2`. . If the AP and <> field in `cs1` could not have been produced by <> then -clear all AP permissions and the <>, and skip the next step +clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next step. +.. If {cheri_levels_ext_name} is implemented then also set <> to 0 (_local_). . Clear AP permissions as required to meet the rules below. -. Encode the AP permissions for MXLEN=32 according to <>. +. Encode the AP permissions for RV32 according to <>. . Copy `cs1` to `cd`, and update the AP and SDP fields with the newly calculated versions. . Set `cd.tag=0` if `cs1` is sealed or if any reserved fields of `cs1` are set. -+ -Some combinations of permissions cannot be encoded for MXLEN=32, and are not useful when MXLEN=64. -These cases are defined to return useful minimal sets of permissions, which may be no permissions. -+ -NOTE: Future extensions may allow more combinations of permissions, especially for MXLEN=64. - -All rules are applied in the order shown on this page. - -The common rules are: - -. <> cannot be set without <> being set -.. Clear <> unless <> is set -. <> cannot be set without at least one of <> or <> being set. -.. Clear <> unless <> or <> are set. -. <> cannot be set without <> being set -.. Clear <> unless <> is set -. <> cannot be set without <> being set -.. Clear <> unless <> is set. -. <> cannot be set without <> being set -.. Zero <> unless <> is set. -. <> cannot be set without <> being set -.. Zero <> unless <> is set. - -NOTE: The combination of <> clear and <> set is reserved for future extensions. - -The MXLEN=32 additional rules are: - -. Clear <> unless _all_ other permissions are set -. Clear <> and <> if <> is not set -. Clear <> if <> _is_ set, but <> _is not_ set. -. Clear <> if <> and <> are set, and <> and <> are both clear. -. 
If removing <> results in unrepresentable permissions, then set <> and <> only. + +The rules from <> must be followed When removing permissions. + +[#acperm_rules] +.ACPERM common rules +[%autowidth,float="center",align="center",cols="2,3,3",options="header"] +|=== +| Rule | Permission | Only valid if +| 1 | <> | <> or <> +3+| See <> for rules 2-5 (RV32 only) +| 6 | <> | <> and <> +| 7 | <> | <> and <> +| 8 | <> | <> and <> +| 9 | <> | <> +| 10 | <> | <> +3+| See <> for rule 12 (RV32 only) +|=== + +The behaviour of currently illegal combinations from <> is to clear the permission if invalid (or in the case of <> set it to 0 (_local_)). + +* For RV64 all such combinations may be redefined by future extensions. +* For RV32 none of these combinations are possible. + +RV32 needs additional rules as some combinations which are legal on RV64 are not possible on RV32. +These rules are specifically to meet the encoding requirements for <>, or +<> if <> is implemented. + +[#acperm_rules_rv32] +.ACPERM RV32 additional rules +[%autowidth,float="center",align="center",cols="2,2,3",options="header"] +|=== +| Rule | Permission | Only valid if +| 2 | <> | <> +| 3 | <> | <> +| 4 | <> | not(<>) or (<> and not(<>)) +| 5 | <> | <> or (<> and <> and <>) +| 11 | <> | All other permissions are set. +|=== + +In all cases invalid permissions from <> are cleared. .Capability permissions bit field [#acperm_bit_field] From 428609398bc1b107a8c7a64f567cbc916c2a9627 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 15:20:24 +0100 Subject: [PATCH 03/20] fix xref --- src/insns/acperm_32bit.adoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index ae671eee..40a75043 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc 
@@ -30,7 +30,7 @@ format shown in xref:acperm_bit_field[xrefstyle=short]. . Calculate the bitwise AND of the bit field with the mask `rs2`. . If the AP and <> field in `cs1` could not have been produced by <> then clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next step. -.. If {cheri_levels_ext_name} is implemented then also set <> to 0 (_local_). +.. If <> is implemented then also set <> to 0 (_local_). . Clear AP permissions as required to meet the rules below. . Encode the AP permissions for RV32 according to <>. . Copy `cs1` to `cd`, and update the AP and SDP fields with the newly calculated versions. @@ -42,14 +42,14 @@ The rules from <> must be followed When removing permissions. .ACPERM common rules [%autowidth,float="center",align="center",cols="2,3,3",options="header"] |=== -| Rule | Permission | Only valid if -| 1 | <> | <> or <> +| Rule | Permission | Only valid if +| 1 | <> | <> or <> 3+| See <> for rules 2-5 (RV32 only) -| 6 | <> | <> and <> -| 7 | <> | <> and <> -| 8 | <> | <> and <> -| 9 | <> | <> -| 10 | <> | <> +| 6 | <> | <> and <> +| 7 | <> | <> and <> +| 8 | <> | <> and <> +| 9 | <> | <> +| 10 | <> | <> 3+| See <> for rule 12 (RV32 only) |=== From 82697c38910530036580a2fd9edadbb6cadaa1fc Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 15:34:58 +0100 Subject: [PATCH 04/20] split rules --- src/insns/acperm_32bit.adoc | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 40a75043..85994271 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc 
@@ -45,11 +45,11 @@ The rules from <> must be followed When removing permissions. | Rule | Permission | Only valid if | 1 | <> | <> or <> 3+| See <> for rules 2-5 (RV32 only) -| 6 | <> | <> and <> -| 7 | <> | <> and <> -| 8 | <> | <> and <> -| 9 | <> | <> -| 10 | <> | <> +| 7 | <> | <> and <> +| 8 | <> | <> and <> +| 9 | <> | <> and <> +| 10 | <> | <> +| 11 | <> | <> 3+| See <> for rule 12 (RV32 only) |=== @@ -70,8 +70,9 @@ These rules are specifically to meet the encoding requirements for <> | <> | 3 | <> | <> | 4 | <> | not(<>) or (<> and not(<>)) -| 5 | <> | <> or (<> and <> and <>) -| 11 | <> | All other permissions are set. +| 5 | <> | <> or <> +| 6 | <> | <> == <> == <> +| 12 | <> | All other permissions are set. |=== In all cases invalid permissions from <> are cleared. From 00bd30483719ff405cad0b17bc04a94e23ed7ec4 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 16:33:55 +0100 Subject: [PATCH 05/20] Update src/insns/acperm_32bit.adoc Co-authored-by: Alexander Richardson Signed-off-by: Tariq Kurd --- src/insns/acperm_32bit.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 85994271..7029997a 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -36,7 +36,7 @@ clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next s . Copy `cs1` to `cd`, and update the AP and SDP fields with the newly calculated versions. . Set `cd.tag=0` if `cs1` is sealed or if any reserved fields of `cs1` are set. -The rules from <> must be followed When removing permissions. +The rules from <> must be followed when removing permissions. [#acperm_rules] .ACPERM common rules From 7c3e72acee355a678aafba1b2a357f2dacca86cd Mon Sep 17 00:00:00 2001 
From: Tariq Kurd Date: Tue, 29 Oct 2024 16:53:07 +0100 Subject: [PATCH 06/20] reformat into 1 table --- src/insns/acperm_32bit.adoc | 46 +++++++++++++------------------------ 1 file changed, 16 insertions(+), 30 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 7029997a..115284b9 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc 
@@ -40,42 +40,28 @@ The rules from <> must be followed when removing permissions. [#acperm_rules] .ACPERM common rules -[%autowidth,float="center",align="center",cols="2,3,3",options="header"] +[%autowidth,float="center",align="center",cols="3,3,3",options="header"] |=== -| Rule | Permission | Only valid if -| 1 | <> | <> or <> -3+| See <> for rules 2-5 (RV32 only) -| 7 | <> | <> and <> -| 8 | <> | <> and <> -| 9 | <> | <> and <> -| 10 | <> | <> -| 11 | <> | <> -3+| See <> for rule 12 (RV32 only) +| Rule | Permission | Only valid if +| 1 (RV32 only) | <> | All other permissions are set. +| 2 | <> | <> or <> +| 3 (RV32 only) | <> | <> +| 4 (RV32 only) | <> | <> +| 5 (RV32 only) | <> | not(<>) or (<> and not(<>)) +| 6 (RV32 only) | <> | <> or <> +| 7 (RV32 only) | <> | <> == <> == <> +| 8 | <> | <> and <> +| 9 | <> | <> and <> +| 10 | <> | <> and <> +| 11 | <> | <> +| 12 | <> | <> |=== The behaviour of currently illegal combinations from <> is to clear the permission if invalid (or in the case of <> set it to 0 (_local_)). * For RV64 all such combinations may be redefined by future extensions. -* For RV32 none of these combinations are possible. - -RV32 needs additional rules as some combinations which are legal on RV64 are not possible on RV32. -These rules are specifically to meet the encoding requirements for <>, or -<> if <> is implemented. - -[#acperm_rules_rv32] -.ACPERM RV32 additional rules -[%autowidth,float="center",align="center",cols="2,2,3",options="header"] -|=== -| Rule | Permission | Only valid if -| 2 | <> | <> -| 3 | <> | <> -| 4 | <> | not(<>) or (<> and not(<>)) -| 5 | <> | <> or <> -| 6 | <> | <> == <> == <> -| 12 | <> | All other permissions are set. -|=== - -In all cases invalid permissions from <> are cleared. +* For the RV32 only rules none of these combinations are possible to meet the encoding requirements for <>, or +<> if <> is implemented. In all cases invalid permissions are cleared. .Capability permissions bit field [#acperm_bit_field] 
From 6cf17b281f44ef0a5cdbcd6e1203b3a0d8eba6b9 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 16:59:14 +0100 Subject: [PATCH 07/20] correct SL -> CL --- src/insns/acperm_32bit.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 115284b9..599b0365 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -30,7 +30,7 @@ format shown in xref:acperm_bit_field[xrefstyle=short]. . Calculate the bitwise AND of the bit field with the mask `rs2`. . If the AP and <> field in `cs1` could not have been produced by <> then clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next step. -.. If <> is implemented then also set <> to 0 (_local_). +.. If <> is implemented then also set <> to 0 (_local_). . Clear AP permissions as required to meet the rules below. . Encode the AP permissions for RV32 according to <>. . Copy `cs1` to `cd`, and update the AP and SDP fields with the newly calculated versions. From 02af1396fa92ca93d882ee5455dc260fe22f3f56 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 19:06:00 +0100 Subject: [PATCH 08/20] fix Lawrence feedback --- src/insns/acperm_32bit.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 599b0365..5737a78a 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -47,12 +47,12 @@ The rules from <> must be followed when removing permissions. | 2 | <> | <> or <> | 3 (RV32 only) | <> | <> | 4 (RV32 only) | <> | <> -| 5 (RV32 only) | <> | not(<>) or (<> and not(<>)) +| 5 (RV32 only) | <> | not(<>) or <> | 6 (RV32 only) | <> | <> or <> -| 7 (RV32 only) | <> | <> == <> == <> -| 8 | <> | <> and <> -| 9 | <> | <> and <> -| 10 | <> | <> and <> +| 7 | <> | <> and <> +| 8 | <> | <> and <> +| 9 (RV32 only) | <> | <> == <> == <> +| 10 | <> | <> and <> | 11 | <> | <> | 12 | <> | <> |=== 
From 54da195d657b1831bc92e1d433e18fa461b2e23d Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 19:08:33 +0100 Subject: [PATCH 09/20] make SL depend on C only --- src/insns/acperm_32bit.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 5737a78a..41d39c30 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -52,7 +52,7 @@ The rules from <> must be followed when removing permissions. | 7 | <> | <> and <> | 8 | <> | <> and <> | 9 (RV32 only) | <> | <> == <> == <> -| 10 | <> | <> and <> +| 10 | <> | <> | 11 | <> | <> | 12 | <> | <> |=== From fdaae709d79eab024f706546f6e1dbea11a55e76 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 20:19:48 +0100 Subject: [PATCH 10/20] remove clearing of CL --- src/insns/acperm_32bit.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 41d39c30..f2baab25 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -30,7 +30,6 @@ format shown in xref:acperm_bit_field[xrefstyle=short]. . Calculate the bitwise AND of the bit field with the mask `rs2`. . If the AP and <> field in `cs1` could not have been produced by <> then clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next step. -.. If <> is implemented then also set <> to 0 (_local_). . Clear AP permissions as required to meet the rules below. . Encode the AP permissions for RV32 according to <>. . Copy `cs1` to `cd`, and update the AP and SDP fields with the newly calculated versions. From 2c940c503556afb5c7d162a525c2cb40ff7ebaee Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Thu, 31 Oct 2024 12:03:13 +0100 Subject: [PATCH 11/20] Apply suggestions from code review clarify confusing text Signed-off-by: Tariq Kurd --- src/insns/acperm_32bit.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index f2baab25..2f9cad76 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -59,8 +59,8 @@ The rules from <> must be followed when removing permissions. The behaviour of currently illegal combinations from <> is to clear the permission if invalid (or in the case of <> set it to 0 (_local_)). * For RV64 all such combinations may be redefined by future extensions. -* For the RV32 only rules none of these combinations are possible to meet the encoding requirements for <>, or -<> if <> is implemented. In all cases invalid permissions are cleared. +* The RV32 only rules are added because they remove combinations which do not meet the encoding requirements for <>, or +<> if <> is implemented. .Capability permissions bit field [#acperm_bit_field] From b950a5d47429d48858d3aabc9a72ff489ec47f26 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Thu, 31 Oct 2024 18:15:01 +0100 Subject: [PATCH 12/20] fix removing SL from quadrant 1 --- src/insns/acperm_32bit.adoc | 2 +- src/level-ext.adoc | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 2f9cad76..a1f602e7 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -50,7 +50,7 @@ The rules from <> must be followed when removing permissions. | 6 (RV32 only) | <> | <> or <> | 7 | <> | <> and <> | 8 | <> | <> and <> -| 9 (RV32 only) | <> | <> == <> == <> +| 9 (RV32 only) | <> | (<> == <> == <>) and (<> == ∞) | 10 | <> | <> | 11 | <> | <> | 12 | <> | <> diff --git a/src/level-ext.adoc b/src/level-ext.adoc index f100ca96..aabfef72 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc 
@@ -74,14 +74,14 @@ endif::[] 11+| bit[0] - <> ({CAP_MODE_VALUE}-{cheri_cap_mode_name}, {INT_MODE_VALUE}-{cheri_int_mode_name}) |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) -| 2-3 | ✔ | | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RO +| 2-3 | ✔ | | ✔ | ✔ | ✔ | ∞^1^| ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RW -| 6-7 | ✔ | ✔ | | | | N/A | ✔ | | Mode^1^ | Execute + Data RW +| 6-7 | ✔ | ✔ | | | | ∞^1^| ✔ | | Mode^1^ | Execute + Data RW 11+| *Quadrant 2: Restricted capability data read/write* 11+| bit[2] = write, bit[1:0] = store level. R and C implicitly granted, LM dependent on W permission. |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-2 10+| reserved -| 3 | ✔ | | ✔ | | | N/A | | | N/A | Data & Cap R0 (without <>) +| 3 | ✔ | | ✔ | | | ∞^1^ | | | N/A | Data & Cap R0 (without <>) | 4 | ✔ | ✔ | ✔ | ✔ | | _(3)_ | | | N/A | Reserved for `LVLBITS=2` | 5 | ✔ | ✔ | ✔ | ✔ | | _(2)_ | | | N/A | Reserved for `LVLBITS=2` | 6 | ✔ | ✔ | ✔ | ✔ | | 1 | | | N/A | Data & Cap RW (with store _local_, no <>) 
@@ -91,13 +91,15 @@ endif::[] 11+| _Reserved bits for future extensions must be 1 so they are implicitly granted_ |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-2 10+| reserved -| 3 | ✔ | | ✔ | ✔ | ✔ | N/A | | | N/A | Data & Cap R0 +| 3 | ✔ | | ✔ | ✔ | ✔ | ∞^1^ | | | N/A | Data & Cap R0 | 4 | ✔ | ✔ | ✔ | ✔ | ✔ | _(3)_ | | | N/A | Reserved for `LVLBITS=2` | 5 | ✔ | ✔ | ✔ | ✔ | ✔ | _(2)_ | | | N/A | Reserved for `LVLBITS=2` | 6 | ✔ | ✔ | ✔ | ✔ | ✔ | 1 | | | N/A | Data & Cap RW (with store _local_) | 7 | ✔ | ✔ | ✔ | ✔ | ✔ | 0 | | | N/A | Data & Cap RW (no store _local_) |============================================================================== +^1^ SL isn't applicable in these cases, but is specified as ∞ to help the definition of <> + [#section_cap_level_change] === Changing capability levels and permissions While capability levels (<>) are conceptually a label on the capability rather than a permission granted by the capability, they are adjusted using the <> instruction. From 02148bdc2a33d145e36f86c901760d7230fc0392 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Thu, 31 Oct 2024 18:28:57 +0100 Subject: [PATCH 13/20] fix table formatting --- src/insns/acperm_32bit.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index a1f602e7..dbb3f575 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -39,7 +39,7 @@ The rules from <> must be followed when removing permissions. [#acperm_rules] .ACPERM common rules -[%autowidth,float="center",align="center",cols="3,3,3",options="header"] +[float="center",align="center",cols="2,2,3",options="header"] |=== | Rule | Permission | Only valid if | 1 (RV32 only) | <> | All other permissions are set. From 28a9a6ded0c5ea8f7a40519a7016eb32fa6261f1 Mon Sep 17 00:00:00 2001 
From: Tariq Kurd Date: Fri, 1 Nov 2024 19:20:37 +0100 Subject: [PATCH 14/20] add note about CL changing on sealed caps --- src/cap-description.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 6bfef8dd..bb57434f 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -308,6 +308,8 @@ around. The only way of clearing the type bit of a capability is by rebuilding it via a superset capability with <>. {cheri_base_ext_name} does not offer an unseal instruction. +NOTE: The <> field can be reduced even if the capability is sealed, see <>. + For code capabilities, the sealing bit is used to implement immutable capabilities that describe function entry points, known as sealed entry (sentry) capabilities. Such capabilities can be leveraged to establish a form of control-flow integrity between mutually distrusting code. A program may jump to a From 354e91306b57b29a7f70bda1cc78d323bbda01ed Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 1 Nov 2024 19:24:01 +0100 Subject: [PATCH 15/20] remove duplicate word --- src/cap-description.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index bb57434f..4392828b 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -30,7 +30,7 @@ specifications must provide key primitives, such as permissions and bounds, from this specification while using a different encoding that, for example, changes the granularity of bounds or adds new features. For simplicity of expression, the text is written as if this was the only possible capability -encoding possible for CHERI RISC-V. +encoding for CHERI RISC-V. [#section_cap_encoding] === Capability Encoding From 5ef0606bf0ebe309eb0fe8071eb41bc0169aa2b6 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 4 Nov 2024 09:57:01 +0000 Subject: [PATCH 16/20] Update src/level-ext.adoc Co-authored-by: Alexander Richardson 
Signed-off-by: Tariq Kurd --- src/level-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/level-ext.adoc b/src/level-ext.adoc index aabfef72..82e97d2c 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -81,7 +81,7 @@ endif::[] 11+| bit[2] = write, bit[1:0] = store level. R and C implicitly granted, LM dependent on W permission. |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-2 10+| reserved -| 3 | ✔ | | ✔ | | | ∞^1^ | | | N/A | Data & Cap R0 (without <>) +| 3 | ✔ | | ✔ | | | 0^1^ | | | N/A | Data & Cap R0 (without <>) | 4 | ✔ | ✔ | ✔ | ✔ | | _(3)_ | | | N/A | Reserved for `LVLBITS=2` | 5 | ✔ | ✔ | ✔ | ✔ | | _(2)_ | | | N/A | Reserved for `LVLBITS=2` | 6 | ✔ | ✔ | ✔ | ✔ | | 1 | | | N/A | Data & Cap RW (with store _local_, no <>) From b8680f8a540899fdef20ef8e748f2426db658c40 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 4 Nov 2024 09:57:33 +0000 Subject: [PATCH 17/20] Update src/insns/acperm_32bit.adoc Co-authored-by: Alexander Richardson Signed-off-by: Tariq Kurd --- src/insns/acperm_32bit.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index dbb3f575..47810ae2 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -34,7 +34,11 @@ clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next s . Encode the AP permissions for RV32 according to <>. . Copy `cs1` to `cd`, and update the AP and SDP fields with the newly calculated versions. . Set `cd.tag=0` if `cs1` is sealed or if any reserved fields of `cs1` are set. - ++ +Some combinations of permissions cannot be encoded for MXLEN=32, and are not useful when MXLEN=64. +These cases are defined to return useful minimal sets of permissions, which may be no permissions. ++ +NOTE: Future extensions may allow more combinations of permissions, especially for MXLEN=64. The rules from <> must be followed when removing permissions. [#acperm_rules] 
From 9b684d259985e4ff6858b42def40cd03d5739439 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 4 Nov 2024 09:57:59 +0000 Subject: [PATCH 18/20] Update src/level-ext.adoc Co-authored-by: Alexander Richardson Signed-off-by: Tariq Kurd --- src/level-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/level-ext.adoc b/src/level-ext.adoc index 82e97d2c..829eb74f 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -91,7 +91,7 @@ endif::[] 11+| _Reserved bits for future extensions must be 1 so they are implicitly granted_ |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-2 10+| reserved -| 3 | ✔ | | ✔ | ✔ | ✔ | ∞^1^ | | | N/A | Data & Cap R0 +| 3 | ✔ | | ✔ | ✔ | ✔ | 0^1^ | | | N/A | Data & Cap R0 | 4 | ✔ | ✔ | ✔ | ✔ | ✔ | _(3)_ | | | N/A | Reserved for `LVLBITS=2` | 5 | ✔ | ✔ | ✔ | ✔ | ✔ | _(2)_ | | | N/A | Reserved for `LVLBITS=2` | 6 | ✔ | ✔ | ✔ | ✔ | ✔ | 1 | | | N/A | Data & Cap RW (with store _local_) From 49d85cac7393108f0b61aa93cd3657355f2ec31c Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 4 Nov 2024 09:58:15 +0000 Subject: [PATCH 19/20] Update src/level-ext.adoc Co-authored-by: Alexander Richardson Signed-off-by: Tariq Kurd --- src/level-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/level-ext.adoc b/src/level-ext.adoc index 829eb74f..9b3a8c2a 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -98,7 +98,7 @@ endif::[] | 7 | ✔ | ✔ | ✔ | ✔ | ✔ | 0 | | | N/A | Data & Cap RW (no store _local_) |============================================================================== -^1^ SL isn't applicable in these cases, but is specified as ∞ to help the definition of <> +^1^ SL isn't applicable in these cases, but reports this value in <> to simplify the rules followed by <> [#section_cap_level_change] === Changing capability levels and permissions From 8b6c370476ebc4a937f27d85c65f8e37ba382b51 Mon Sep 17 00:00:00 2001 
From: Tariq Kurd Date: Mon, 4 Nov 2024 13:56:10 +0100 Subject: [PATCH 20/20] swap rules 9 and 10, update (former) rules 9, and change quadrant 1 6-7 value of SL to match the rules --- src/insns/acperm_32bit.adoc | 9 ++++++--- src/level-ext.adoc | 4 ++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/src/insns/acperm_32bit.adoc b/src/insns/acperm_32bit.adoc index 47810ae2..c2cfdc88 100644 --- a/src/insns/acperm_32bit.adoc +++ b/src/insns/acperm_32bit.adoc @@ -43,7 +43,7 @@ The rules from <> must be followed when removing permissions. [#acperm_rules] .ACPERM common rules -[float="center",align="center",cols="2,2,3",options="header"] +[float="center",align="center",cols="2,2,4",options="header"] |=== | Rule | Permission | Only valid if | 1 (RV32 only) | <> | All other permissions are set. @@ -54,12 +54,15 @@ The rules from <> must be followed when removing permissions. | 6 (RV32 only) | <> | <> or <> | 7 | <> | <> and <> | 8 | <> | <> and <> -| 9 (RV32 only) | <> | (<> == <> == <>) and (<> == ∞) -| 10 | <> | <> +| 9 | <> | <> +| 10 (RV32 only) | <> | (<> and <> and <> and (<> == ∞)) or + + (not(<> and not(<>) and not(<>) and (<>==0)))^1^ | 11 | <> | <> | 12 | <> | <> |=== +^1^ All the listed permissions in the set are either minimum or maximum. + The behaviour of currently illegal combinations from <> is to clear the permission if invalid (or in the case of <> set it to 0 (_local_)). * For RV64 all such combinations may be redefined by future extensions. diff --git a/src/level-ext.adoc b/src/level-ext.adoc index 9b3a8c2a..c8164b60 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc 
@@ -76,7 +76,7 @@ endif::[] | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) | 2-3 | ✔ | | ✔ | ✔ | ✔ | ∞^1^| ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RW -| 6-7 | ✔ | ✔ | | | | ∞^1^| ✔ | | Mode^1^ | Execute + Data RW +| 6-7 | ✔ | ✔ | | | | 0^1^| ✔ | | Mode^1^ | Execute + Data RW 11+| *Quadrant 2: Restricted capability data read/write* 11+| bit[2] = write, bit[1:0] = store level. R and C implicitly granted, LM dependent on W permission. |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | @@ -98,7 +98,7 @@ endif::[] | 7 | ✔ | ✔ | ✔ | ✔ | ✔ | 0 | | | N/A | Data & Cap RW (no store _local_) |============================================================================== -^1^ SL isn't applicable in these cases, but reports this value in <> to simplify the rules followed by <> +^1^ SL isn't applicable in these cases, but this value is reported by <> to simplify the rules followed by <> [#section_cap_level_change] === Changing capability levels and permissions
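Review bot: In the acperm_32bit.adoc hunk of PATCH 02/20 the rewritten step 3 ("clear all AP permissions, and the <> to {CAP_MODE_VALUE}. Skip the next step.") has lost its verb: the field is now being set to {CAP_MODE_VALUE}, not cleared, so it should read `clear all AP permissions, set the <> to {CAP_MODE_VALUE}, and skip the next step`. The same hunk removes the sentence added in PATCH 01/20 ("All rules are applied in the order shown on this page.") without a replacement, yet the new tables still contain rules whose outcome depends on the other rules having already run (the RV32-only rule conditioned on "All other permissions are set."); either keep the ordering statement or state that the rules are re-applied until no permission changes. Finally, the spanning rows in the common table point at "rules 2-5" and "rule 12" in the RV32 table, but that table lists rules 2, 3, 4, 5 and 11, so one of the two numberings is off by one.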
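Review bot: In PATCH 04/20 the RV32 table gains rule 6 (`<> == <> == <>`) and the common rules are renumbered 7-11, but the spanning row in the common table still says "See <> for rules 2-5 (RV32 only)", so the new rule 6 is never referenced from the common table. Either change the text to "rules 2-6" or merge the two tables as PATCH 06/20 later does; in the latter case squash 04 into 06 so that no intermediate commit carries a dangling cross-reference.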
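Review bot: PATCH 10/20 deletes the step that sets <> to 0 (_local_) when the AP field "could not have been produced by <>", but the paragraph below the rules table (visible as context in PATCH 11/20 and PATCH 20/20) still says that for illegal combinations <> is "set to 0 (_local_)". If the intent is that only the rule-based clearing touches <> and the could-not-have-been-produced path leaves it untouched, say so explicitly in the step list; as it stands the two statements read as contradicting each other. The commit message ("remove clearing of CL") also gives no reason for the change, which a later reader of this history will want.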
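Review bot: In the first level-ext.adoc hunk of PATCH 12/20 the quadrant 2 row 3 description is "Data & Cap R0 (without <>)" with a zero, whereas the quadrant 1 rows spell the same idea "Data & Cap RO"; since the line is being rewritten anyway (N/A to ∞^1^), fix it to "RO". The quadrant 3 row 3 line touched by the next hunk has the same typo.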
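Review bot: The footnote added in the second level-ext.adoc hunk of PATCH 12/20 ("^1^ SL isn't applicable in these cases, but is specified as ∞ ...") reuses the superscript ^1^ that the same table's header already uses for "Mode^1^", so a reader cannot tell which note a ^1^ belongs to; give the SL note its own marker (for example ^2^) both in the footnote and in the ∞^1^ cells it annotates. Separately, PATCH 16/20 and PATCH 18/20 change two of those cells from ∞ to 0 while this footnote still says "specified as ∞" until PATCH 19/20 rewrites it, so 12, 16, 18 and 19 are best squashed so that the cells and the footnote agree at every point in the history.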
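Review bot: The NOTE added in PATCH 14/20 ("The <> field can be reduced even if the capability is sealed, see <>.") sits alongside an <> step list that still says "Set `cd.tag=0` if `cs1` is sealed" (see the acperm_32bit.adoc hunk in PATCH 02/20 and its context in PATCH 17/20). If reducing <> on a sealed capability is meant to preserve the tag, that exception has to be stated in the step list, not only implied by a NOTE in another file; if it is performed by a different instruction, name that instruction in the NOTE rather than relying on a bare cross-reference.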
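Review bot: In PATCH 17/20 the re-added "NOTE: Future extensions may allow more combinations of permissions, especially for MXLEN=64." is immediately followed by the context line "The rules from <> must be followed when removing permissions." with the blank line between them removed, so in AsciiDoc that sentence is absorbed into the admonition paragraph; restore the blank line after the NOTE. The re-added text also says "MXLEN=32" and "MXLEN=64" while PATCH 02/20 switched the rest of this file to "RV32"/"RV64"; use one spelling throughout.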
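Review bot: Rule 10 in PATCH 20/20 is mis-parenthesised. The second alternative is written `(not(<> and not(<>) and not(<>) and (<>==0)))`, which negates the whole conjunction, so it is satisfied by almost every combination (any capability with the first listed permission clear, or with the first two set, for instance) and SL would practically never be cleared. The footnote ("All the listed permissions in the set are either minimum or maximum") and the accompanying change of the quadrant 1 rows 6-7 SL value to 0 show the intended reading is all-clear with SL==0, i.e. `(not(<>) and not(<>) and not(<>) and (<>==0))`. The commit message also says it updates "(former) rules 9" and swaps rules 9 and 10, which is hard to follow from the hunk alone; a one-line statement of what rule 10 now expresses would help.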