From aaf875b2a62334d40c410f068be98a47eba4fb5d Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 09:46:01 +0100 Subject: [PATCH 1/6] local/global clarification --- src/insns/atomic_exceptions.adoc | 2 +- src/insns/load_tag_perms.adoc | 2 +- src/level-ext.adoc | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index 6969e952..9146b209 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc @@ -8,7 +8,7 @@ If <> is not granted then store the memory tag as zero, and load `cd.tag + If the authorizing capability does not grant <>, and the tag of `cd` is 1 and `cd` is not sealed, then an implicit <> clearing <> and <> is performed to obtain the intermediate permissions on `cd` (see <>). + -If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> clearing <> and restricting <> to the level of the authorizing capability is performed to obtain the final permissions on `cd` (see <>). +If the authorizing capability does not grant <>, the authorizing <> is _local_ and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd` (see <>). + endif::[] ifndef::cap_atomic[] diff --git a/src/insns/load_tag_perms.adoc b/src/insns/load_tag_perms.adoc index 3ab397c2..e40962ab 100644 --- a/src/insns/load_tag_perms.adoc +++ b/src/insns/load_tag_perms.adoc 
@@ -4,7 +4,7 @@ The tag value written to `cd` is 0 if the tag of the memory location loaded is + If the authorizing capability does not grant <>, and the tag of `cd` is 1 and `cd` is not sealed, then an implicit <> clearing <> and <> is performed to obtain the intermediate permissions on `cd`. + -If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> clearing <> and restricting <> to the level of the authorizing capability is performed to obtain the final permissions on `cd`. +If the authorizing capability does not grant <>, the authorizing <> is _local_ and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd`. NOTE: Missing <> does not affect untagged values since this could result in surprising bit patterns when copying non-capability data. Similarly, sealed capabilities are not modified as they are not directly dereferenceable. diff --git a/src/level-ext.adoc b/src/level-ext.adoc index f100ca96..eb625ff9 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -24,7 +24,7 @@ NOTE: The <> diagram shows t NOTE: {cheri_levels_ext_name} requires that LVLBITS≥1 although LVLBITS>1 is considered an experimental enhancement of this extension. See <> for the mechanics when LVLBITS>1. -[#section_cap_level,reftext="capability level"] +[#section_cap_level,reftext="Capability Level (CL)"] ==== Capability Level (CL) The Capability Level (CL) is a new field added to the capability encoding, as shown in xref:section_cap_encoding[xrefstyle=short]. 
@@ -108,6 +108,8 @@ This avoids the need for a dedicated instruction and allows reducing the level a [#section_cap_level_summary] === Capability level summary table +NOTE: A capability with <>=1 is *global* and with <>=0 is *local*. + .{cheri_levels_ext_name} `LVLBITS=1` summary table for stored capabilities [#cap_level_store_summary,width="100%",options=header,halign=center,cols="1,1,1,1,5"] |============================================================================== From f33298fe3abe846981c541e5b0dfcbb8409d2d74 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 09:58:41 +0100 Subject: [PATCH 2/6] add local comment --- src/insns/store_tag_perms.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/store_tag_perms.adoc b/src/insns/store_tag_perms.adoc index acd0683c..c53b0783 100644 --- a/src/insns/store_tag_perms.adoc +++ b/src/insns/store_tag_perms.adoc @@ -2,4 +2,4 @@ Tag of the written capability value:: The capability written to memory has the tag set to 0 if the tag of `cs2` is 0 or if the authorizing capability (<> or `cs1`) does not grant <>. + -The stored tag is also set to zero if the authorizing capability does not have <> set but the stored data has a <> of 0. +The stored tag is also set to zero if the authorizing capability does not have <> set but the stored data has a <> of 0 (_local_). From d7b97dd5233c9a48a177aacf4c97528ad1d2ce5e Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 11:28:08 +0100 Subject: [PATCH 3/6] fix SL to N/A if there's no W permission --- src/level-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/level-ext.adoc b/src/level-ext.adoc index eb625ff9..c221ce98 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc 
@@ -74,7 +74,7 @@ endif::[] 11+| bit[0] - <> ({CAP_MODE_VALUE}-{cheri_cap_mode_name}, {INT_MODE_VALUE}-{cheri_int_mode_name}) |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) -| 2-3 | ✔ | | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RO +| 2-3 | ✔ | | ✔ | ✔ | ✔ | N/A | ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RW | 6-7 | ✔ | ✔ | | | | N/A | ✔ | | Mode^1^ | Execute + Data RW 11+| *Quadrant 2: Restricted capability data read/write* From 4739fa1339fd3c56b7d33b31fe2b6a2d931713e5 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 16:27:45 +0100 Subject: [PATCH 4/6] Update src/level-ext.adoc Co-authored-by: Alexander Richardson Signed-off-by: Tariq Kurd --- src/level-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/level-ext.adoc b/src/level-ext.adoc index c221ce98..47e310aa 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -108,7 +108,7 @@ This avoids the need for a dedicated instruction and allows reducing the level a [#section_cap_level_summary] === Capability level summary table -NOTE: A capability with <>=1 is *global* and with <>=0 is *local*. +NOTE: A capability with <>=1 is _global_ and with <>=0 is _local_. .{cheri_levels_ext_name} `LVLBITS=1` summary table for stored capabilities [#cap_level_store_summary,width="100%",options=header,halign=center,cols="1,1,1,1,5"] From dd55039607c1f1bd11aabe1ab0e93c84050320fb Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 18:45:53 +0100 Subject: [PATCH 5/6] remove CL comment --- src/insns/atomic_exceptions.adoc | 2 +- src/insns/load_tag_perms.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index 9146b209..ce69bd41 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc 
@@ -8,7 +8,7 @@ If <> is not granted then store the memory tag as zero, and load `cd.tag + If the authorizing capability does not grant <>, and the tag of `cd` is 1 and `cd` is not sealed, then an implicit <> clearing <> and <> is performed to obtain the intermediate permissions on `cd` (see <>). + -If the authorizing capability does not grant <>, the authorizing <> is _local_ and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd` (see <>). +If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd` (see <>). + endif::[] ifndef::cap_atomic[] diff --git a/src/insns/load_tag_perms.adoc b/src/insns/load_tag_perms.adoc index e40962ab..db1323f0 100644 --- a/src/insns/load_tag_perms.adoc +++ b/src/insns/load_tag_perms.adoc 
@@ -4,7 +4,7 @@ The tag value written to `cd` is 0 if the tag of the memory location loaded is + If the authorizing capability does not grant <>, and the tag of `cd` is 1 and `cd` is not sealed, then an implicit <> clearing <> and <> is performed to obtain the intermediate permissions on `cd`. + -If the authorizing capability does not grant <>, the authorizing <> is _local_ and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd`. +If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd`. NOTE: Missing <> does not affect untagged values since this could result in surprising bit patterns when copying non-capability data. Similarly, sealed capabilities are not modified as they are not directly dereferenceable. From 447ee8f333cd45fe1b440222676fa9026010b47f Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Tue, 29 Oct 2024 18:48:12 +0100 Subject: [PATCH 6/6] change SL in quadrant 1 2-3 back to infinity --- src/level-ext.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/level-ext.adoc b/src/level-ext.adoc index 47e310aa..16351805 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc 
@@ -74,7 +74,7 @@ endif::[] 11+| bit[0] - <> ({CAP_MODE_VALUE}-{cheri_cap_mode_name}, {INT_MODE_VALUE}-{cheri_int_mode_name}) |Bits[4:3]| R | W | C | LM | EL | SL | X | ASR | Mode^1^ | | 0-1 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | ✔ | Mode^1^ | Execute + ASR (see <>) -| 2-3 | ✔ | | ✔ | ✔ | ✔ | N/A | ✔ | | Mode^1^ | Execute + Data & Cap RO +| 2-3 | ✔ | | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RO | 4-5 | ✔ | ✔ | ✔ | ✔ | ✔ | ∞ | ✔ | | Mode^1^ | Execute + Data & Cap RW | 6-7 | ✔ | ✔ | | | | N/A | ✔ | | Mode^1^ | Execute + Data RW 11+| *Quadrant 2: Restricted capability data read/write*
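Review bot: Patches 1/6 and 5/6 cancel each other in the `atomic_exceptions.adoc` and `load_tag_perms.adoc` hunks: 1/6 adds the condition "the authorizing <> is _local_ and" to the final-permissions sentence and 5/6 removes it again, so the only change to those two sentences that survives the series is the inserted article in "restricting the <> to the level of the authorizing capability". Squash the pair so reviewers are not asked to read a condition that is introduced and then dropped, and have the squashed commit message say why the _local_ qualifier is unnecessary (presumably because restricting to the level of a _global_ authorizing capability changes nothing, but the diff does not state that).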
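Review bot: Patches 3/6 and 6/6 also cancel, and the reversal is unexplained: 3/6 sets SL to N/A on the quadrant-1 row `| 2-3 | ✔ | | ✔ | ✔ | ✔ | ...` with the message "fix SL to N/A if there's no W permission", and 6/6 puts ∞ back with only "change SL in quadrant 1 2-3 back to infinity". The resulting table shows SL=∞ for a row without W while the `6-7` row (W but no C) shows N/A, so the rule being applied is not visible. Either the 6/6 commit message or a footnote on the table should state that rule (for example, that SL is shown whenever C is granted even if no store is possible), otherwise the next reader reaches the same conclusion 3/6 did. Squash the two commits.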
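Review bot: In the `level-ext.adoc` hunk of 1/6, changing `reftext` on `[#section_cap_level]` from "capability level" to "Capability Level (CL)" rewords every xref to that anchor throughout the document, including any used mid-sentence, which this diff does not show. Grep the other `.adoc` sources for references to `section_cap_level` and check that the capitalised, parenthesised form reads correctly at each call site; where it does not, keep the lowercase reftext and use explicit link text at the sites that want the heading form.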
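Review bot: The NOTE added in 1/6 ("A capability with <>=1 is *global* and with <>=0 is *local*.") is placed under `=== Capability level summary table`, but the terms it defines are used in the instruction pages (the "(_local_)" parenthetical that 2/6 adds to `store_tag_perms.adoc`), so a reader of those pages can meet _local_ before its definition. Suggest moving the NOTE to the CL field definition under `==== Capability Level (CL)` where the `reftext` is being changed in the same patch. Since 4/6 only swaps `*global*`/`*local*` for `_global_`/`_local_` to match the italic form used in 2/6, fold 4/6 into 1/6 rather than carrying a formatting-only fix-up commit.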