Skip to content

Commit

Permalink
Introduce load-capability generation traps
Browse files Browse the repository at this point in the history
Co-authored-by: Jessica Clarke <[email protected]>
  • Loading branch information
nwf-msr and jrtc27 committed Nov 2, 2021
1 parent 7a8e0ad commit 4276a5e
Show file tree
Hide file tree
Showing 4 changed files with 117 additions and 26 deletions.
55 changes: 41 additions & 14 deletions src/cheri_insts.sail
Original file line number Diff line number Diff line change
Expand Up @@ -1495,11 +1495,25 @@ function handle_load_cap_via_cap(cd, auth_idx, auth_val, vaddrBits) = {
let c = mem_read_cap(addr, aq, aq & rl, false);
match c {
MemValue(v) => {
let cr = if ptw_info.ptw_lc == PTW_LC_CLEAR
then {v with tag = false} /* strip the tag */
else {v with tag = v.tag & auth_val.permit_load_cap};
C(cd) = cr;
RETIRE_SUCCESS
match ptw_info.ptw_lc {
PTW_LC_OK => {
C(cd) = { v with tag = v.tag & auth_val.permit_load_cap };
RETIRE_SUCCESS
},
PTW_LC_CLEAR => {
C(cd) = { v with tag = false };
RETIRE_SUCCESS
},
PTW_LC_TRAP => {
if v.tag then {
handle_mem_exception(vaddrBits, E_Extension(EXC_LOAD_CAP_PAGE_FAULT));
RETIRE_FAIL
} else {
C(cd) = v;
RETIRE_SUCCESS
}
}
}
},
MemException(e) => {handle_mem_exception(vaddrBits, e); RETIRE_FAIL }
}
Expand Down Expand Up @@ -1724,15 +1738,28 @@ if not(auth_val.tag) then {
let c = mem_read_cap(addr, aq, aq & rl, false);
match c {
MemValue(v) => {
let cr = if ptw_info.ptw_lc == PTW_LC_CLEAR
then {v with tag = false} /* strip the tag */
else {
/* the Sail model currently reserves virtual addresses */
load_reservation(addr);
{v with tag = v.tag & auth_val.permit_load_cap}
};
C(cd) = cr;
RETIRE_SUCCESS
match ptw_info.ptw_lc {
PTW_LC_OK => {
load_reservation(addr);
C(cd) = { v with tag = v.tag & auth_val.permit_load_cap };
RETIRE_SUCCESS
},
PTW_LC_CLEAR => {
load_reservation(addr);
C(cd) = { v with tag = false };
RETIRE_SUCCESS
},
PTW_LC_TRAP => {
if v.tag then {
handle_mem_exception(vaddrBits, E_Extension(EXC_LOAD_CAP_PAGE_FAULT));
RETIRE_FAIL
} else {
load_reservation(addr);
C(cd) = v;
RETIRE_SUCCESS
}
}
}
},
MemException(e) => {handle_mem_exception(vaddrBits, e); RETIRE_FAIL }
}
Expand Down
60 changes: 50 additions & 10 deletions src/cheri_pte.sail
Original file line number Diff line number Diff line change
Expand Up @@ -93,22 +93,40 @@ bitfield PTE_Bits : pteAttribs = {
* state cached and then observe a CW=1 CD=1 PTE, no PTE write is necessary.
* On the other hand, if CW=0 is observed, the store operation must trap.
*
* SV32: There are no extension bits available, so we hard-code the result to
* CW=1 CR=1 CD=1.
* The intended semantics for capability loads are as follows.
*
* CR CRT CRG Action
*
* 0 0 0 Capability loads strip tags
* 0 1 0 Capability loads trap (on set tag)
* 0 X 1 [Reserved]
*
* 1 0 0 Capability loads succeed: no traps or tag clearing
* 1 0 1 [Reserved]
* 1 1 G Capability loads trap if G mismatches [ms]ccsr.[su]gclg, where
* the compared bit is keyed off of this PTE's U. sccsr is
* used if the machine has Supervisor mode, otherwise mccsr.
*
* Sv32: There are no extension bits available, so we hard-code the result to
* CW=1 CR=1 CD=1 CRT=0 CRG=0
*/
type extPte = bits(10)

bitfield Ext_PTE_Bits : extPte = {
CapWrite : 9, /* Permit capability stores */
CapRead : 8, /* Permit capability loads */
CapDirty : 7, /* Capability Dirty flag */
CapReadTrap : 6, /* Trap on capability loads; see above table */
CapReadGen : 5, /* When load-cap gens. are in use, the "local" gen. bit */
}

/*
* CapWrite = 1,
* CapRead = 1,
* CapDirty = 1,
* bits 0 .. 6 = 0
* CapWrite = 1,
* CapRead = 1,
* CapDirty = 1,
* CapReadTrap = 0,
* CapReadGen = 0,
* bits 0 .. 4 = 0
*/
let default_sv32_ext_pte : extPte = 0b1110000000

Expand All @@ -119,7 +137,10 @@ function isPTEPtr(p : pteAttribs, ext : extPte) -> bool = {

function isInvalidPTE(p : pteAttribs, ext : extPte) -> bool = {
let a = Mk_PTE_Bits(p);
a.V() == 0b0 | (a.W() == 0b1 & a.R() == 0b0)
let e = Mk_Ext_PTE_Bits(ext);
a.V() == 0b0 | (a.W() == 0b1 & a.R() == 0b0) |
(e.CapRead() == 0b0 & e.CapReadGen() == 0b1) |
(e.CapRead() == 0b1 & e.CapReadGen() == 0b1 & e.CapReadTrap() == 0b0)
}

union PTE_Check = {
Expand All @@ -135,6 +156,26 @@ function checkPTEPermission_SC(e, ext_ptw) = {
else PTE_Check_Failure(ext_ptw, EPTWF_CAP_ERR)
}

/*
* Assuming we're allowed to load from this page, modulate our cap response
*/
val checkPTEPermission_LC : (PTE_Bits, Ext_PTE_Bits, ext_ptw) -> PTE_Check effect { escape, rreg }
function checkPTEPermission_LC(p, e, ext_ptw) =
match (e.CapRead(), e.CapReadTrap(), e.CapReadGen()) {
(0b0, 0b0, 0b0) => PTE_Check_Success(ext_ptw_lc_join(ext_ptw, PTW_LC_CLEAR)), /* Clear tag for "unmodified" no-LC case */
(0b0, 0b1, 0b0) => PTE_Check_Success(ext_ptw_lc_join(ext_ptw, PTW_LC_TRAP)), /* Trap on tag load for "modified" no-LC case */
(0b0, _ , 0b1) => internal_error("Bad PTE not caught by isInvalidPTE"),
(0b1, 0b0, 0b0) => PTE_Check_Success(ext_ptw_lc_join(ext_ptw, PTW_LC_OK)), /* Unmodified LC case: go ahead */
(0b1, 0b0, 0b1) => internal_error("Bad PTE not caught by isInvalidPTE"),
(0b1, 0b1, lclg) => {
/* Compare local CLG against the pte.U-selected, not mode-selected, global CLG bit */
let ccsr = if haveSupMode() then sccsr else mccsr;
let gclg : bits(1) = if p.U() == 0b1 then ccsr.ugclg() else ccsr.sgclg();
let ptwl = if lclg == gclg then PTW_LC_OK else PTW_LC_TRAP;
PTE_Check_Success(ext_ptw_lc_join(ext_ptw, ptwl))
}
}

function checkPTEPermission(ac : AccessType(ext_access_type), priv : Privilege, mxr : bool, do_sum : bool, p : PTE_Bits, ext : extPte, ext_ptw : ext_ptw) -> PTE_Check = {
/*
* Although in many cases MXR doesn't make sense for capabilities, we honour
Expand Down Expand Up @@ -185,7 +226,6 @@ function checkPTEPermission(ac : AccessType(ext_access_type), priv : Privilege,
};

/* Load side */
let ptw_lc = if e.CapRead() == 0b1 then PTW_LC_OK else PTW_LC_CLEAR;
let res : PTE_Check = match res {
PTE_Check_Failure(_, _) => res,
PTE_Check_Success(ext_ptw) => match ac {
Expand All @@ -194,8 +234,8 @@ function checkPTEPermission(ac : AccessType(ext_access_type), priv : Privilege,
Write(_) => res,
ReadWrite(Data, _) => res,

Read(Cap) => PTE_Check_Success(ext_ptw_lc_join(ext_ptw, ptw_lc)),
ReadWrite(Cap, _) => PTE_Check_Success(ext_ptw_lc_join(ext_ptw, ptw_lc))
Read(Cap) => checkPTEPermission_LC(p, e, ext_ptw),
ReadWrite(Cap, _) => checkPTEPermission_LC(p, e, ext_ptw)
}
};

Expand Down
12 changes: 10 additions & 2 deletions src/cheri_riscv_types.sail
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,10 @@ enum ext_ptw_lc = {
PTW_LC_OK,

/* PTE settings require clearing tags */
PTW_LC_CLEAR
PTW_LC_CLEAR,

/* PTE settings require us to trap */
PTW_LC_TRAP
}

struct ext_ptw = {
Expand All @@ -83,7 +86,12 @@ function ext_ptw_lc_join(e : ext_ptw, l : ext_ptw_lc) -> ext_ptw =
{ e with ptw_lc =
match l {
PTW_LC_OK => e.ptw_lc,
PTW_LC_CLEAR => l
PTW_LC_CLEAR => match e.ptw_lc {
PTW_LC_OK => PTW_LC_CLEAR,
PTW_LC_CLEAR => PTW_LC_CLEAR,
PTW_LC_TRAP => PTW_LC_TRAP
},
PTW_LC_TRAP => PTW_LC_TRAP
}
}

Expand Down
16 changes: 16 additions & 0 deletions src/cheri_sys_regs.sail
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,8 @@
/* Capability control csr */

bitfield ccsr : xlenbits = {
ugclg : 3, /* Global Cap Load Gen bit for User pages */
sgclg : 2, /* Global Cap Load Gen bit for System (not User) pages */
d : 1, /* dirty */
e : 0 /* enable */
}
Expand All @@ -78,6 +80,20 @@ register uccsr : ccsr
function legalize_ccsr(csrp : Privilege, c : ccsr, v : xlenbits) -> ccsr = {
// write only the defined bits, leaving the other bits untouched
let v = Mk_ccsr(v);

let c : ccsr = match csrp {
User => {
// No bits defined for uccsr
c
},
_ => {
// GCLG bits defined for both m- and s-ccsr
let c = update_ugclg(c, v.ugclg());
let c = update_sgclg(c, v.sgclg());
c
}
};

/* For now these bits are not really supported so hardwired to true */
let c = update_d(c, 0b1);
let c = update_e(c, 0b1);
Expand Down

0 comments on commit 4276a5e

Please sign in to comment.