CW and CD bits in PTE

[andresag01]

The CHERI specification adds two bits (CW and CD) to the RISC-V PTEs to control capabilities being written into pages. However, raising the appropriate exceptions is dependent on the stored data tag value when executing store-capability instructions. In some hardware implementations, the stored data arrives late in the pipeline, which may cause problems because these exceptions in connection with CW and CD would have to be resolved very late.

An alternative to eliminate the store-capability dependency on the stored tag data is to always raise the exception when CD is 0, but this would not work well with memcpy which relies on store-capability instructions.

Another alternative is to:

• Automatically clear the tag when CW is 0, and
• Always raise the exception when CW is 1 and CD is 0

But this causes compatibility problems with existing software that does not consider whether a page has CW set to 1 or 0.

[rwatson]

Tagging @nwf, as there is considerable complexity around this topic. It’s not just an issue of “compatibility problems” but also functionality around temporal safety techniques, and Wes has the most recent thinking on the tradeoffs here [which also come up in our Morello work].

[andresag01]

As discussed, the options for implementing CW are:

• Raise trap when CW is clear
• Automatically clear tags written to memory when CW is clear

The options for implementing CD are:

• Raise trap when CD is clear, a store-cap instruction is executed and the capability written to memory has its tag set
• Get the hardware to automatically set CD when a store-cap instruction is executed and the capability written to memory has its tag set
• Allow not implementing CD.