From 634f200dc0f0b6339cb1f4005ae923583ba48624 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Wed, 12 Feb 2025 17:45:27 +0000 Subject: [PATCH] CHERI PTE fault description overhaul (#531) The previous definitions really weren't very clear. No spec changes, just clarifying the doc. --- src/cheri-pte-ext.adoc | 51 +++++++++++++++++++++------------ src/hypervisor-integration.adoc | 8 ++---- src/insns/load_exceptions.adoc | 6 ++-- src/insns/store_exceptions.adoc | 6 ++-- src/riscv-integration.adoc | 26 ++++++++++------- 5 files changed, 56 insertions(+), 41 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 6ba25a19..409485b3 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -26,6 +26,19 @@ NOTE: The description below assumes that {cheri_pte_ext_name} has been implement The minimum level of PTE support is to set CW to 1 in all PTEs intended for storing capabilities (i.e. private anonymous mappings) and leave <>.UCRG and CRG in all PTEs set to 0, which will allow capabilities with their tags set to be loaded and stored successfully. +[#cheri_pte_fault] +=== CHERI PTE page faults + +CHERI adds the concept of _CHERI PTE page faults_. +These reuse the load page fault and store/AMO page fault exception causes, and write additional +information to <>/<>/<>. + +Page faults are considered to be _CHERI PTE page faults_ if the `Xtval2` register is written with a non-zero value. + +NOTE: It is possible for both a _normal_ page fault and a _CHERI PTE page fault_ to both trigger at once, as represented in the `Xtval2` value, as shown in <>. + +All RV64 harts with virtual memory can raise _CHERI store/AMO PTE page faults_. +Only harts which implement {cheri_pte_ext_name} can raise _CHERI load PTE page faults_. [#limit_cap_prop] === Limiting Capability Propagation @@ -114,7 +127,7 @@ If the CW bit is clear then: * When a capability load or AMO instruction is executed, the implementation clears the tag bit of the capability read from the virtual page. -* When CRG is clear, the "no capability state", a store/AMO page fault exception +* When CRG is clear, the "no capability state", a <> exception is raised when a capability store or AMO instruction is executed and the tag bit of the capability being written is set. * When CRG is set, the "pre-CW state", two schemes are permitted (also see <>): @@ -144,9 +157,9 @@ visible. When CW is set, the CRG bit indicates the current generation of the virtual memory page with regards to the ongoing capability revocation cycle. Two schemes are permitted: -* A load page fault exception is raised when a capability load or AMO instruction is executed +* A <> exception is raised when a capability load or AMO instruction is executed with <> granted and the virtual page's CRG bit does not equal <>.UCRG in user mode. -* A load page fault exception is raised when a capability load or AMO instruction is executed +* A <> exception is raised when a capability load or AMO instruction is executed with <> granted and the virtual page's CRG bit does not equal <>.UCRG in user mode. and the capability read from memory optionally has its tag set^1^. @@ -154,36 +167,36 @@ and the capability read from memory optionally has its tag set^1^. .Summary of Load CW and CRG behavior in the PTEs [%autowidth,float="center",align="center",cols="<,<,<,<",options="header"] |=== -|PTE.CW |PTE.U|PTE.CRG |Load/AMO -| 0 | X | X | Clear loaded tag -| 1 | 1 |≠ <>.UCRG | Page fault, or page fault if tag is set^1^ -| 1 | 1 |= <>.UCRG | Normal operation -| 1 | 0 | X | Normal operation^2^ +|PTE.CW |PTE.U|PTE.CRG^1^ |Load/AMO +| 0 | X | X | Clear loaded tag +| 1 | 1 |≠ <>.UCRG | <>, or <> if tag is set^2^ +| 1 | 1 |= <>.UCRG^1^ | Normal operation +| 1 | 0 | X | Normal operation^3^ |=== -^1^ The choice here is whether to take data dependent exceptions on loads or atomic operations. +^1^ If {cheri_pte_ext_name} is _not_ implemented then PTE.CRG and <>.UCRG are always both zero, and so always match. Therefore <> _are not_ possible. + +^2^ The choice here is whether to take data dependent exceptions on loads or atomic operations. It is legal for the implementation to fault even if the tag is not set since this behavior is only an optimization for software. This means it is also legal to only check the tag under certain conditions and conservatively fault otherwise. Taking a trap when the tag is not set will introduce additional traps during revocation sweeps. Checking the loaded tag affects the exception priority, see <>. -^2^ A future version of this specification may check an SCRG bit in <> for kernel revocation. +^3^ A future version of this specification may check an SCRG bit in <> for kernel revocation. [[pte_cw_crg_store_summary]] .Summary of Store CW and CRG behavior in the PTEs [%autowidth,float="center",align="center",cols="<,<,<",options="header"] |=== -|PTE.CW |PTE.CRG |Store/AMO -| 0 | 0 | Page fault if stored tag is set -| 0 | 1 | Page fault if stored tag is set, or <> -| 1 | X | Normal operation +|PTE.CW |PTE.CRG|Store/AMO +| 0 | 0^1^ | <> if stored tag is set +| 0 | 1 | <> if stored tag is set, or <> +| 1 | X | Normal operation |=== -The exceptions added by {cheri_pte_ext_name} reuse the load page fault and store/AMO page fault exception cause values, -and so the cause of the exception can be determined by software by checking the value in <>, -<> etc. +^1^ If {cheri_pte_ext_name} is _not_ implemented then PTE.CRG is zero. + Therefore <> _are_ possible. -The behavior when multiple page fault types are detected at once is shown in <>. [#section_hardware_pte_updates] === Enabling Software or Hardware PTE updates @@ -191,7 +204,7 @@ The behavior when multiple page fault types are detected at once is shown in <>. * If only _Svadu_ is implemented, or enabled through henvcfg.ADUE or menvcfg.ADUE, then do the hardware update of setting PTE.CW=1 and setting PTE.CRG=<>.UCRG as described in <>. [#xstatus_pte] diff --git a/src/hypervisor-integration.adoc b/src/hypervisor-integration.adoc index 7c3eb94e..ef4738dd 100644 --- a/src/hypervisor-integration.adoc +++ b/src/hypervisor-integration.adoc @@ -151,8 +151,8 @@ additionally support the new exception code for CHERI exceptions that The <> register is a VSXLEN-bit read-write register. -<> is updated following the same rules as <> for CHERI exceptions, -load page fault and store page faults which are taken in VS-mode. +<> is updated following the same rules as <> for CHERI exceptions +and <> which are delegated to VS-mode. .Virtual supervisor trap value register [#vstval-format] @@ -166,12 +166,10 @@ part of {cheri_base_ext_name} when the hypervisor extension is supported. Its CSR address is 0x24b. <> is updated following the same rules as <> for CHERI exceptions -and <> which are delegated to VS-mode. +and <> which are delegated to VS-mode. It is written to zero for all other exceptions, except as listed otherwise by other future extensions. -The fields are identical to <> for CHERI exceptions. - NOTE: <> is not a standard RISC-V CSR, but <> is. .Virtual supervisor trap value register 2 diff --git a/src/insns/load_exceptions.adoc b/src/insns/load_exceptions.adoc index da0a87fa..e4394039 100644 --- a/src/insns/load_exceptions.adoc +++ b/src/insns/load_exceptions.adoc @@ -23,9 +23,9 @@ listed below; in this case, _CHERI data fault_ is reported in the <>, |============================================================================== + -If virtual memory is enabled, then the state of <>.CW, -and, if {cheri_pte_ext_name} is implemented, <>.CRG, <>.U and <>.UCRG, -may cause a <> exception in addition to a normal RISC-V page fault exception. +If virtual memory is enabled on an RV64 hart, and {cheri_pte_ext_name} is implemented, +then the state of <>.CW, <>.CRG, <>.U and <>.UCRG, +may cause a <> exception in addition to a normal RISC-V page fault exception. See <> for the exception reporting in this case. + :!load_res: diff --git a/src/insns/store_exceptions.adoc b/src/insns/store_exceptions.adoc index c5573206..d3098a86 100644 --- a/src/insns/store_exceptions.adoc +++ b/src/insns/store_exceptions.adoc @@ -22,9 +22,9 @@ listed below; in this case, _CHERI data fault_ is reported in the <>, | Bounds violation | At least one byte accessed is outside the authority capability bounds, or the capability has <> bounds |============================================================================== + -If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of -<>.CW and <>.CRG from the current virtual memory page may -cause a <> exception in addition to a normal RISC-V page fault +If virtual memory is enabled on an RV64 hart, then the state of <>.CW, +and, if {cheri_pte_ext_name} is implemented, <>.CRG from the current virtual memory page may +cause a <> exception in addition to a normal RISC-V page fault when operating in user mode. See <> for the exception reporting in this case. + diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 7ce638d0..8e7965e8 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -431,7 +431,7 @@ CHERI faults require additional information to be reported. The CSRs updated depend on the mode the trap is taken into, as shown in <>. -The additional information is written for CHERI faults and <>, and +The additional information is written for CHERI faults and <>, and is otherwise written to zero for all other exceptions, except as listed otherwise by other future extensions. @@ -712,9 +712,9 @@ Environment call from S-mode + _Reserved_ + Environment call from M-mode + Instruction page fault + -Load page fault + +Load page fault^1^ + _Reserved_ + -Store/AMO page fault + +Store/AMO page fault^2^ + _Reserved_ + _Designated for custom use_ + *CHERI fault* + @@ -724,6 +724,9 @@ _Designated for custom use_ + _Reserved_ |=== +^1^ Includes <> for RV64 harts with virtual memory if {cheri_pte_ext_name} is implemented. + +^2^ Includes <> for RV64 harts with virtual memory. + [[exception-priority]] .Synchronous exception priority in decreasing priority order. Entries added in {cheri_base_ext_name} are in *bold* [float="center",align="center",cols="<1,>1,<8",options="header"] @@ -762,7 +765,7 @@ First encountered *<>*^23^, page fault or ac Load/store/AMO access fault | .>|4,6 .<|If not higher priority: + .>|_Lowest_ .>|13 .<|If not higher priority: + -CHERI load PTE fault^4^ +CHERI load PTE page fault^4^ |=== ^1^ PCC bounds are intended to be checked against all the bytes of fetched instructions. @@ -1070,9 +1073,10 @@ Environment call from U-mode + Environment call from S-mode + _Reserved_ + Instruction page fault + -Load page fault + +Load page fault^1^ + _Reserved_ + -Store/AMO page fault + +Store/AMO page fault^2^ + + _Reserved_ + _Designated for custom use_ + *CHERI fault* + @@ -1082,6 +1086,9 @@ _Designated for custom use_ + _Reserved_ |=== +^1^ Includes <> for RV64 harts with virtual memory if {cheri_pte_ext_name} is implemented. + +^2^ Includes <> for RV64 harts with virtual memory. + [#stval,reftext="stval"] ==== Supervisor Trap Value Register (stval) @@ -1089,7 +1096,7 @@ The <> register is an SXLEN-bit read-write register formatted as shown in xref:stval-format[xrefstyle=short]. <> is updated following the same rules as <> for CHERI exceptions -which are delegated to S-mode. +and <> which are delegated to HS-mode or S-mode. .Supervisor trap value register [#stval-format] @@ -1103,13 +1110,10 @@ part of {cheri_base_ext_name} when the implementation supports S-mode. Its CSR address is 0x14b. <> is updated following the same rules as <> for CHERI exceptions -and <> which are delegated to HS-mode or S-mode. +and <> which are delegated to HS-mode or S-mode. It is written to zero for all other exceptions, except as listed otherwise by other future extensions. -The fields are identical to <> for CHERI exceptions, and for load and -store/AMO page fault exceptions if {cheri_pte_ext_name} is implemented. - NOTE: <> is not a standard RISC-V CSR, but <> is. .Supervisor trap value register 2