split MODESW into MODESW.CAP and MODESW.INT (#406)

MODESW is difficult to implement in higher performance implementations
as it causes a lot of uncertainty in pre-decode and decode about which
mode is currently being entered. It also causes a long sequential path
through a wide-issue decode packet, compared with entering a specific
mode which makes it much easier to determine the mode for each
instruction.

Therefore it is split into two which directly enter the named mode
MODESW.CAP for cap mode and MODESW.INT for int mode, so that
instructions can be decoded much more easily.

It was only a single encoding before to try and reduced the 16-bit
encoding space for C.MODESW. This is guaranteed not to be accepted
without showing significant code-size reduction or performance
improvement as part of the standardisation process.

Only using 32-bit encodings means we can add a second encoding, and so
be specific about which mode to enter.

---------

Co-authored-by: Andrés Amaya Garcia <[email protected]>

src/csv/CHERI_ISA.csv

@@ -52,8 +52,8 @@
 "GCTYPE","✔","✔","","","","✔","✔","Both","","","","","","","","","","","","","","","","","OP","1-src 1-dst","","","Get capability type","","","","","","","",""
 "SCMODE","✔","✔","","","","✔","","Both","","","","","","","","","","","","","","","","","OP","1-src 1-dst","","","Set the mode bit of a capability, no permissions required","","","","","","","",""
 "GCMODE","✔","✔","","","","✔","","Both","","","","","","","","","","","","","","","","","OP","1-src 1-dst","","","Get the mode bit of a capability, no permissions required","","","","","","","",""
-"MODESW","✔","✔","","","","✔","","Both","","","","","","","","","","","","","","","","","OP","no operands","","","Directly switch mode ({cheri_int_mode_name}/ {cheri_cap_mode_name})","mode==D (optional)","","","","","","",""
-"C.MODESW","✔","✔","","","","✔","","Both","","","","","","","","","","","","","","","","","C1","no operands","","","Directly switch mode ({cheri_int_mode_name}/ {cheri_cap_mode_name})","mode==D (optional)","","","","","","",""
+"MODESW.CAP","✔","✔","","","","✔","","Both","","","","","","","","","","","","","","","","","OP","no operands","","","Directly switch mode into {cheri_cap_mode_name}","mode==D (optional)","","","","","","",""
+"MODESW.INT","✔","✔","","","","✔","","Both","","","","","","","","","","","","","","","","","OP","no operands","","","Directly switch mode into {cheri_int_mode_name}","mode==D (optional)","","","","","","",""
 "C.ADDI16SP","✔","✔","","","","✔","✔","Both","","","","✔","","","","","","","","","","","","","C0","","","","ADD immediate to stack pointer, CADD in Capability Mode","","","","","","","",""
 "C.ADDI4SPN","✔","✔","","","","✔","✔","Both","","","","✔","","","","","","","","","","","","","C0","","","","ADD immediate to stack pointer, CADDI in Capability Mode","","","","","","","",""
 "C.MV","✔","✔","","","","✔","✔","Both","","","","✔","","","","","","","","","","","","","C2","","","","Register Move, cap reg move in Capability Mode","","","","","","","",""

src/debug-integration.adoc

@@ -108,8 +108,8 @@ include::img/dpccreg.edn[]
 Upon entry to debug mode, cite:[riscv-debug-spec], does not specify how to
 update the PC, and says PC relative instructions may be illegal. This concept
 is extended to include any instruction which reads or updates <<pcc>>, which refers to
-all jumps, conditional branches and <<AUIPC>>. The exception is <<MODESW>>
-which _is_ supported if {cheri_default_ext_name} is implemented, see <<dinfc>>
+all jumps, conditional branches and <<AUIPC>>. The exceptions are <<MODESW_CAP>> and <<MODESW_INT>>
+which _are_ supported if {cheri_default_ext_name} is implemented, see <<dinfc>>
 for details.
 
 As a result, the value of <<pcc>> is UNSPECIFIED in debug mode according
@@ -180,8 +180,8 @@ The reset value is the <<infinite-cap>> capability.
 If {cheri_default_ext_name} is implemented:
 
 * The <<m_bit>> is reset to {cheri_int_mode_name} ({INT_MODE_VALUE}).
-* The debugger can set the <<m_bit>> to {cheri_cap_mode_name} ({CAP_MODE_VALUE}) by executing <<MODESW>> from the program buffer
-** if <<MODESW>> is not supported in debug mode then the same can be done by reading the CSR, using <<SCMODE>> and then writing the CSR.
+* The debugger can set the <<m_bit>> to {cheri_cap_mode_name} ({CAP_MODE_VALUE}) by executing <<MODESW_CAP>> from the program buffer
+** if <<MODESW_CAP>> is not supported in debug mode then the same can be done by reading the CSR, using <<SCMODE>> and then writing the CSR.
 ** This only needs doing once after resetting the core.
 * The <<m_bit>> is used on debug mode entry to determine which CHERI execution mode to enter.
 

src/insns/modesw_32bit.adoc

@@ -1,20 +1,33 @@
 <<<
 
-[#MODESW,reftext="MODESW"]
-==== MODESW
+[#MODESW_INT,reftext="MODESW.INT"]
+==== MODESW.INT
+See <<MODESW_CAP>>.
 
-include::new_encoding_note.adoc[]
+[#MODESW_CAP,reftext="MODESW.CAP"]
+==== MODESW.CAP
 
 Synopsis::
-{cheri_cap_mode_name}/{cheri_int_mode_name} switching (MODESW), 32-bit encoding
+Switch execution mode to {cheri_cap_mode_name} (MODESW.CAP), or {cheri_int_mode_name} (MODESW.INT), 32-bit encodings
 
 Mnemonic::
-`modesw`
+`modesw.cap` +
+`modesw.int`
 
 Encoding::
 include::wavedrom/modesw_32bit.adoc[]
 
-include::modesw_common.adoc[]
+Description::
+Set the hart's current CHERI execution mode in <<pcc>>.
++
+* MODESW.CAP: If the current mode in <<pcc>> is {cheri_int_mode_name} ({INT_MODE_VALUE}), then the <<m_bit>> in <<pcc>> is set to {cheri_cap_mode_name} ({CAP_MODE_VALUE}). Otherwise no effect.
+* MODESW.INT: If the current mode in <<pcc>> is {cheri_cap_mode_name} ({CAP_MODE_VALUE}), then the <<m_bit>> in <<pcc>> is set to {cheri_int_mode_name} ({INT_MODE_VALUE}). Otherwise no effect.
+
+NOTE: Implementations may optionally support executing <<MODESW_CAP>> and <<MODESW_INT>> from the
+program buffer while in debug mode. If supported them the <<m_bit>> in
+<<dinfc>> is set accordingly and used to control which mode to enter next time debug
+mode is entered. The CHERI execution mode is only controlled by the <<m_bit>>
+of <<dinfc>> in debug mode.
 
 Exceptions::
 include::require_cre.adoc[]

src/insns/wavedrom/modesw_32bit.adoc

@@ -7,6 +7,6 @@
   {bits: 3,  name: 'funct3',  attr: ['3', 'MSW=001'], type: 8},
   {bits: 5,  name: 'funct5',  attr: ['5', 'MSW=00000'], type: 4},
   {bits: 5,  name: 'funct5',  attr: ['5', 'MSW=00000'], type: 3},
-  {bits: 7,  name: 'funct7',  attr: ['7', 'MSW=0001001'], type: 3},
+  {bits: 7,  name: 'funct7',  attr: ['7', 'MSW.CAP=0001001', 'MSW.INT=0001010'], type: 3},
 ]}
 ....

src/insns/zcmt_cmjalt.adoc

@@ -25,7 +25,7 @@ Encoding::
 
 [NOTE]
 
-  For this encoding to decode as <<<CM.JALT>>, _index>=32_, otherwise it decodes as <<CM.JT>>.
+  For this encoding to decode as <<CM.JALT>>, _index&#8805;32_, otherwise it decodes as <<CM.JT>>.
 
 {cheri_cap_mode_name} Description::
 Redirect instruction fetch via the jump table defined by the indexing via `jvtc.address+ index*XLEN/8`, checking every byte of the jump table access against <<jvtc>> bounds (not against <<pcc>>) and requiring <<x_perm>>. Link to `cra`.

src/instructions.adoc

@@ -212,8 +212,6 @@ include::insns/addi16sp_16bit.adoc[]
 
 include::insns/addi4spn_16bit.adoc[]
 
-include::insns/modesw_16bit.adoc[]
-
 include::insns/jalr_16bit.adoc[]
 
 include::insns/jr_16bit.adoc[]

src/riscv-hybrid-integration.adoc

@@ -151,11 +151,12 @@ unprivileged *x* register.
 
 ==== Mode Change Instructions
 
-A new CHERI execution mode switch (<<MODESW>>) instruction allows software
-to toggle the hart's current CHERI execution mode. If the current mode in the
-<<pcc>> is {cheri_int_mode_name}, then the mode after executing <<MODESW>> is {cheri_cap_mode_name}
-and vice-versa. This instruction effectively writes the CHERI execution mode
-bit M of the capability currently installed in the <<pcc>>.
+New CHERI execution mode switch instructions, <<MODESW_CAP>> and
+<<MODESW_INT>>, allow software
+to change the hart's current <<m_bit>> in <<pcc>>. If the current mode in the
+<<pcc>> is {cheri_int_mode_name}, then the mode after executing <<MODESW_CAP>> is {cheri_cap_mode_name}
+and similarly for <<MODESW_INT>> when in {cheri_cap_mode_name}. This instruction effectively writes the CHERI execution mode
+<<m_bit>> of the capability currently installed in the <<pcc>>.
 
 === Existing RISC-V Instructions
 
@@ -277,17 +278,17 @@ All CSR instructions cause CHERI exceptions if the <<pcc>> does not grant
 A new debug default data capability (<<dddc>>) CSR is added at the CSR number
 shown in xref:default-csrnames-added[xrefstyle=short].
 
-{cheri_default_ext_name} optionally allows <<MODESW>> to execute in debug mode.
+{cheri_default_ext_name} optionally allows <<MODESW_CAP>> and <<MODESW_INT>> to execute in debug mode.
 
 When entering debug mode, whether the core enters {cheri_int_mode_name} or
 {cheri_cap_mode_name} is controlled by the <<m_bit>> in <<dinfc>>.
 Implementations may optionally support switching CHERI execution mode by
-executing <<MODESW>> from the program buffer.
+executing <<MODESW_CAP>> or <<MODESW_INT>> from the program buffer.
 
 The current mode can be read from <<dinfc>>.
 
 ifdef::cheri_v9_annotations[]
-NOTE: *CHERI v9 Note:* The mode change instruction <<MODESW>> is new
+NOTE: *CHERI v9 Note:* The mode change instructions <<MODESW_CAP>> and <<MODESW_INT>> are new
 and the requirement to optionally support it in debug mode is also new.
 endif::[]
 

src/summary.adoc

@@ -55,7 +55,7 @@ Instruction fetch is also authorised by a capability: the program counter capabi
 This allows code fetch to be bounded, preventing a wide range of attacks that subvert control flow with integer data.
 Where {cheri_default_ext_name} is supported, the <<pcc>> also contains the <<m_bit,mode bit>> indicating whether the processor is running in integer or capability pointer mode.
 Changing the bounds used for instruction fetch or the pointer mode can be as easy as performing a capability-based jump (<<JALR>> in capability pointer mode).
-A <<MODESW>> instruction and compressed version is also added to allow cheap mode switching.
+<<MODESW_CAP>> and <<MODESW_INT>> instructions are also added to allow cheap mode switching.
 
 Exception codes are added for CHERI-specific exceptions on fetch, jumps, and memory access.
 No other exception paths are added: in particular, capability manipulations do not trap, but may clear the tag on the result capability if the operation is not permitted.

src/tables.adoc

@@ -171,7 +171,7 @@ include::generated/legacy_mnemonic_insns_table_body.adoc[]
 include::generated/xlen_dependent_encoding_insns_table_body.adoc[]
 |==============================================================================
 
-NOTE: <<MODESW>> and <<SCMODE>> only exist in {cheri_cap_mode_name} if
+NOTE: <<MODESW_CAP>>, <<MODESW_INT>> and <<SCMODE>> only exist in {cheri_cap_mode_name} if
 {cheri_int_mode_name} is _also_ present. A hart does not support the <<m_bit>>
 if it does not implement the {cheri_default_ext_name} extension.