Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
delete sstatus.SCRG, make PTE.CW mandatory
Browse files Browse the repository at this point in the history
tariqkurd-repo committed Jan 10, 2025
1 parent a819544 commit f4e728e
Showing 3 changed files with 38 additions and 35 deletions.
66 changes: 34 additions & 32 deletions src/cheri-pte-ext.adoc
Original file line number Diff line number Diff line change
@@ -1,25 +1,29 @@
[#section_sv_cheri]
[#cheri_pte_ext]
== "{cheri_pte_ext_name}" Extension for CHERI Page-Based Virtual-Memory Systems (RV64 only)
== Extending Page-Based Virtual-Memory Systems for CHERI (RV64 only), including "{cheri_pte_ext_name}"

CHERI is a security mechanism that is generally orthogonal to page-based
virtual-memory management as defined in cite:[riscv-priv-spec].
However, it is helpful in CHERI harts to extend RISC-V's virtual-memory
management to facilitate capability revocation and control the flow of
capabilities in memory at the page granularity. For this reason, the
{cheri_pte_ext_name} extension adds new bits to RISC-V's Page Table Entry (PTE)
format.
NOTE: _Sv32_ (for RV32) does not have any spare PTE bits, and so no features from this chapter can be implemented.

NOTE: There is no explicit mechanism for enabling or disabling {cheri_pte_ext_name}. A VM-enabled legacy (non-CHERI) OS running in {cheri_int_mode_name} will not load or store capabilities, and so the default state of CW=0 causing loaded capabilities to have their tags cleared, and stored capabilities with their tags set to cause a page fault, won't occur.
In CHERI harts the Page Table Entry (PTE) format is extended to control the flow of capabilities in memory (see <<limit_cap_prop>>).
This is achieved by adding the PTE.CW bit described below and is a mandatory feature when any virtual memory translation scheme (_Sv39_, _Sv48_ or _Sv57_) is implemented on an RV64 system.
By default PTE.CW=0 which will prevent legacy OSs from being able to load or store tagged capabilities without software modification.

A CHERI-aware OS running a VM-enabled OS is strongly recommended to support {cheri_pte_ext_name}, and the minimum level of support is to set CW to 1 in all PTEs intended for storing capabilities (i.e. anonymous mappings) and leave <<sstatusreg_pte,sstatus>>.SCRG/UCRG and CRG in all PTEs set to 0, which will allow capabilities with their tags set to be loaded and stored successfully.
Additionally the {cheri_pte_ext_name} extension adds the ability to perform capability revocation of user mode pages (see <<cap_revocation>>) by adding the PTE.CRG bit, and <<sstatusreg_pte,sstatus>>.UCRG as described below.

Therefore when implementing any RV64 virtual memory translation scheme (_Sv39_, _Sv48_ or _Sv57_) and {cheri_base_ext_name}, implementing {cheri_pte_ext_name} is strongly recommended.
NOTE: {cheri_pte_ext_name} is strongly recommended but not mandatory as a future version of this specification may specify an improved method.

NOTE: It is possible to detect the presence of {cheri_pte_ext_name} in software, by configuring a page table entry without programming CW and without setting <<sstatusreg_pte,sstatus>>.SCRG/UCRG, and testing for an exception on storing a tagged capability.
NOTE: There is no explicit mechanism for enabling or disabling {cheri_pte_ext_name}. Its presence can be tested for by probing the existence of <<sstatusreg_pte,sstatus>>.UCRG.

NOTE: _Sv32_ (for RV32) does not have any spare PTE bits, and so this extension cannot be implemented.
NOTE: A future version of this specification may include kernel revocation which may require an <<sstatusreg_pte,sstatus>>.SCRG bit.

The remainder of this chapter specifies the behavior of PTE.CW, PTE.CRG and <<sstatusreg_pte,sstatus>>.UCRG.

If {cheri_pte_ext_name} is _not_ implemented then PTE.CRG and <<sstatusreg_pte,sstatus>>.UCRG are considered to exist but to be read-only-zero for the purpose of the specification, however a CHERI-aware hart running a VM-enabled OS is strongly recommended to support {cheri_pte_ext_name}.

This comment has been minimized.

Copy link
@jrtc27

jrtc27 Jan 10, 2025

Collaborator

Why? This means you can’t use them for something else in future.


The minimum level of PTE support is to set CW to 1 in all PTEs intended for storing capabilities (i.e. anonymous mappings) and leave <<sstatusreg_pte,sstatus>>.UCRG and CRG in all PTEs set to 0, which will allow capabilities with their tags set to be loaded and stored successfully.


[#limit_cap_prop]
=== Limiting Capability Propagation

Page table enforcement can allow the operating system to limit the flow
@@ -46,6 +50,7 @@ a natural solution.
^*^ _allocated using mmap_

[#cap_revocation]
=== Capability Revocation

Page table enforcement can accelerate concurrent capability revocation
@@ -108,15 +113,11 @@ If the CW bit is clear then:
NOTE: The tag bit of the stored capability is checked _after_ it is potentially
cleared <<tags_cleared_by_permissions,due to lack of permissions>>.

NOTE: Two capability revocation generation bits (CRG) are implemented in <<sstatusreg_pte,sstatus>>,
one for kernel-space code running in supervisor mode (SCRG) and one for user-space code running
in user mode (UCRG). The relevant bit to use is only controlled by the current operating mode.

** The same behavior as when CRG is clear, allowing software interpretation
of this state.
** When a capability store or AMO instruction is executed
and the tag bit of the capability being written is set, the
implementation sets the CW bit and assigns the CRG bit equal to <<sstatusreg_pte,sstatus>>.SCRG/UCRG.
implementation sets the CW bit and assigns the CRG bit equal to <<sstatusreg_pte,sstatus>>.UCRG.
+
The PTE update must be
atomic with respect to other accesses to the PTE, and must atomically check
@@ -139,24 +140,25 @@ When CW is set, the CRG bit indicates the current generation of the virtual memo
regards to the ongoing capability revocation cycle. Two schemes are permitted:

* A load page fault exception is raised when a capability load or AMO instruction is executed
with <<c_perm>> granted and the virtual page's CRG bit does not equal <<sstatusreg_pte,sstatus>>.SCRG/UCRG.
with <<c_perm>> granted and the virtual page's CRG bit does not equal <<sstatusreg_pte,sstatus>>.UCRG in user mode.
* A load page fault exception is raised when a capability load or AMO instruction is executed
with <<c_perm>> granted and the virtual page's CRG bit does not equal <<sstatusreg_pte,sstatus>>.SCRG/UCRG.
with <<c_perm>> granted and the virtual page's CRG bit does not equal <<sstatusreg_pte,sstatus>>.UCRG in user mode.
and the capability read from memory optionally has its tag set^1^.
[[pte_cw_crg_load_summary]]
.Summary of Load CW and CRG behavior in the PTEs
[%autowidth,float="center",align="center",cols="<,<,<,<",options="header"]
|===
|PTE.CW |Mode^1^ |PTE.CRG |Load/AMO
|PTE.CW |Mode^1^ |PTE.CRG |Load/AMO
| 0 | S/U | X | Clear loaded tag
| 1 | S |&#8800; <<sstatusreg_pte,sstatus>>.SCRG | Page fault, or page fault if tag is set^1^
| 1 | U |&#8800; <<sstatusreg_pte,sstatus>>.UCRG | Page fault, or page fault if tag is set^1^
| 1 | S |= <<sstatusreg_pte,sstatus>>.SCRG | Normal operation
| 1 | U |= <<sstatusreg_pte,sstatus>>.UCRG | Normal operation
| 1 | U |= <<sstatusreg_pte,sstatus>>.UCRG | Normal operation
| 1 | S | X | Normal operation^2^
|===

^1^ This is the current privilege mode, not the effective mode of the access and so is not affected by <<sstatusreg_pte>>.SUM.
^1^ This is the current privilege mode, not the effective mode of the access and so is not affected by <<sstatusreg_pte,sstatus>>.SUM.

^2^ A future version of this specification may check an SCRG bit in <<sstatusreg_pte,sstatus>> for kernel revocation.

[[pte_cw_crg_store_summary]]
.Summary of Store CW and CRG behavior in the PTEs
@@ -189,18 +191,18 @@ The decision about whether to take exceptions on capability stores with the tag
These cause PTE Accessed and Dirty updates to be done in software, via the exception handler, or by a hardware mechanism respectively.

* If only _Svade_ is implemented, or enabled through henvcfg.ADUE or menvcfg.ADUE, then take a page fault.
* If only _Svadu_ is implemented, or enabled through henvcfg.ADUE or menvcfg.ADUE, then do the hardware update of setting PTE.CW=1 and setting PTE.CRG=<<sstatusreg_pte,sstatus>>.SCRG/UCRG as described in <<section_extending_pte>>.
* If only _Svadu_ is implemented, or enabled through henvcfg.ADUE or menvcfg.ADUE, then do the hardware update of setting PTE.CW=1 and setting PTE.CRG=<<sstatusreg_pte,sstatus>>.UCRG as described in <<section_extending_pte>>.
[#xstatus_pte]
=== Extending the Supervisor (sstatus) and Virtual Supervisor (vsstatus) Status Registers

The <<sstatusreg_pte,sstatus>> and <<vsstatusreg_pte,vsstatus>> CSRs are extended to include the new Capability Read Generation (CRG) bit as shown.

When V=1 <<vsstatusreg_pte,vsstatus>>.SCRG/UCRG is in effect.
When V=1 <<vsstatusreg_pte,vsstatus>>.UCRG is in effect.

<<mstatusreg_pte,mstatus>>.SCRG/UCRG also exist. Reading or writing them is equivalent to reading or writing <<sstatusreg_pte,sstatus>>.SCRG/UCRG.
<<mstatusreg_pte,mstatus>>.UCRG also exists. Reading or writing it is equivalent to reading or writing <<sstatusreg_pte,sstatus>>.UCRG.

NOTE: As there is no M-mode translation available in RISC-V, there is no current software use for <<mstatusreg_pte,mstatus>>.SCRG/UCRG or an M-mode equivalent bit.
NOTE: As there is no M-mode translation available in RISC-V, there is no current software use for <<mstatusreg_pte,mstatus>>.UCRG or an M-mode equivalent bit in the future.

This comment has been minimized.

Copy link
@jrtc27

jrtc27 Jan 10, 2025

Collaborator

This note is confused. sstatus is a subset of mstatus’s state, so mstatus.UCRG does exist, and for mstatus.MPRV+mstatus.SUM it will access as if user mode just like S-mode and can fault the same way. What isn’t present is an mstatus.MCRG, which I think is what this is trying to get at? But that’s not so remarkable when sstatus.SCRG doesn’t either.

It is _only_ included not to break the rule that <<sstatusreg_pte,sstatus>> is required to be a subset of <<mstatusreg_pte,mstatus>>.


@@ -242,7 +244,7 @@ It is _only_ included not to break the rule that <<sstatusreg_pte,sstatus>> is r
{bits: 1, name: 'MDT'},
{bits: 18, name: 'WPRI'},
{bits: 1, name: 'UCRG'},
{bits: 1, name: 'SCRG'},
{bits: 1, name: 'WPRI'},
{bits: 1, name: 'SD'},
], config:{lanes: 4, hspace:1024}}
....
@@ -273,7 +275,7 @@ It is _only_ included not to break the rule that <<sstatusreg_pte,sstatus>> is r
{bits: 2, name: 'UXL[1:0]'},
{bits: 27, name: 'WPRI'},
{bits: 1, name: 'UCRG'},
{bits: 1, name: 'SCRG'},
{bits: 1, name: 'WPRI'},
{bits: 1, name: 'SD'},
], config:{lanes: 4, hspace:1024}}
....
@@ -301,7 +303,7 @@ It is _only_ included not to break the rule that <<sstatusreg_pte,sstatus>> is r
{bits: 2, name: 'UXL[1:0]'},
{bits: 27, name: 'WPRI'},
{bits: 1, name: 'UCRG'},
{bits: 1, name: 'SCRG'},
{bits: 1, name: 'WPRI'},
{bits: 1, name: 'SD'}
], config:{lanes: 4, hspace:1024}}
....
4 changes: 2 additions & 2 deletions src/insns/load_exceptions.adoc
Original file line number Diff line number Diff line change
@@ -25,8 +25,8 @@ listed below; in this case, _CHERI data fault_ is reported in the <<mtval2>> or
+
If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of
<<cheri_pte_ext,PTE>>.CW and <<cheri_pte_ext,PTE>>.CRG from the current virtual memory page,
together with <<sstatusreg_pte,sstatus>>.SCRG/UCRG may cause a CHERI <<cheri_pte_ext,PTE>> page fault exception
in addition to a normal RISC-V page fault exception.
together with <<sstatusreg_pte,sstatus>>.UCRG may cause a CHERI <<cheri_pte_ext,PTE>> page fault exception
in addition to a normal RISC-V page fault exception when operating in user mode.
See <<mtval2-page-fault>> for the exception reporting in this case.
+
:!load_res:
3 changes: 2 additions & 1 deletion src/insns/store_exceptions.adoc
Original file line number Diff line number Diff line change
@@ -24,7 +24,8 @@ listed below; in this case, _CHERI data fault_ is reported in the <<mtval2>> or
+
If {cheri_pte_ext_name} is implemented, and virtual memory is enabled, then the state of
<<cheri_pte_ext,PTE>>.CW and <<cheri_pte_ext,PTE>>.CRG from the current virtual memory page may
cause a CHERI <<cheri_pte_ext,PTE>> page fault exception in addition to a normal RISC-V page fault.
cause a CHERI <<cheri_pte_ext,PTE>> page fault exception in addition to a normal RISC-V page fault
when operating in user mode.
See <<mtval2-page-fault>> for the exception reporting in this case.
+
:!store_cond:

0 comments on commit f4e728e

Please sign in to comment.