Merge Zcheri_mode and Zcheri_legacy

The main reason for a separate Zcheri_mode extensions is that it freed
up a bit from the 32-bit capability format. With a new 32-bit
permissions encoding (#155), we
need less than a full bit for the mode since it is only required for
executable capabilities rather than fully orthogonal. Removing the
separate Zcheri_mode extension simplifies the architecture and will
allow for further simplification of the CME architectural state.

Co-authored-by: Tariq Kurd <[email protected]>
Co-authored-by: Andres Amaya Garcia <[email protected]>

Reviewed By: andresag01

Pull Request: #161

Makefile

@@ -70,9 +70,8 @@ GEN_SRC = $(GEN_DIR)/both_mode_insns_table_body.adoc               \
           $(GEN_DIR)/legacy_mnemonic_insns_table_body.adoc         \
           $(GEN_DIR)/legacy_mode_insns_table_body.adoc             \
           $(GEN_DIR)/xlen_dependent_encoding_insns_table_body.adoc \
-          $(GEN_DIR)/Zabhlrsc_insns_table_body.adoc               \
+          $(GEN_DIR)/Zabhlrsc_insns_table_body.adoc                \
           $(GEN_DIR)/Zcheri_legacy_insns_table_body.adoc           \
-          $(GEN_DIR)/Zcheri_mode_insns_table_body.adoc             \
           $(GEN_DIR)/Zcheri_purecap_insns_table_body.adoc
 
 # AsciiDoctor command

src/attributes.adoc

@@ -40,12 +40,10 @@ endif::[]
 // Top-level CHERI definitions
 ///////////////////////////////////////////////////////////////////////////////
 
-// Base CHERI extension without the mode bit in capability format
+// Base CHERI extension (without the mode bit in capability format)
 :cheri_base_ext_name:      Zcheri_purecap
-// CHERI extension adding support for Legacy Mode
+// CHERI extension adding support for legacy mode (and mode bit)
 :cheri_legacy_ext_name:    Zcheri_legacy
-// CHERI extension adding support for the mode bit in the capability format
-:cheri_mode_ext_name:      Zcheri_mode
 // Extension for CHERI PTE bits
 :cheri_pte_ext_name:       Zcheri_pte
 // Extension for CHERI capabilities in vector registers
@@ -56,7 +54,6 @@ endif::[]
 
 :c_cheri_base_ext_names:   C or Zca, {cheri_base_ext_name}
 :c_cheri_legacy_ext_names: C or Zca, {cheri_legacy_ext_name}
-:c_cheri_mode_ext_names:   C or Zca, {cheri_mode_ext_name}
 
 :non-csrrw-or:  <<CSRRWI>>, <<CSRRS>>, <<CSRRSI>>, <<CSRRC>> or <<CSRRCI>>
 :non-csrrw-and:  <<CSRRWI>>, <<CSRRS>>, <<CSRRSI>>, <<CSRRC>> and <<CSRRCI>>

src/cap-description.adoc

@@ -74,6 +74,7 @@ Execute Permission (X):: Allow instruction execution.
 [#asr_perm,reftext="ASR-permission"]
 Access System Registers Permission (ASR):: Allow access to privileged CSRs.
 
+[#cap_permissions_encoding]
 ===== Permission Encoding
 
 The bit width of the permissions field depends on the value of XLENMAX as shown
@@ -92,7 +93,7 @@ Therefore, it is only possible to encode a subset of all combinations.
 ^| 64      ^| {cap_rv64_perms_width} ^| Separate bits for each permission, and the Mode bit is not included
 |==============================================================================
 
-NOTE: While XLENMAX=32 currently uses the same number of bits for permission encodings, it also includes the mode bit of {cheri_mode_ext_name} which is separate for XLENMAX=64.
+NOTE: While XLENMAX=32 currently uses the same number of bits for permission encodings, it also includes the mode bit of {cheri_legacy_ext_name} which is separate for XLENMAX=64.
 
 For XLENMAX=32, the permissions encoding is split into four quadrants.
 The quadrant is taken from bits [4:3] of the permissions encoding.

src/debug-integration.adoc

@@ -52,7 +52,7 @@ Upon entry to debug mode, cite:[riscv-debug-spec], does not specify how to
 update the PC, and says PC relative instructions may be illegal. This concept
 is extended to include any instruction which reads or updates <<pcc>>, which refers to
 all jumps, conditional branches and <<AUIPC>>. The exception is <<MODESW>>
-which _is_ supported if {cheri_mode_ext_name} is implemented, see <<dinfc>>
+which _is_ supported if {cheri_legacy_ext_name} is implemented, see <<dinfc>>
 for details.
 
 As a result, the value of <<pcc>> is UNSPECIFIED in debug mode according
@@ -120,7 +120,7 @@ The <<dinfc>> register is a CLEN-bit plus tag bit CSR only accessible in debug m
 
 The reset value is the <<infinite-cap>> capability.
 
-If {cheri_mode_ext_name} (see xref:chapter-Zcheri-mode) is implemented:
+If {cheri_legacy_ext_name} (see xref:section-cheri-execution-mode) is implemented:
 
 . the core enters Capability Mode when entering debug mode
 .. therefore <<dinfc>>.M is set whenever entering debug mode for any reason.

src/insns/modesw_16bit.adoc

@@ -26,7 +26,7 @@ Exceptions::
 None
 
 Prerequisites::
-{c_cheri_mode_ext_names}
+{c_cheri_legacy_ext_names}
 
 Operation (after expansion to 32-bit encodings)::
  See <<MODESW>>

src/insns/modesw_32bit.adoc

@@ -20,7 +20,7 @@ NOTE: Support of MODESW is optional in debug mode. If it is supported then
  it updates <<dinfc>>.M instead of <<pcc>>.M to show the currrent mode.
 
 Prerequisites::
-{cheri_mode_ext_name}
+{cheri_legacy_ext_name}
 
 Operation::
 [source,SAIL,subs="verbatim,quotes"]

src/insns/scmode_32bit.adoc

@@ -32,7 +32,7 @@ TODO: Should we require execute permission for both RV32 and RV64?
 ======
 
 Prerequisites::
-{cheri_mode_ext_name}
+{cheri_legacy_ext_name}
 
 Operation ::
 [source,SAIL,subs="verbatim,quotes"]

src/instructions.adoc

@@ -20,7 +20,7 @@ NOTE: Not all RISC-V extensions have been checked against CHERI. Compatible
 extensions will eventually be listed in a CHERI profile.
 
 <<<
-=== "Zcheri_purecap", "Zcheri_legacy" and "Zcheri_mode" Extensions for CHERI
+=== "Zcheri_purecap" and "Zcheri_legacy" Extensions for CHERI
 
 include::insns/cmv_32bit.adoc[]
 

src/introduction.adoc

@@ -86,8 +86,8 @@ the RISC-V ISA. The resulting extended ISA is not
 backwards-compatible with RISC-V
 {cheri_legacy_ext_name}:: Extends {cheri_base_ext_name} with features to ensure
 that the ISA extended with CHERI allows backwards binary compatibility with
-RISC-V
-{cheri_mode_ext_name}:: Adds a mode bit in the encoding of capabilities to
+RISC-V.
+It also adds a mode bit in the encoding of capabilities to
 allow changing the current CHERI execution mode using indirect jump
 instructions
 {cheri_pte_ext_name}:: CHERI extension for RISC-V harts supporting page-based
@@ -99,10 +99,9 @@ vector registers, intended for vectorised memory copying
 CAUTION: The extension names are provisional and subject to change.
 
 {cheri_base_ext_name} is defined as the base extension which all CHERI RISC-V
-implementations must support. {cheri_legacy_ext_name}, {cheri_mode_ext_name}
+implementations must support. {cheri_legacy_ext_name}
 and {cheri_pte_ext_name} are optional extensions in addition to
-{cheri_base_ext_name}. {cheri_mode_ext_name} requires supporting both
-{cheri_base_ext_name} and {cheri_legacy_ext_name}.
+{cheri_base_ext_name}.
 
 If a standard vector extension is present (indicated in this document as "V",
 but it could equally be one of the subsets defined by a Zve* extension) then
@@ -114,8 +113,8 @@ memory accesses -- including loads, stores and instruction fetches -- rather
 than integer addresses. Purecap software requires the CHERI RISC-V hart to
 support {cheri_base_ext_name}. We refer to software as _hybrid_ if it uses
 integer addresses *or* CHERI capabilities for memory accesses. Hybrid software
-requires the CHERI RISC-V hart to support {cheri_base_ext_name},
-{cheri_legacy_ext_name} and {cheri_mode_ext_name}.
+requires the CHERI RISC-V hart to support {cheri_base_ext_name} and
+{cheri_legacy_ext_name}.
 
 See xref:riscv-extensions[xrefstyle=short] for compatibility with other RISC-V
 extensions.

src/riscv-cheri.adoc

@@ -50,8 +50,6 @@ include::cheri-pte-ext.adoc[]
 
 include::riscv-legacy-integration.adoc[]
 
-include::riscv-mode-integration.adoc[]
-
 include::instructions.adoc[]
 
 include::tables.adoc[]

src/riscv-legacy-integration.adoc

@@ -1,18 +1,13 @@
 == "Zcheri_legacy" Extension for CHERI Legacy Mode
 
-ifdef::cheri_v9_annotations[]
-NOTE: *CHERI v9 Note:* This feature is new and different from CHERI v9's
-per-privilege enable bits.
-endif::[]
-
 {cheri_legacy_ext_name} is an optional extension to {cheri_base_ext_name}.
 Implementations that support {cheri_base_ext_name} and {cheri_legacy_ext_name}
 define a variant of the CHERI ISA that is fully binary compatible with
 existing RISC-V code.
 
 Key features in {cheri_legacy_ext_name} include a definition of a CHERI execution mode, a new
 unprivileged register, additional instructions and extensions to some existing
-CSRs enabling disable CHERI features. The remainder of this section describes
+CSRs enabling CHERI features. The remainder of this section describes
 these features in detail as well as their integration with the primary base
 integer variants of the RISC-V ISA (RV32I and RV64I).
 
@@ -56,12 +51,35 @@ Setting both registers to <<infinite-cap>> ensures that:
 * The bounds authorise accesses to the entire address space i.e base is 0 and
 top is 2^XLENMAX^
 
+[#section-cheri-execution-mode]
+=== CHERI Execution Mode Encoding
+
+{cheri_legacy_ext_name} adds a new CHERI execution mode bit (M) to
+capabilities. In RV32, the mode is encoded in the permissions field as
+described in xref:cap_permissions_encoding[xrefstyle=short]. In RV64, a new
+mode bit field is added to the capability format as shown in
+xref:cap_encoding_xlen64_mode[xrefstyle=short]. The current CHERI execution
+mode is given by the M bit of the <<pcc>> and the CRE bits in <<mseccfg>>,
+<<menvcfg>>, and <<senvcfg>> as follows:
+
+* The mode is Capability when the M bit of the <<pcc>> is 1 and the effective
+CRE=1 for the current privilege level
+* The mode is Legacy when the effective CRE=0 for the current privilege level or the M bit of the <<pcc>> is 0
+
+.Capability encoding when XLENMAX=64 and {cheri_legacy_ext_name} is supported
+[#cap_encoding_xlen64_mode]
+include::img/cap-encoding-xlen64-mode.edn[]
+
+For RV64, the M bit can be set to 1 when the capability does not grant <<x_perm>>.
+In this case, the M bit is superfluous, so the encoding may be used to support additional features in future extensions.
+
+The M bit is 0 in both the <<null-cap>> and <<infinite-cap>> capabilities.
+
 [#section_legacy_ext_instructions]
 === Zcheri_legacy Instructions
 
-{cheri_legacy_ext_name} does not introduce new instructions to the base RISC-V
-integer ISA. However, the behavior of some existing instructions changes
-depending on the current CHERI execution mode.
+{cheri_legacy_ext_name} introduces a small number of new <<section_mode_cap_instructions,mode-switching instructions>> to the base RISC-V integer ISA.
+Additionally, the behavior of some existing instructions changes depending on the current CHERI execution mode.
 
 ==== Capability Load and Store Instructions
 
@@ -82,6 +100,20 @@ In Legacy Mode, the capability authorising the memory access
 is <<ddc>>, so the effective address is obtained by adding the *x* register to
 the sign-extended offset.
 
+==== Capability Manipulation Instructions
+
+A new <<SCMODE>> instruction allows setting a capability's CHERI execution
+mode to the indicated value. The output is written to an unprivileged *c*
+register, not <<pcc>>.
+
+==== Mode Change Instructions
+
+A new CHERI execution mode switch (<<MODESW>>) instruction allows software
+to toggle the hart's current CHERI execution mode. If the current mode in the
+<<pcc>> is Legacy, then the mode after executing <<MODESW>> is Capability
+and vice-versa. This instruction effectively writes the CHERI execution mode
+bit M of the capability currently installed in the <<pcc>>.
+
 === Existing RISC-V Instructions
 
 The CHERI execution mode introduced in {cheri_legacy_ext_name} affects the
@@ -112,6 +144,9 @@ written to the <<pcc>> address and a representability check is performed. The
 address of the instruction following the jump (*pc* + 4) is written to an *x*
 register; that register's tag and capability metadata are zeroed.
 
+{cheri_legacy_ext_name} allows changing the current CHERI execution mode when
+executing <<JALR>> from Capability Mode.
+
 <<JAL>> and <<JALR>> cause CHERI exceptions when a minimum sized instruction
 at the target address is not within the bounds of the <<pcc>>. An
 instruction address misaligned exception is raised when the target address is
@@ -199,6 +234,18 @@ xref:legacy-csrnames-added[xrefstyle=short].
 A new debug default data capability (<<dddc>>) CSR is added at the CSR number
 shown in xref:legacy-csrnames-added[xrefstyle=short].
 
+{cheri_legacy_ext_name} optionally allows <<MODESW>> to execute in debug mode.
+
+When entering debug mode, the core always enters Capability Mode.
+
+. the mode can be optionally switched using <<MODESW>>.
+. the current mode can always be observed in <<dinfc>>.M.
+
+ifdef::cheri_v9_annotations[]
+NOTE: *CHERI v9 Note:* The mode change instruction <<MODESW>> is new
+and the requirement to optionally support it in debug mode is also new.
+endif::[]
+
 [#dddc,reftext="dddc"]
 === Debug Default Data Capability (dddc)
 
@@ -225,6 +272,9 @@ so it does not need to be able to hold all possible invalid addresses.
 === Disabling CHERI Registers
 
 ifdef::cheri_v9_annotations[]
+NOTE: *CHERI v9 Note:* This feature is new and different from CHERI v9's
+per-privilege enable bits.
+
 NOTE: *CHERI v9 Note:* The rules for excepting have been tightened here. Also,
 it is not possible to disable CHERI checks completely.
 endif::[]
@@ -233,8 +283,8 @@ endif::[]
 registers.  The following occurs when executing code in a privilege mode that
 has CHERI register access disabled:
 
-* The CHERI instructions in xref:section_cap_instructions[xrefstyle=short] (and
-xref:instruction-modes[xrefstyle=short] if {cheri_mode_ext_name} is supported)
+* The CHERI instructions in xref:section_cap_instructions[xrefstyle=short] and
+xref:instruction-modes[xrefstyle=short]
 cause illegal instruction exceptions
 * Executing CSR instructions accessing any capability wide CSR
 addresses (xref:csr-numbers-section[xrefstyle=short]) cause illegal