From b1a705d7d5ad70e3bc49598f953547d55aab8c4f Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Thu, 28 Nov 2024 16:43:01 +0100 Subject: [PATCH 1/6] fix https://github.com/riscv/riscv-cheri/issues/455 --- src/riscv-integration.adoc | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 2672b3ce..e73329b6 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -1188,11 +1188,16 @@ this section describes how invalid address handling must be supported in {cheri_base_ext_name} when accessing CSRs, branching and jumping, and accessing memory. -===== Accessing CSRs +===== Updating CSRs -The following procedure must be used when executing instructions, such -as <>, that write a capability A to a CSR that cannot hold all invalid -addresses: +The procedure below must be used when update a CSR with a capability A, and the CSR cannot +hold all invalid addresses, under the following circumstances: + +* executing instructions, such as <> +* hardware updates to CSRs such as storing the <> (which becomes capability A) into + <>/<> etc. when taking an exception. + +The procedure is: . If A's address is invalid and A does not have infinite bounds (see xref:section_cap_encoding[xrefstyle=short]), then A's tag is set to 0. From 573820097f09c733ee1122fecf29a7a53a5f810d Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 29 Nov 2024 18:10:02 +0100 Subject: [PATCH 2/6] clarify that tag clearing is only needed if the address actually changes --- src/riscv-integration.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index e73329b6..bc4b3e91 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -1199,8 +1199,9 @@ hold all invalid addresses, under the following circumstances: The procedure is: -. If A's address is invalid and A does not have infinite bounds (see -xref:section_cap_encoding[xrefstyle=short]), then A's tag is set to 0. +. If A's address is invalid, A does not have infinite bounds (see +xref:section_cap_encoding[xrefstyle=short]), and A's address has been modified due +to illegal address conversion, then A's tag is set to 0. . Write the final (potentially modified) version of capability A to the CSR e.g. <>, <>, etc. From 4b5928afcd90a145a1c29a3375bc6f1dd4cd59f5 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Mon, 2 Dec 2024 12:29:14 +0100 Subject: [PATCH 3/6] add some flexibility --- src/riscv-integration.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index bc4b3e91..4629c757 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -1200,11 +1200,13 @@ hold all invalid addresses, under the following circumstances: The procedure is: . If A's address is invalid, A does not have infinite bounds (see -xref:section_cap_encoding[xrefstyle=short]), and A's address has been modified due -to illegal address conversion, then A's tag is set to 0. +xref:section_cap_encoding[xrefstyle=short]), then A's tag is set to 0. . Write the final (potentially modified) version of capability A to the CSR e.g. <>, <>, etc. +NOTE: When A's address is invalid and happens to match an invalid address which the CSR +can hold, then it is implementation defined whether to clear A's tag. + ===== Branches and Jumps Control transfer instructions jump or branch to a capability A which can be: From 8924587cc19c8c4a0795faa4b3c5362c45537a4a Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 6 Dec 2024 11:30:49 +0000 Subject: [PATCH 4/6] Update src/riscv-integration.adoc Co-authored-by: Nathaniel Wesley Filardo 
Signed-off-by: Tariq Kurd --- src/riscv-integration.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 4629c757..b3f551c1 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -1190,8 +1190,9 @@ accessing memory. ===== Updating CSRs -The procedure below must be used when update a CSR with a capability A, and the CSR cannot -hold all invalid addresses, under the following circumstances: +Some capability-holding CSRs are unable to hold arbitrary addresses. +For a given such CSR, addresses that cannot be stored are termed "invalid". +Some situations may appear to require that the CSR come to hold a capability with an invalid address: * executing instructions, such as <> * hardware updates to CSRs such as storing the <> (which becomes capability A) into From 98a11f5855af026d568a7a25ff68b5117446994b Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 6 Dec 2024 11:30:56 +0000 Subject: [PATCH 5/6] Update src/riscv-integration.adoc Co-authored-by: Nathaniel Wesley Filardo Signed-off-by: Tariq Kurd --- src/riscv-integration.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index b3f551c1..ab0ca562 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -1198,9 +1198,9 @@ Some situations may appear to require that the CSR come to hold a capability wit * hardware updates to CSRs such as storing the <> (which becomes capability A) into <>/<> etc. when taking an exception. -The procedure is: +In order to satisfy the definitions of such CSRs and preserve capability system invariants, the following procedure must be used as part of write-back to the CSR: -. If A's address is invalid, A does not have infinite bounds (see +. If A's address is invalid and A does not have infinite bounds (see xref:section_cap_encoding[xrefstyle=short]), then A's tag is set to 0. . Write the final (potentially modified) version of capability A to the CSR e.g. <>, <>, etc. From eb98561c0c0c0099220a5deb77349e73076f2f45 Mon Sep 17 00:00:00 2001 From: Tariq Kurd Date: Fri, 6 Dec 2024 13:06:56 +0100 Subject: [PATCH 6/6] make wording match the risc-v spec more closely --- src/riscv-integration.adoc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index ab0ca562..08ea3119 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -1190,9 +1190,11 @@ accessing memory. ===== Updating CSRs -Some capability-holding CSRs are unable to hold arbitrary addresses. -For a given such CSR, addresses that cannot be stored are termed "invalid". -Some situations may appear to require that the CSR come to hold a capability with an invalid address: +Some capability-holding CSRs need not be able to hold all invalid virtual addresses. +Prior to writing to those CSRs, implementations may convert an invalid address into some other invalid address that the CSR is capable of holding. +This is problematic for CHERI as updating the address may invalidate the bounds as a result, if the bounds are not those of the <> capability. + +Some situations may require that a CSR may be updated to hold a capability with an invalid address: * executing instructions, such as <> * hardware updates to CSRs such as storing the <> (which becomes capability A) into
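Review bot: in the PATCH 1/6 hunk, "The procedure below must be used when update a CSR with a capability A" should read "when updating a CSR", and the second bullet's "<>/<> etc. when taking an exception" leaves the set of CSRs covered by a normative "must" open-ended; enumerate the CSRs that cannot hold all invalid addresses (or reference wherever the spec defines them) instead of "etc.". The heading is also renamed to "Updating CSRs" so that hardware writes are included, but the unchanged context line above it still describes the section as covering invalid address handling "when accessing CSRs"; align that sentence with the new heading.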
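Review bot: the condition added in the PATCH 2/6 hunk, "A's address has been modified due to illegal address conversion", makes tag clearing depend on a conversion that the text never defines and that software cannot predict, so whether a later CSR read returns a tagged capability becomes unspecified. Either define the conversion the condition refers to, or keep clearing unconditional on the address being invalid (which PATCH 3/6 restores) and express any relaxation as an explicit, separately stated implementation-defined case.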
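Review bot: the NOTE added in the PATCH 3/6 hunk contradicts step 1 of the procedure it follows. Step 1 says that if A's address is invalid and A does not have infinite bounds "then A's tag is set to 0", with no exception, while the NOTE says that when the invalid address is one the CSR can hold "it is implementation defined whether to clear A's tag". A "must" procedure cannot carry its exception in a NOTE, which readers treat as non-normative; fold it into the step, e.g. "If A's address is invalid, A does not have infinite bounds, and the CSR cannot hold A's address, then A's tag is set to 0", and then state in the body text that an implementation may additionally clear the tag for any invalid address.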
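Review bot: the PATCH 4/6 hunk redefines "invalid" per CSR ("For a given such CSR, addresses that cannot be stored are termed 'invalid'"), but the same word is used in its RISC-V sense a few lines earlier in the section intro ("how invalid address handling must be supported ... when accessing CSRs, branching and jumping, and accessing memory"), and for branches and memory accesses there is no CSR to define it against. Use a distinct term for the per-CSR notion, for example "not representable in the CSR", or keep "invalid" for the architectural meaning only, as PATCH 6/6 ends up doing when it reverts to "invalid virtual addresses".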
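Review bot: in the PATCH 5/6 hunk, "preserve capability system invariants" does not say which invariant the procedure protects; name it, since the whole point of step 1 is that the address of a tagged capability must stay consistent with its bounds. The same step exempts capabilities with infinite bounds without saying why; a short justification (an address change cannot take such a capability out of bounds or make it unrepresentable) would make the rule self-explanatory, and the xref to section_cap_encoding is the right place to point for the representability argument.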
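Review bot: in the PATCH 6/6 hunk, "Some situations may require that a CSR may be updated" doubles "may", and "updating the address may invalidate the bounds as a result" is too vague for the sentence that motivates the whole procedure: state the concrete failure, namely that the converted address may not be representable with A's existing bounds, which is why step 1 clears the tag. The new text also introduces the address conversion as happening "Prior to writing to those CSRs" without making it a step of the procedure, so it is unclear whether step 1 tests the pre- or post-conversion address and whether step 2's "potentially modified" capability includes the converted address; add the conversion as an explicit step or say that the tag decision is taken on A before conversion. Finally, "if the bounds are not those of the <> capability" should say what is special about that capability (its bounds cover every address), since that is the justification for the infinite-bounds exemption in step 1.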