CAndPerms: permit clearing GL on sealed caps #83
Conversation
|
@nwf either p[topm is fine from microarchitecture perspective. Option 1 is a little easier to implement & verify but the difference is not huge. |
|
If either works for uarch I think sw preference is for option 2 so lets go with that! |
|
The third option, which is easiest for software, is to treat whatever you have and whatever you have minus G as the only representable things and make CAndPerm do the same thing is does currently when the exact intersection is not representable. |
|
@davidchisnall what you're suggesting would be the same as forcing all bits of the mask except GL to one if the capability is sealed. Isn't it likely to be a programmer error to try to clear non-GL permissions on a sealed capability? If so that proposal would allow the error to go undetected. On the other hand if the programmer wants to clear permissions on unsealed capabilities and leave sealed ones alone (except GL) that would be useful. |
nwf
force-pushed
the
202411-candperm-seal-gl
branch
from
01263b2
to
b98eecf
Compare
nwf
force-pushed
the
202411-candperm-seal-gl
branch
from
b98eecf
to
19092ec
Compare
src/cheri_insts.sail
Outdated
| * Sealed caps clear the tag unless the mask is all ones (~mask == zeros()) | ||
| * or has the global permission clear. This relies on the prop_null_noperms | ||
| * property to ensure that perm_global is a one-hot vector. |
There was a problem hiding this comment.
| * Sealed caps clear the tag unless the mask is all ones (~mask == zeros()) | |
| * or has the global permission clear. This relies on the prop_null_noperms | |
| * property to ensure that perm_global is a one-hot vector. | |
| * CAndPerms on a sealed cap clears the tag unless the mask is all ones | |
| * or has *only* the global permission clear. Here `perm_global` is a | |
| * vector of zeros except for the global permission bit. To construct this | |
| * we rely on the fact that `null_cap` has all zero permissions. |
Hopefully this is clearer. I removed the mention of prop_null_noperms as I thought it might just be confusing to people reading the arch doc. Good to have, though!
nwf
force-pushed
the
202411-candperm-seal-gl
branch
2 times, most recently
from
393fdfd
to
65b5499
Compare
nwf
force-pushed
the
202411-candperm-seal-gl
branch
from
65b5499
to
70d2380
Compare
But require that all other bits in the mask provided to CAndPerms be 1 in order for a tagged sealed input to result in a tagged sealed output. Co-authored-by: Robert Norton <[email protected]>
nwf
force-pushed
the
202411-candperm-seal-gl
branch
from
70d2380
to
aa84b6d
Compare
Sigh, sorry. This was originally "~(mask | perm_global) == zeros()" and had one too many inversions applied.
Sigh, sorry. This was originally "~(mask | perm_global) == zeros()" and had one too many inversions applied.
Address #70. This is not ready to merge, in that it hasn't yet decided between the two options:
CAndPermson a sealed operand must be all-ones or all-ones-but-GLGLbit.Shuffle the comment delimiters around to pick between the two. I believe either is fine from a security perspective; option 1 imposes stronger requirements on the program(mer) while the later tolerates some... incidental correctness. If one is clearly better for microarchitecture, tho', that could be the deciding factor.
Pinging @kliuMsft.