Date: Mon, 22 Oct 2012 06:35:35 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 218793 for review Message-ID: <201210220635.q9M6ZZZ6082301@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@218793?ac=10 Change 218793 by rwatson@rwatson_svr_ctsrd_mipsbuild on 2012/10/20 10:00:09 First of several changes to update the CheriBSD headers for CHERI ISAv2; in this pass, header files are (generally) updated based on definition changes, excluding instruction changes: - Revision (I think) to split a first 64-bit field into two 32-bit fields for the permissions and reserved bits, so swap in code. Not 100% sure this is right, endianness is confusing. - C26 has been returned to the pool of general-purpose registers, so include it in saved frame state for user threads. On the other hand, we're no longer saving TSC, so remove saving of C28. - Expand comments on C25 use, and how we plan to return it to the register pool once life is better. - A few other useful comments on cp2_frame. - Remove old permission definitions; define new ones. - Comment that we now likely no longer require the unpriv capability, since we can clear capability registers, but leave it for now, until the code is updated. - Update definitions further for the reserved register juggle. - There is a possible bug in the CHERI ISAv2 spec, so don't quite use the exception codes listed (KDC is probably not the same exception code as EPCC). Affected files ... .. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#6 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#6 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#5 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#6 (text+ko) ==== @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2011 Robert N. M. Watson + * Copyright (c) 2011-2012 Robert N. M. Watson * All rights reserved. * * This software was developed by SRI International and the University of @@ -42,8 +42,8 @@ */ #define CAPABILITY_SIZE 32 struct chericap { + uint32_t c_reserved; uint32_t c_uperms; - uint32_t c_reserved; union { uint64_t c_otype; uint64_t c_eaddr; 
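Review bot: The swapped order of `c_reserved` and `c_uperms` in `struct chericap` (cheri.h hunk at -42,8) is not pinned by anything the compiler checks, and the change description itself says the endianness reasoning is unconfirmed. If the two 32-bit halves are the wrong way round, every capability the kernel builds from masks such as `CHERI_CAP_PRIV_UPERMS` would carry its permission bits in the reserved half. Add a comment above the two fields naming which half of the first 64-bit word each is meant to occupy on the target's byte order, marked as needing confirmation against the ISAv2 document. A `CTASSERT(sizeof(struct chericap) == CAPABILITY_SIZE);` after the struct would also help. The struct body continues past the end of the hunk.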
@@ -68,25 +68,30 @@ struct chericap cf_c0; /* - * General-purpose capabilities -- note, numbering is from v1.3 of - * the CHERI ISA spec. v1.4 is expected to renumber the specific - * purpose capabilities to be at the bottom, rather than the top, of - * the capability register space (per Ross Anderson's suggestion). + * General-purpose capabilities -- note, numbering is from v1.7 of the + * CHERI ISA spec (ISAv2). + * + * XXXRW: Currently, C25 is used in-kernel to maintain a saved UDC + * (C0), and so not part of cp2_frame. This will change in the + * future. */ struct chericap cf_c1, cf_c2, cf_c3, cf_c4; struct chericap cf_c5, cf_c6, cf_c7; struct chericap cf_c8, cf_c9, cf_c10, cf_c11, cf_c12; struct chericap cf_c13, cf_c14, cf_c15, cf_c16, cf_c17; struct chericap cf_c18, cf_c19, cf_c20, cf_c21, cf_c22; - struct chericap cf_c23, cf_c24; + struct chericap cf_c23, cf_c24, cf_c26; /* * Special-purpose capability registers that must be preserved on a - * user context switch. Note that KT0, KT1, KCC, and KDC are omitted. + * user context switch. Note that KRC0, KRC1, KCC, and KDC are + * omitted. */ - struct chericap cf_tsc; + /* XXXRW: Gone in v1.7: struct chericap cf_tsc; */ - /* Program counter capability. */ + /* + * Program counter capability -- extracted from exception frame EPCC. + */ struct chericap cf_pcc; }; CTASSERT(sizeof(struct cp2_frame) == (27 * CAPABILITY_SIZE)); ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#6 (text+ko) ==== @@ -49,7 +49,7 @@ andi reg, reg, SR_KSU_USER; \ beq reg, $0, 64f; \ nop; \ - cmove $c25, $c0; \ + cmove $c27, $c0; \ cmove $c0, $c30; \ 64: @@ -103,6 +103,8 @@ * XXXRW: It woudld be nice to make calls to these conditional on actual CP2 * coprocessor use, similar to on-demand context management for other MIPS * coprocessors (e.g., FP). + * + * XXXRW: Note hard-coding of UDC here. */ #define SAVE_CP2_CONTEXT(treg, base) \ SAVE_U_PCB_CP2REG(treg, $c25, CHERI_CR_C0_OFF, base); \ 
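Review bot: The `CTASSERT(sizeof(struct cp2_frame) == (27 * CAPABILITY_SIZE))` closing this cheri.h hunk still passes after `cf_tsc` is replaced by `cf_c26`, because the field count is unchanged. It therefore cannot catch a mismatch between the field order and the `CHERI_CR_*_OFF` constants that the save/restore macros index with. An offset check such as `CTASSERT(offsetof(struct cp2_frame, cf_c26) == CHERI_CR_C26_OFF * CAPABILITY_SIZE);` would pin it, with the same check for `cf_pcc`. That assumes cherireg.h is visible from cheri.h and the offsets are in units of one capability, neither of which the hunk shows. The commented-out `cf_tsc` line also leaves the "Special-purpose capability registers" comment describing no fields, so removing both would read more clearly; the struct header itself is above the hunk.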
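Review bot: The kernel-entry macro in the first cheriasm.h hunk now stashes the user's `$c0` in `$c27`, but `SAVE_CP2_CONTEXT` in the following hunk still stores `$c25` into the `CHERI_CR_C0_OFF` slot, and cherireg.h in this same change keeps `CHERI_CR_UDC` at C25. Unless something outside these hunks copies `$c27` to `$c25`, the frame's C0 slot would hold whatever userspace left in C25 rather than the interrupted thread's C0. Either keep `cmove $c25, $c0;` until the save path is converted, or change the save line to `SAVE_U_PCB_CP2REG(treg, $c27, CHERI_CR_C0_OFF, base); \` and update the restore and exit paths to match. The macro containing the `cmove` starts above the hunk, and the matching exit macro is not visible here.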
@@ -130,7 +132,7 @@ SAVE_U_PCB_CP2REG(treg, $c22, CHERI_CR_C22_OFF, base); \ SAVE_U_PCB_CP2REG(treg, $c23, CHERI_CR_C23_OFF, base); \ SAVE_U_PCB_CP2REG(treg, $c24, CHERI_CR_C24_OFF, base); \ - SAVE_U_PCB_CP2REG(treg, $c28, CHERI_CR_TSC_OFF, base); \ + SAVE_U_PCB_CP2REG(treg, $c26, CHERI_CR_C26_OFF, base); \ SAVE_U_PCB_CP2REG(treg, $c31, CHERI_CR_PCC_OFF, base) #define RESTORE_CP2_CONTEXT(treg, base) \ @@ -159,7 +161,7 @@ RESTORE_U_PCB_CP2REG(treg, $c22, CHERI_CR_C22_OFF, base); \ RESTORE_U_PCB_CP2REG(treg, $c23, CHERI_CR_C23_OFF, base); \ RESTORE_U_PCB_CP2REG(treg, $c24, CHERI_CR_C24_OFF, base); \ - RESTORE_U_PCB_CP2REG(treg, $c28, CHERI_CR_TSC_OFF, base); \ + RESTORE_U_PCB_CP2REG(treg, $c26, CHERI_CR_C26_OFF, base); \ RESTORE_U_PCB_CP2REG(treg, $c31, CHERI_CR_PCC_OFF, base) #endif /* _MIPS_INCLUDE_CHERIASM_H_ */ ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#5 (text+ko) ==== 
@@ -39,43 +39,39 @@ * but perhaps it should be. */ #define CHERI_PERM_NON_EPHEMERAL 0x0001 -#define CHERI_PERM_ACCESS_CR31 0x0002 -#define CHERI_PERM_ACCESS_CR30 0x0004 -#define CHERI_PERM_ACCESS_CR29 0x0008 -#define CHERI_PERM_ACCESS_CR28 0x0010 -#define CHERI_PERM_RESERVED1 0x0020 -#define CHERI_PERM_RESERVED2 0x0040 -#define CHERI_PERM_RESERVED3 0x0080 -#define CHERI_PERM_SEAL 0x0100 -#define CHERI_PERM_STORE_EPHEMERAL_CAPABILITY 0x0200 -#define CHERI_PERM_LOAD 0x0400 -#define CHERI_PERM_STORE 0x0800 -#define CHERI_PERM_LOAD_CAP 0x1000 -#define CHERI_PERM_STORE_CAP 0x2000 -#define CHEIR_PERM_EXECUTE 0x4000 +#define CHEIR_PERM_EXECUTE 0x0002 +#define CHERI_PERM_LOAD 0x0004 +#define CHERI_PERM_STORE 0x0008 +#define CHERI_PERM_LOAD_CAP 0x0010 +#define CHERI_PERM_STORE_CAP 0x0020 +#define CHERI_PERM_STORE_EPHEM_CAP 0x0040 +#define CHERI_PERM_SEAL 0x0080 +#define CHERI_PERM_SETTYPE 0x0100 +#define CHERI_PERM_RESERVED1 0x0200 +#define CHERI_PERM_ACCESS_EPCC 0x0400 +#define CHERI_PERM_ACCESS_KDC 0x0800 +#define CHERI_PERM_ACCESS_KCC 0x1000 +#define CHERI_PERM_ACCESS_KR1C 0x2000 +#define CHERI_PERM_ACCESS_KR2C 0x4000 -/* - * XXXRW: Should this include CHERI_UNSEALED? 
- */ #define CHERI_PERM_PRIV \ - (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_ACCESS_CR31 | \ - CHERI_PERM_ACCESS_CR30 | CHERI_PERM_ACCESS_CR29 | \ - CHERI_PERM_ACCESS_CR28 | CHERI_PERM_SEAL | \ - CHERI_PERM_STORE_EPHEMERAL_CAPABILITY | CHERI_PERM_LOAD | \ - CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE_CAP | \ - CHEIR_PERM_EXECUTE) + (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_EXECUTE | \ + CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | \ + CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_EPHEM_CAP | \ + CHERI_PERM_SEAL | CHERI_PERM_SETTYPE | CHERI_PERM_RESERVED1 | \ + CHERI_PERM_ACCESS_EPCC | CHERI_PERM_ACCESS_KDC | \ + CHERI_PERM_ACCESS_KCC | CHERI_PERM_ACCESS_KR1C | \ + CHERI_PERM_ACCESS_KR2C) #define CHERI_PERM_USER \ - (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_SEAL | \ - CHERI_PERM_STORE_EPHEMERAL_CAPABILITY | CHERI_PERM_LOAD | \ - CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE_CAP | \ - CHEIR_PERM_EXECUTE) + (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_EXECUTE | \ + CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | \ + CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_EPHEM_CAP | \ + CHERI_PERM_SEAL | CHERI_PERM_SETTYPE) /* * Definition for kernel "privileged" capability able to name the entire * address space. - * - * XXXRW: Perhaps CHERI_UCAP_UNPRIV_LENGTH should actually just cover useg. */ #define CHERI_CAP_PRIV_UPERMS CHERI_PERM_PRIV #define CHERI_CAP_PRIV_OTYPE 0x0 @@ -94,6 +90,9 @@ /* * Definition for capability unable to name any resources. This is suitable * for filling capability registers that should hold no privilege. + * + * XXXRW: Probably no longer required in CHERI ISAv2 as we can clear + * registers. */ #define CHERI_CAP_NOPRIV_UPERMS 0x0 #define CHERI_CAP_NOPRIV_OTYPE 0x0 
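Review bot: `CHERI_PERM_PRIV` and `CHERI_PERM_USER` now reference `CHERI_PERM_EXECUTE`, but the define added in this cherireg.h hunk is still spelled `CHEIR_PERM_EXECUTE`, so the correctly spelled name is undefined unless something else provides it. The old masks used the misspelled name consistently, whereas the new ones will fail to compile in C. In assembly sources the stray identifier may survive preprocessing as a symbol reference instead of the 0x0002 bit, leaving the execute permission out of both masks. Change the define to `#define CHERI_PERM_EXECUTE 0x0002`. Separately, `CHERI_PERM_PRIV` ORs in `CHERI_PERM_RESERVED1`; either drop it from the mask or add a comment saying why a reserved bit is granted.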
@@ -129,19 +128,32 @@ #define CHERI_CR_C22 22 #define CHERI_CR_C23 23 #define CHERI_CR_C24 24 -#define CHERI_CR_UDC 25 /* UDC: user data capability (saved C0). */ -#define CHERI_CR_KT0 26 /* KT0: temporary kernel capability. */ -#define CHERI_CR_KT1 27 /* KT1: temporary kernel capability. */ -#define CHERI_CR_TSC 28 /* TSC: trusted stack capability. */ -#define CHERI_CR_KCC 29 /* KCC: kernel code capability. */ -#define CHERI_CR_KDC 30 /* KDC: kernel data capability. */ -#define CHERI_CR_EPCC 31 /* EPCC: exception program counter cap. */ +#define CHERI_CR_C25 25 +#define CHERI_CR_C26 26 +#define CHERI_CR_C27 27 +#define CHERI_CR_C28 28 +#define CHERI_CR_C29 29 +#define CHERI_CR_C30 30 +#define CHERI_CR_C31 31 -#define CHERI_CR_CT0 CHERI_CR_C10 /* CT0: temporary capability. */ +/* + * XXXRW: Note that UDC is used by the kernel to hold the saved user data + * capability during kernel execution. In the future, this will change -- + * instead we will swap with KR2C, and save it to a frame to be used as needed + * later. In the mean time, userspace agrees not to use C25. + */ +#define CHERI_CR_RCC CHERI_CR_C24 /* Return code capability. */ +#define CHERI_CR_UDC CHERI_CR_C25 /* User data capability. */ +#define CHERI_CR_IDC CHERI_CR_C26 /* Invoked data capability.*/ +#define CHERI_CR_KR1C CHERI_CR_C27 /* Kernel reserved capability 1. */ +#define CHERI_CR_KR2C CHERI_CR_C28 /* Kernel reserved capability 2. */ +#define CHERI_CR_KCC CHERI_CR_C29 /* Kernel code capability. */ +#define CHERI_CR_KDC CHERI_CR_C30 /* Kernel data capability. */ +#define CHERI_CR_EPCC CHERI_CR_C31 /* Exception program counter cap. */ /* * Offsets of registers in struct cp2_frame -- must match the definition in - * cp2.h. Observe the discontinuity after $udc. + * cheri.h. */ #define CHERI_CR_C0_OFF 0 #define CHERI_CR_C1_OFF 1 
@@ -168,7 +180,41 @@ #define CHERI_CR_C22_OFF 22 #define CHERI_CR_C23_OFF 23 #define CHERI_CR_C24_OFF 24 -#define CHERI_CR_TSC_OFF 25 +#define CHERI_CR_C26_OFF 25 #define CHERI_CR_PCC_OFF 26 +/* + * List of CHERI capability cause code constants, which are used to + * disambiguate various CP2 exceptions. + * + * XXXRW: I wonder if we really need different permissions for each exception- + * handling capability. + * + * XXXRW: Curiously non-contiguous. + * + * XXXRW: KDC is listed as 0x1a in the spec, which collides with EPCC. Not + * sure what is actually used. + */ +#define CHERI_EXCCODE_NONE 0x00 +#define CHERI_EXCCODE_LENGTH 0x01 +#define CHERI_EXCCODE_TAG 0x02 +#define CHERI_EXCCODE_SEAL 0x03 +#define CHERI_EXCCODE_TYPE 0x04 +#define CHERI_EXCCODE_CALL 0x05 +#define CHERI_EXCCODE_RETURN 0x06 +#define CHERI_EXCCODE_NON_EPHEM 0x10 +#define CHERI_EXCCODE_PERM_EXEXCUTE 0x11 +#define CHERI_EXCCODE_PERM_LOAD 0x12 +#define CHERI_EXCCODE_PERM_STORE 0x13 +#define CHERI_EXCCODE_PERM_LOADCAP 0x14 +#define CHERI_EXCCODE_PERM_STORECAP 0x15 +#define CHERI_EXCCODE_STORE_EPHEM 0x16 +#define CHERI_EXCCODE_PERM_SEAL 0x17 +#define CHERI_EXCCODE_PERM_SETTYPE 0x18 +#define CHERI_EXCCODE_ACCESS_EPCC 0x1a +#define CHERI_EXCCODE_ACCESS_KDC 0x1b /* XXXRW */ +#define CHERI_EXCCODE_ACCESS_KCC 0x1c +#define CHERI_EXCCODE_ACCESS_KR1C 0x1d +#define CHERI_EXCCODE_ACCESS_KR2C 0x1e + #endif /* _MIPS_INCLUDE_CHERIREG_H_ */
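Review bot: `CHERI_EXCCODE_PERM_EXEXCUTE` is misspelled and should be renamed `CHERI_EXCCODE_PERM_EXECUTE` before any exception handler starts using it. `CHERI_EXCCODE_ACCESS_KDC` is set to 0x1b although the comment above says the spec lists 0x1a, so the bare `/* XXXRW */` should say that on the line itself, e.g. `/* XXXRW: spec says 0x1a (collides with EPCC); unverified. */`. Code that decodes the capability cause register can then see that the value is a guess. The jump from 0x18 to 0x1a also skips 0x19 without explanation; if that slot corresponds to the reserved permission bit, a one-line comment would make the gap deliberate.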