From 9561ffff9b238294f75ba8fcb91f77f7edcb4597 Mon Sep 17 00:00:00 2001 From: Alexander Richardson Date: Fri, 1 Nov 2024 16:10:14 -0400 Subject: [PATCH] Clarify interaction of levels with sealed capabilities (#439) Sealed capabilities should only have their `CL` changed, but not the `EL` permission. See also https://github.com/CHERIoT-Platform/cheriot-sail/issues/14 Co-authored-by: Tariq Kurd --- src/cap-description.adoc | 2 ++ src/insns/atomic_exceptions.adoc | 3 ++- src/insns/load_tag_perms.adoc | 3 +++ src/level-ext.adoc | 18 +++++++----------- 4 files changed, 14 insertions(+), 12 deletions(-) diff --git a/src/cap-description.adoc b/src/cap-description.adoc index 6bfef8dd..bb57434f 100644 --- a/src/cap-description.adoc +++ b/src/cap-description.adoc @@ -308,6 +308,8 @@ around. The only way of clearing the type bit of a capability is by rebuilding it via a superset capability with <>. {cheri_base_ext_name} does not offer an unseal instruction. +NOTE: The <> field can be reduced even if the capability is sealed, see <>. + For code capabilities, the sealing bit is used to implement immutable capabilities that describe function entry points, known as sealed entry (sentry) capabilities. Such capabilities can be leveraged to establish a form of control-flow integrity between mutually distrusting code. A program may jump to a diff --git a/src/insns/atomic_exceptions.adoc b/src/insns/atomic_exceptions.adoc index 0e1f8031..c3cdb9fe 100644 --- a/src/insns/atomic_exceptions.adoc +++ b/src/insns/atomic_exceptions.adoc @@ -8,7 +8,8 @@ If <> is not granted then store the memory tag as zero, and load `cd.tag + If the authorizing capability does not grant <>, and the tag of `cd` is 1 and `cd` is not sealed, then an implicit <> clearing <> and <> is performed to obtain the intermediate permissions on `cd` (see <>). + -If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd` (see <>). +If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> restricting the <> to the level of the authorizing capability is performed. +If `cd` is not sealed, this implicit <> also clears <> to obtain the final permissions on `cd` (see <> and <>). + The stored tag is also set to zero if the authorizing capability does not have <> set but the stored data has a <> of 0 (see <>). endif::[] diff --git a/src/insns/load_tag_perms.adoc b/src/insns/load_tag_perms.adoc index db1323f0..b3fdd6c3 100644 --- a/src/insns/load_tag_perms.adoc +++ b/src/insns/load_tag_perms.adoc @@ -5,6 +5,9 @@ The tag value written to `cd` is 0 if the tag of the memory location loaded is If the authorizing capability does not grant <>, and the tag of `cd` is 1 and `cd` is not sealed, then an implicit <> clearing <> and <> is performed to obtain the intermediate permissions on `cd`. + If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> clearing <> and restricting the <> to the level of the authorizing capability is performed to obtain the final permissions on `cd`. ++ +If the authorizing capability does not grant <>, and the tag of `cd` is 1, then an implicit <> restricting the <> to the level of the authorizing capability is performed. +If `cd` is not sealed, this implicit <> also clears <> to obtain the final permissions on `cd` (see <>). NOTE: Missing <> does not affect untagged values since this could result in surprising bit patterns when copying non-capability data. Similarly, sealed capabilities are not modified as they are not directly dereferenceable. diff --git a/src/level-ext.adoc b/src/level-ext.adoc index e8711721..14e1dbb4 100644 --- a/src/level-ext.adoc +++ b/src/level-ext.adoc @@ -122,20 +122,16 @@ NOTE: A capability with <>=1 is _global_ and with <1`, the behaviour of <> can no longer use masking to adjust the <> or <>, but instead must perform an integer minimum operation on those `LVLBITS`-wide fields.