Skip to content

Commit

Permalink
reorder capability chapter
Browse files Browse the repository at this point in the history
Show the encoding first so it is easier to find.

Signed-off-by: Axel Heider <[email protected]>
  • Loading branch information
Axel Heider committed Jan 26, 2024
1 parent b2697e2 commit c78a270
Showing 1 changed file with 71 additions and 68 deletions.
139 changes: 71 additions & 68 deletions src/cap-description.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,37 @@ define XLENMAX to be widest XLEN that the implementation supports.
XLENMAX without including the tag bit. The value of CLEN is always calculated
based on XLENMAX regardless of the effective XLEN value.

[#section_cap_encoding]
=== Capability Encoding

ifdef::cheri_v9_annotations[]
NOTE: *CHERI v9 Note:* The encoding changes eliminate the concept of the
in-memory format, and also increase precision for RV32. When EF=0, T and B
are now shifted right rather than left within the address. Also, the bounds
decoding for XLENMAX=32 uses a trick (see bit T8) to save one bit when encoding
the exponent.
endif::[]

The components of a capability except the tag are encoded as shown in
xref:cap_encoding_xlen32[xrefstyle=short] for XLENMAX=32 and
xref:cap_encoding_xlen64[xrefstyle=short] for XLENMAX=64. Each memory location
or register able to hold a capability must also store the tag as out of band
information that software cannot directly set or clear. The capability metadata
is held in the most significant bits and the address is held in the least
significant bits.

.Capability encoding for XLENMAX=32
[#cap_encoding_xlen32]
include::img/cap-encoding-xlen32.edn[]

.Capability encoding for XLENMAX=64
[#cap_encoding_xlen64]
include::img/cap-encoding-xlen64.edn[]

Reserved bits are available for future extensions to {cheri_base_ext_name}.

NOTE: Reserved bits must be 0 in valid capabilities.

=== Components of a Capability

Capabilities contain the software accessible fields described in this section.
Expand All @@ -40,6 +71,8 @@ _capability_ wide in this specification.
[#section_cap_perms]
==== Architectural Permissions (AP)

===== Description

ifdef::cheri_v9_annotations[]
WARNING: *CHERI v9 Note:* The permissions are encoded differently in this
specification.
Expand Down Expand Up @@ -75,7 +108,7 @@ Execute Permission (X):: Allow instruction execution.
[#asr_perm,reftext="ASR-permission"]
Access System Registers Permission (ASR):: Allow access to privileged CSRs.

===== Permission Encoding
===== Encoding

The bit width of the permissions field depends on the value of XLENMAX as shown
in xref:perms_bit_width[xrefstyle=short]. A {cap_rv32_perms_width}-bit vector
Expand Down Expand Up @@ -192,7 +225,9 @@ also seals the return address capability (if any) since it is the entry point
to the caller function.

[#section_cap_bounds]
==== Bounds
==== Bounds (EF, T, TE, B, BE)

===== Concept

ifdef::cheri_v9_annotations[]
NOTE: *CHERI v9 Note:* The bounds mantissa width is different in XLENMAX=32.
Expand Down Expand Up @@ -262,52 +297,8 @@ xref:exp_bit_width[xrefstyle=short].
NOTE: The address and bounds must be representable in valid capabilities i.e.
when the tag is set (see xref:section_cap_malformed[xrefstyle=short]).

==== Address

XLENMAX integer value that encodes the byte-address of a memory location.

.Address widths depending on XLENMAX
[#address_bit_width,options=header,align="center",width="55%"]
|==============================================================================
^| XLENMAX ^| Address width
^| 32 ^| {cap_rv32_addr_width}
^| 64 ^| {cap_rv64_addr_width}
|==============================================================================

==== Reserved Bits

Reserved bits available for future extensions to {cheri_base_ext_name}.

NOTE: Reserved bits must be 0 in valid capabilities.

[#section_cap_encoding]
=== Capability Encoding

ifdef::cheri_v9_annotations[]
NOTE: *CHERI v9 Note:* The encoding changes eliminate the concept of the
in-memory format, and also increase precision for RV32. When EF=0, T and B
are now shifted right rather than left within the address. Also, the bounds
decoding for XLENMAX=32 uses a trick (see bit T8) to save one bit when encoding
the exponent.
endif::[]

The components of a capability are encoded as shown in
xref:cap_encoding_xlen32[xrefstyle=short] and
xref:cap_encoding_xlen64[xrefstyle=short] when XLENMAX=32 and XLENMAX=64
respectively.

.Capability encoding when XLENMAX=32
[#cap_encoding_xlen32]
include::img/cap-encoding-xlen32.edn[]

.Capability encoding when XLENMAX=64
[#cap_encoding_xlen64]
include::img/cap-encoding-xlen64.edn[]

Each memory location or register able to hold a capability must also store the
tag as out of band information that software cannot directly set or clear. The
capability metadata is held in the most significant bits and the address
is held in the least significant bits.
[#section_cap_bounds_decoding]
===== Decoding

The metadata is encoded in a compressed format cite:[woodruff2019cheri]. It
uses a floating point representation to encode the bounds relative to the
Expand Down Expand Up @@ -426,6 +417,38 @@ if ( (E < (CAP_MAX_E - 1)) & (t[XLENMAX: XLENMAX - 1] - b[XLENMAX - 1] > 1) )
That is, invert the most significant bit of _t_ if the decoded length of the
capability is larger than E.

[#section_cap_malformed]
===== Malformed Bounds

A capability is _malformed_ if its encoding does not describe a valid
capability because its bounds cannot be correctly decoded. The following check
indicates whether a capability is malformed.

```
malformedMSB = (E == CAP_MAX_E && B[MW - 1:MW - 2] != 0)
|| (E == CAP_MAX_E - 1 && B[MW - 1] != 0)
malformedLSB = (E < 0)
malformed = !EF && (malformedMSB || malformedLSB)
```

NOTE: The check is for malformed _bounds_, so it does not include reserved
bits!

Capabilities with malformed bounds are always invalid anywhere in the system
i.e. their tags are always 0.

==== Address

XLENMAX integer value that encodes the byte-address of a memory location.

.Address widths depending on XLENMAX
[#address_bit_width,options=header,align="center",width="55%"]
|==============================================================================
^| XLENMAX ^| Address width
^| 32 ^| {cap_rv32_addr_width}
^| 64 ^| {cap_rv64_addr_width}
|==============================================================================

[#section_null_inf_cap]
=== NULL and Infinite Capabilities

Expand Down Expand Up @@ -533,23 +556,3 @@ xref:section_cap_encoding[xrefstyle=short].
This gives useful guarantees, such that if an executed instruction is in
<<pcc>> bounds, then it is also guaranteed that the next linear instruction
is _representable_.

[#section_cap_malformed]
=== Malformed Capability Bounds

A capability is _malformed_ if its encoding does not describe a valid
capability because its bounds cannot be correctly decoded. The following check
indicates whether a capability is malformed.

```
malformedMSB = (E == CAP_MAX_E && B[MW - 1:MW - 2] != 0)
|| (E == CAP_MAX_E - 1 && B[MW - 1] != 0)
malformedLSB = (E < 0)
malformed = !EF && (malformedMSB || malformedLSB)
```

NOTE: The check is for malformed _bounds_, so it does not include reserved
bits!

Capabilities with malformed bounds are always invalid anywhere in the system
i.e. their tags are always 0.

0 comments on commit c78a270

Please sign in to comment.