Version 1.0 Release

@rmn30 released this 03 Nov 12:19 · 8 commits to main since this release · commit b9e7ab7

First stable release of the CHERIoT Architecture, as implemented in the CHERIoT-Ibex 1.0 Release. The following changes have been made since 0.5 (the original public release, MSR-TR-2023-6):

  • Issue #20, PR #26 Capability stores now clear the tag of the stored value instead of raising an exception on a store-local violation (i.e., an attempt to store a non-global capability via a capability without the store-local permission). Tag clearing is preferable for software because it removes the possibility of a trap when copying untrusted inputs. It is also likely easier to implement in hardware. The capability exception code that was previously used for this (0x16) is now reserved.
  • PR #33 The relocations for AUICGP and AUIPCC are unified and the CHERIoT-specific relocations are now named with CHERIOT, rather than CHERI, as the prefix.
  • Issue #23, Issue #18, PR #37 Jumps and branches no longer include bounds checks. Instead, any PCC bounds error will be detected on the subsequent instruction fetch at the target. To avoid problems with unrepresentable capabilities the tag of the value stored in EPCC is cleared for instruction fetch bounds exceptions.
  • Issue #30, PR #37 Validate MEPCC and MTCC on write. If either of these is written with a sealed or non-executable capability then the tag is cleared. If the least significant bit of MEPCC.address is set on write then it is cleared and the tag is cleared. If either of the two least significant bits of MTCC.address is set on write then they are cleared and the tag is cleared. This simplifies both the ISA and the hardware and avoids potential violations of capability monotonicity due to mtvec and mepc legalization. Vectored interrupt mode is explicitly unsupported.
  • PR #38 Fix reversed T and B fields in the capability encoding diagram (Figure 7.2). There was an inconsistency between the Sail implementation and this document about the locations of the T and B fields in the capability encoding. The document had the T and B fields swapped compared to the Sail (which matches the Ibex implementation), so we treat the Sail as canonical and update the document to match, i.e., B is in bits 0 to 8 of the metadata word and T is in bits 9 to 17.
  • PR #44 Fix two long-standing nits regarding transitive permissions:
    • Issue #13 If we clear the tag on a loaded capability because the authority lacks PERMIT_LOAD_STORE_CAPABILITY, we do not also attenuate the loaded capability’s permissions as per PERMIT_LOAD_GLOBAL and PERMIT_LOAD_MUTABLE, as the result is an untagged bit pattern anyway. The old behavior may have been confusing to humans or debuggers.
    • Issue #14 When loading a sealed capability through an authority lacking PERMIT_LOAD_GLOBAL, the loaded capability will lack GLOBAL but will retain PERMIT_LOAD_GLOBAL if present under seal. This is more in line with our handling of PERMIT_LOAD_MUTABLE, which does not modify sealed capabilities. Software accepting sealed capabilities must be prepared to receive local (that is, GLOBAL-lacking) variants, even if none were ever explicitly constructed.
  • Issue #15, PR #49 Document stack high water mark. Make it explicitly 16-byte aligned and point out the unaligned write spanning mshwmb corner case, which we do not require hardware to handle.
  • PR #54 Create backward sentries for function returns and add more checks in CJAL. Because CHERIoT allows manipulating interrupt status through a function call (and function return) by encoding the interrupt type in the otype, the following attack can occur: a caller calling an interrupt-disabling callee can set the return sentry of the callee to the same callee. This means the callee will call itself on return, all the while operating with interrupts disabled. This leads to infinitely repeated calls to the callee with interrupts disabled, violating availability. This attack can be prevented in CHERIoT by adding two new “backwards-edge” sentries and adding more checks on CJALR.
    • Issue #85, PR #86 Relaxes the original change to better support code outlining, by allowing CJALR to create unsealed return addresses when its (output) link register is not CRA. See the discussion in Section 7.13.2.
  • Issue #71, PR #87 CUnseal now no longer requires exact equality between sealed input otype and authority address. Instead, it merely requires that the otype of the sealed input is within bounds to yield a tagged result. The address of a sealing-root capability is now meaningful only to CSeal.
  • Issue #72, PR #74 Introduce CSetBoundsRoundDown to facilitate constructing representable slices of buffers.
  • Issue #70, PR #83 CAndPerm can now clear GLOBAL on sealed caps, so long as that is the only bit being cleared. Previously, this was possible by round-tripping through memory, loading back through an authority lacking PERMIT_LOAD_GLOBAL (recall PR #44 and Issue #14 above), but not directly as a register-to-register operation. Presently, we require that the mask provided to CAndPerm be all-1s except possibly GLOBAL; that is, feeding the result of CGetPerm on a sealed capability to CAndPerm will still clear the tag of the result.
  • PR #97 Introduce the CHERIOT_CCALL relocation. This addresses difficulties with relaxation of compartment call relocations as per CHERIoT-Platform/llvm-project/pull/114.
  • PR #104, PR #105 Modify the scalar calling convention ABI to more efficiently use capability registers for small records and 64-bit floating values.
  • PR #112 Change LLVM attribute prefix from cheri_ to cheriot_.
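Several of the items above (Issue #20, PR #44 with Issues #13 and #14, Issue #71 and Issue #70) describe permission rules whose effect is easiest to see on concrete capability values. The following Python model is an added example written for this page; it is not the CHERIoT Sail specification or the Ibex implementation. The `Capability` class, the permission names, the treatment of otype 0 as "unsealed", and the helper functions are simplifications chosen for illustration, and the model covers only the rules the release notes discuss (it omits bounds representability, other permissions, and the remaining checks each instruction performs).

```python
"""Toy model (added example, not CHERIoT's own code) of capability-permission
rules described in the 1.0 release notes: Issue #20 (store-local violations
clear the tag), PR #44 / Issues #13 and #14 (transitive load permissions),
Issue #71 (CUnseal bounds check) and Issue #70 (CAndPerm on sealed caps).
Permission names, field layout and helper names are this example's own."""
from dataclasses import dataclass, replace
from typing import FrozenSet

# Subset of the architectural permissions, named as in the release notes.
GLOBAL = "GLOBAL"
PERMIT_LOAD = "PERMIT_LOAD"
PERMIT_STORE = "PERMIT_STORE"
PERMIT_LOAD_STORE_CAPABILITY = "PERMIT_LOAD_STORE_CAPABILITY"
PERMIT_LOAD_GLOBAL = "PERMIT_LOAD_GLOBAL"
PERMIT_LOAD_MUTABLE = "PERMIT_LOAD_MUTABLE"
PERMIT_STORE_LOCAL_CAPABILITY = "PERMIT_STORE_LOCAL_CAPABILITY"
PERMIT_UNSEAL = "PERMIT_UNSEAL"
ALL_PERMS: FrozenSet[str] = frozenset({
    GLOBAL, PERMIT_LOAD, PERMIT_STORE, PERMIT_LOAD_STORE_CAPABILITY,
    PERMIT_LOAD_GLOBAL, PERMIT_LOAD_MUTABLE, PERMIT_STORE_LOCAL_CAPABILITY,
    PERMIT_UNSEAL})


@dataclass(frozen=True)
class Capability:
    tag: bool
    base: int
    top: int            # exclusive upper bound
    address: int
    perms: FrozenSet[str]
    otype: int = 0      # simplification: otype 0 means "unsealed"

    @property
    def sealed(self) -> bool:
        return self.otype != 0

    def without(self, *lost: str) -> "Capability":
        return replace(self, perms=self.perms - frozenset(lost))


def store_capability(auth: Capability, value: Capability) -> Capability:
    """CSC, Issue #20: storing a tagged non-GLOBAL value through an authority
    lacking the store-local permission clears the stored tag instead of
    trapping (old exception code 0x16).  Returns what lands in memory."""
    if (value.tag and GLOBAL not in value.perms
            and PERMIT_STORE_LOCAL_CAPABILITY not in auth.perms):
        return replace(value, tag=False)
    return value


def load_capability(auth: Capability, loaded: Capability) -> Capability:
    """CLC: transitive permission rules after PR #44."""
    # Issue #13: no capability-load permission -> tag cleared, but the bit
    # pattern is left alone rather than also being attenuated.
    if PERMIT_LOAD_STORE_CAPABILITY not in auth.perms:
        return replace(loaded, tag=False)
    if not loaded.tag:
        return loaded
    result = loaded
    if PERMIT_LOAD_GLOBAL not in auth.perms:
        # Issue #14: the loaded value becomes local.  Only an unsealed value
        # also loses PERMIT_LOAD_GLOBAL; a sealed one keeps it under seal.
        result = result.without(GLOBAL)
        if not loaded.sealed:
            result = result.without(PERMIT_LOAD_GLOBAL)
    if PERMIT_LOAD_MUTABLE not in auth.perms and not loaded.sealed:
        # Load-mutable attenuation never modifies sealed capabilities.
        result = result.without(PERMIT_STORE, PERMIT_LOAD_MUTABLE)
    return result


def cunseal(sealed_cap: Capability, auth: Capability) -> Capability:
    """CUnseal after Issue #71: the input's otype must lie within the
    authority's bounds (it need not equal the authority's address) for the
    result to be tagged; otherwise the unsealed result is untagged."""
    ok = (sealed_cap.tag and sealed_cap.sealed and auth.tag
          and not auth.sealed and PERMIT_UNSEAL in auth.perms
          and auth.base <= sealed_cap.otype < auth.top)
    return replace(sealed_cap, otype=0, tag=ok)


def candperm(cap: Capability, mask: FrozenSet[str]) -> Capability:
    """CAndPerm after Issue #70: on a sealed capability the mask may clear
    GLOBAL and nothing else; clearing any other bit clears the tag."""
    result = replace(cap, perms=cap.perms & mask)
    if cap.sealed and (ALL_PERMS - mask) - {GLOBAL}:
        return replace(result, tag=False)
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from any real binary.
    local = Capability(True, 0, 16, 0, ALL_PERMS - {GLOBAL})
    no_sl = Capability(True, 0, 4096, 0, ALL_PERMS - {PERMIT_STORE_LOCAL_CAPABILITY})
    print("store-local violation keeps tag:", store_capability(no_sl, local).tag)
    sealed = Capability(True, 0, 16, 0, ALL_PERMS, otype=9)
    root = Capability(True, 8, 12, 10, frozenset({PERMIT_UNSEAL}))
    print("unseal with otype in bounds:", cunseal(sealed, root).tag)
```

Running the block prints `False` for the store-local case (the value reaches memory untagged) and `True` for the unseal case, because otype 9 lies within the root's bounds [8, 12) even though the root's address is 10; under the pre-Issue #71 exact-equality rule that unseal would have failed.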