{load, store}Capability permissions not used

[atrieu]

Hi,

Thanks for open-sourcing this project. While reading the files and trying to understand the project structure, I noticed that the {load, store}Capability permissions are not used, therefore it seems possible to load/store a capability from/to memory without having the corresponding permission.

I believe a fix would be to add the following checks in the capCheck function.

      } elsewhen (operation === LsuOperationType.LOAD && stage.value(Data.LOAD_CAP) && !cap.perms.load && !cap.perms.loadCapability) {
        except(ExceptionCause.PermitLoadCapabilityViolation)
      } elsewhen (operation === LsuOperationType.STORE && stage.value(Data.STORE_CAP) && !cap.perms.store && !cap.perms.storeCapability) {
        except(ExceptionCause.PermitStoreCapabilityViolation)

I can open a PR if that's the correct fix. I'm not sure how to test and run programs using capabilities as it's not documented, do you have any guides ?

[martonbognar]

Thank you for raising this issue!

Unfortunately, the person who originally implemented the capability extensions is no longer working with us, so I will have to reverse engineer some things here. It would be great if we could document this a bit better (and fix potential issues), so all comments and suggestions are very welcome!

After a short discussion with @otenkosol2, he thinks you might be right about the issue and should maybe even simplify it like:

} elsewhen (operation === LsuOperationType.LOAD && stage.value(Data.LOAD_CAP) && !cap.perms.loadCapability {
    ...

About testing the implementation: there are some capability-specific tests in the src/main/scala/riscv/plugins/cheri/tests directory, you can run these from the root folder with:

make -C tests/ CUSTOM_TESTS_DIR=../src/main/scala/riscv/plugins/cheri/tests/

I suspect that before this, you need to install a CHERI-LLVM toolchain and replace the path for clang in src/main/scala/riscv/plugins/cheri/tests/Makefile.include. However, I can't get the tests to compile; depending on the compilation flags used I get either error: instruction requires the following: Not Capability Mode or error: instruction requires the following: Capability Mode for different instructions. If you maybe have an idea what's going wrong there, that would be great! :)

[atrieu]

Thanks for the information!

Yes, Thomas is right, the load permission can be removed from the condition since it would already be checked earlier. I just kept it for completeness since the CHERI specification says that the loadCapability permission requires the load permission.

All tests pass except for Pcc.S and Scr.S which I also do not manage to compile with the same error instruction requires the following: Capability Mode :/ I have no idea what that means either unfortunately.

I will try to make a PR in the next few days with some documentation/comments I have written while trying to understand the code.

[martonbognar]

I think sticking to the specification might make sense for these checks if you think it helps clarity (of course, it might come with a small hardware overhead if it doesn't get optimized away).

Too bad about the failing tests, but thanks for your effort! Looking forward to the PR!