(Go: >> BACK << -|- >> HOME <<)
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generic hardware revocation support? #254

Open
jonwoodruff opened this issue May 17, 2024 · 1 comment
Open

Generic hardware revocation support? #254

jonwoodruff opened this issue May 17, 2024 · 1 comment

Comments

@jonwoodruff
Copy link
Contributor
jonwoodruff commented May 17, 2024
edited
Loading

It is possible that CHERI-RISC-V implementations may have hardware acceleration for revocation, and it would be nice to have a generic extension that supports several strategies of hardware temporal safety/revocation acceleration.

For example, CHERIoT supports a hardware revocation bitmap such that, when memory is marked in the bitmap as "revoked", all capabilities that are loaded henceforth whose base points into the revoked range will have their tags cleared. This has the property that the revoked memory becomes instantly impossible to reference.

In addition, one could imagine a DMA engine that sweeps memory, performing "capability revoked" checks concurrent to the main CPU.

In the way of an example, potentially, such an extension might allow incrementing the generation in a CSR, and indicating areas of revoked memory using an instruction with a capability operand that points to the range of addresses to be freed/revoked. The architecture might guarantee (either by hardware or m-mode software) that objects marked as revoked in generation - 2 is available to reuse. (Generation-1 would be "being swept/revoked now", and current generation is still being marked.) An architecture similar to CHERIoT would need hardware support for painting the shadow map corresponding to the addresses in the capability presented in the new instruction.

Care might be taken to ensure that memory can be considered free to reuse without having to start another sweep, as the above design indicates. Maybe a "all revocations done" CSR flag would do the trick, letting you know that Generation-1 is free to reuse.
@davidchisnall
Copy link

For big cores, this absolutely does not want to be part of the core ISA. It is most likely to be implemented in the hardware data mover and so should not be specified until that has been specified architecturally (e.g. Intel QAT).

The CHERIoT design originated from scaling down a design for a 128-core system with CHERI, MTE, and a hardware data mover. The composition with MTE-like tagging is an important step because it means that all revocation state is architectural (expressed in the capability, memory colouring, or page-table state). Even then, there are a lot of subtle corner cases and there are some interesting implications on the memory model.

If you want to get to hardware revocation for MMU systems, start with memory colouring. Make sure you add the atomic decrement colour and check if zero instruction.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davidchisnall @jonwoodruff