Exception caused when SS instructions access non-SS pages #178

Merged
merged 2 commits into from
Nov 4, 2023
42 changes: 24 additions & 18 deletions cfi_backward.adoc
Expand Up @@ -786,15 +786,18 @@ page. When `menvcfg.SSE=0`, this encoding remains reserved. When `V=1` and

The following faults may occur:

. If the accessed page is a shadow stack page:
. If the accessed page is a shadow stack page (`pte.xwr=010b`):
.. Stores other than `SSAMOSWAP`, `SSPUSH`, and `C.SSPUSH` cause store/AMO
access-fault exception.
.. Implicit accesses cause an access-fault exception corresponding to the
original access type.
. If the accessed page is not a shadow stack page or if the page is in
non-idempotent memory:
. If the accessed page is read-write (`pte.xwr=?11b`) or execute-only
(`pte.xwr=100b`) page or if the page is in non-idempotent memory:
.. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO access-fault.
.. `C.SSPOPCHK` and `SSPOPCHK` cause a load access-fault.
. If the accessed page has read-only (`pte.xwr=001b`) permissions:
.. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO page-fault.
.. `C.SSPOPCHK` and `SSPOPCHK` cause a load page-fault.

[NOTE]
====
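Review bot: The rewritten enumeration leaves two leaf encodings without a defined outcome: the second case covers `pte.xwr=?11b` and `100b` and the third covers `001b`, but a read-execute page (`pte.xwr=101b`) and the reserved `110b` encoding fall under none of the bullets, whereas the old wording ("not a shadow stack page") caught everything. Suggest phrasing the access-fault case as the complement, e.g. "If the accessed page is neither a shadow stack page (`pte.xwr=010b`) nor a read-only page (`pte.xwr=001b`), or if the page is in non-idempotent memory:", so that every encoding maps to exactly one of the three cases. Minor: "is read-write (`pte.xwr=?11b`) or execute-only (`pte.xwr=100b`) page" reads better as "is a read-write (`pte.xwr=?11b`) or an execute-only (`pte.xwr=100b`) page".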
Expand All @@ -818,9 +821,15 @@ On implementations where address-misaligned exception is prioritized higher than
access-fault exception, a trap handler that emulates misaligned stores must
cause an access-fault exception if store is being made to a shadow stack page.

Shadow stack instructions cause an access-fault if the accessed page is not a
shadow stack page or if the page is in non-idempotent memory to similarly
indicate fatality.
Shadow stack instructions cause an access-fault if the accessed page is
read-writeable or is executable or if the page is in non-idempotent memory to
similarly indicate fatality.

Shadow stack instructions cause a page-fault if the accessed page is read-only
to support copy-on-write (COW) of a shadow stack page. If the page had been
marked as read-only due to the page being tracked for COW, the page fault
handler, in response to the page fault, creates a copy of the page and updates
the `pte.xwr` to `010b` to designate the each copy as a shadow stack page.

While the specification mandates that an access-fault exception shall be
generated when either single-stage or VS-stage address translation is invoked
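Review bot: The COW paragraph says what the page-fault handler does when the page was read-only because it is being tracked for COW, but not the other case, which is the one that matters for containment: a shadow stack instruction faulting on a read-only page that is not COW-tracked should be treated by the handler as a fatal error rather than silently resolved, and the text would benefit from saying so. Typo in "to designate the each copy as a shadow stack page" (drop "the"). For consistency with the `pte.xwr=?11b` wording used in the fault enumeration, "read-writeable" should read "read-write".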
Expand All @@ -847,14 +856,14 @@ cite:[PRIV] is modified as follows:
PAGESIZE` and go to step 2.

5. A leaf PTE has been found. If the memory access is by a shadow stack
instruction and `pte.xwr != 010b`, then cause an access-fault exception
corresponding to the access type. If the memory access is either a
non-shadow-stack store/AMO or an implicit access, and `pte.xwr == 010b`, then
an access-fault exception is raised, corresponding to the original access type.
If the requested memory access is not allowed by the `pte.r`, `pte.w`, `pte.x`,
and `pte.u` bits, given the current privilege mode and the value of the `SUM`
and `MXR` fields of the `mstatus` register, stop and raise a page-fault
exception corresponding to the original access type.
instruction and `pte.xwr != 010b` or `pte.xwr != 001b`, then cause an
access-fault exception corresponding to the access type. If the memory access
is either a non-shadow-stack store/AMO or an implicit access, and
`pte.xwr == 010b`, then cause an access-fault exception corresponding to the
original access type. If the requested memory access is not allowed by the
`pte.r`, `pte.w`, `pte.x`, and `pte.u` bits, given the current privilege mode
and the value of the `SUM` and `MXR` fields of the `mstatus` register, stop
and raise a page-fault exception corresponding to the original access type.

The PMA checks are extended to require memory referenced by `SSAMOSWAP`, `SSPUSH`,
`C.SSPUSH`, `C.SSPOPCHK`, and `SSPOPCHK` to be idempotent.
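Review bot: The condition "`pte.xwr != 010b` or `pte.xwr != 001b`" is always true (every encoding differs from at least one of the two values), so as written every shadow stack access raises an access-fault, including accesses to a genuine shadow stack page; it should be "`pte.xwr != 010b` and `pte.xwr != 001b`" (or "`pte.xwr` is neither `010b` nor `001b`"). Separately, once a read-only (`001b`) page falls through to the generic `pte.r`, `pte.w`, `pte.x`, `pte.u` check, a `SSPOPCHK` or `C.SSPOPCHK` load is permitted by `pte.r=1` and no fault is raised at all, which contradicts the load page-fault this change specifies for read-only pages in the fault enumeration above. Step 5 needs an explicit clause, e.g. "If the memory access is by a shadow stack instruction and `pte.xwr == 001b`, then stop and raise a page-fault exception corresponding to the access type."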
Expand All @@ -881,10 +890,7 @@ Shadow stacks are expected to be bounded on each end using guard pages, so that
no two shadow stacks are adjacent to each other. This guards against accidentally
underflowing or overflowing from one shadow stack to another. Traditionally,
a guard page for a stack is a page that is inaccessible to the process owning
the stack. For shadow stacks, the guard page may also be a non-shadow-stack
page that is otherwise accessible to the process owning the shadow stack
because shadow stack loads and stores to non-shadow-stack pages cause an
access-fault exception.
the stack.
====

The G-stage address translation and protections remain unaffected by the Zicfiss
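Review bot: Dropping the sentence that allowed an ordinary accessible page to serve as a guard page is the right call now that a read-only page yields a page-fault rather than an access-fault, but the remaining text no longer says what a shadow stack guard page should be. Suggest stating explicitly that guard pages for shadow stacks must be inaccessible to the process and in particular must not be read-only (`pte.xwr=001b`) pages, since a page-fault on such a page could be mistaken by a COW-aware handler for a legitimate copy-on-write of the shadow stack and resolved instead of being reported.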