1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
|
------------------------------------------------------------------------------
-- --
-- GNAT COMPILER COMPONENTS --
-- --
-- I N T E R F A C E S . C H E R I --
-- --
-- S p e c --
-- --
-- Copyright (C) 2023-2024, AdaCore --
-- --
-- GNAT is free software; you can redistribute it and/or modify it under --
-- terms of the GNU General Public License as published by the Free Soft- --
-- ware Foundation; either version 3, or (at your option) any later ver- --
-- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE. --
-- --
-- As a special exception under Section 7 of GPL version 3, you are granted --
-- additional permissions described in the GCC Runtime Library Exception, --
-- version 3.1, as published by the Free Software Foundation. --
-- --
-- You should have received a copy of the GNU General Public License and --
-- a copy of the GCC Runtime Library Exception along with this program; --
-- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see --
-- <http://www.gnu.org/licenses/>. --
-- --
-- GNAT was originally developed by the GNAT team at New York University. --
-- Extensive contributions were provided by Ada Core Technologies Inc. --
-- --
------------------------------------------------------------------------------
-- This package provides bindings to CHERI intrinsics and some common
-- operations on capabilities.
with System;
with System.Storage_Elements;
package Interfaces.CHERI with
Preelaborate,
No_Elaboration_Code_All
is
use type System.Storage_Elements.Integer_Address;
subtype Capability is System.Address;
type Bounds_Length is range 0 .. System.Memory_Size - 1 with
Size => System.Word_Size;
----------------------------
-- Capability Permissions --
----------------------------
type Permissions_Mask is mod System.Memory_Size with
Size => System.Word_Size;
Global : constant Permissions_Mask := 16#0001#;
Executive : constant Permissions_Mask := 16#0002#;
Mutable_Load : constant Permissions_Mask := 16#0040#;
Compartment_Id : constant Permissions_Mask := 16#0080#;
Branch_Sealed_Pair : constant Permissions_Mask := 16#0100#;
Access_System_Registers : constant Permissions_Mask := 16#0200#;
Permit_Unseal : constant Permissions_Mask := 16#0400#;
Permit_Seal : constant Permissions_Mask := 16#0800#;
Permit_Store_Local : constant Permissions_Mask := 16#1000#;
Permit_Store_Capability : constant Permissions_Mask := 16#2000#;
Permit_Load_Capability : constant Permissions_Mask := 16#4000#;
Permit_Execute : constant Permissions_Mask := 16#8000#;
Permit_Store : constant Permissions_Mask := 16#1_0000#;
Permit_Load : constant Permissions_Mask := 16#2_0000#;
function "and"
(Cap : Capability;
Mask : Permissions_Mask)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_perms_and";
-- Perform a bitwise-AND of a capability permissions and the specified
-- mask, returning the new capability.
function Get_Permissions (Cap : Capability) return Permissions_Mask with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_perms_get";
-- Get the permissions of a capability
function Clear_Permissions
(Cap : Capability;
Mask : Permissions_Mask)
return Capability is
(Cap and not Mask);
-- Clear the specified permissions of a capability, returning the new
-- capability.
function Has_All_Permissions
(Cap : Capability;
Permissions : Permissions_Mask)
return Boolean is
((Get_Permissions (Cap) and Permissions) = Permissions);
-- Query whether all of the specified permission bits are set in a
-- capability's permissions flags.
-----------------------
-- Common Intrinsics --
-----------------------
function Capability_With_Address
(Cap : Capability;
Addr : System.Storage_Elements.Integer_Address)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_address_set";
-- Return a new capability with the same bounds and permissions as Cap,
-- with the address set to Addr.
function Get_Address
(Cap : Capability)
return System.Storage_Elements.Integer_Address
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_address_get";
-- Get the address of a capability
procedure Set_Address
(Cap : in out Capability;
Addr : System.Storage_Elements.Integer_Address)
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_address_set";
-- Set the address of a capability
function Get_Base
(Cap : Capability)
return System.Storage_Elements.Integer_Address
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_base_get";
-- Get the lower bound of a capability
function Get_Offset (Cap : Capability) return Bounds_Length with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_offset_get";
-- Get the difference between the address and the lower bound of a
-- capability.
procedure Set_Offset
(Cap : in out Capability;
Offset : Bounds_Length)
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_offset_set";
-- Set the address relative to the lower bound of a capability
function Capability_With_Offset
(Cap : Capability;
Value : Bounds_Length)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_offset_set";
-- Set the address relative to the lower bound of a capability, returning
-- the new capability.
function Increment_Offset
(Cap : Capability;
Value : Bounds_Length)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_offset_increment";
-- Increment the address of a capability by the specified amount,
-- returning the new capability.
function Get_Length (Cap : Capability) return Bounds_Length with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_length_get";
-- Get the length of a capability's bounds
function Clear_Tag (Cap : Capability) return Capability with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_tag_clear";
-- Clear the capability validity tag, returning the new capability
function Get_Tag (Cap : Capability) return Boolean with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_tag_get";
-- Get the validty tag of a capability
function Is_Valid (Cap : Capability) return Boolean is (Get_Tag (Cap));
-- Check whether a capability is valid
function Is_Invalid (Cap : Capability) return Boolean is
(not Is_Valid (Cap));
-- Check whether a capability is invalid
function Is_Equal_Exact (A, B : Capability) return Boolean with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_equal_exact";
-- Check for bit equality between two capabilities
function Is_Subset (A, B : Capability) return Boolean with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_subset_test";
-- Returns True if capability A is a subset or equal to capability B
--------------------
-- Bounds Setting --
--------------------
function Capability_With_Bounds
(Cap : Capability;
Length : Bounds_Length)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_bounds_set";
-- Narrow the bounds of a capability so that the lower bound is the
-- current address and the upper bound is suitable for the Length,
-- returning the new capability.
--
-- Note that the effective bounds of the returned capability may be wider
-- than the range Get_Address (Cap) .. Get_Address (Cap) + Length - 1 due
-- to capability compression, but they will always be a subset of the
-- original bounds.
function Capability_With_Exact_Bounds
(Cap : Capability;
Length : Bounds_Length)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_bounds_set_exact";
-- Narrow the bounds of a capability so that the lower bound is the
-- current address and the upper bound is suitable for the Length,
-- returning the new capability.
--
-- This is similar to Capability_With_Bounds but will clear the capability
-- tag in the returned capability if the bounds cannot be set exactly, due
-- to capability compression.
function Capability_With_Address_And_Bounds
(Cap : Capability;
Address : System.Storage_Elements.Integer_Address;
Length : Bounds_Length)
return Capability is
(Capability_With_Bounds
(Capability_With_Address (Cap, Address), Length));
-- Set the address and narrow the bounds of the capability so that the
-- lower bound is Address and the upper bound is Address + Length,
-- returning the new capability.
--
-- Note that the effective bounds of the returned capability may be wider
-- than the range Address .. Address + Length - 1 due to capability
-- compression, but they will always be a subset of the original bounds.
function Capability_With_Address_And_Exact_Bounds
(Cap : Capability;
Address : System.Storage_Elements.Integer_Address;
Length : Bounds_Length)
return Capability is
(Capability_With_Exact_Bounds
(Capability_With_Address (Cap, Address), Length));
-- Set the address and narrow the bounds of the capability so that the
-- lower bound is Address and the upper bound is Address + Length,
-- returning the new capability.
--
-- This is similar to Capability_With_Address_And_Bounds but will clear the
-- capability tag in the returned capability if the bounds cannot be set
-- exactly, due to capability compression.
procedure Set_Bounds
(Cap : in out Capability;
Length : Bounds_Length)
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_bounds_set";
-- Narrow the bounds of a capability so that the lower bound is the
-- current address and the upper bound is suitable for the Length.
--
-- Note that the effective bounds of the output capability may be wider
-- than the range Get_Address (Cap) .. Get_Address (Cap) + Length - 1 due
-- to capability compression, but they will always be a subset of the
-- original bounds.
procedure Set_Exact_Bounds
(Cap : in out Capability;
Length : Bounds_Length)
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_bounds_set_exact";
-- Narrow the bounds of a capability so that the lower bound is the
-- current address and the upper bound is suitable for the Length.
--
-- This is similar to Set_Bounds but will clear the capability tag if the
-- bounds cannot be set exactly, due to capability compression.
procedure Set_Address_And_Bounds
(Cap : in out Capability;
Address : System.Storage_Elements.Integer_Address;
Length : Bounds_Length)
with
Inline_Always;
-- Set the address and narrow the bounds of the capability so that the
-- lower bound is Address and the upper bound is Address + Length.
--
-- Note that the effective bounds of the output capability may be wider
-- than the range Address .. Address + Length - 1 due to capability
-- compression, but they will always be a subset of the original bounds.
procedure Set_Address_And_Exact_Bounds
(Cap : in out Capability;
Address : System.Storage_Elements.Integer_Address;
Length : Bounds_Length)
with
Inline_Always;
-- Set the address and narrow the bounds of the capability so that the
-- lower bound is Address and the upper bound is Address + Length.
--
-- This is similar to Set_Address_And_Bounds but will clear the capability
-- tag if the bounds cannot be set exactly, due to capability compression.
function Representable_Length (Length : Bounds_Length) return Bounds_Length
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_round_representable_length";
-- Returns the length that a capability would have after using Set_Bounds
-- to set the Length (assuming appropriate alignment of the base).
function Representable_Alignment_Mask
(Length : Bounds_Length)
return System.Storage_Elements.Integer_Address
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_representable_alignment_mask";
-- Returns a bitmask that can be used to align an address downwards such
-- that it is sufficiently aligned to create a precisely bounded
-- capability.
function Align_Address_Down
(Address : System.Storage_Elements.Integer_Address;
Length : Bounds_Length)
return System.Storage_Elements.Integer_Address is
(Address and Representable_Alignment_Mask (Length));
-- Align an address such that it is sufficiently aligned to create a
-- precisely bounded capability, rounding down if necessary.
--
-- Due to capability compression, the upper and lower bounds of a
-- capability must be aligned based on the length of the bounds to ensure
-- that the capability is representable. This function aligns an address
-- down to the next boundary if it is not already aligned.
function Capability_With_Address_Aligned_Down
(Cap : Capability;
Length : Bounds_Length)
return Capability is
(Capability_With_Address
(Cap, Align_Address_Down (Get_Address (Cap), Length)));
-- Align a capability's address such that it is sufficiently aligned to
-- create a precisely bounded capability, rounding down if necessary.
--
-- Due to capability compression, the upper and lower bounds of a
-- capability must be aligned based on the length of the bounds to ensure
-- that the capability is representable. This function aligns an address
-- down to the next boundary if it is not already aligned.
function Align_Address_Up
(Address : System.Storage_Elements.Integer_Address;
Length : Bounds_Length)
return System.Storage_Elements.Integer_Address
with
Inline;
-- Align an address such that it is sufficiently aligned to create a
-- precisely bounded capability, rounding upwards if necessary.
--
-- Due to capability compression, the upper and lower bounds of a
-- capability must be aligned based on the length of the bounds to ensure
-- that the capability is representable. This function aligns an address up
-- to the next boundary if it is not already aligned.
function Capability_With_Address_Aligned_Up
(Cap : Capability;
Length : Bounds_Length)
return Capability is
(Capability_With_Address
(Cap, Align_Address_Up (Get_Address (Cap), Length)));
-- Align a capability's address such that it is sufficiently aligned to
-- create a precisely bounded capability, rounding upwards if necessary.
--
-- Due to capability compression, the upper and lower bounds of a
-- capability must be aligned based on the length of the bounds to ensure
-- that the capability is representable. This function aligns an address up
-- to the next boundary if it is not already aligned.
------------------------------------------
-- Object Types, Sealing, and Unsealing --
------------------------------------------
type Object_Type is
range -2**(System.Word_Size - 1) .. +2**(System.Word_Size - 1) - 1 with
Size => System.Word_Size;
Type_Unsealed : constant Object_Type := 0;
Type_Sentry : constant Object_Type := 1;
function Get_Object_Type (Cap : Capability) return Object_Type with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_type_get";
-- Get the object type of a capability
function Is_Sealed (Cap : Capability) return Boolean with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_sealed_get";
-- Check whether a capability is sealed
function Is_Unsealed (Cap : Capability) return Boolean is
(not Is_Sealed (Cap));
-- Check whether a capability is unsealed
function Is_Sentry (Cap : Capability) return Boolean is
(Get_Object_Type (Cap) = Type_Sentry);
-- Check whether a capability is a sealed entry
function Create_Sentry (Cap : Capability) return Capability with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_seal_entry";
-- Create a sealed entry and return the new capability.
function Seal
(Cap : Capability;
Sealing_Cap : Capability)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_seal";
-- Seal a capability with a sealing capability, by setting the object type
-- of the capability to the Sealing_Cap's value, returning the sealed
-- capability.
function Unseal
(Cap : Capability;
Unsealing_Cap : Capability)
return Capability
with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_unseal";
-- Unseal a capability with an unsealing capability, by checking the object
-- type of the capability against the Sealing_Cap's value, returning the
-- unsealed capability.
-----------------------------------
-- Capability Register Accessors --
-----------------------------------
function Get_PCC return System.Address with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_program_counter_get";
-- Get the Program Counter Capablity (PCC)
function Get_DDC return System.Address with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_global_data_get";
-- Get the Default Data Capability (DDC)
function Get_CSP return System.Address with
Import, Convention => Intrinsic,
External_Name => "__builtin_cheri_stack_get";
-- Get the Capability Stack Pointer (CSP)
---------------------------
-- Capability Exceptions --
---------------------------
Capability_Bound_Error : exception;
-- An out-of-bounds access was attempted
Capability_Permission_Error : exception;
-- An attempted access exceeded the permissions granted by a capability
Capability_Sealed_Error : exception;
-- A sealed capability was dereferenced
Capability_Tag_Error : exception;
-- An invalid capability was dereferenced
end Interfaces.CHERI;
|
