Apparatus and method for interpreting permissions associated with capabilities
Note: this technology, "Apparatus and method for interpreting permissions associated with capabilities", was created by Graeme Peter Barnes (格雷姆·彼得·巴尔内斯) on 2018-04-27. Abstract: Apparatus and methods for interpreting permissions associated with capabilities are provided. The apparatus has processing circuitry to execute instructions to perform operations, and a capability storage component accessible by the processing circuitry and arranged to store a capability for constraining at least one operation performed by the processing circuitry when executing the instructions. The capability identifies a number N of default permissions, the states of which are determined from N permission flags provided in the capability according to a default interpretation. Under the default interpretation, each permission flag is associated with one of the default permissions. The processing circuitry is then arranged to analyze the capability according to an alternative interpretation so as to derive the state of an extended set of permissions from a logical combination of the N permission flags, where the extended set includes at least N+1 permissions. This provides a mechanism for encoding additional permissions into the capability without increasing the number of permission flags required, while still maintaining the desired behaviour.
1. An apparatus, comprising:
processing circuitry to execute instructions to perform operations; and
a capability storage component accessible by the processing circuitry and arranged to store a capability for constraining at least one operation performed by the processing circuitry when executing the instructions, the capability identifying a number N of default permissions, the state of the default permissions being determined from N permission flags provided in the capability according to a default interpretation, each permission flag being associated with one of the default permissions according to the default interpretation;
wherein the processing circuitry is arranged to analyze the capability according to an alternative interpretation to derive a state of an extended set of permissions from a logical combination of the N permission flags, the extended set comprising at least N+1 permissions.
2. The apparatus of claim 1, wherein the extended set of permissions includes the N default permissions and at least one additional permission.
3. The apparatus of claim 1 or 2, wherein, subject to any override control information, the processing circuitry is granted a permission for the capability when that permission has a set state, and is denied that permission for the capability when it has a clear state.
4. The apparatus of any of claims 1-3, wherein the extended set of permissions includes a modifiable permission which, when in a clear state, indicates that the capability cannot be modified by one or more capability modification instructions.
5. The apparatus of claim 4, wherein the modifiable permission, when in a set state, allows the N permission flags provided in the capability to transition from a set value to a clear value, subject to any override control information that prevents modification.
6. The apparatus of any preceding claim, wherein the N default permissions comprise:
one or more memory access permissions, each identifying, when in a clear state, that the capability is prevented from being used by one or more memory access operations to access data in memory; and
an executable permission identifying, when in a clear state, that the capability is prevented from being used to fetch instructions from memory when forming a program counter capability.
7. The apparatus of claim 6, wherein the one or more memory access permissions comprise: at least one write permission identifying whether the capability is prevented from performing at least one type of write operation to the memory; and at least one read permission identifying whether the capability is prevented from performing at least one type of read operation from the memory.
8. The apparatus of any preceding claim when dependent on claim 4, wherein:
the default permissions include an executable permission identifying, when in a clear state, that the capability is prevented from being used as a program counter capability for fetching instructions from the memory; and
according to the alternative interpretation of the N permission flags, the capability is prevented from having both the executable permission and the modifiable permission in a set state at the same time.
9. The apparatus of claim 8, wherein:
the default permissions further comprise: at least one write permission identifying whether the capability is prevented from performing at least one type of write operation to the memory; and at least one read permission identifying whether the capability is prevented from performing at least one type of read operation from the memory;
the N permission flags include at least one write bit, at least one read bit, and an execute bit, the values of these bits identifying the state of the at least one write permission, the at least one read permission, and the executable permission, respectively, according to the default interpretation; and
according to the alternative interpretation, the processing circuitry is arranged to determine that the modifiable permission is in the set state when any of the at least one write bit is set or the execute bit is clear.
10. The apparatus of claim 9, wherein:
according to the alternative interpretation, the processing circuitry is arranged to determine that the executable permission is in the set state when the execute bit is set and all of the at least one write bit are clear.
11. The apparatus of claim 9 or 10, wherein:
for each read permission, according to the alternative interpretation, the processing circuitry is arranged to determine that the read permission is in the set state when the associated read bit is set and either the modifiable permission is in the set state or the capability is being used as a program counter capability.
12. The apparatus of any one of claims 9-11, wherein:
the processing circuitry is responsive to executing an address generation instruction to generate a result capability from the program counter capability, and is arranged to clear the execute bit within the result capability.
13. The apparatus of claim 12, wherein when the program counter capability has the execute bit set and all of the at least one write bit clear, clearing the execute bit in the result capability causes the result capability to be treated, according to the alternative interpretation, as having its modifiable permission in the set state and each read permission in the state indicated by its associated read bit.
14. The apparatus of any one of claims 9-13, wherein:
the processing circuitry is responsive to executing a branch with link instruction to generate a return address capability from the program counter capability, such that when the modifiable permission is in the clear state within the program counter capability, the return address capability also has its modifiable permission in the clear state.
15. The apparatus of any of claims 9-14, further comprising:
at least one additional capability storage component, the at least one additional capability storage component together with the capability storage component forming a program counter capability storage component and one or more general purpose capability storage components;
wherein, when a capability stored in one of the one or more general purpose capability storage components has the execute bit set, at least one of the read bits set, and all of the at least one write bit clear, the processing circuitry is constrained, according to the alternative interpretation, to use that capability only to form a new program counter capability to be stored in the program counter capability storage component; and
once the capability is stored in the program counter capability storage component, the new program counter capability is treated according to the alternative interpretation such that each read permission whose associated read bit is set is in the set state, thereby enabling literal values to be read by the processing circuitry from memory.
16. The apparatus of any preceding claim, further comprising:
a configuration storage component to store a configuration value indicating which of the default interpretation and the alternative interpretation is to be applied by the processing circuit.
17. The apparatus of any preceding claim, wherein the capability is a bounded pointer and the permissions are used to control use by the processing circuitry of a pointer value specified within the capability.
18. A method of interpreting permissions associated with a capability in an apparatus, the apparatus comprising: processing circuitry to execute instructions to perform operations; and a capability storage component accessible by the processing circuitry and arranged to store the capability for constraining at least one operation performed by the processing circuitry when executing the instructions, the capability identifying a number N of default permissions, the method comprising:
providing N permission flags within the capability such that a state of the default permissions is determined from the N permission flags according to a default interpretation, each permission flag being associated with one of the default permissions; and
analyzing the capability according to an alternative interpretation to derive a state of an extended set of permissions from a logical combination of the N permission flags, the extended set including at least N+1 permissions.
19. An apparatus, comprising:
processing means for executing instructions to perform operations; and
capability storage component means, accessible by the processing means, for storing a capability for constraining at least one operation performed by the processing means when executing the instructions, the capability identifying a number N of default permissions, the state of the default permissions being determined from N permission flags provided in the capability according to a default interpretation, each permission flag being associated with one of the default permissions according to the default interpretation;
wherein the processing means is arranged to analyze the capability according to an alternative interpretation to derive a state of an extended set of permissions from a logical combination of the N permission flags, the extended set including at least N+1 permissions.
20. A virtual machine computer program comprising program instructions for controlling a host data processing apparatus to provide an instruction execution environment corresponding to the apparatus of any one of claims 1 to 17.
21. A computer-readable storage medium storing the virtual machine computer program of claim 20.
Technical Field
The present disclosure relates to the field of data processing.
Background
Capability-based architectures are of increasing interest. In such architectures, certain capabilities are defined for a given process, and an error may be triggered if an attempt is made to perform an operation outside the defined capabilities. These capabilities may take various forms, but one type of capability is a bounded pointer (which may also be referred to as a "fat pointer").
A plurality of capability storage components (e.g. registers) may be provided for storing capabilities for access by the processing circuitry of the data processing apparatus. Each capability may include a plurality of permission flags identifying one or more permissions associated with the capability, e.g. to limit the use of the capability to certain types of operation of the processing circuitry, certain modes of operation, etc. For example, considering a bounded pointer stored in such a capability storage component, the bounded pointer may identify a non-extendable range of memory addresses accessible by the processing circuitry, together with one or more permission flags identifying the associated permissions. While the processing circuitry may be permitted to take steps to narrow the range and/or clear the permission flags associated with any particular bounded pointer available to it, it is not possible in normal operation to extend the range or set the permission flags in an attempt to increase the capability provided to the processing circuitry by that bounded pointer.
It is desirable to allow the number of permissions associated with a capability to be extended, but the number of bits used to encode the capability is typically constrained, for example by the size of the capability storage component that stores the capability.
Disclosure of Invention
In a first exemplary configuration, an apparatus is provided that includes: processing circuitry to execute instructions to perform operations; and a capability storage component accessible by the processing circuitry and arranged to store a capability for constraining at least one operation performed by the processing circuitry when executing the instructions, the capability identifying a number N of default permissions, the state of the default permissions being determined from N permission flags provided in the capability according to a default interpretation, each permission flag being associated with one of the default permissions according to the default interpretation; the processing circuitry being arranged to analyse the capability according to an alternative interpretation so as to derive a state of an extended set of permissions from a logical combination of the N permission flags, the extended set comprising at least N+1 permissions.
In another exemplary configuration, there is provided a method of interpreting permissions associated with a capability in an apparatus, the apparatus comprising: processing circuitry to execute instructions to perform operations; and a capability storage component accessible by the processing circuitry and arranged to store a capability for constraining at least one operation performed by the processing circuitry when executing said instructions, the capability identifying a number N of default permissions, the method comprising: providing N permission flags within the capability such that a state of the default permissions is determined from the N permission flags according to a default interpretation, each permission flag being associated with one of the default permissions; and analyzing the capability according to an alternative interpretation to derive a state of an extended set of permissions from a logical combination of the N permission flags, the extended set including at least N+1 permissions.
In yet another exemplary configuration, an apparatus is provided, the apparatus comprising: processing means for executing instructions to perform operations; and capability storage component means, accessible by the processing means, for storing a capability for constraining at least one operation performed by the processing means when executing said instructions, the capability identifying a number N of default permissions, the state of the default permissions being determined from N permission flags provided in the capability according to a default interpretation, each permission flag being associated with one of the default permissions according to the default interpretation; the processing means being arranged to analyze the capability according to an alternative interpretation to derive a state of an extended set of permissions from a logical combination of the N permission flags, the extended set including at least N+1 permissions.
In a further exemplary configuration, there is provided a virtual machine computer program comprising program instructions for controlling a host data processing apparatus to provide an instruction execution environment corresponding to the apparatus of the first exemplary configuration described above. In one embodiment, a computer readable storage medium may be provided to store a virtual machine computer program.
Drawings
The present technology will be further described, by way of example only, with reference to embodiments of the present technology as illustrated in the accompanying drawings, in which:
FIG. 1 is a block diagram of an apparatus according to one embodiment;
FIG. 2 illustrates examples of the types of instruction that may trigger an error if an attempt is made to set or access a pointer value within a bounded pointer storage component, where the pointer value is used to specify an address outside the range indicated by the associated range information;
FIG. 3 illustrates the use of flag bits associated with a bounded pointer in accordance with one embodiment;
FIG. 4 is a diagram illustrating permission bits that may be provided within a bounded pointer capability, and the default interpretation of those permission bits, according to one embodiment;
FIG. 5 is a flow diagram showing how the state of the modifiable permission can be determined from the permission bits, depending on whether the default interpretation or the alternative interpretation is being used;
FIG. 6 is a flow diagram showing how the state of the executable permission can be determined from the permission bits, depending on whether the default interpretation or the alternative interpretation is being used;
FIG. 7 is a flow diagram showing how the state of a particular read permission can be determined from the permission bits, depending on whether the default interpretation or the alternative interpretation is being used;
FIG. 8 is a flow diagram showing how the state of a particular write permission can be determined from the permission bits, depending on whether the default interpretation or the alternative interpretation is being used;
FIG. 9 is a table that schematically illustrates the state of an extended set of permissions according to alternate interpretations in one embodiment, as determined according to execute, read, and write permission bits stored within a capability;
FIG. 10 is a state transition diagram indicating allowed state transitions of the read, write, and execute permission bits in one embodiment;
FIG. 11 schematically illustrates operations performed in executing an address generation instruction according to one embodiment;
FIG. 12 schematically illustrates the operation of a branch with link instruction according to one embodiment;
FIG. 13 schematically illustrates execution of a branch instruction according to one embodiment; and
FIG. 14 shows a virtual machine implementation that may be used.
Detailed Description
Before discussing embodiments with reference to the figures, the following description of embodiments is provided.
As previously mentioned, capability-based architectures are becoming increasingly interesting, where certain capabilities are defined for a given process, and if an attempt is made to perform an operation outside the defined capabilities, an error may be triggered. Various types of capabilities may be defined, but one type of capability is a bounded pointer (which in one embodiment combines a pointer value with associated range and permission information).
Devices employing such capability-based architectures will typically have storage components for storing capabilities (also referred to herein as bounded pointer storage components, or more generally capability storage components). The storage components may be registers (also referred to herein as bounded pointer registers or capability registers) and/or may be memory locations in general-purpose memory, such as locations on a stack. Certain instructions may reference such storage components in order to access a desired capability and perform an operation in accordance with that capability. For example, considering a bounded pointer, execution of such an instruction may cause the bounded pointer to be retrieved, and the pointer value in the bounded pointer to then be used to derive the memory address required during execution of the instruction. The pointer value may be used directly to identify the memory address, or may be used to derive the memory address, for example by adding an offset to the pointer value. If the memory address is within the range specified by the range information and any permissions specified in the permission information are satisfied, the operation will be allowed to proceed.
Thus, for example, when a bounded pointer is used, the pointer value itself may point to, or be used to determine, the address of a data value to be accessed or an instruction to be fetched for execution. The range and permission information may then be referenced, for example, to ensure that any address accessed is within the allowable range and is accessed for a permitted purpose. This may be useful, for example, to ensure that addresses determined from the pointer remain within certain bounds, so as to maintain security or functional correctness of behaviour. By such an approach, memory accesses by the processing circuitry may be efficiently policed.
In a typical embodiment, the state of each permission may be indicated by an associated permission flag within the capability, which is either in a set state or a clear state to identify the state of the corresponding permission. When the permission flag is clear, this will typically mean that the associated permission is in a clear state, which in turn indicates to the processing circuitry that the permission has been revoked for the capability in question. Conversely, when the permission flag is set, this may mean that the associated permission has a set state, and thus the processing circuitry may be granted that permission for that capability. However, in one embodiment it may still be necessary to refer to other control information before deciding whether the processing circuitry is actually granted the permission, and so the set state of a permission, as identified by its permission flag, may be used to indicate that, subject to any override control information, the processing circuitry is granted that permission for the capability in question.
It is desirable to allow an increased number of permissions to be specified for each capability, as such an approach would allow enhanced flexibility in the use of capabilities. However, the capability encoding space is usually very constrained. For example, a bounded pointer capability also needs to be able to specify a pointer value and the associated range information, and so the number of bits remaining for specifying permission flags may mean that it is not possible simply to keep adding further permission flags to the capability.
The embodiments described herein provide an efficient mechanism for allowing the number of permissions associated with a capability to be extended in such situations.
In particular, in one embodiment, there is provided an apparatus having: processing circuitry to execute instructions to perform operations; and a capability storage component accessible by the processing circuitry and arranged to store a capability for constraining at least one operation performed by the processing circuitry when executing the instructions. The capability may identify a number N of default permissions whose states are determined from N permission flags provided in the capability according to a default interpretation. Each permission flag may be associated with one of the default permissions according to the default interpretation. Thus, there may be a 1:1 correspondence between the permission flags and the default permissions.
However, according to the described embodiment, the processing circuitry is arranged to analyze the capability according to an alternative interpretation so as to derive a state of an extended set of permissions from a logical combination of the N permission flags, wherein the extended set comprises at least N+1 permissions.
In this way, the number of permissions associated with the capability can be extended without increasing the number of permission flags. Furthermore, the approach provides a very flexible mechanism, since the same permission flags can be used to support both the default and the alternative interpretation. Thus, the capability may be used in a system that supports both interpretations, but may also be used in a system that supports only one of them. This may provide backward compatibility, for example by allowing the capability to be used with processing circuitry that supports only the default interpretation.
The extended set of permissions may take various forms, but in one embodiment includes the N default permissions and at least one additional permission. This allows at least one "new" permission of the capability to be inferred from the N permission flags under the alternative interpretation. This "new" permission may be one that was not previously provided in the capability-based architecture, or may be one that was previously provided only at a more global level rather than being settable or clearable for individual capabilities.
In one example embodiment, the extended set of permissions includes a modifiable permission which, when in a clear state, identifies the capability as not modifiable by one or more capability modification instructions. By such an approach, individual capabilities may be marked as non-modifiable, which may provide enhanced security in some cases.
In one embodiment, the modifiable permission, when in the set state, allows the N permission flags provided in the capability to transition from a set value to a clear value, subject to any override control information preventing modification. In some cases there may be no override control information, and so the modifiable permission, when in the set state, directly indicates that a permission flag may transition from the set value to the clear value. In other embodiments, however, there may be additional control information that needs to be referenced before it can be confirmed that a modifiable permission in the set state does allow selective clearing of the permission flags.
Consistent with common practice in capability-based architectures, a process whose activities are constrained by a capability may not be allowed to modify the capability in a manner that restores a cleared permission flag to the set value, even when the modifiable permission is in the set state. Hence, when the modifiable permission is in the set state, this may allow a permission flag to transition from the set value to the clear value, but may not allow a cleared permission flag to be changed to the set value.
Although the setting of the modifiable permission has been described with reference to the ability to change the value of the permission flags, the modifiable permission may also affect other fields within the capability. For example, subject to other mechanisms that prevent capabilities from being modified, when the modifiable permission is in a set state the capability may be modified by a general capability modification instruction that may, for example, clear a permission flag, narrow the bounds and/or change the pointer value (where the capability is a bounded pointer).
The default permissions may take various forms, but in one embodiment include: one or more memory access permissions, each identifying, when in a clear state, that the capability is prevented from being used by one or more memory access operations to access data in memory; and an executable permission identifying, when in a clear state, that the capability is prevented from being used to fetch instructions from memory when forming a program counter capability. These default permissions may thus be used to constrain operations that attempt to access the memory address space.
The one or more memory access permissions may take various forms, but in one embodiment include: at least one write permission identifying whether the capability is prevented from performing at least one type of write operation to the memory; and at least one read permission identifying whether the capability is prevented from performing at least one type of read operation from the memory. Thus, separate permissions may be provided for read and write operations, and indeed multiple write permissions and/or multiple read permissions may be specified. Multiple permissions may be used, for example, to indicate that a write or read operation may be performed when the processing circuitry is operating in some modes but not others, when certain types of instruction are executed but not others, and/or that the availability of a read or write depends on the information being read or written. For example, separate read and write permissions may be specified for the case where the information being read or written is itself a capability, as opposed to a standard data value.
In embodiments where the default permissions comprise an executable permission and the extended set of permissions adds at least the modifiable permission described previously, then under the alternative interpretation of the N permission flags the capability may be prevented from having both the executable permission and the modifiable permission in a set state at the same time. Rather, the transitions in permission flag values that cause the modifiable permission to change from the clear state to the set state may also cause the executable permission to change from the set state to the clear state, and vice versa.
In one embodiment, the N permission flags include at least one write bit, at least one read bit, and an execute bit, the values of which identify the state of the at least one write permission, the at least one read permission and the executable permission, respectively, according to the default interpretation. In one such embodiment, according to the alternative interpretation, the processing circuitry is arranged to determine that the modifiable permission is in the set state when any of the at least one write bit is set or the execute bit is clear. This provides considerable flexibility in specifying when the modifiable permission is in the set state for a particular capability.
While there is typically a 1:1 correspondence between each permission flag and the associated default permission under the default interpretation, this is not the case in one embodiment when the permission flags are interpreted under the alternative interpretation. Instead, when the alternative interpretation is used, a logical combination of the permission flags is used to determine the state of at least one of the default permissions.
For example, in one embodiment, according to the alternative interpretation, the processing circuitry is arranged to determine that the executable permission is in the set state when the execute bit is set and all of the at least one write bit are clear. Thus, under the alternative interpretation it is not sufficient merely to set the execute bit in order for the executable permission to be in the set state; any write bits provided within the capability must also be clear. This provides a particularly efficient encoding for fitting the extended set of permissions into the available N permission flags, since it is generally considered undesirable to allow a capability to have both the write permission and the executable permission set for the same region of memory (writable and executable memory is a classic code-injection target), and that combination is excluded by the proposed encoding.
In one embodiment, when the alternative interpretation is used, each read permission is also interpreted using not only the associated read bit but also additional information. In particular, for each read permission, according to the alternative interpretation, the processing circuitry may be arranged to determine that the read permission is in the set state when the associated read bit is set and either the modifiable permission is in the set state or the capability is being used as a program counter capability. Under the alternative interpretation, therefore, the modifiable permission typically needs to be in the set state for any read permission to be granted. However, in the particular case where the capability is not modifiable but is being used as a program counter capability, selective readability may still be given. In that case the capability may be marked as executable and not modifiable, yet still be readable under certain circumstances, depending on the associated read bit.
In both the default interpretation and the alternative interpretation, a change of permissions is accomplished by transitioning the permission flag states. As mentioned previously, when a process is given the right to change a capability, it will typically only be able to change it in a way that imposes additional constraints, not in a way that relaxes them. With regard to permissions, this means that the process will typically only be able to clear permission flags rather than set them, and so transitions of permissions occur via clearing one or more of the permission flags. Because a logical combination of permission flags is used to determine the state of the respective permissions under the alternative interpretation, clearing one or more permission flags may cause at least one of the permissions to move into a set state. For example, the modifiable permission may be moved into the set state by clearing the execute flag.
The conversion of certain privilege flag values may also be associated with the processing of certain instructions. For example, in one embodiment, the processing circuitry may be arranged to clear the execution bit within the result capability in accordance with the program counter capability generation result capability in response to executing the address generation instruction. This may lead to some interesting behavior variations that may be very useful in practice. For example, this may mean that a capability that is executable but not modifiable when used as a program counter capability may be used to generate a result capability stored in a general purpose capability register, which is then modifiable. It may also be, for example, subsequently readable, depending on one or more read permission bits. In particular, in one embodiment, when the program counter capability has an execute bit set and all at least one write bit it has is cleared, the clearing of the execute bit in the result capability causes the result capability to be deemed to have according to the alternative interpretation that its modifiable permission is in a set state and each read permission it has is in a state indicated by the associated read bit.
As another example of how permissions may be managed when executing one or more particular types of instructions, the processing circuitry may be responsive to executing a branch with link instruction to generate a return address capability from the program counter capability such that when the modifiable permissions are in a cleared state within the program counter capability, the return address capability also has its modifiable permissions in a cleared state. With such an approach, it is possible to create a non-modifiable return address capability, which may provide enhanced security.
In one embodiment, the apparatus may have one or more general purpose capability storage components and a program counter capability storage component. In one such embodiment, when a capability stored in one of the one or more universal capability storage components has a set execute bit, at least one of the read bits is set and all of the at least one write bits are cleared, the processing circuitry is constrained according to the alternative interpretation to use only the capability to form a new program counter capability to be stored in the program counter capability storage component. However, once the capability is stored in the program counter capability storage component, the new program counter capability is treated according to the alternative interpretation as having each read permission in the set state with its associated read bit set, thereby enabling the word value to be read by the processing circuitry from the memory. Thus, tasks may be allocated that can only use the capability to branch when appropriate when executing a branch instruction, and thus the capability may only be used as an entry point for another routine. However, when a branch occurs and the capability is loaded into the program counter capability, then the other routine may use the capability in other ways, such as by using a load instruction that generates an address, for example, with reference to the program counter capability, to enable reading of a word value from memory.
In one embodiment, the processing circuitry may be arranged to always use alternative interpretations. However, in another embodiment a configuration storage component may be provided that stores configuration values for indicating which of the default interpretation and the alternative interpretation is to be applied by the processing circuitry. This thus provides a mechanism that allows switching between default and alternate interpretations over time as needed.
The permissions described above may be associated with a variety of different types of capabilities used by the device, but in one embodiment the capabilities are bounded pointers, and the permissions are used to control the use by the processing circuitry of pointer values specified within the capabilities.
Specific embodiments will now be described with reference to the accompanying drawings.
Fig. 1 schematically shows an example of a data processing apparatus 2 comprising a processing pipeline 4 for processing instructions. In this example, the processing pipeline 4 includes a plurality of pipeline stages, including a fetch stage 6, a decode stage 8, an
Fetch stage 6 fetches instructions from level 1(L1)
The fetched instruction is passed to a decode stage 8 which decodes the instruction to generate a decoded instruction. The decoded instructions may include control information for controlling the
The decoded instruction is passed to the
The
The addresses used by the pipeline 4 to reference program instructions and data values may be virtual addresses, but at least the
Although FIG. 1 shows a
Further, it should be understood that some systems may support multiple levels of address translation, such that, for example, a first TLB (or hierarchy of TLBs) may be used to translate virtual addresses to intermediate addresses, and a second level of address translation using one or more other TLBs may then translate the intermediate addresses to physical addresses for accessing cache or memory. For example, this may be used to support virtualization, where a first level of address translation may be managed by the operating system and a second level of address translation may be managed by the hypervisor.
As shown in FIG. 1, the apparatus 2 may have a set of bounded pointer registers 60. Although the set of bounded pointer registers is illustrated in FIG. 1 as being physically separate from the set of general purpose data registers 40, in one embodiment the same physical memory may be used to provide both general purpose data registers and bounded pointer registers.
Each bounded pointer register 60 includes a
FIG. 2 illustrates an example of an instruction type for which the allowable range is used to prevent unauthorized access to data or instructions. As shown in the top portion of FIG. 2, a particular bounded pointer register PR1 includes a given
For example, as shown in part A of FIG. 2, in some systems, if an attempt is made to set the value of
The scope information 64 and the
In addition to the bounded set of pointer storage elements 60 that may be used at the
Any particular range of memory addresses identified by a bounded pointer within a bounded pointer register may contain data, instructions, and/or other capabilities (i.e., other bounded pointers). Thus, it should be understood that at any point in time, the processing circuit's ability to access memory is defined by a set of capabilities including the capabilities identified in the bounded pointer registers and any other capabilities accessible via the capabilities maintained in the bounded pointer registers, and this set of capabilities is referred to herein as a capability domain.
The range information and any associated limits specified in the PCC register 80 may be set in various ways. However, in one embodiment where this information is determined using one or more of the bounded pointers available to the processing circuitry in the current capability domain, the PCC-based bounds check makes no memory address accessible that lies outside the memory address range identified for the current capability domain.
Fig. 3 schematically shows how flag bits are used in association with individual data blocks to identify whether these data blocks represent capabilities (i.e. bounded pointers and associated constraint information) or ordinary data. In particular, the
When a capability is loaded into one of the bounded pointer registers 60 (also referred to herein as a capability register), such as the
As previously discussed, it would be desirable to increase the number of permissions that may be associated with a capability without increasing the number of permission flags required. In particular, encoding space in a capability is often in short supply, and there may not be enough space to add a further permission flag for each additional permission it is desired to encode.
Fig. 4 gives an example of the permission flags that may be provided in an existing capability, for example a bounded pointer. The
As also shown in FIG. 4, additional permissions may be encoded within the capability, and thus, for example, executable permissions may be indicated by the value of the associated execute (X) bit.
Each permission bit is associated with a respective permission, and thus directly identifies the state of the associated permission, according to a default interpretation of the permission bits within
Conversely, if the associated permission bit is cleared, this means that the associated permission for the capability is revoked, and thus the associated capability cannot be used to perform access to the type associated with the permission.
In the embodiments described below, the same permission bits are retained, but they may be interpreted differently in order to derive the state of an extended set of permissions. In particular, under the alternative interpretation, a logical combination of the permission bits is used to identify the state of the extended set of permissions. In one embodiment, the extended set includes all of the write, read and executable permissions discussed with reference to FIG. 4, i.e. the permissions available according to the default interpretation of the W, R and X permission bits, but in addition at least one further permission is also derivable from the values of these W, R and X permission bits. In particular, in one embodiment, a modifiable permission associated with the capability is also provided without requiring any additional permission bit.
The manner in which the state of the modifiable permission is determined from the above-described permission bits in one embodiment is described with reference to the flow diagram of FIG. 5. In
However, if the alternative interpretation is being used, the process proceeds to step 210 where it is determined whether at least one of the W bits is set. If so, the process proceeds to step 220 where it is determined that the modifiable permission is in the set state. This means that the capability can be modified by capability-modifying instructions, unless other control state prevents such modification. For example, there may still be some global override control information, meaning that a particular capability is not modifiable even though the modifiable permission indication determined from the permission bits does not itself prevent modifying the capability.
If it is determined at
Furthermore, flexibility is enhanced when using the alternative interpretation, as the values of certain permission bits within a capability can be changed to change the capability from a modifiable state to a non-modifiable state. In certain cases it may also be possible to convert a non-modifiable capability into a modifiable capability, for example via the use of certain address generation instructions, as will be discussed later by way of example with reference to FIG. 11.
While there is a 1:1 correspondence between the various permission bits and the associated permissions when using the default interpretation, this is not the case under the alternative interpretation, where logical combinations of permission bits may be used to determine the state of a particular permission. FIG. 6, for example, illustrates how the state of the executable permission can be evaluated depending on whether the default or the alternative interpretation is being used.
At
However, if it is determined that the alternative interpretation is being used, the process proceeds to step 260, where it is determined whether the X bit is set. If not, the process proceeds to step 275, where it is determined that the executable permission is in the cleared state. However, if the X bit is set, this does not by itself mean that the executable permission is in the set state; instead an additional check is performed at
Returning to step 265, it should be understood that the determination at
FIG. 7 is a flow diagram showing how the state of any of the read permissions may be evaluated depending on whether default or alternative interpretations are being used. At
However, if the alternative interpretation is being used, the process proceeds to step 310 where it is first determined whether the associated read permission bit is set for the read permission in question. If not, the process proceeds directly to step 330 where it is determined that the read permission is in the cleared state.
However, if the relevant read permission bit is set, this does not directly mean that the read permission is determined to be in the set state, but instead one or more further checks are required. First, at
If it is determined that the modifiable permission is in the set state, the process proceeds to step 325 where the associated read permission is determined to be in the set state. However, if the modifiable permission is not in the set state, a further check is performed at
If it is determined at
FIG. 8 is a flow diagram illustrating how the state of any particular write permission is evaluated in one embodiment. As indicated at block 350, in the described embodiment write permissions are interpreted in exactly the same way regardless of whether the default or the alternative interpretation is being used. In particular, at step 355 it is determined whether the associated write permission bit is set; if so, at step 360 it is determined that the particular write permission is in the set state, otherwise at step 365 it is determined that the particular write permission is in the cleared state.
From the above discussion of fig. 5-8, it will be appreciated that the states of one or more write permissions, one or more read permissions, executable permissions, and modifiable permissions may all be determined using existing W, R and X permission bits encoded within the capability. No additional modifiable permission bits need to be added and thus additional modifiable permissions can be encoded into the capability without requiring any additional permission bit encoding space.
FIG. 9 is a table showing the states of the four different types of permissions described above, depending on the X bit, the R bit, and the W bit. In this example, for ease of illustration, it is assumed that there is only one read permission and one write permission, and thus only a single R bit and a single W bit.
In the more general case, as will be appreciated from the flow diagrams of FIGS. 5-8, when determining the state of the modifiable and executable permissions (and, in fact, of the readable permissions, which depend on whether the modifiable permission is set), it will be necessary to perform logical OR and AND operations over the plurality of W bits as part of evaluating whether those permissions are in the set state or the cleared state.
FIG. 10 is a state transition diagram showing how individual permission bits may be changed from the set value to the cleared value to effect state transitions of one or more of the permissions when a capability is marked as modifiable. Again, for ease of explanation, it is assumed that there is only a single W permission bit and a single R permission bit, but in the more general case where there are multiple R permission bits and multiple W permission bits, each of these bits may be cleared independently.
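The evaluation rules of FIGS. 5-8, written out as an added example (this is illustrative code, not the patent's own design, and the data model is a constructed one). It assumes a capability carries one or more W bits, one or more R bits and a single X bit, and it passes an assumed `is_pcc` argument to distinguish a capability held in a general purpose capability register from one used as the program counter capability. `single_bit_table()` enumerates the single-R-bit, single-W-bit case in the manner of FIG. 9, derived from the flow diagrams rather than copied from the figure.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PermFlags:
    """The N permission flags carried in a capability.

    Constructed model for this example: one or more W bits, one or more R bits
    and a single X bit, as in the flow diagrams of FIGS. 5-8.
    """
    w: Tuple[bool, ...]
    r: Tuple[bool, ...]
    x: bool


def default_permissions(f: PermFlags) -> Dict[str, object]:
    """Default interpretation: every flag maps 1:1 to its own permission (FIG. 4)."""
    return {"write": f.w, "read": f.r, "execute": f.x}


def alternative_permissions(f: PermFlags, is_pcc: bool = False) -> Dict[str, object]:
    """Alternative interpretation: the same N flags yield N+1 permissions.

    is_pcc (assumed parameter) is True when the capability is being used as the
    program counter capability, which is the one case where a read permission
    does not require the modifiable permission (FIG. 7).
    """
    any_w = any(f.w)
    modifiable = any_w or not f.x                 # FIG. 5: OR over the W bits
    executable = f.x and not any_w                # FIG. 6: X set AND every W bit clear
    reads = tuple(r and (modifiable or is_pcc) for r in f.r)   # FIG. 7
    return {
        "write": f.w,                             # FIG. 8: write bits are unchanged
        "read": reads,
        "execute": executable,
        "modifiable": modifiable,
    }


def single_bit_table() -> List[Tuple[bool, ...]]:
    """Enumerate the single-R-bit, single-W-bit case in the style of FIG. 9.

    Each row is (X, R, W, modifiable, executable, readable, writable) for a
    capability held in a general purpose capability register (is_pcc=False).
    """
    rows = []
    for x in (False, True):
        for r in (False, True):
            for w in (False, True):
                p = alternative_permissions(PermFlags(w=(w,), r=(r,), x=x))
                rows.append((x, r, w, p["modifiable"], p["execute"],
                             p["read"][0], p["write"][0]))
    return rows


if __name__ == "__main__":
    print(" X  R  W | mod exe rd wr")
    for x, r, w, m, e, rd, wr in single_bit_table():
        print(f" {x:d}  {r:d}  {w:d} |  {m:d}   {e:d}   {rd:d}  {wr:d}")
```

Note that the only flag pattern that yields an executable capability (X set, all W clear) is also the only one that yields a non-modifiable capability, which is the redundancy the encoding exploits: "executable" and "non-modifiable" never need separate bits.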
As shown by the
Figure 10 illustrates a number of other possible transitions that may occur when the various authority bits are cleared. For ease of illustration, transitions directly from
Because the
As shown in FIG. 11, the address generation instruction may specify a general purpose capability register CN as the destination register, and the source operand may be specified either by an immediate value within the instruction or by an integer register whose contents specify an offset value. When executing such an address generation instruction, the program counter capability within PCC register 80 is used as
FIG. 12 illustrates the operation of a branch with link instruction according to one embodiment. As shown in FIG. 12, two separate processes are involved in the execution of a branch with link instruction. First, the return address capability 517 is generated from the current program counter capability 500. In one embodiment, this involves taking the pointer value 505 and adding the instruction size to it via add operation 510 to generate the return address pointer 515. All range and permission information is then copied into the return address capability, which in one embodiment is stored in a Capability Link Register (CLR). The CLR may be provided in various ways, but in one embodiment is a particular one of the general purpose capability registers, e.g. C30. If, at the time the return address capability is generated, the program counter capability 500 is executable and non-modifiable, the return address capability is also non-modifiable, meaning that it cannot be adjusted before the return is made, which provides enhanced security.
Once the return address capability has been generated, the contents 520 of capability register CN are copied into the
FIG. 13 is a diagram schematically illustrating how the creation of a non-modifiable capability in a general purpose capability register can be subsequently used to provide a process with the capability of being used as an entry point capability only when executing branch instructions. In particular, as indicated by
When a branch instruction referencing the capability register CN is subsequently executed, this results in an updated
This means that the
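The instruction-driven transitions of FIGS. 10-13 as an added example (illustrative code, not the patent's own implementation). It models the monotonic clearing of permission bits, the address generation (ADR) instruction clearing the execute bit in its result, the branch with link instruction copying the program counter capability's permissions into the return address capability, and the entry-point case where a capability with X set, an R bit set and all W bits clear is unreadable in a general purpose register but readable once it becomes the program counter capability. `INSN_SIZE`, the `is_pcc` argument and the omission of range information are assumptions made for the example; the alternative-interpretation predicates are restated from FIGS. 5-7.

```python
from dataclasses import dataclass, replace
from typing import Tuple

INSN_SIZE = 4  # assumed fixed instruction size for the branch-with-link model


@dataclass(frozen=True)
class Capability:
    """Constructed model of a bounded pointer: pointer value plus W/R/X flags.

    Range information is omitted because the instructions modelled here copy
    it unchanged.
    """
    pointer: int
    w: Tuple[bool, ...]
    r: Tuple[bool, ...]
    x: bool


# Alternative interpretation (FIGS. 5-7), restated compactly.
def modifiable(c: Capability) -> bool:
    return any(c.w) or not c.x


def executable(c: Capability) -> bool:
    return c.x and not any(c.w)


def readable(c: Capability, is_pcc: bool = False) -> Tuple[bool, ...]:
    # is_pcc (assumed parameter): True when c is used as the program counter capability
    return tuple(r and (modifiable(c) or is_pcc) for r in c.r)


def clear_flags(c: Capability, clear_w=(), clear_r=(), clear_x=False) -> Capability:
    """Monotonic permission change (FIG. 10): flags may only go set -> cleared,
    and only while the capability is modifiable.
    """
    if not modifiable(c):
        raise PermissionError("capability is not modifiable")
    return replace(
        c,
        w=tuple(b and i not in clear_w for i, b in enumerate(c.w)),
        r=tuple(b and i not in clear_r for i, b in enumerate(c.r)),
        x=c.x and not clear_x,
    )


def clear_allowed(c: Capability, **which) -> bool:
    """True if clear_flags() would be accepted for this capability."""
    try:
        clear_flags(c, **which)
        return True
    except PermissionError:
        return False


def adr(pcc: Capability, offset: int) -> Capability:
    """PC-relative address generation (FIG. 11): the result capability is derived
    from the program counter capability with its execute bit cleared.
    """
    return replace(pcc, pointer=pcc.pointer + offset, x=False)


def branch_with_link(pcc: Capability, target: Capability) -> Tuple[Capability, Capability]:
    """Branch with link (FIG. 12): returns (new PCC, return address capability).

    The return address copies all permission flags from the current PCC, so a
    non-modifiable PCC yields a non-modifiable return address.
    """
    link = replace(pcc, pointer=pcc.pointer + INSN_SIZE)
    return target, link


def can_branch_only(c: Capability) -> bool:
    """Entry-point capability (FIG. 13): X set, some R bit set, all W bits clear.

    Held in a general purpose register it is unreadable and non-modifiable, so
    it can only be used to form a new program counter capability.
    """
    return c.x and any(c.r) and not any(c.w)


def demo_entry_point() -> Tuple[Tuple[bool, ...], Tuple[bool, ...], bool]:
    """The same capability in a GPR, as the PCC, and after ADR has been applied."""
    entry = Capability(pointer=0x1000, w=(False,), r=(True,), x=True)
    in_gpr = readable(entry, is_pcc=False)   # (False,): cannot be read via a GPR
    in_pcc = readable(entry, is_pcc=True)    # (True,): readable once it is the PCC
    derived = adr(entry, 0x40)               # ADR clears X ...
    return in_gpr, in_pcc, modifiable(derived)   # ... so the result is modifiable
```

The model makes the two transitions described later in the text concrete: clearing every W bit from a modifiable, non-executable capability whose X bit is set makes it non-modifiable and executable, and clearing X (as ADR does) from such a capability makes it modifiable, and readable wherever its R bits are set.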
In one embodiment, the processing circuitry may be arranged to always use alternative interpretations. However, other examples of processing circuitry may use the same capabilities, but these examples are interpreted according to default interpretations, as the mechanisms described herein do not involve any changes in the used permission bits, thus providing backward compatibility with existing systems that use default interpretations.
In another embodiment, the processing circuitry may be capable of selectively switching from using default interpretations to alternative interpretations, and vice versa, and as shown in fig. 1,
Figure 14 shows a virtual machine implementation that may be used. Although the previously described embodiments implement the present invention in terms of apparatus and methods for operating specific processing hardware supporting the techniques concerned, so-called virtual machine implementations of hardware devices may also be provided. These virtual machine embodiments run on a
The above-described embodiments provide mechanisms for encoding one or more additional permissions into a capability without consuming an additional permission bit. A logical combination of the existing permission bits may be used to encode an extended set of permissions. In one embodiment, this involves reusing redundant encodings so as to avoid spending scarce bits on one or more additional permissions, while still maintaining the desired behavior. Furthermore, a monotonically decreasing permissions model is maintained. In particular, whether the default or the alternative interpretation is used, individual permission bits can only be changed from the set value to the cleared value, and only when the capability is identified as modifiable, so a process constrained by the capability cannot restore any permission bit that has been cleared to the set state.
In one particular embodiment, the additional permission added is a modifiable permission, enabling the modifiability of a capability to be indicated on a capability-by-capability basis. This may provide enhanced flexibility and security within a capability-based system. Optionally, the modifiable permission may change the behavior of certain instructions used to generate capabilities from the capability held in the PCC register, including but not limited to carrying the modifiable permission into the capability generated by a branch with link instruction, e.g. to produce an unmodifiable return address, and/or removing executable permission from the capability generated by a PC-relative address computation (ADR) instruction.
In addition, some useful behavior can be obtained by selectively clearing permission bits. For example, clearing all of the write permission bits from a capability whose X permission bit is set will change the capability from modifiable and non-executable to non-modifiable and executable. As another example, clearing the execute permission bit from a capability with at least one read permission bit set, for example by using an ADR instruction, will change the capability from non-modifiable and non-readable to modifiable and readable.
Further, in embodiments using
By using the alternative interpretation, in which a logical combination of permission bits defines the state of an extended set of permissions, stronger (more constrained) permissions can be specified in association with individual capabilities without increasing the number of permission bits used.
In this application, the word "configured to. In this context, "configuration" means an interconnection arrangement or manner of hardware or software. For example, the apparatus may have dedicated hardware providing the defined operations, or a processor or other processing device may be programmed to perform the functions. "configured to" does not imply that the device components need to be changed in any way to provide the defined operation.
Although illustrative embodiments of the present invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes, additions and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined in the appended claims. For example, various combinations of the features of the independent claims may be made with the features of the dependent claims without departing from the scope of the present invention.