CHERI riscv: cap-load generation support

This makes [ms]ccsr writable, but only the GCLG bits are updated.

Author: nwf

target/riscv/cpu.h

@@ -180,6 +180,10 @@ struct CPURISCVState {
     target_ulong mbadaddr;
     target_ulong medeleg;
 
+#if defined(TARGET_CHERI) && !defined(TARGET_RISCV32)
+    target_ulong sccsr;
+#endif
+
 #ifdef TARGET_CHERI
     // XXX: not implemented properly
     cap_register_t UTCC; // SCR 4 User trap code cap. (UTCC)

target/riscv/cpu_bits.h

@@ -348,6 +348,11 @@
 #define CSR_UCCSR           0x8C0
 #define CSR_SCCSR           0x9C0
 #define CSR_MCCSR           0xBC0
+
+#define CCSR_ENABLE         0x1
+#define CCSR_DIRTY          0x2
+#define CCSR_GCLGS          0x4 /* Global Capability Load Generation, Super */
+#define CCSR_GCLGU          0x8 /* Global Capability Load Generation, User */
 #endif
 
 /* mstatus CSR bits */

target/riscv/cpu_helper.c

@@ -712,6 +712,17 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,
                 } else {
                     *prot |= PAGE_LC_TRAP;
                 }
+            } else {
+                if (pte & PTE_LCM) {
+                    // Cap-loads checked against GCLG in CCSR using PTE_U
+
+                    target_ulong gclgmask =
+                            (pte & PTE_U) ? CCSR_GCLGU : CCSR_GCLGS;
+
+                    if (!(env->sccsr & gclgmask) != !(pte & PTE_LCG)) {
+                        *prot |= PAGE_LC_TRAP;
+                    }
+                }
             }
 #endif
             return TRANSLATE_SUCCESS;

target/riscv/csr.c

@@ -1227,12 +1227,8 @@ static int write_pmpaddr(CPURISCVState *env, int csrno, target_ulong val)
 #endif
 
 #ifdef TARGET_CHERI
-
 // See Capability Control and Status Registers (CCSRs) in CHERI ISA spec
-// The e “enable” bit tells whether capability extensions are enabled or disabled.
-#define CCSR_ENABLE 0x1
-// The d “dirty” bit tells whether a capability register has been written.
-#define CCSR_DIRTY 0x2
+
 // We used to report cause and capcause here, but those have moved to xTVAL
 
 static int read_ccsr(CPURISCVState *env, int csrno, target_ulong *val)
@@ -1241,24 +1237,44 @@ static int read_ccsr(CPURISCVState *env, int csrno, target_ulong *val)
     // The capability cause has moved to xTVAL so we don't report it here.
     RISCVCPU *cpu = env_archcpu(env);
     target_ulong ccsr = 0;
+
+    // The e “enable” bit tells whether capability extensions are enabled or disabled.
     ccsr = set_field(ccsr, CCSR_ENABLE, cpu->cfg.ext_cheri);
+
+    // The d “dirty” bit tells whether a capability register has been written.
     ccsr = set_field(ccsr, CCSR_DIRTY, 1); /* Always report dirty */
+
     // For backwards compat we also report cap cause and cap index
     // However, this is the last value and is not separated by privilege mode!
     // TODO: remove when CheriBSD has been updated to read xTVAL
     ccsr |= env->cap_cause << 5;
     ccsr |= env->cap_index << 10;
+
+    /* Expose state bits (GCLG) only above U mode */
+    if (env->priv != PRV_U)
+        ccsr |= env->sccsr;
+
     qemu_log_mask(CPU_LOG_INT, "Reading xCCSR(%#x): %x\n", csrno, (int)ccsr);
     *val = ccsr;
     return 0;
 }
 
 static int write_ccsr(CPURISCVState *env, int csrno, target_ulong val)
 {
-    error_report("Attempting to write " TARGET_FMT_lx
-                 "to xCCSR(%#x), this is not supported (yet?).",
-                 val, csrno);
-    return -1;
+    static const target_ulong gclgmask = (CCSR_GCLGS | CCSR_GCLGU);
+
+    /* U mode writes refused */
+    if (env->priv == PRV_U) {
+        error_report("Attempting to write " TARGET_FMT_lx
+                     "to xCCSR(%#x), this is not supported (yet?).",
+                     val, csrno);
+        return -1;
+    }
+
+    /* Take the GCLG bits from the store and update state bits */
+    env->sccsr = set_field(env->sccsr, gclgmask, get_field(val, gclgmask));
+
+    return 0;
 }
 
 static inline bool csr_needs_asr(CPURISCVState *env, int csrno) {
@@ -1571,8 +1587,9 @@ static riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
     [CSR_MTINST] =              CSR_OP_RW(hmode, mtinst),
 
 #ifdef TARGET_CHERI
-    // CHERI CSRs: For now we alway report the same values and don't allow
-    // turning off any of the bits
+    // CHERI CSRs: For now we always report enabled and dirty and don't support
+    // turning off CHERI.  The global capability load generation bits in here
+    // can be written by S or higher.
     [CSR_UCCSR] =               CSR_OP_FN_RW(umode, read_ccsr, write_ccsr, "uccsr"),
     [CSR_SCCSR] =               CSR_OP_FN_RW(smode, read_ccsr, write_ccsr, "sccsr"),
     [CSR_MCCSR] =               CSR_OP_FN_RW(any, read_ccsr, write_ccsr, "mccsr"),