cheriot/cheriot_ibex_hw_revoker.h - mpact-cheriot - Git at Google

 // Copyright 2024 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 #ifndef MPACT_CHERIOT_CHERIOT_IBEX_HW_REVOKER_H_
 #define MPACT_CHERIOT_CHERIOT_IBEX_HW_REVOKER_H_

 #include <cstdint>

 #include "cheriot/cheriot_register.h"
 #include "mpact/sim/generic/counters_base.h"
 #include "mpact/sim/generic/data_buffer.h"
 #include "mpact/sim/generic/instruction.h"
 #include "mpact/sim/generic/ref_count.h"
 #include "mpact/sim/util/memory/memory_interface.h"
 #include "mpact/sim/util/memory/tagged_memory_interface.h"
 #include "riscv//riscv_plic.h"

 // This file contains the class declaration for the model of the Ibex HW
 // revoker for Cheriot. The HW revoker is a module that is used to invalidate
 // (or revoke the validity of) capabilities pointing to a freed portion of heap
 // memory. It is controlled by a set of memory mapped registers.
 //
 // The HW revoker is implemented as a counter value set object. It is bound
 // to a counter that is incremented whenever an instruction is executed, and,
 // when active, performs an action every 'period' number of increments
 // (configurable).
 //
 // The HW revoker is programmed using a memory interface. It supports non-vector
 // loads and stores only.
 //
 // The HW revoker is described in more detail in the following documents:
 // https://lowrisc.github.io/sonata-system/doc/ip/revoker.html
 // https://github.com/microsoft/cheriot-safe/blob/main/src/msft_cheri_subsystem/msftDvIp_mmreg.sv

 namespace mpact {
 namespace sim {
 namespace cheriot {

 using ::mpact::sim::generic::CounterValueSetInterface;
 using ::mpact::sim::generic::DataBuffer;
 using ::mpact::sim::generic::DataBufferFactory;
 using ::mpact::sim::generic::Instruction;
 using ::mpact::sim::generic::ReferenceCount;
 using ::mpact::sim::riscv::RiscVPlic;
 using ::mpact::sim::riscv::RiscVPlicIrqInterface;
 using ::mpact::sim::util::MemoryInterface;
 using ::mpact::sim::util::TaggedMemoryInterface;

 class CheriotIbexHWRevoker : public CounterValueSetInterface<uint64_t>,
                              public TaggedMemoryInterface {
  public:
   static constexpr uint32_t kStartAddressOffset = 0x0000;
   static constexpr uint32_t kEndAddressOffset = 0x0004;
   static constexpr uint32_t kGoOffset = 0x0008;
   static constexpr uint32_t kEpochOffset = 0x000c;
   static constexpr uint32_t kStatusOffset = 0x0010;
   static constexpr uint32_t kInterruptEnableOffset = 0x0014;

   CheriotIbexHWRevoker() = delete;
   CheriotIbexHWRevoker(const CheriotIbexHWRevoker &) = delete;
   CheriotIbexHWRevoker &operator=(const CheriotIbexHWRevoker &) = delete;
   CheriotIbexHWRevoker(RiscVPlicIrqInterface *plic_irq, uint64_t heap_base,
                        uint64_t heap_size, TaggedMemoryInterface *heap_memory,
                        uint64_t revocation_bits_base,
                        MemoryInterface *revocation_memory);
   CheriotIbexHWRevoker(uint64_t heap_base, uint64_t heap_size,
                        TaggedMemoryInterface *heap_memory,
                        uint64_t revocation_bits_base,
                        MemoryInterface *revocation_memory);
   ~CheriotIbexHWRevoker();
   // Resets the interrupt controller.
   void Reset();
   // CounterValueSetInterface override. This is called when the value of the
   // bound counter is modified.
   void SetValue(const uint64_t &val) override;

   // MemoryInterface overrides.
   // Non-vector load method.
   void Load(uint64_t address, DataBuffer *db, DataBuffer *tags,
             Instruction *inst, ReferenceCount *context) override;
   void Load(uint64_t address, DataBuffer *db, Instruction *inst,
             ReferenceCount *context) override;
   // Vector load method - this is stubbed out.
   void Load(DataBuffer *address_db, DataBuffer *mask_db, int el_size,
             DataBuffer *db, Instruction *inst,
             ReferenceCount *context) override;
   // Non-vector store method.
   void Store(uint64_t address, DataBuffer *db, DataBuffer *tags) override;
   void Store(uint64_t address, DataBuffer *dbs) override;
   // Vector store method - this is stubbed out.
   void Store(DataBuffer *address, DataBuffer *mask, int el_size,
              DataBuffer *db) override;

   // Getters & setters.
   void set_plic_irq(RiscVPlicIrqInterface *plic_irq) { plic_irq_ = plic_irq; }
   int period() const { return period_; }
   void set_period(int period) { period_ = period; }
   int cap_count() const { return cap_count_; }
   void set_cap_count(int cap_count) { cap_count_ = cap_count; }
   uint64_t revocation_bits_base() const { return revocation_bits_base_; }
   void set_revocation_bits_base(uint64_t revocation_bits_base) {
     revocation_bits_base_ = revocation_bits_base;
   }

  private:
   // MMR read/write methods.
   uint32_t Read(uint32_t offset);
   void Write(uint32_t offset, uint32_t value);
   void WriteGo();
   // Perform an iteration of revocation.
   void Revoke();
   void ProcessCapability(uint64_t address);
   bool MustRevoke(uint64_t address);
   void SetInterrupt(bool value);
   // The number of times SetValue is called before triggering a revocation
   // operation.
   int period_ = 1;
   // Tracker for the number of times SetValue is called.
   int num_calls_ = 0;
   // The max number of capabilities to revoke in a single operation.
   int cap_count_ = 0;
   // Current capability index.
   uint64_t current_cap_ = 0;
   // Sweep in progress.
   bool sweep_in_progress_ = false;
   RiscVPlicIrqInterface *plic_irq_ = nullptr;
   // Heap range.
   uint64_t heap_base_ = 0;
   uint64_t heap_max_ = 0;
   // Memory interface to use for the tagged heap.
   TaggedMemoryInterface *heap_memory_ = nullptr;
   // Memory interface to use for the revocation bits.
   MemoryInterface *revocation_memory_ = nullptr;
   // Data buffers.
   DataBuffer *db_ = nullptr;
   DataBuffer *tag_db_ = nullptr;
   // Capability register.
   CheriotRegister *cap_reg_ = nullptr;
   // Base address of the revocation bits.
   uint64_t revocation_bits_base_ = 0;
   // DB factory.
   DataBufferFactory db_factory_;

   // MMRs
   uint64_t start_address_ = 0;
   uint64_t end_address_ = 0;
   uint32_t go_ = 0;
   uint32_t epoch_ = 0;
   uint32_t interrupt_enable_ = 0;
   uint32_t interrupt_status_ = 0;
 };

 }  // namespace cheriot
 }  // namespace sim
 }  // namespace mpact

 #endif  // MPACT_CHERIOT_CHERIOT_IBEX_HW_REVOKER_H_
	// Copyright 2024 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	#ifndef MPACT_CHERIOT_CHERIOT_IBEX_HW_REVOKER_H_
	#define MPACT_CHERIOT_CHERIOT_IBEX_HW_REVOKER_H_

	#include <cstdint>

	#include "cheriot/cheriot_register.h"
	#include "mpact/sim/generic/counters_base.h"
	#include "mpact/sim/generic/data_buffer.h"
	#include "mpact/sim/generic/instruction.h"
	#include "mpact/sim/generic/ref_count.h"
	#include "mpact/sim/util/memory/memory_interface.h"
	#include "mpact/sim/util/memory/tagged_memory_interface.h"
	#include "riscv//riscv_plic.h"

	// This file contains the class declaration for the model of the Ibex HW
	// revoker for Cheriot. The HW revoker is a module that is used to invalidate
	// (or revoke the validity of) capabilities pointing to a freed portion of heap
	// memory. It is controlled by a set of memory mapped registers.
	//
	// The HW revoker is implemented as a counter value set object. It is bound
	// to a counter that is incremented whenever an instruction is executed, and,
	// when active, performs an action every 'period' number of increments
	// (configurable).
	//
	// The HW revoker is programmed using a memory interface. It supports non-vector
	// loads and stores only.
	//
	// The HW revoker is described in more detail in the following documents:
	// https://lowrisc.github.io/sonata-system/doc/ip/revoker.html
	// https://github.com/microsoft/cheriot-safe/blob/main/src/msft_cheri_subsystem/msftDvIp_mmreg.sv

	namespace mpact {
	namespace sim {
	namespace cheriot {

	using ::mpact::sim::generic::CounterValueSetInterface;
	using ::mpact::sim::generic::DataBuffer;
	using ::mpact::sim::generic::DataBufferFactory;
	using ::mpact::sim::generic::Instruction;
	using ::mpact::sim::generic::ReferenceCount;
	using ::mpact::sim::riscv::RiscVPlic;
	using ::mpact::sim::riscv::RiscVPlicIrqInterface;
	using ::mpact::sim::util::MemoryInterface;
	using ::mpact::sim::util::TaggedMemoryInterface;

	class CheriotIbexHWRevoker : public CounterValueSetInterface<uint64_t>,
	public TaggedMemoryInterface {
	public:
	static constexpr uint32_t kStartAddressOffset = 0x0000;
	static constexpr uint32_t kEndAddressOffset = 0x0004;
	static constexpr uint32_t kGoOffset = 0x0008;
	static constexpr uint32_t kEpochOffset = 0x000c;
	static constexpr uint32_t kStatusOffset = 0x0010;
	static constexpr uint32_t kInterruptEnableOffset = 0x0014;

	CheriotIbexHWRevoker() = delete;
	CheriotIbexHWRevoker(const CheriotIbexHWRevoker &) = delete;
	CheriotIbexHWRevoker &operator=(const CheriotIbexHWRevoker &) = delete;
	CheriotIbexHWRevoker(RiscVPlicIrqInterface *plic_irq, uint64_t heap_base,
	uint64_t heap_size, TaggedMemoryInterface *heap_memory,
	uint64_t revocation_bits_base,
	MemoryInterface *revocation_memory);
	CheriotIbexHWRevoker(uint64_t heap_base, uint64_t heap_size,
	TaggedMemoryInterface *heap_memory,
	uint64_t revocation_bits_base,
	MemoryInterface *revocation_memory);
	~CheriotIbexHWRevoker();
	// Resets the interrupt controller.
	void Reset();
	// CounterValueSetInterface override. This is called when the value of the
	// bound counter is modified.
	void SetValue(const uint64_t &val) override;

	// MemoryInterface overrides.
	// Non-vector load method.
	void Load(uint64_t address, DataBuffer db, DataBuffer tags,
	Instruction inst, ReferenceCount context) override;
	void Load(uint64_t address, DataBuffer db, Instruction inst,
	ReferenceCount *context) override;
	// Vector load method - this is stubbed out.
	void Load(DataBuffer address_db, DataBuffer mask_db, int el_size,
	DataBuffer db, Instruction inst,
	ReferenceCount *context) override;
	// Non-vector store method.
	void Store(uint64_t address, DataBuffer db, DataBuffer tags) override;
	void Store(uint64_t address, DataBuffer *dbs) override;
	// Vector store method - this is stubbed out.
	void Store(DataBuffer address, DataBuffer mask, int el_size,
	DataBuffer *db) override;

	// Getters & setters.
	void set_plic_irq(RiscVPlicIrqInterface *plic_irq) { plic_irq_ = plic_irq; }
	int period() const { return period_; }
	void set_period(int period) { period_ = period; }
	int cap_count() const { return cap_count_; }
	void set_cap_count(int cap_count) { cap_count_ = cap_count; }
	uint64_t revocation_bits_base() const { return revocation_bits_base_; }
	void set_revocation_bits_base(uint64_t revocation_bits_base) {
	revocation_bits_base_ = revocation_bits_base;
	}

	private:
	// MMR read/write methods.
	uint32_t Read(uint32_t offset);
	void Write(uint32_t offset, uint32_t value);
	void WriteGo();
	// Perform an iteration of revocation.
	void Revoke();
	void ProcessCapability(uint64_t address);
	bool MustRevoke(uint64_t address);
	void SetInterrupt(bool value);
	// The number of times SetValue is called before triggering a revocation
	// operation.
	int period_ = 1;
	// Tracker for the number of times SetValue is called.
	int num_calls_ = 0;
	// The max number of capabilities to revoke in a single operation.
	int cap_count_ = 0;
	// Current capability index.
	uint64_t current_cap_ = 0;
	// Sweep in progress.
	bool sweep_in_progress_ = false;
	RiscVPlicIrqInterface *plic_irq_ = nullptr;
	// Heap range.
	uint64_t heap_base_ = 0;
	uint64_t heap_max_ = 0;
	// Memory interface to use for the tagged heap.
	TaggedMemoryInterface *heap_memory_ = nullptr;
	// Memory interface to use for the revocation bits.
	MemoryInterface *revocation_memory_ = nullptr;
	// Data buffers.
	DataBuffer *db_ = nullptr;
	DataBuffer *tag_db_ = nullptr;
	// Capability register.
	CheriotRegister *cap_reg_ = nullptr;
	// Base address of the revocation bits.
	uint64_t revocation_bits_base_ = 0;
	// DB factory.
	DataBufferFactory db_factory_;

	// MMRs
	uint64_t start_address_ = 0;
	uint64_t end_address_ = 0;
	uint32_t go_ = 0;
	uint32_t epoch_ = 0;
	uint32_t interrupt_enable_ = 0;
	uint32_t interrupt_status_ = 0;
	};

	} // namespace cheriot
	} // namespace sim
	} // namespace mpact

	#endif // MPACT_CHERIOT_CHERIOT_IBEX_HW_REVOKER_H_