
Weaken backwards-arc sentry pseudo-locality #79

Closed
nwf opened this issue Oct 25, 2024 · 6 comments
Labels
enhancement New feature or request

Comments


nwf commented Oct 25, 2024

#64 added a "pseudo-locality" flavor of return sentry capabilities: storing these always requires SL authority, even if the sentry object itself is G-lobal (which it should be, so that after return, things derived from auipcc are global). (See also discussion on #63)

This is all well and good, but it means that we can't easily let compartments running under the RTOS pivot onto heap-allocated stacks. While such a pivoted thread couldn't make cross-compartment calls and would have to be careful about local parameters, it would be very convenient for adapting existing code that uses large on-stack buffers (e.g., TLS), and it wouldn't require us to allocate large stacks for threads that incidentally call into such code.

@davidchisnall's suggestion is to weaken the requirement on stores such that storing a backwards-arc sentry requires SL of its authority (whatever that authority might be) if the capability in csp is SL-bearing. I'll write this up in Sail for review and @kliuMsft can tell us how we're ruining timing of the pipeline. :)

@nwf nwf added the enhancement New feature or request label Oct 25, 2024

kliuMsft commented Oct 25, 2024

I think from a microarchitecture point of view, using CSP makes it tougher compared to using a CSR. Reason being that there is only one way (via CSRRW) to change a "normal" CSR, and it is easier for it to take effect immediately after execution. Meanwhile, CSP can be updated in a number of different ways (R2R instructions, load from memory) so it is trickier to get it right. We might be able to simplify things a little w/ flush instructions, but I am not super sure how it works beyond just cheriot-ibex.


nwf commented Oct 25, 2024

(Another argument in favor of having made SP architectural and not an ordinary GPR. Which, having not done in the base ISA, RISC-V then almost did with the compressed instruction encodings... grumble.)


nwf commented Oct 25, 2024

@davidchisnall was asking in the meeting, I think (forgive me if I've gotten this wrong), if it's possible to avoid some of the pipeline forwarding complexity by making csc %0, k(%1) instructions for which register %0 is holding a backward-arc sentry and %1 is not 2 (csp) take another cycle to read from the register file.

That's the case that matters, since when %1 is 2, the check is tautological:

  • if csp bears SL, then we require SL when storing backward sentries, but oh look, the authority in csp has it, and
  • if csp does not, then we don't require it, and the fact that the authority lacks it is boring.

In practice, almost all spills of return addresses will use csp as their authority (and this is also likely true of the switcher already, and where it isn't we can make it).
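Added example (not code from this issue or from the CHERIoT Sail model): a small Python model of the two store rules discussed in this thread, the always-SL rule from #64 and the csp-conditioned rule proposed above, used to check the tautology claim for stores authorised by csp and the heap-allocated-stack case from the opening comment. Field and function names are constructed, and it assumes a heap-derived stack capability is global and does not carry SL.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Cap:
    """Constructed model of the capability bits this issue talks about."""
    global_: bool                # G permission
    store_local: bool            # SL permission (meaningful on an authority)
    return_sentry: bool = False  # backwards-arc (return) sentry type


def store_allowed_pseudolocal(value: Cap, authority: Cap) -> bool:
    """Rule from #64: a return sentry is treated as local on every store."""
    if not value.global_ or value.return_sentry:
        return authority.store_local
    return True


def store_allowed_proposed(value: Cap, authority: Cap, csp: Cap) -> bool:
    """Proposed rule: SL is demanded for a return sentry only if csp bears SL."""
    if not value.global_:
        return authority.store_local
    if value.return_sentry and csp.store_local:
        return authority.store_local
    return True


def csp_check_is_tautological() -> bool:
    """With csp as the authority, the sentry clause never rejects a store that
    the plain G/SL check on the same csp would accept, for every csp."""
    sentry = Cap(global_=True, store_local=False, return_sentry=True)
    plain = Cap(global_=True, store_local=False)
    for g, sl in product([False, True], repeat=2):
        csp = Cap(global_=g, store_local=sl)
        if store_allowed_proposed(sentry, csp, csp) != \
                store_allowed_proposed(plain, csp, csp):
            return False
    return True


def heap_stack_spill() -> tuple[bool, bool]:
    """Spill a global return sentry through a heap-derived stack that lacks SL
    (assumption); returns (allowed under #64 rule, allowed under proposal)."""
    heap_csp = Cap(global_=True, store_local=False)
    sentry = Cap(global_=True, store_local=False, return_sentry=True)
    return (store_allowed_pseudolocal(sentry, heap_csp),
            store_allowed_proposed(sentry, heap_csp, csp=heap_csp))
```

The model also shows the property the weakening keeps: with an SL-bearing csp, spilling a return sentry through some other authority that lacks SL is still refused.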


nwf commented Oct 25, 2024

I think, musing aloud, that it's fine if this effect of transitioning csp is potentially not guaranteed to be felt until the next mret or cjalr instruction. There is a mret as part of context switch, a cjalr as part of cross-compartment call, and surely a cjalr as part of the stack pivot dance.

nwf added a commit that referenced this issue Oct 25, 2024
This is one approach to fixing #79
kliuMsft (Contributor) commented

@nwf if we can indeed defer the effect till mret/cjalr it would help (since those instructions flush the pipeline anyway).

Another thought - is it possible to make an architecturally visible mode bit rather than referring to CSP? I guess it's similar to making a CSR..


nwf commented Nov 14, 2024

For now, just rip pseudolocality out. See #82. We can revisit this later.

@nwf nwf closed this as completed Nov 14, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in ISA Version 1.0 release Nov 14, 2024