CAndPerms: permit clearing GL on sealed caps #83
Conversation
|
@nwf either p[topm is fine from microarchitecture perspective. Option 1 is a little easier to implement & verify but the difference is not huge. |
|
If either works for uarch I think sw preference is for option 2 so lets go with that! |
|
The third option, which is easiest for software, is to treat whatever you have and whatever you have minus G as the only representable things and make CAndPerm do the same thing is does currently when the exact intersection is not representable. |
|
@davidchisnall what you're suggesting would be the same as forcing all bits of the mask except GL to one if the capability is sealed. Isn't it likely to be a programmer error to try to clear non-GL permissions on a sealed capability? If so that proposal would allow the error to go undetected. On the other hand if the programmer wants to clear permissions on unsealed capabilities and leave sealed ones alone (except GL) that would be useful. |
nwf
force-pushed
the
202411-candperm-seal-gl
branch
from
01263b2
to
b98eecf
Compare
But require that all other bits in the mask provided to CAndPerms be 1 in order for a tagged sealed input to result in a tagged sealed output.
nwf
force-pushed
the
202411-candperm-seal-gl
branch
from
b98eecf
to
19092ec
Compare
Address #70. This is not ready to merge, in that it hasn't yet decided between the two options:
CAndPermson a sealed operand must be all-ones or all-ones-but-GLGLbit.Shuffle the comment delimiters around to pick between the two. I believe either is fine from a security perspective; option 1 imposes stronger requirements on the program(mer) while the later tolerates some... incidental correctness. If one is clearly better for microarchitecture, tho', that could be the deciding factor.
Pinging @kliuMsft.