riscv · arichardson · Apr 15, 2024 · Apr 8, 2024 · Apr 8, 2024 · Apr 8, 2024
diff --git a/src/attributes.adoc b/src/attributes.adoc
@@ -48,6 +48,8 @@ endif::[]
 :cheri_pte_ext_name:       Zcheri_pte
 // Extension for CHERI capabilities in vector registers
 :cheri_vectorcap_ext_name: Zcheri_vectorcap
+// Extension for CHERI thread identification
+:cheri_tid_ext_name: Zcheri_tid
 
 // Extension for supporting lr/sc.[bh]
 :lr_sc_bh_ext_name: Zabhlrsc

diff --git a/src/cheri-tid-ext.adoc b/src/cheri-tid-ext.adoc
@@ -0,0 +1,28 @@
+== "Zcheri_tid" Extension for CHERI Thread Identification
+
+{cheri_tid_ext_name} is an optional extension to {cheri_base_ext_name}.
+Implementations that support {cheri_base_ext_name} and {cheri_legacy_ext_name}
+define a variant of the CHERI ISA that allows for software compartmentalisation
+of CHERI programs.
+
+=== Unprivileged CSRs
+
+==== User Thread Identifier Capability (utidc)
+
+The <<utidc>> register is an CLEN-wide read-only register. It is a read-only
+copy of the <<stidc>> register. On reset the tag will be set to 0 and the
+remainder of the data is UNSPECIFIED.
+
+[#CHERI_COMP,reftext="CHERI Compartmentalization]
+=== CHERI Compartmentalization
+
+This section describes how this specification enables support for compartmentalization for CHERI systems.
+Compartmentalization seeks to separate the privileges between different protection units, e.g., two or more libraries.
+Code can be separated by sentries, which allow for giving out code capabilities to untrusted code where the untrusted code can only call code capability, but not modify it.
+Sentries can be called from different threads and thus there needs to be a way of identifying the current thread.
+While identifying the current thread can be done by privileged code, e.g., the kernel, the implied performance overhead of this is not bearable for CHERI systems with many compartments.
+
+The RISC-V ABI includes a _thread pointer (tp)_ register, which is not usable for the purpose of reliably identifying the current thread because the tp register is a general purpose register and can be changed arbitrarily by untrusted code.
+Therefore, this specification offers two additional CSRs that facilitate a trusted source for the thread ID.
+The supervisor thread identifier (STID) register is readable and writeable with <<asr_perm>> from the supervisor mode allowing to change the thread ID on a context switch.
+The user thread identifier (UTID) exposes the current value of STID as a read-only copy.
diff --git a/src/img/stidreg.edn b/src/img/stidreg.edn
@@ -0,0 +1,14 @@
+[bytefield]
+----
+(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 24}])
+(def row-height 40)
+(def row-header-fn nil)
+(def left-margin 100)
+(def right-margin 100)
+(def boxes-per-row 32)
+(draw-column-headers {:height 20 :font-size 18 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "SXLEN-1"])})
+
+(draw-box "stid"  {:span 32})
+
+(draw-box "SXLEN" {:span 32 :borders {}})
+----
diff --git a/src/img/utidreg.edn b/src/img/utidreg.edn
@@ -0,0 +1,14 @@
+[bytefield]
+----
+(defattrs :plain [:plain {:font-family "M+ 1p Fallback" :font-size 24}])
+(def row-height 40)
+(def row-header-fn nil)
+(def left-margin 100)
+(def right-margin 100)
+(def boxes-per-row 32)
+(draw-column-headers {:height 20 :font-size 18 :labels (reverse ["0" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "UXLEN-1"])})
+
+(draw-box "utid"  {:span 32})
+
+(draw-box "UXLEN" {:span 32 :borders {}})
+----
diff --git a/src/riscv-cheri.adoc b/src/riscv-cheri.adoc
@@ -50,6 +50,8 @@ include::cheri-pte-ext.adoc[]
 
 include::riscv-legacy-integration.adoc[]
 
+include::cheri-tid-ext.adoc[]
+
 include::instructions.adoc[]
 
 include::tables.adoc[]

diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc
@@ -371,6 +371,11 @@ xref:ucsrnames-renamed[xrefstyle=short] from the base RISC-V ISA and its
 extensions. The CSRs are renamed to reflect the fact that they are extended to
 CLEN+1 bits wide, as the *x* registers are renamed to *c* registers.
 
+Furthermore, {cheri_base_ext_name} adds two new CSRs to implement a trusted thread
+identifier (TID) used in compartmentalization. These CSRs are listed in
+xref:scsrnames-added[xrefstyle=short] and
+xref:ucsrnames-added[xrefstyle=short].
+
 [[dcsrnames-renamed]]
 .Renamed debug-mode CSRs in {cheri_base_ext_name}
 [%autowidth,float="center",align="center",cols="<,<,<,<,<,<",options="header"]
@@ -392,13 +397,29 @@ include::generated/csr_renamed_purecap_mode_m_table_body.adoc[]
 include::generated/csr_renamed_purecap_mode_s_table_body.adoc[]
 |===
 
+[[scsrnames-added]]
+.Added supervisor-mode CSRs in {cheri_base_ext_name}
+[%autowidth,float="center",align="center",cols="<,<,<,<,<",options="header"]
+|===
+|{cheri_base_ext_name} CSR|Address|Prerequisites|Permissions|Description
+|<<stid>>|0x580|S-mode|SRW, <<asr_perm>>|Supervisor Thread Identifier
+|===
+
 [[ucsrnames-renamed]]
 .Renamed user-mode CSRs in {cheri_base_ext_name}
 [%autowidth,float="center",align="center",cols="<,<,<,<,<,<",options="header"]
 |===
 include::generated/csr_renamed_purecap_mode_u_table_body.adoc[]
 |===
 
+[[ucsrnames-added]]
+.Added user-mode CSRs in {cheri_base_ext_name}
+[%autowidth,float="center",align="center",cols="<,<,<,<,<",options="header"]
+|===
+|{cheri_base_ext_name} CSR|Address|Prerequisites|Permissions|Description
+|<<utid>>|0xC80|U-mode|URO|User Thread Identifier
+|===
+
 === Machine-Level CSRs
 
 {cheri_base_ext_name} extends some M-mode CSRs to hold capabilities or
@@ -973,11 +994,31 @@ is the cause of the fault. The possible CHERI types and causes are encoded as
 shown in xref:mtval-cheri-type[xrefstyle=short] and
 xref:mtval-cheri-causes[xrefstyle=short] respectively.
 
+[#stid,reftext="stid"]
+==== Supervisor Thread Identifier (stid)
+
+The <<stid>> register is an SXLEN-bit read-write register. It is used to
+identify the current thread. The reset value of this register is
+UNSPECIFIED.
+
+.Supervisor thread identifier register
+include::img/stidreg.edn[]
+
 === Unprivileged CSRs
 
 Unlike machine and supervisor level CSRs, {cheri_base_ext_name} does not require
 <<pcc>> to grant <<asr_perm>> to access unprivileged CSRs.
 
+[#utid,reftext="utid"]
+==== User Thread Identifier (utid)
+
+The <<utid>> register is an UXLEN-bit read-only register. It is a read-only
+copy of the <<stid>> register. The reset value of this register is
+UNSPECIFIED.
+
+.User thread identifier register
+include::img/utidreg.edn[]
+
 === CHERI Exception handling
 
 NOTE: `auth_cap` is <<ddc>> for Legacy Mode and `cs1` for Capability Mode
@@ -1102,3 +1143,4 @@ written to these CSRs unless the specification explicitly states that the CSR
 behaves otherwise (see <<mepcc>> and <<sepcc>>). Also note that <<pcc>> can
 be written with a <<JALR>> instruction in Capability Mode which automatically unseal the capability _before_
 the invalid address conversion above.
+