diff --git a/cfi_backward.adoc b/cfi_backward.adoc index e442fa6..77de4d8 100644 --- a/cfi_backward.adoc +++ b/cfi_backward.adoc @@ -786,15 +786,18 @@ page. When `menvcfg.SSE=0`, this encoding remains reserved. When `V=1` and The following faults may occur: -. If the accessed page is a shadow stack page: +. If the accessed page is a shadow stack page (`pte.xwr=010b`): .. Stores other than `SSAMOSWAP`, `SSPUSH`, and `C.SSPUSH` cause store/AMO access-fault exception. .. Implicit accesses cause an access-fault exception corresponding to the original access type. -. If the accessed page is not a shadow stack page or if the page is in - non-idempotent memory: +. If the accessed page is read-write (`pte.xwr=?11b`) or execute-only + (`pte.xwr=100b`) page or if the page is in non-idempotent memory: .. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO access-fault. .. `C.SSPOPCHK` and `SSPOPCHK` cause a load access-fault. +. If the accessed page has read-only (`pte.xwr=001b`) permissions: +.. `SSAMOSWAP`, `C.SSPUSH`, and `SSPUSH` cause a store/AMO page-fault. +.. `C.SSPOPCHK` and `SSPOPCHK` cause a load page-fault. [NOTE] ==== 
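Review bot: the rewritten second list item leaves the read-execute encoding (`pte.xwr=101b`) without a specified outcome. The old wording "not a shadow stack page" covered every encoding other than `010b`; the new enumeration names `?11b`, `100b` and (in the new third item) `001b`, so a shadow stack access to a `101b` page now falls through all three items. Suggest widening the executable case, e.g. `(pte.xwr=?11b) or executable (pte.xwr=10?b) page`, which also gives the opportunity to fix the article in `is read-write (...) or execute-only (...) page` (should be `is a read-write ... or executable ... page`).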
@@ -818,9 +821,15 @@ On implementations where address-misaligned exception is prioritized higher than access-fault exception, a trap handler that emulates misaligned stores must cause an access-fault exception if store is being made to a shadow stack page. -Shadow stack instructions cause an access-fault if the accessed page is not a -shadow stack page or if the page is in non-idempotent memory to similarly -indicate fatality. +Shadow stack instructions cause an access-fault if the accessed page is +read-writeable or is executable or if the page is in non-idempotent memory to +similarly indicate fatality. + +Shadow stack instructions cause a page-fault if the accessed page is read-only +to support copy-on-write (COW) of a shadow stack page. If the page had been +marked as read-only due to the page being tracked for COW, the page fault +handler, in response to the page fault, creates a copy of the page and updates +the `pte.xwr` to `010b` to designate the each copy as a shadow stack page. While the specification mandates that an access-fault exception shall be generated when either single-stage or VS-stage address translation is invoked 
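Review bot: the new COW paragraph should state explicitly that the page-fault handler must confirm the faulting page is a read-only page it is tracking for COW of a shadow stack before it copies the page and rewrites `pte.xwr` to `010b`; as written, "If the page had been marked as read-only due to the page being tracked for COW" leaves the alternative (a shadow stack access to an ordinary read-only page) unaddressed, and a handler that converts any read-only page on such a fault would silently turn a non-shadow-stack page into a shadow stack page. A sentence such as "Otherwise the handler should treat the fault as fatal" would close that gap. Also a typo in the last added line: `to designate the each copy as a shadow stack page` should read `to designate each copy as a shadow stack page`.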
@@ -847,14 +856,14 @@ cite:[PRIV] is modified as follows: PAGESIZE` and go to step 2. 5. A leaf PTE has been found. If the memory access is by a shadow stack - instruction and `pte.xwr != 010b`, then cause an access-fault exception - corresponding to the access type. If the memory access is either a - non-shadow-stack store/AMO or an implicit access, and `pte.xwr == 010b`, then - an access-fault exception is raised, corresponding to the original access type. - If the requested memory access is not allowed by the `pte.r`, `pte.w`, `pte.x`, - and `pte.u` bits, given the current privilege mode and the value of the `SUM` - and `MXR` fields of the `mstatus` register, stop and raise a page-fault - exception corresponding to the original access type. + instruction and `pte.xwr != 010b` or `pte.xwr != 001b`, then cause an + access-fault exception corresponding to the access type. If the memory access + is either a non-shadow-stack store/AMO or an implicit access, and + `pte.xwr == 010b`, then cause an access-fault exception corresponding to the + original access type. If the requested memory access is not allowed by the + `pte.r`, `pte.w`, `pte.x`, and `pte.u` bits, given the current privilege mode + and the value of the `SUM` and `MXR` fields of the `mstatus` register, stop + and raise a page-fault exception corresponding to the original access type. The PMA checks are extended to require memory referenced by `SSAMOSWAP`, `SSPUSH`, `C.SSPUSH`, `C.SSPOPCHK`, and `SSPOPCHK` to be idempotent. 
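Review bot: the new condition in step 5, `pte.xwr != 010b or pte.xwr != 001b`, is always true, since every encoding differs from at least one of the two values; it should be `pte.xwr != 010b and pte.xwr != 001b` (or "is neither `010b` nor `001b`"). Separately, the read-only case is not fully covered by the rest of the step: a `C.SSPOPCHK`/`SSPOPCHK` load to a `001b` page is now exempt from the access-fault clause and is then permitted by the `pte.r` check, so step 5 raises no fault at all, which contradicts the new list item earlier in this patch stating that these instructions cause a load page-fault on a read-only page. Suggest adding an explicit clause after the shadow stack access-fault sentence: `If the memory access is by a shadow stack instruction and pte.xwr == 001b, stop and raise a page-fault exception corresponding to the access type.`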
@@ -881,10 +890,7 @@ Shadow stacks are expected to be bounded on each end using guard pages, so that no two shadow stacks are adjacent to each other. This guards against accidentally underflowing or overflowing from one shadow stack to another. Traditionally, a guard page for a stack is a page that is inaccessible to the process owning -the stack. For shadow stacks, the guard page may also be a non-shadow-stack -page that is otherwise accessible to the process owning the shadow stack -because shadow stack loads and stores to non-shadow-stack pages cause an -access-fault exception. +the stack. ==== The G-stage address translation and protections remain unaffected by the Zicfiss
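Review bot: the deleted sentence should be replaced with a shorter statement rather than dropped outright, because the guidance it gave is only partly invalidated by this patch. A read-only non-shadow-stack page no longer works as a guard, since shadow stack accesses to it now raise a page-fault that the OS may resolve by COW; a read-write or executable page, however, still raises an access-fault and so still stops an underflow or overflow. Suggest keeping something like `A read-only page must not be used as a guard page for a shadow stack, since shadow stack accesses to it raise a page-fault rather than an access-fault.` so readers are not left to infer the constraint from the fault tables above.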