CTSRD-CHERI / qemu

QEMU with support for CHERI

Fix Morello capability store faults #167

Closed brettferdosi closed 2 years ago

brettferdosi commented 3 years ago

Previous logic had us only faulting when CDBM and SC are both unset, but for software managed capability dirty tracking we need to fault any time SC isn't set.

LawrenceEsswood commented 3 years ago

I don't think this is what you want. Obviously, the true correct behaviour when !sc && cdbm is to have hardware tracking. Given that we don't want to support this, I agree it might be fair to just trap (although maybe it should be up to the OS to just not set cdbm? What does Arm do with the regular dbm bit when hardware does not support it?). In which case, you want to ignore cdbm completely. Currently what you have will trap capability stores when !sc, but only on TLB refill. The TLB entry still depends on CDBM and so subsequent accesses will fault differently.

brettferdosi commented 3 years ago

For regular dirty tracking, the OS gets a protection fault when the write inhibit bit is set. In the handler, if a write caused the fault and DBM is set then it will clear the bit that inhibits write access. To me the analogous thing would be to raise the capability fault when SC is unset and to set SC in the handler if it's a cap store and CDBM is set.

I agree with both of your comments about the check for !cdbm in my patch. Initially I didn't have the check, but without it the OS panics during boot with a tag violation. Not sure why that's the case as I'm unfamiliar with QEMU. Does either of you have any ideas about what might be happening? The OS patch is here: https://github.com/CTSRD-CHERI/cheribsd/pull/1077/commits/994796e2b669974e6336f8a2c3651c4cdd9a3cb9.
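A constructed C model of the two store-permission policies and the OS-side handler discussed in this thread (an added example, not QEMU's or CheriBSD's code; the bit positions and the meanings of SC and CDBM are assumptions):

```c
/* Constructed model (not QEMU or CheriBSD code) of the Morello
 * capability-store permission check discussed in this PR.
 * Assumed PTE bits: SC = capability stores allowed,
 * CDBM = software-managed capability dirty tracking enabled. */
#include <stdbool.h>
#include <stdint.h>

#define PTE_SC   (1u << 0)  /* assumed bit positions, for the model only */
#define PTE_CDBM (1u << 1)

/* Previous QEMU logic as described in the PR: fault only when both are clear. */
static bool cap_store_faults_old(uint32_t pte)
{
    return !(pte & PTE_SC) && !(pte & PTE_CDBM);
}

/* Logic proposed in the PR: fault whenever SC is clear, regardless of CDBM. */
static bool cap_store_faults_new(uint32_t pte)
{
    return !(pte & PTE_SC);
}

/* OS-side handler, analogous to DBM handling of the write-inhibit bit:
 * on a capability-store fault, if CDBM is set, mark the page capability-
 * dirty by setting SC and retry; otherwise it is a real protection fault.
 * Returns true if the fault was handled. */
static bool handle_cap_store_fault(uint32_t *pte)
{
    if (*pte & PTE_CDBM) {
        *pte |= PTE_SC;
        return true;   /* retry the store; it now passes the check */
    }
    return false;      /* deliver a protection fault */
}

/* One capability store under the new policy with the handler in the loop.
 * Returns 0 = allowed outright, 1 = dirtied then allowed, -1 = denied. */
static int cap_store_new(uint32_t *pte)
{
    if (!cap_store_faults_new(*pte)) return 0;
    if (!handle_cap_store_fault(pte)) return -1;
    return cap_store_faults_new(*pte) ? -1 : 1;
}

/* Convenience wrapper taking the initial PTE by value. */
static int cap_store_trace(uint32_t pte)
{
    return cap_store_new(&pte);
}
```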