riscv / riscv-cheri

This repository contains the CHERI extension specification, adding hardware capabilities to the RISC-V ISA to enable fine-grained memory protection and scalable compartmentalization.
https://jira.riscv.org/browse/RVG-148
Creative Commons Attribution 4.0 International

Require X permission for CSEAL #70

Open sorear opened 9 months ago

sorear commented 9 months ago

Sentry capabilities have, by design, no authority except control transfer, and a sentry capability with X=0 is useless except as a token. If CSEAL is modified to unset the tag if the input lacks X permission, then the sentry case with X=0 becomes unconstructable and can be reused by future extensions.

jrtc27 commented 9 months ago

That requirement was deliberately dropped during the development of this spec (the CHERI spec enforces it) because people wanted tokens.

sorear commented 9 months ago

I remain unconvinced that for the minimal first pass spec, applications can't simply use a RO capability to an otherwise unused subobject, or a 0-length capability to a strictly interior address.

arichardson commented 9 months ago

Since you can still unseal using CBUILDCAP, I believe having non-executable sentries is valuable. I guess you might be able to use a zero-perms/0-length capability to a compartment-local address and then rederive, but I find unsealing using BUILDCAP is a cleaner approach for tokens.
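As an added illustration of the two positions in this thread (not code from the riscv-cheri spec or from any participant): a deliberately simplified Python model of sealing, in which `cseal` takes a flag for the proposed "clear the tag when X is absent" rule and `cbuildcap` shows the re-derivation route for tokens. The permission bit layout, otype values and function names are constructed for this example and are not the spec's encodings.

```python
# Constructed model of capability sealing for the discussion above; it is not
# the riscv-cheri formal semantics and the bit layout is invented.
from dataclasses import dataclass, replace

PERM_R = 1 << 0      # constructed permission bits
PERM_X = 1 << 1
UNSEALED = 0         # otype meaning "not sealed"
SENTRY = 1           # otype meaning "sealed as a sentry"

@dataclass(frozen=True)
class Cap:
    tag: bool
    base: int
    length: int
    perms: int
    addr: int = 0
    otype: int = UNSEALED

def cseal(cs: Cap, require_x: bool) -> Cap:
    """Seal cs as a sentry. require_x models the change this issue proposes:
    an input without X yields an untagged result instead of an X=0 sentry."""
    ok = cs.tag and cs.otype == UNSEALED
    if require_x:
        ok = ok and bool(cs.perms & PERM_X)
    return replace(cs, tag=ok, otype=SENTRY)

def cbuildcap(auth: Cap, bits: Cap) -> Cap:
    """Re-derive the fields of `bits` as an unsealed, tagged capability when
    `auth` is an unsealed superset in bounds and permissions: the
    'unseal using CBUILDCAP' route for tokens mentioned in the thread."""
    within = auth.base <= bits.base and bits.base + bits.length <= auth.base + auth.length
    subset = (bits.perms & ~auth.perms) == 0
    tag = auth.tag and auth.otype == UNSEALED and within and subset
    return replace(bits, tag=tag, otype=UNSEALED)

def is_valid_token(auth: Cap, presented: Cap, expected: Cap) -> bool:
    """Check a presented token by rebuilding it from the compartment's own
    authority and comparing with the token originally handed out."""
    rebuilt = cbuildcap(auth, presented)
    return rebuilt.tag and rebuilt == expected

def demo() -> dict:
    auth = Cap(tag=True, base=0x1000, length=0x100, perms=PERM_R | PERM_X)
    token = Cap(tag=True, base=0x1040, length=16, perms=PERM_R, addr=0x1040)  # X=0
    sealed_now = cseal(token, require_x=False)      # current draft: X=0 sentry
    sealed_proposed = cseal(token, require_x=True)  # proposal: tag cleared
    return {
        "x0_sentry_tagged_now": sealed_now.tag,
        "x0_sentry_tagged_proposed": sealed_proposed.tag,
        "token_check_via_buildcap": is_valid_token(auth, sealed_now, token),
        "oob_bits_rejected": is_valid_token(auth, replace(sealed_now, base=0x2000), token),
    }
```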