Exception Levels
Cheriette currently runs in a dual-exception level mode, with privileged functions executed at EL2 and userspace executed at EL0.
Eventually, Cheriette will run privileged instructions at EL1 and userspace instructions at EL0, but for our current purposes EL1 and EL2 are functionally equivalent. EL1 is preferable to EL2 because, on ARM Morello, EL1 can be architecturally forbidden from creating capabilities.
System Permission
CHERI provides a “PERMIT_ACCESS_SYSTEM_REGISTERS” permission on the PCC. This permission is part of the AArch64, x86-64 and RISC-V CHERI implementations.
Without the PERMIT_ACCESS_SYSTEM_REGISTERS bit in the PCC set, CHERI architecturally traps accesses to privileged registers like trap configuration registers, page table base registers, etc.
In principle, PERMIT_ACCESS_SYSTEM_REGISTERS allows the construction of a single-exception-level system that never has to change exception levels and only distinguishes between “privileged” and “unprivileged” instructions by the presence of the PERMIT_ACCESS_SYSTEM_REGISTERS bit in the PCC.
However, according to the CHERI v9 architecture manual, the intention behind PERMIT_ACCESS_SYSTEM_REGISTERS is “code compartmentalization within the privileged ring”, which does not guarantee that running with the PERMIT_ACCESS_SYSTEM_REGISTERS bit cleared is equivalent to running at EL0.
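The following is an added model, not Cheriette code and not a real CHERI instruction sequence, of the two rules the paragraphs above rely on: system-register access is gated on the PCC carrying PERMIT_ACCESS_SYSTEM_REGISTERS, and capability permission derivation is monotonic, so code handed a PCC without the bit cannot derive one that has it. The permission bit positions, the `cap_t` struct and the function names are constructed for the model; on real hardware the check is done by the CPU on every system-register access, and a CHERI toolchain would manipulate real permissions with its own intrinsics instead of this arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed permission bits; positions are arbitrary for this model. */
#define PERMIT_LOAD                    (1u << 0)
#define PERMIT_STORE                   (1u << 1)
#define PERMIT_EXECUTE                 (1u << 2)
#define PERMIT_ACCESS_SYSTEM_REGISTERS (1u << 3)

/* Hypothetical capability: permission mask plus validity tag. */
typedef struct {
    uint32_t perms;
    bool     tag;
} cap_t;

typedef enum { ACCESS_OK, TRAP_NO_SYSTEM_PERM, TRAP_INVALID_CAP } access_result_t;

/* Monotonic derivation: the child keeps only permissions the parent already
 * has (parent & mask). Bits the parent lacks are dropped, never granted. */
static cap_t perms_and(cap_t parent, uint32_t mask) {
    cap_t child = parent;
    child.perms = parent.perms & mask;
    return child;
}

/* A privileged-register access (trap configuration, page table base, ...)
 * traps unless the PCC is valid and carries PERMIT_ACCESS_SYSTEM_REGISTERS. */
static access_result_t access_system_register(cap_t pcc) {
    if (!pcc.tag)
        return TRAP_INVALID_CAP;
    if (!(pcc.perms & PERMIT_ACCESS_SYSTEM_REGISTERS))
        return TRAP_NO_SYSTEM_PERM;
    return ACCESS_OK;
}

/* Single-exception-level sketch: the privileged PCC has the bit, the PCC
 * handed to unprivileged code is derived with the bit cleared, and the
 * unprivileged code cannot regain it by re-deriving from its own PCC. */
static bool single_el_model(void) {
    cap_t kernel_pcc = { PERMIT_LOAD | PERMIT_EXECUTE | PERMIT_ACCESS_SYSTEM_REGISTERS, true };
    cap_t user_pcc   = perms_and(kernel_pcc, ~PERMIT_ACCESS_SYSTEM_REGISTERS);
    cap_t escalated  = perms_and(user_pcc, 0xFFFFFFFFu); /* request every bit */

    return access_system_register(kernel_pcc) == ACCESS_OK
        && access_system_register(user_pcc)   == TRAP_NO_SYSTEM_PERM
        && access_system_register(escalated)  == TRAP_NO_SYSTEM_PERM;
}

int main(void) {
    printf("single-EL model behaves as described: %s\n",
           single_el_model() ? "yes" : "no");
    return single_el_model() ? 0 : 1;
}
```

What the model does not capture is exactly the caveat the manual raises: the bit controls system-register access, but nothing in this check says anything about the other differences between EL0 and a privileged exception level, so clearing it is not by itself a substitute for running at EL0.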
While not an issue for the current design of Cheriette, a single exception level also makes switching page tables more cumbersome than it is when unprivileged code runs at EL0.