Instruction for capability-aware system-level cache maintenance?

[leo308078]

Most CPUs provide custom system-level cache maintenance instructions, such as flushing or invalidating the entire cache, which are typically used during boot-up or power-down sequences.

Has the RISC-V CHERI project considered introducing capability-aware versions of these system-level cache maintenance instructions?
Specifically, is it possible for such instructions to reference a capability register and perform permission checks on each cache line as they operate?

If not, could the lack of capability checks in system-level cache maintenance operations potentially introduce security vulnerabilities?

[jrtc27]

If you're introducing custom extensions to a CHERI-RISC-V core it is your responsibility to consider how to make sure they do not compromise the capability security model. I don't think it's reasonable to consider each and every possible case that a vendor could dream up. At the end of the day, just as a vendor should not introduce features that undermine current RISC-V security models (MMU and PMP, for example, and there are cases where vendors have got this wrong, so this is not a new problem), they should not do so for future RISC-V security models.

[jrtc27]

For example, restricting to requiring ASR and/or a capability that spans the entire address space could be reasonable ways to approach the specific case you refer to, and it is up for the vendor to consider what they deem appropriate for their system.