1%
2% Copyright 2014, General Dynamics C4 Systems
3%
4% SPDX-License-Identifier: GPL-2.0-only
5%
6
7\chapter{\label{ch:cspace}Capability Spaces}
8
9Recall from \autoref{sec:cap-access-control} that seL4 implements a
10capability-based access control model.  Each userspace thread has an
11associated \emph{capability space} (CSpace) that contains the
12capabilities that the thread possesses, thereby governing which
13resources the thread can access.
14
15Recall that capabilities reside within kernel-managed objects known as
16\obj{CNode}s. A \obj{CNode} is a table of slots, each of which may
17contain a capability. This may include capabilities to further
18\obj{CNode}s, forming a directed graph. Conceptually a thread's CSpace
19is the portion of the directed graph that is reachable starting with
20the \obj{CNode} capability that is its CSpace root.
21
22A CSpace address refers to an individual slot (in
23some \obj{CNode} in the CSpace), which may or may not contain a
24capability. Threads refer to capabilities in their CSpaces (e.g. when
25making system calls) using the address of the slot that holds the
26capability in question.  An address in a CSpace is the concatenation
27of the indices of the \obj{CNode} capabilities forming the path to the
28destination slot; we discuss this further in
29\autoref{s:cspace-addressing}.
30
31% FIXME The references to mint in the following paragraph and previously in
32% this section need to be cleaned up. They were clearly written at a time when
33% it was not possible to change a capability's rights during a CNode_Copy.
34Recall that capabilities can be copied and moved within CSpaces, and
35also sent in messages (message sending will be described in detail in
36\autoref{sec:cap-transfer}).  Furthermore, new capabilities can be
37\emph{minted} from old ones with a subset of their rights.  Recall,
38from \autoref{s:memRevoke}, that seL4 maintains a \emph{capability
39  derivation tree} (CDT) in which it tracks the relationship between
40these copied capabilities and the originals.  The revoke method
41removes all capabilities (in all CSpaces) that were derived from a
42selected capability. This mechanism can be used by servers to restore
43sole authority to an object they have made available to clients, or by
44managers of untyped memory to destroy the objects in that memory so it
45can be retyped.
46
47seL4 requires the programmer to manage all in-kernel data structures,
48including CSpaces, from userspace. This means that the userspace
49programmer is responsible for constructing CSpaces as well as
50addressing capabilities within them.  This chapter first discusses
51capability and CSpace management, before discussing how capabilities
52are addressed within CSpaces, i.e. how applications can refer to
53individual capabilities within their CSpaces when invoking methods.
54
55\section{Capability and CSpace Management}
56
57\subsection{CSpace Creation}
58
59CSpaces are created by creating and manipulating \obj{CNode} objects.
60When creating a \obj{CNode} the user must specify the number of slots
61that it will have, and this determines the amount of memory that it
62will use. Each slot requires $2^\texttt{seL4\_SlotBits}$ bytes of physical
63memory and has the capacity to hold exactly one capability. This is 16
64bytes on 32-bit architectures and 32 bytes on 64-bit architectures.
65Like any other object, a \obj{CNode} must be created by calling
66\apifunc{seL4\_Untyped\_Retype}{untyped_retype} on an appropriate
67amount of untyped memory (see \autoref{sec:object_sizes}).  The caller
68must therefore have a capability to enough untyped memory as well as
69enough free capability slots available in existing \obj{CNode}s for
70the \apifunc{seL4\_Untyped\_Retype}{untyped_retype} invocation to
71succeed.
72
73\subsection{CNode Methods}
74\label{sec:cnode-ops}
75
76Capabilities are managed largely through invoking \obj{CNode} methods.
77
78\obj{CNodes} support the following methods:
79\begin{description}
80\item[\apifunc{seL4\_CNode\_Mint}{cnode_mint}] creates a new
81  capability in a specified \obj{CNode} slot from an existing
82  capability.  The newly created capability may have fewer rights than
83  the original and a different guard (see
84  \autoref{sec:cap_address_lookup}). \apifunc{seL4\_CNode\_Mint}{cnode_mint}
85  can also create a badged capability (see \autoref{sec:ep-badges})
86  from an unbadged one.
87\item[\apifunc{seL4\_CNode\_Copy}{cnode_copy}] is similar to
88  \apifunc{seL4\_CNode\_Mint}{cnode_mint}, but the newly created
89  capability has the same badge and guard as the original.
90\item[\apifunc{seL4\_CNode\_Move}{cnode_move}] moves a capability
91  between two specified capability slots. You cannot move a capability
92  to the slot in which it is currently.
93\item[\apifunc{seL4\_CNode\_Mutate}{cnode_mutate}] can move a
94  capability similarly to \apifunc{seL4\_CNode\_Move}{cnode_move} and
95  also reduce its rights similarly to
96  \apifunc{seL4\_CNode\_Mint}{cnode_mint}, but without making
97  a copy. That is, if the capability is revokable, it remains revokable.
98  Similar to \apifunc{seL4\_CNode\_Mint} it can
99  be used to adjust the guard of a \obj{CNode} capability. It cannot be
100  used to badge endpoint capabilities.
101\item[\apifunc{seL4\_CNode\_Rotate}{cnode_rotate}] moves two
102  capabilities between three specified capability slots. It is
103  essentially two \apifunc{seL4\_CNode\_Move}{cnode_move} invocations:
104  one from the second specified slot to the first, and one from the
105  third to the second. The first and third specified slots may be the
106  same, in which case the capability in it is swapped with the
107  capability in the second slot. The method is atomic; either both or
108  neither capabilities are moved.
109\item[\apifunc{seL4\_CNode\_Delete}{cnode_delete}] removes a
110  capability from the specified slot.
111\item[\apifunc{seL4\_CNode\_Revoke}{cnode_revoke}] is equivalent to
112  calling \apifunc{seL4\_CNode\_Delete}{cnode_delete} on each derived
113  child of the specified capability. It has no effect on the
114  capability itself, except in very specific circumstances outlined
115  in Section~\ref{s:cspace-revoke}.
116\item[\apifunc{seL4\_CNode\_SaveCaller}{cnode_savecaller}] moves a
117  kernel-generated reply capability of the current thread from the
118  special \obj{TCB} slot it was created in, into the designated CSpace
119  slot (non-MCS only).
120\item[\apifunc{seL4\_CNode\_CancelBadgedSends}{cnode_cancelbadgedsends}] cancels
121  any outstanding sends that use the same badge and object as the
122  specified capability.
123\end{description}
124
125\subsection{Capabilities to Newly-Retyped Objects}
126\label{sec:caps_to_new_objects}
127
128When retyping untyped memory into objects with
129\apifunc{seL4\_Untyped\_Retype}{untyped_retype}, capabilities to the
130newly-retyped objects are placed in consecutive slots in a
131\obj{CNode} specified by its \texttt{root}, \texttt{node\_index}, and
132\texttt{node\_depth} arguments. The \texttt{node\_offset} argument specifies the
133index into the \obj{CNode} at which the first capability will be placed.
134The \texttt{num\_objects} argument specifies the number of capabilities (and, hence, objects)
135to create. All slots must be empty or an error will result. All resulting
136capabilities will be placed in the same \obj{CNode}.
137
138\subsection{Capability Rights}
139\label{sec:cap_rights}
140
141As mentioned previously, some capability types have \emph{access
142  rights} associated with them. Currently, access rights are
143associated with capabilities for \obj{Endpoint}s (see
144\autoref{ch:ipc}), \obj{Notification}s (see
145\autoref{ch:notifications}), \obj{Page}s (see \autoref{ch:vspace}) and
146\obj{Reply}ing (see \autoref{ch:ipc}).  The
147access rights associated with a capability determine the methods that
148can be invoked.  seL4 supports four access rights, which
149are Read, Write, Grant and GrantReply. Read, Write and Grant are orthogonal to
150each other. GrantReply is a less powerful form of Grant e.g. if you already have
151Grant, having GrantReply or not is irrelevant.  The meaning of each right is interpreted
152relative to the various object types, as detailed
153in~\autoref{tab:rights}.
154
155When an object is first created, the initial capability that refers to
156it carries the maximum set of access rights. Other, less-powerful
157capabilities may be manufactured from this original capability, using
158methods such as \apifunc{seL4\_CNode\_Mint}{cnode_mint} and
159\apifunc{seL4\_CNode\_Mutate}{cnode_mutate}.  If a greater set of
160rights than the source capability is specified for the destination
161capability in either of these invocations, the destination rights are
162silently downgraded to those of the source.
163
164%TODO it looks ugly now
165\begin{table}[htb]
166  \renewcommand{\arraystretch}{1.5}
167  \begin{tabularx}{\textwidth}{p{0.15\textwidth}XXXX}
168    \toprule
169    Type & Read & Write & Grant & GrantReply \\
170    \midrule
171    \obj{Endpoint} & Receiving & Sending & Sending any
172    capabilities & Sending reply
173    capabilities \\
174    \obj{Notification} & Waiting & Signaling & N/A & N/A \\
175    \obj{Page} & Mapping the page readable. & Mapping the page writable. & N/A & N/A \\
176    \obj{Reply} & N/A & N/A & Sending any capabilities in reply message & N/A \\
177    \bottomrule
178  \end{tabularx}
179  \caption{\label{tab:rights}seL4 access rights: What a specific right entitles a
180  capability to do}
181\end{table}
182
183\subsection{Capability Derivation Tree}
184\label{sec:cap_derivation}
185
186As mentioned in \autoref{s:memRevoke}, seL4 keeps track of capability
187derivations in a capability derivation tree.
188
189Various methods, such as \apifunc{seL4\_CNode\_Copy}{cnode_copy} or
190\apifunc{seL4\_CNode\_Mint}{cnode_mint}, may be used to create derived
191capabilities. Not all capabilities support derivation. In general,
192only \emph{original} capabilities support derivation invocations, but
193there are exceptions.  \autoref{tab:cap-derivation} summarises the
194conditions that must be met for capability derivation to succeed for
195the various capability types, and how capability-derivation failures
196are reported in each case. The capability types not listed can be
197derived once.
198
199\begin{table}[htb]
200  \begin{tabularx}{\textwidth}{p{0.25\textwidth}XX}
201    \toprule
202    Cap Type & Conditions for Derivation & Error Code on Derivation Failure \\
203    \midrule
204    \obj{ReplyCap} & Cannot be derived & Dependent on syscall \\
205    \obj{IRQControl} & Cannot be derived & Dependent on syscall \\
206    \obj{Untyped} & Must not have children (\autoref{s:cspace-revoke}) & \enummem{seL4\_RevokeFirst} \\
207    \obj{Page Table} & Must be mapped & \enummem{seL4\_IllegalOperation} \\
208    \obj{Page Directory} & Must be mapped & \enummem{seL4\_IllegalOperation}\\
209    \ifxeightsix
210    \obj{IO Page Table (IA-32 only)} & Must be mapped & \enummem{seL4\_IllegalOperation}\\
211    \fi \bottomrule
212  \end{tabularx}
213  \caption{Capability derivation.\label{tab:cap-derivation}}
214\end{table}
215
216\begin{figure}[th]
217  \begin{center}
218    \includegraphics[width=0.8\textwidth]{figs/CDT}
219  \end{center}
220  \caption{Example capability derivation tree.}\label{fig:CDT}
221\end{figure}
222
223\autoref{fig:CDT} shows an example capability derivation tree that
224illustrates a standard scenario: the top level is a large untyped
225capability, the second level splits this capability into two regions
226covered by their own untyped caps, both are children of the first
227level.  The third level on the left is a copy of the level 2 untyped
228capability.  Untyped capabilities when copied always create children,
229never siblings.  In this scenario, the untyped capability was typed
230into two separate objects, creating two capabilities on level 4, both
231are the original capability to the respective object, both are
232children of the untyped capability they were created from.
233
234Ordinary original capabilities can have one level of derived
235capabilities.  Further copies of these derived capabilities will
236create siblings, in this case remaining on level 5. There is an
237exception to this scheme for \obj{Endpoint} and \obj{Notification} capabilities --- they support an
238additional layer of depth though \emph{badging}.
239The original \obj{Endpoint} or \obj{Notification} capability will be unbadged. Using
240the mint method, a copy of the capability with a specific \emph{badge} can be
241created (see \autoref{s:ep-badge}, \autoref{s:notif-badge}). This new, badged capability to the same object is treated as
242an original capability (the ``original badged endpoint capability'')
243and supports one level of derived children like other capabilities.
244
245
246\section{Deletion and Revocation}
247\label{s:cspace-revoke}
248
249Capabilities in seL4 can be deleted and revoked. Both methods
250primarily affect capabilities, but they can have side effects on
251objects in the system where the deletion or revocation results in the
252destruction of the last capability to an object.
253
254As described above, \apifunc{seL4\_CNode\_Delete}{cnode_delete} will
255remove a capability from the specified CNode slot. Usually, this is
256all that happens. If, however, it was the last typed capability to an
257object, this object will now be destroyed by the kernel, cleaning up
258all remaining in-kernel references and preparing the memory for
259re-use.
260
261If the object to be destroyed was a capability container, i.e.\ a TCB
262or CNode, the destruction process will delete each capability held in
263the container, prior to destroying the container. This may result in
264the destruction of further objects if the contained capabilities are
265the last capabilities.\footnote{The recursion is limited as if the last
266capability to a CNode is found within the container, the found CNode
267is not destroyed. Instead, the found CNode is made unreachable by
268moving the capability pointing to the found CNode into the found cnode
269itself, by swapping the capability with the first capability in the
270found cnode, and then trying to delete the swapped capability
271instead. This breaks the recursion.
272
273The result of this approach is that deleting the last cap to the root
274CNode of a CSpace does not recursively delete the entire
275CSpace. Instead, it deletes the root CNode, and the branches of the
276tree become unreachable, potentially including the deleting of some of
277the unreachable CNode's caps to make space for the self-referring
278capability. The practical consequence of this approach is that CSpace
279deletion requires user-level to delete the tree leaf first if
280unreachable CNodes are to be avoided. Alternatively, any resulting
281unreachable CNodes can be cleaned up via revoking a covering untyped
282capability, however this latter approach may be more complex to
283arrange by construction at user-level.}
284
285The \apifunc{seL4\_CNode\_Revoke}{cnode_revoke} method will
286\apifunc{seL4\_CNode\_Delete}{cnode_delete} all CDT children of the
287specified capability, but will leave the capability itself intact. If
288any of the revoked child capabilities were the last capabilities to an
289object, the appropriate destroy operation is triggered.
290
291Note: \apifunc{seL4\_CNode\_Revoke}{cnode_revoke} may only partially
292complete in two specific circumstances. The first being where a
293CNode containing the last capability to the TCB of the thread
294performing the revoke (or the last capability to the TCB itself) is
295deleted as a result of the revoke. In this case the thread performing
296the revoke is destroyed during the revoke and the revoke does not
297complete. The second circumstance is where the storage containing the
298capability that is the target of the revoke is deleted as a result of
299the revoke. In this case, the authority to perform the revoke is
300removed during the operation and the operation stops part way
301through. Both these scenarios can be and should be avoided at
302user-level by construction.
303
304Note that for page tables and page directories
305\apifunc{seL4\_CNode\_Revoke}{cnode_revoke} will not revoke frame
306capabilities mapped into the address space.  They will only be
307unmapped from the space.
308
309
310\section{CSpace Addressing}
311\label{s:cspace-addressing}
312
313When performing a system call, a thread specifies to the kernel the
314capability to be invoked by giving an address in its CSpace. This
315address refers to the specific slot in the caller's CSpace that
316contains the capability to be invoked.
317
318CSpaces are designed to permit sparsity, and the process of looking-up
319a capability address must be efficient. Therefore, CSpaces are
320implemented as \emph{guarded page tables}.
321% FIXME: need a references to justify the above decision
322
323As explained earlier, a CSpace is a directed graph of \obj{CNode}
324objects, and each \obj{CNode} is a table of slots, where each slot can
325either be empty, or contain a capability, which may refer to another \obj{CNode}.
326Recall from \autoref{s:sel4_internals} that the number of slots in a \obj{CNode}
327must be a power of two. A \obj{CNode} is said to have a \emph{radix}, which is
328the power to which two is raised in its size. That is, if a \obj{CNode} has
329$2^k$ slots, its radix would be $k$.
330The kernel stores a capability to the root \obj{CNode} of each thread's
331CSpace in the thread's TCB. Conceptually, a \obj{CNode} capability
332stores not only a reference to the \obj{CNode} to which it refers, but
333also carries a \emph{guard} value, explained in
334\autoref{sec:cap_address_lookup}.
335
336\subsection{Capability Address Lookup}
337\label{sec:cap_address_lookup}
338Like a virtual memory address, a capability address is simply an
339integer. Rather than referring to a location of physical memory (as
340does a virtual memory address), a capability address refers to a
341capability slot.  When looking up a capability address presented by a
342userspace thread, the kernel first consults the \obj{CNode} capability
343in the thread's TCB that defines the root of the thread's CSpace. It
344then compares that \obj{CNode}'s \emph{guard} value against the most
345significant bits of the capability address.  If the two values are
346different, lookup fails. Otherwise, the kernel then uses the next
347most-significant \emph{radix} bits of the capability address as an
348index into the \obj{CNode} to which the \obj{CNode} capability
349refers. The slot~$s$ identified by these next \emph{radix} bits might
350contain another \obj{CNode} capability or contain something else
351(including nothing).  If $s$ contains a \obj{CNode} capability~$c$ and
352there are remaining bits (following the \emph{radix} bits) in the
353capability address that have yet to be translated, the lookup process
354repeats, starting from the \obj{CNode} capability~$c$ and using these
355remaining bits of the capability address. Otherwise, the lookup
356process terminates successfully; the capability address in question
357refers to the capability slot~$s$.
358
359\begin{figure}[tb]
360    \begin{center}
361        \includegraphics[scale=0.5]{figs/fig1-4.pdf}
362        \caption{An example CSpace demonstrating object references at
363          all levels, various guard and radix sizes and internal CNode
364          references.}
365        \label{fig1.4}
366    \end{center}
367\end{figure}
368
369Figure \ref{fig1.4} demonstrates a valid CSpace with the following
370features:
371\begin{itemize}
372\item a top level CNode object with a 12-bit guard set to 0x000 and
373  256 slots;
374\item a top level CNode with direct object references;
375\item a top level CNode with two second-level CNode references;
376\item second level CNodes with different guards and slot counts;
377\item a second level CNode that contains a reference to a top level
378  CNode;
379\item a second level CNode that contains a reference to another CNode
380  where there are some bits remaining to be translated;
381\item a second level CNode that contains a reference to another CNode
382  where there are no bits remaining to be translated; and
383\item object references in the second level CNodes.
384\end{itemize}
385
386It should be noted that \autoref{fig1.4} demonstrates only what is
387possible, not what is usually practical. Although the CSpace is legal,
388it would be reasonably difficult to work with due to the small number
389of slots and the circular references within it.
390
391
392\subsection{Addressing Capabilities}
393\label{sec:cap_addressing}
394
395A capability address is stored in a CPointer (abbreviated CPTR), which
396is an unsigned integer variable. Capabilities are addressed in
397accordance with the translation algorithm described above.  Two
398special cases involve addressing \obj{CNode} capabilities themselves
399and addressing a range of capability slots.
400
401Recall that the translation algorithm described above will traverse
402\obj{CNode} capabilities while there are address bits remaining to be
403translated. Therefore, in order to address a capability which may be
404a \obj{CNode} capability, the user must supply not only a capability
405address but also specify the maximum number of bits of the capability
406address that are to be translated, called the \emph{depth limit}.
407When a CPointer is paired with depth limit \textit{depth}, only its
408\textit{depth} least significant bits are used in translation.
409
410Certain methods, such as
411\apifunc{seL4\_Untyped\_Retype}{untyped_retype}, require the user to
412provide a range of capability slots. This is done by providing a base
413capability address, which refers to the first slot in the range,
414together with a window size parameter, specifying the number of slots
415(with consecutive addresses, following the base slot) in the range.
416
417
418\autoref{fig2.1} depicts an example CSpace. In order to illustrate
419these ideas, we determine the address of each of the 10 capabilities
420in this CSpace.
421
422\begin{figure}[tb]
423  \begin{center}
424    \includegraphics[scale=0.5]{figs/fig2-1.pdf}
425    \caption{An arbitrary CSpace layout.}
426    \label{fig2.1}
427  \end{center}
428\end{figure}
429
430
431\begin{description}
432\item[Cap A.] The first CNode has a 4-bit guard set to 0x0, and an
433  8-bit radix. Cap A resides in slot 0x60 so, provided that it is not
434  a \obj{CNode} capability, it may be referred to by any address of
435  the form 0x060\textit{nnnnn} (where \textit{nnnnn} is any sequence
436  of 5 hexadecimal digits, because the translation process terminates
437  after translating the first 12 bits of the address). For simplicity,
438  we usually set unused address bits to 0, which in this case yields
439  the address 0x06000000.
440
441\item[Cap B.] Again, the first CNode has a 4-bit guard set to 0x0, and
442  an 8-bit radix. The second CNode is reached via the L2 CNode Cap.
443  It also has a 4-bit guard of 0x0 and Cap B resides at index
444  0x60. Hence, Cap B's address is 0x00F06000.  Translation of this
445  address terminates after the first 24 bits.
446
447\item[Cap C.] This capability is addressed via both CNodes. The third
448  CNode is reached via the L3 CNode Cap, which resides at index 0x00
449  of the second CNode. The third CNode has no guard and Cap C is at
450  index 0x60.  Hence, its address is 0x00F00060. Translation of this
451  address leaves 0 bits untranslated.
452
453\item[Caps C--G.] This range of capability slots is addressed by
454  providing a base address (which refers to the slot containing Cap C)
455  of 0x00F00060 and a window size of 5.
456
457\item[L2 CNode Cap.] Recall that to address a \obj{CNode} capability,
458  the user must supply not only a capability address but also specify
459  the depth limit, which is the maximum number of bits to be
460  translated.  L2 CNode Cap resides at offset 0x0F of the first CNode,
461  which has a 4-bit guard of 0x0.  Hence, it may be referred to by any
462  address of the form 0x\textit{nnnnn}00F with a depth limit of 12
463  bits, where \textit{nnnnn} is any sequence of 5 hexadecimal digits.
464
465\item[L3 CNode Cap.] This capability resides at index 0x00 of the
466  second CNode, which is reached by the L2 CNode Cap. The second CNode
467  has a 4-bit guard of 0x0. Hence, the capability may be referred to
468  by any address of the form 0x\textit{nn}00F000 with a depth limit of
469  24 bits, where \textit{nn} is any sequence of 2 hexadecimal digits.
470\end{description}
471
472In summary, to refer to any capability (or slot) in a CSpace, the user
473must supply its address. When the capability might be a CNode, the
474user must also supply a depth limit.  To specify a range of capability
475slots, the user supplies a starting address and a window size.
476
477\section{Lookup Failure Description}
478\label{sec:lookup_fail_desc}
479
480When a capability lookup fails, a description of the failure is given
481to either the calling thread or the thread's exception handler in its
482IPC buffer.  The format of the description is always the same but may
483occur at varying offsets in the IPC buffer depending on how the error
484occurred.  The description format is explained below.  The first word
485indicates the type of lookup failure and the meaning of later words
486depend on this.
487
488\subsection{Invalid Root}
489
490A CSpace CPTR root (within which a capability was to be looked up)
491is invalid. For example, the capability is not a \obj{CNode} cap.\\  \\
492
493\begin{tabularx}{\textwidth}{XX}
494  \toprule
495  Data & Meaning \\
496  \midrule
497  \ipcbloc{Offset + 0} & \enummem{seL4\_InvalidRoot} \\
498  \bottomrule
499\end{tabularx}
500
501\subsection{Missing Capability}
502
503A capability required for an invocation is not present or does not
504have sufficient rights. \\ \\
505
506\begin{tabularx}{\textwidth}{XX}
507  \toprule
508  Data & Meaning \\
509  \midrule
510  \ipcbloc{Offset + 0} & \enummem{seL4\_MissingCapability} \\
511    \ipcbloc{Offset + seL4\_CapFault\_BitsLeft} & Bits left \\
512  \bottomrule
513\end{tabularx}
514
515\subsection{Depth Mismatch}
516
517When resolving a capability, a CNode was traversed that resolved more
518bits than was left to decode in the CPTR or a non-CNode capability was
519encountered while there were still bits remaining to be looked up. \\ \\
520
521\begin{tabularx}{\textwidth}{XX}
522  \toprule
523  Data & Meaning \\
524  \midrule
525  \ipcbloc{Offset + 0} & \enummem{seL4\_DepthMismatch} \\
526  \ipcbloc{Offset + seL4\_CapFault\_BitsLeft} & Bits of CPTR remaining to decode \\
527  \ipcbloc{Offset + seL4\_CapFault\_DepthMismatch\_BitsFound} & Bits that the current CNode being traversed resolved \\
528  \bottomrule
529\end{tabularx}
530
531\subsection{Guard Mismatch}
532
533When resolving a capability, a CNode was traversed with a guard size
534larger than the number of bits remaining or the CNode's guard did not
535match the next bits of the CPTR being resolved. \\ \\
536
537\begin{tabularx}{\textwidth}{XX}
538  \toprule
539  Data & Meaning \\
540  \midrule
541  \ipcbloc{Offset + 0} & \enummem{seL4\_GuardMismatch} \\
542    \ipcbloc{Offset + seL4\_CapFault\_BitsLeft} & Bits of CPTR remaining to decode \\
543  \ipcbloc{Offset + seL4\_CapFault\_GuardMismatch\_GuardFound} & The CNode's guard \\
544  \ipcbloc{Offset + seL4\_CapFault\_GuardMismatch\_BitsFound} & The CNode's guard size \\
545  \bottomrule
546\end{tabularx}
547
548
549