Replace various macros from compartment-macros with compiler builtins.

[davidchisnall]

A lot of things in compartment-macros.h that should be compiler builtins:

• MMIO_CAPABILITY, should be __builtin_cheriot_mmio_capability(type, identifier), lowered to llvm.cheriot.mmio_capability, which is attributed so that optimisers know that it always returns the same value, and then expanded to something equivalent to the current assembly in the back end (ideally with the permissions handled more sensibly).
• CHERIOT_EMIT_STATIC_SEALING_TYPE should be __builtin_cheriot_sealing_type(identifier), generating an LLVM intrinsic that then expanding in the back end to something equivalent to the current assembly.
• DECLARE_STATIC_SEALED_VALUE should be replaced with a [[cheriot::sealed(identifier, identifier)]] attribute on a structure. This should use the attribute that will be introduced in Add type attributes (and wire them through name mangling) for sealed types #5, the only thing allowed on these globals is taking their address. STATIC_SEALED_VALUE then is replaced with simply taking the address of a global declared with the cheriot::sealed attribute.

[resistor]

MMIO_CAPABILITY

I think this one could be modeled entirely in LLVM IR. We can build the GlobalValue declarations for __import_mem_foo and __import_mem_foo_end, and use those to define a COMDAT in IR for __import_mem_foo_*_*_*_*.

[resistor]

How important is it to get the type in the builtin, vs having the builtin return volatile void* and casting in source? The latter option would be a lot simpler to implement.

[davidchisnall]

The type needs to come from somewhere. Ideally, I'd want to have the C code look something like this:

__attribute__((cheriot_mmio(uart)) extern volatile Uart uart1;

And then just use uart1 as the variable, though redefining the current macro to something like:

#define MMIO_CAPABILITY(type, name) ((volatile type *)__builtin_cheriot_mmio_capability(name)

Would also be fine.

The static sealed objects are more annoying to expose in this way because they need to be initialised from C types, so ideally they would just be:

__attribute__((cheriot_sealed("CompartmentName", "SealingTypeName")))
struct SomeStruct foo = { 1,2,3};

And then the only thing that you'd be allowed to do with the global would be to take the address. We could implement the current macros as:

#define DECLARE_STATIC_SEALED_VALUE(type, compartment, keyName, name)     \
__attribute__((cheriot_sealed(compartment, keyName))) \
extern type name;
#define DEFINE_STATIC_SEALED_VALUE(                                            \
  type, compartment, keyName, name, initialiser, ...)                          \
__attribute__((cheriot_sealed(compartment, keyName)))   \
extern type name = initialiser;
#define STATIC_SEALED_VALUE(name) &(name)

Globals with the cheriot_sealed attribute can be initialised and their addresses taken, but nothing else. Ideally we'd also have a Sema check that the initialiser did not contain any pointers, did not call any non-trivial C++ constructors, and so on.