My understanding is that to seal a capability I require a sealer cap which has address that fits into the object ID of the capability to be sealed, i.e it's address is < 64KBytes.
How to obtain a suitable capability on Linux purecap? Is there a new system call available to get one?
I am temporarily using DDC, and this works, e.g something like this:
void* __capability sealed_cap = cheri_seal(ptr_to_seal, (uint8_t*)cheri_ddc_get() + (ptrdiff_t)0x1234);
But obviously I need a proper sealing capability, mmap() / malloc() are likely to give something with a lower bound too high. I suppose I could reduce the bounds of DDC but this sounds like a hack.
Please advise how it is supposed to be done!
Thanks
Brilliant, exactly what I needed to know - thanks Kevin.