
CHERI plus/versus Rust


Posted Oct 6, 2025 19:28 UTC (Mon) by tialaramex (subscriber, #21167)
In reply to: CHERI plus/versus Rust by erithax
Parent article: CHERI with a Linux on top

One nice property of Rust for CHERI is that Rust provides explicit provenance APIs. So you can see: OK, what's going on (unsafely) here is legal and ought to still work under CHERI; or, contrariwise, nope, this is not even supposed to work, so we need to expect that these parts must be rewritten or we can't target CHERI with this software.

All the safe Rust of course is in the first category, but also isn't reaping much benefit from CHERI.

core::ptr::without_provenance(addr) and core::ptr::with_exposed_provenance(addr) are largely text: one of them says we offer no justification for why this can be a pointer (maybe it isn't; if we never dereference it, then it's fine even in CHERI, AFAIU); the other offers the justification of exposure, a feature CHERI does not support, so it's effectively documenting why it won't work with CHERI.

On the other hand, some_pointer.with_addr(addr) promises to work under CHERI, because we're saying that if we keep the CHERI capability bits from some_pointer but use the address addr instead of the address from some_pointer, that's also a valid pointer. On my x86-64 there are no capability bits, but on CHERI there are, and on both this works _if_ it would be correct to do this: Miri can check it, and CHERI can use it.
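The three APIs named in the comment above, shown side by side in an added example that is not part of the comment or of any CHERI or Rust project code. The function names (tag_ptr, untag_ptr, read_via_tagged, read_via_exposed, sentinel, is_sentinel) and the tagged-pointer scheme are illustrative assumptions; the block assumes Rust 1.84 or later, where addr, with_addr, map_addr, expose_provenance, with_exposed_provenance and without_provenance are stable. Run it under Miri with -Zmiri-strict-provenance to see the difference the comment describes: read_via_tagged passes, read_via_exposed is rejected, and the sentinel is fine because it is only ever compared.

```rust
use core::mem::size_of;
use core::ptr;

// Pack a small tag into the low (alignment) bits of a pointer to a u64.
// `map_addr` changes only the address and keeps the original pointer's
// provenance, so Miri can track it and a CHERI build keeps the capability bits.
// (Illustrative helper; not from the comment or any project.)
fn tag_ptr(p: *const u64, tag: usize) -> *const u64 {
    // u64 is 8-byte aligned, so only the three low bits are free for a tag.
    assert!(tag < 8, "tag does not fit in the alignment bits");
    p.map_addr(|a| a | tag)
}

// Strip the tag again, returning the clean pointer and the tag value.
fn untag_ptr(p: *const u64) -> (*const u64, usize) {
    let tag = p.addr() & 0b111;
    (p.map_addr(|a| a & !0b111), tag)
}

// Read values[idx] through a tagged pointer. Provenance is never discarded,
// so this is the "ought to still work under CHERI" category and Miri accepts
// it even in strict-provenance mode.
pub fn read_via_tagged(values: &[u64], idx: usize, tag: usize) -> (u64, usize) {
    assert!(idx < values.len(), "index out of bounds");
    // SAFETY: idx is in bounds, so `add` stays inside the slice allocation.
    let elem: *const u64 = unsafe { values.as_ptr().add(idx) };
    let tagged = tag_ptr(elem, tag);
    let (clean, t) = untag_ptr(tagged);
    // SAFETY: `clean` has the same address and provenance as `elem`.
    (unsafe { *clean }, t)
}

// The same read, but laundered through a plain usize. `expose_provenance`
// plus `with_exposed_provenance` works on x86-64 and under Miri's default
// (permissive) mode, but a CHERI build cannot rebuild capability bits from a
// bare integer, and Miri's -Zmiri-strict-provenance rejects it. This is the
// "must be rewritten before targeting CHERI" category.
pub fn read_via_exposed(values: &[u64], idx: usize) -> u64 {
    assert!(idx < values.len(), "index out of bounds");
    let base_addr: usize = values.as_ptr().expose_provenance();
    let elem_addr = base_addr + idx * size_of::<u64>();
    let reconstructed: *const u64 = ptr::with_exposed_provenance(elem_addr);
    // SAFETY: on targets without capability bits the exposed allocation is
    // still live and elem_addr lies inside it.
    unsafe { *reconstructed }
}

// A sentinel that is only ever compared, never dereferenced. `without_provenance`
// documents exactly that: the value is just an address with no justification
// for being a pointer, which is fine as long as nobody reads through it.
// (Illustrative sentinel address; not from the comment.)
pub fn sentinel() -> *const u64 {
    ptr::without_provenance(usize::MAX & !0b111)
}

pub fn is_sentinel(p: *const u64) -> bool {
    p.addr() == sentinel().addr()
}

fn main() {
    // Constructed sample input.
    let values = [10u64, 20, 30, 40];
    let (v, t) = read_via_tagged(&values, 2, 5);
    println!("tagged read: value={v} tag={t}");
    println!("exposed read: value={}", read_via_exposed(&values, 3));
    println!("sentinel check: {}", is_sentinel(sentinel()));
}
```

The split matters for a CHERI port: everything that goes through with_addr/map_addr can be kept, everything that goes through expose_provenance/with_exposed_provenance is a worklist item, and without_provenance marks the places where a non-pointer value is merely parked in pointer-shaped storage.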



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds