From owner-p4-projects@FreeBSD.ORG Mon Jun 25 16:51:18 2012
Date: Mon, 25 Jun 2012 16:51:15 GMT
Message-Id: <201206251651.q5PGpFEb058657@skunkworks.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 213450 for review
X-List-Received-Date: Mon, 25 Jun 2012 16:51:18 -0000

http://p4web.freebsd.org/@@213450?ac=10

Change 213450 by rwatson@rwatson_svr_ctsrd_mipsbuild on 2012/06/25 16:50:17

A further reworking on CheriBSD management of CP2 contexts for user threads:

- Introduce constants for various important values inserted into capabilities configured for user threads so that it's easier to write corresponding unit tests.
- Select more conservative initial register values on execve(): $c0 contains full access to the user address space, and other capabilities are initialised to null rights.
- Don't use a CP2 user template variable, just construct required capabilities from the kernel data capability (KDC) on demand. Eventually we'll want to rearrange things a bit so that the kernel doesn't execute with all privilege, but instead always employs capabilities when accessing user data, but not yet.
- Fix bugs in CP2_CR_GET_UPERMS() and CP2_CR_GET(), which were not used in Deimos and hence didn't work.

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cp2.c#8 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#3 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#3 edit

Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cp2.c#8 (text+ko) ==== @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2011 Robert N. M. Watson + * Copyright (c) 2011-2012 Robert N. M. Watson * All rights reserved. * * This software was developed by SRI International and the University of
@@ -51,11 +51,6 @@ */ /* - * Template capability delegating ambient authority to userspace processes. - */ -static struct capability cp2_user_template; - -/* * Given an existing more privileged capability (fromcrn), build a new * capability in tocrn with the contents of the passed flattened * representation. @@ -80,31 +75,35 @@ CP2_CR_STORE(CHERI_CR_CT0, CHERI_CR_KDC, (uint64_t)cp); } +/* + * Functions to store a common set of capability values to in-memory + * capabilities: full privilege, userspace privilege, and null privilege. + * These are used to initialise capability registers when creating new + * contexts. + */ void cp2_capability_set_priv(struct capability *cp) { - cp2_capability_set(cp, CHERI_PERM_ALL, NULL, NULL, - 0xffffffffffffffff); + cp2_capability_set(cp, CHERI_CAP_PRIV_UPERMS, CHERI_CAP_PRIV_OTYPE, + CHERI_CAP_PRIV_BASE, CHERI_CAP_PRIV_LENGTH); } void -cp2_capability_set_upriv(struct capability *cp) +cp2_capability_set_user(struct capability *cp) { - /* - * XXXRW: Note assumption that MIPS_XUSEG_START == NULL. Perhaps - * should be a CTASSERT(). - */ - cp2_capability_set(cp, CHERI_PERM_ALL, NULL, NULL, - MIPS_XUSEG_END); + cp2_capability_set(cp, CHERI_CAP_USER_UPERMS, CHERI_CAP_USER_OTYPE, + CHERI_CAP_USER_BASE, CHERI_CAP_USER_LENGTH); } void cp2_capability_set_null(struct capability *cp) { - cp2_capability_set(cp, 0, NULL, NULL, 0); + cp2_capability_set(cp, CHERI_CAP_NOPRIV_UPERMS, + CHERI_CAP_NOPRIV_OTYPE, CHERI_CAP_NOPRIV_BASE, + CHERI_CAP_NOPRIV_LENGTH); } /* 
@@ -443,55 +442,44 @@ } } -static void -cheri_init(void *arg) -{ - - /* - * Initialise a template capability that will be used when - * configuring new user processes. - * - * XXXRW: Currently, this delegates the full address space -- more - * ideally, we'd limit it to user portions of the address space, - * reinforcing the MIPS segment and ring model. - */ - cp2_capability_set_priv(&cp2_user_template); -} -SYSINIT(elf32, SI_SUB_CREATE_INIT, SI_ORDER_ANY, cheri_init, NULL); - void cheri_exec_setregs(struct thread *td) { struct cp2_frame *cfp; + /* + * XXXRW: Experimental CHERI ABI initialises $c0 with full user + * privilege, and all other user-accessible capability registers with + * no rights at all. The runtime linker/compiler/application can + * propagate around rights as required. + */ cfp = &td->td_pcb->pcb_cp2frame; - cp2_capability_load(CHERI_CR_CT0, &cp2_user_template); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c0); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c1); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c2); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c3); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c4); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c5); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c6); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c7); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c8); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c9); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c10); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c11); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c12); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c13); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c14); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c15); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c16); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c17); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c18); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c19); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c20); - 
cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c21); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c22); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c23); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c24); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_udc); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_tsc); - cp2_capability_store(CHERI_CR_CT0, &cfp->cf_pcc); + cp2_capability_set_user(&cfp->cf_c0); + cp2_capability_set_null(&cfp->cf_c1); + cp2_capability_set_null(&cfp->cf_c2); + cp2_capability_set_null(&cfp->cf_c3); + cp2_capability_set_null(&cfp->cf_c4); + cp2_capability_set_null(&cfp->cf_c5); + cp2_capability_set_null(&cfp->cf_c6); + cp2_capability_set_null(&cfp->cf_c7); + cp2_capability_set_null(&cfp->cf_c8); + cp2_capability_set_null(&cfp->cf_c9); + cp2_capability_set_null(&cfp->cf_c10); + cp2_capability_set_null(&cfp->cf_c11); + cp2_capability_set_null(&cfp->cf_c12); + cp2_capability_set_null(&cfp->cf_c13); + cp2_capability_set_null(&cfp->cf_c14); + cp2_capability_set_null(&cfp->cf_c15); + cp2_capability_set_null(&cfp->cf_c16); + cp2_capability_set_null(&cfp->cf_c17); + cp2_capability_set_null(&cfp->cf_c18); + cp2_capability_set_null(&cfp->cf_c19); + cp2_capability_set_null(&cfp->cf_c20); + cp2_capability_set_null(&cfp->cf_c21); + cp2_capability_set_null(&cfp->cf_c22); + cp2_capability_set_null(&cfp->cf_c23); + cp2_capability_set_null(&cfp->cf_c24); + cp2_capability_set_null(&cfp->cf_udc); + cp2_capability_set_null(&cfp->cf_tsc); + cp2_capability_set_null(&cfp->cf_pcc); } ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#3 (text+ko) ==== @@ -104,7 +104,7 @@ #define CP2_CR_GET_UPERMS(crn, v) do { \ __asm__ __volatile__ ( \ - "cgetperms %0, $c%1; " : \ + "cgetperm %0, $c%1; " : \ "=r" (v) : "i" (crn)); \ } while (0) 
@@ -235,9 +235,9 @@ */ #define CP2_CR_GET(crn, c) do { \ CP2_CR_GET_UPERMS((crn), (c).c_uperms); \ - CP2_CR_GET_OTYPE((crn), (c).c_uperms); \ - CP2_CR_GET_BASE((crn), (c).c_uperms); \ - CP2_CR_GET_LENGTH((crn), (c).c_uperms); \ + CP2_CR_GET_OTYPE((crn), (c).u.c_otype); \ + CP2_CR_GET_BASE((crn), (c).c_base); \ + CP2_CR_GET_LENGTH((crn), (c).c_length); \ } while (0) #define CP2_CR_SET(crn_to, crn_from, c) do { \ @@ -321,7 +321,7 @@ void cp2_capability_set(struct capability *cp, uint32_t uperms, void *otypep /* eaddr */, void *basep, uint64_t length); void cp2_capability_set_priv(struct capability *cp); -void cp2_capability_set_upriv(struct capability *cp); +void cp2_capability_set_user(struct capability *cp); void cp2_capability_set_null(struct capability *cp); #ifdef _KERNEL ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#3 (text+ko) ==== @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2011 Robert N. M. Watson + * Copyright (c) 2011-2012 Robert N. M. Watson * All rights reserved. * * This software was developed by SRI International and the University of 
@@ -68,6 +68,35 @@ CHERI_PERM_ACCESS_EPCC | CHERI_PERM_NON_EPHEMERAL) /* + * Definition for kernel "privileged" capability able to name the entire + * address space. + * + * XXXRW: Perhaps CHERI_UCAP_UNPRIV_LENGTH should actually just cover useg. + */ +#define CHERI_CAP_PRIV_UPERMS CHERI_PERM_ALL +#define CHERI_CAP_PRIV_OTYPE 0x0 +#define CHERI_CAP_PRIV_BASE 0x0 +#define CHERI_CAP_PRIV_LENGTH 0xffffffffffffffff + +/* + * Definition for userspace "unprivileged" capability able to name the user + * portion of the address space. + */ +#define CHERI_CAP_USER_UPERMS CHERI_PERM_ALL +#define CHERI_CAP_USER_OTYPE 0x0 +#define CHERI_CAP_USER_BASE MIPS_XUSEG_START +#define CHERI_CAP_USER_LENGTH (MIPS_XUSEG_END - MIPS_XUSEG_START) + +/* + * Definition for capability unable to name any resources. This is suitable + * for filling capability registers that should hold no privilege. + */ +#define CHERI_CAP_NOPRIV_UPERMS 0x0 +#define CHERI_CAP_NOPRIV_OTYPE 0x0 +#define CHERI_CAP_NOPRIV_BASE 0x0 +#define CHERI_CAP_NOPRIV_LENGTH 0x0 + +/* * A blend of hardware and software allocation of capability registers. * Ideally, this list wouldn't exist here, but be purely in the assembler. */
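Review bot: in the cp2.c hunk at @@ -80,31 +75,35 @@, cp2_capability_set_priv() and cp2_capability_set_user() now pass the CHERI_CAP_*_OTYPE and CHERI_CAP_*_BASE constants to parameters that the prototype in the cheri.h hunk declares as `void *otypep /* eaddr */` and `void *basep`. The literal 0x0 values are null pointer constants and convert silently, but CHERI_CAP_USER_BASE expands to MIPS_XUSEG_START, whose definition is not visible here; if it is an integer macro this is an integer-to-pointer conversion that compilers will warn about and that silently truncates on a 32-bit build. Suggest either wrapping the base/otype constants in a cast in cherireg.h (for example `#define CHERI_CAP_USER_BASE ((void *)MIPS_XUSEG_START)`) or, cleaner, changing the otypep/basep parameters to uint64_t so they match the `length` parameter and the integer constants being introduced. With the base now passed explicitly, the removed XXXRW note about assuming MIPS_XUSEG_START == NULL is indeed moot.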
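Review bot: in the cheri_exec_setregs() hunk at @@ -443,55 +442,44 @@, cf_pcc is initialised with cp2_capability_set_null() along with the general-purpose capability registers. If the exception-return path restores PCC from cf_pcc, the new image would start with a zero-length, zero-permission program counter capability and fault on its first user instruction; if PCC is instead derived elsewhere on return to userspace, the new XXXRW comment should say so, and otherwise cf_pcc (and possibly cf_udc/cf_tsc, depending on what the ABI expects of them) should be set with cp2_capability_set_user() like cf_c0. The same hunk deletes cp2_user_template and its SYSINIT; since only cp2.c, cheri.h and cherireg.h are in this change, please confirm nothing outside these files still references the template, as any such reference would now fail to link.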
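Review bot: in the cheri.h hunk at @@ -235,9 +235,9 @@, the CP2_CR_GET() fix replaces three copy-pasted `(c).c_uperms` targets with `(c).u.c_otype`, `(c).c_base` and `(c).c_length`, which is correct as far as the visible struct fields go. Because `(c)` is used as an inline-asm output operand in each of the four getters, `c` must be an lvalue struct rather than a pointer; the comment above the macro should state that, since the symmetric CP2_CR_SET() takes different argument kinds. Given that both this macro and CP2_CR_GET_UPERMS() (whose mnemonic is corrected from cgetperms to cgetperm in the @@ -104 hunk) were never instantiated before, a round-trip check that stores a capability built from the new CHERI_CAP_* constants, reads it back with CP2_CR_GET() and compares each field would have caught the original bugs and is the natural first unit test the constants are meant to enable.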
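Review bot: in the cherireg.h hunk at @@ -68,6 +68,35 @@, the XXXRW comment in the "privileged" block refers to CHERI_UCAP_UNPRIV_LENGTH, a name that is not defined in this hunk (the macros added are CHERI_CAP_PRIV_LENGTH and CHERI_CAP_USER_LENGTH), and the concern it raises, covering only useg, is already what CHERI_CAP_USER_LENGTH does; the comment looks stale and should be reworded or dropped. Separately, CHERI_CAP_USER_UPERMS is defined as CHERI_PERM_ALL, identical to CHERI_CAP_PRIV_UPERMS, so the "unprivileged" user capability differs from the kernel's only in base and length. The context line at the top of the hunk shows a permission mask ending in CHERI_PERM_ACCESS_EPCC | CHERI_PERM_NON_EPHEMERAL; if that mask is CHERI_PERM_ALL, the userspace $c0 installed by cheri_exec_setregs() also carries the EPCC access permission, and a narrower user permission mask would better match the least-privilege intent described in the change description.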