Date: Sun, 29 Jul 2012 22:55:12 GMT
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 215102 for review
Message-ID: <201207292255.q6TMtCjR033217@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@215102?ac=10

Change 215102 by rwatson@rwatson_svr_ctsrd_mipsbuild on 2012/07/29 22:55:09

Revise CHERI_EXCEPTION_RETURN() to install the kernel code capability (KCC) in EPCC before ERET occurs. Currently, the kernel runs in a single security domain described by KCC and the kernel data capability (KDC), and an exception that entered from userspace might later ERET to a kernel thread as a result of a kernel context switch. Because the kernel runs in a single security domain, its context switch code doesn't manage EPCC -- this occurs only for user threads, so it was possible to ERET to kernel using a userspace PCC -- which promptly threw an exception. Now, ERET to kernel is explicitly taught to install KDC in EPCC, so this doesn't happen.

Once the kernel starts doing more interesting things with capabilities, more interesting things will need to be done here (and in other spots managing kernel context, such as SAVE/RESTORE_CPU macros used when exceptions fire in kernel).

With this change, and following CHERI pipeline reworking, we can now boot CheriBSD single-user in simulation again.

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#5 edit

Differences ...

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#5 (text+ko) ====
@@ -38,10 +38,11 @@ /* * Assembly code to be used in CHERI exception handling and context switching. * - * When entering an exception handler, conditionally save the default user - * data capability. Then install the kernel's default data capability. The - * caller provides a temporary register to use for the purposes of querying - * CP0 SR to determine whether the target is userspace or the kernel. + * When entering an exception handler from userspace, conditionally save the + * default user data capability. Then install the kernel's default data + * capability. The caller provides a temporary register to use for the + * purposes of querying CP0 SR to determine whether the target is userspace or + * the kernel. */ #define CHERI_EXCEPTION_ENTER(reg) \ mfc0 reg, MIPS_COP_0_STATUS; \ @@ -49,22 +50,32 @@ beq reg, $0, 64f; \ nop; \ cmove $c25, $c0; \ -64: \ - cmove $c0, $c30; + cmove $c0, $c30; \ +64: /* * When returning from an exception, conditionally restore the default user * data capability. The caller provides a temporary register to use for the * purposes of querying CP0 SR to determine whether the target is userspace * or the kernel. + * + * XXXCHERI: We assume that the caller will install an appropriate PCC for a + * return to userspace, but that in the kernel case, we need to install a + * kernel EPCC, potentially overwriting a previously present user EPCC from + * exception entry. Once the kernel does multiple security domains, the + * caller should manage EPCC in that case as well, and we can remove EPCC + * assignment here. */ #define CHERI_EXCEPTION_RETURN(reg) \ mfc0 reg, MIPS_COP_0_STATUS; \ andi reg, reg, SR_KSU_USER; \ beq reg, $0, 65f; \ nop; \ - cmove $c0, $c25; \ -65: + b 66f; \ + cmove $c0, $c25; /* Branch-delay; install UDC in C0. */ \ +65: \ + cmove $c31, $c29; /* Install kernel PCC in EPCC. */ \ +66: /* * Macros to save and restore CP2 registers from pcb.pcb_cp2frame,
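Review bot: in the CHERI_EXCEPTION_ENTER hunk, moving `cmove $c0, $c30;` above the `64:` label means an exception taken while already in kernel mode now leaves $c0 untouched, so the macro silently relies on the invariant that $c0 already holds the kernel data capability whenever CP0 SR reports a kernel source. The rewritten comment only says "from userspace"; add a sentence stating that the kernel-entry path assumes KDC is already installed and therefore skips both the save and the install, so a later reader knows the skip is deliberate. Note also that the macro now ends on the bare label `64:` (no trailing `\`), so every expansion must be followed by an instruction for the label to bind to.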
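Review bot: in the CHERI_EXCEPTION_RETURN hunk, the kernel path `65: cmove $c31, $c29; /* Install kernel PCC in EPCC. */` and the XXXCHERI comment both describe installing the kernel code capability, while the change description says ERET to kernel is "taught to install KDC in EPCC"; the description's "KDC" should read KCC so the message and the code agree on which capability goes into EPCC. The user path depends on `cmove $c0, $c25;` executing in the delay slot of `b 66f;`; the inline "Branch-delay" comment covers that, but the XXXCHERI block should also record that the kernel path intentionally does not touch $c0, matching the entry-side hunk that no longer saves it in the kernel case.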