Date: Mon, 7 Oct 2013 19:07:57 GMT
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@FreeBSD.org>
Subject: PERFORCE change 997430 for review
Message-ID: <201310071907.r97J7v3U001521@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@997430?ac=10
Change 997430 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/10/07 19:07:50
Integrate changes to sandbox-entry code for readpng-cheri and minifile. In the future this code (or code very much like it) will move to a new sandbox-specific csu (if some sort), rather than existing in each sandboxed component.
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/mips64/chsbrt.S#3 integrate
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/mips64/chsbrt.S#2 integrate
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/mips64/chsbrt.S#3 (text+ko) ====
@@ -1,5 +1,5 @@
 #-
-# Copyright (c) 2012 Robert N. M. Watson
+# Copyright (c) 2012-2013 Robert N. M. Watson
 # All rights reserved.
 #
 # This software was developed by SRI International and the University of
@@ -49,17 +49,16 @@
 #
 # $c0, $pcc contain access to (100% overlapped) sandbox code and data
 #
-# $c1-$c7 contain user capability arguments
+# $c1, $c2 contain the invoked object capability
+# $c3-$c10 contain user capability arguments
 #
-# $c26 contains the invoked data capability - the complete segment,
-# which will also be installed in $c0 locally due to lack of CCALL.
+# $c26 contains the invoked data capability - the complete segment, which
+# we will install into $c0 to allow MIPS code to access it.
 #
 # For now, assume:
-# (1) We are on the receiving end of CJALR, not CCALL.
-# (2) We enter with the caller's $c0 due to no CCALL
-# (3) The caller has not set up the general-purpose register context, that's
+# (1) The caller has not set up the general-purpose register context, that's
 # our job.
-# (4) The goal is not to set up the CHERI calling convention .. yet; we will
+# (2) The goal is not to set up the CHERI calling convention .. yet; we will
 # run only native MIPS64 code, or hand-crafted CHERI assembler. Thus
 # must change before we can run Clang-compiled CHERI code.
 #
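Review bot: The revised assumption list in the header comment drops the old CJALR/no-CCALL items but does not say what replaces them, even though the exit path in this file now ends in `creturn` and nothing here saves or restores the caller's stack or general-purpose registers any more. A reader of this header has no way to tell whether the caller's $sp/$fp and callee-saved registers are restored by the CCALL/creturn path or are simply lost; if the former is the intent, state it, e.g. `# (0) We are entered via CCALL and leave via creturn; caller register and stack state is restored outside this file, not here — confirm.` The same header hunk appears in the minifile copy of chsbrt.S below.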
@@ -69,31 +68,12 @@
 __start:
 #
- # Temporarily, save caller stack in temporaries so that we can
- # restore them on return.
- #
- # XXXRW: To change once we use CCALL.
- #
- move $t0, $sp
- move $t1, $fp
-
- #
 # Set up in-sandbox stack.
 #
 cgetlen $sp, $c26
 move $fp, $sp
 
 #
- # Temporarily, save caller $c0 for later restoration.
- #
- # Notice: store relative to $c26, not $c0.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -32
- csc $c0, $sp, 0($c26)
-
- #
 # Install $idc as $c0. From here on out, we can do MIPS feteches and
 # stores to memory inside the sandbox, and $c0-relative capability
 # fetches and stores.
 
@@ -101,27 +81,6 @@
 cmove $c0, $c26
 
 #
- # Push return capability.
- #
- daddiu $sp, -32
- csc $c24, $sp, 0($c0)
-
- #
- # Push return address.
- #
- daddiu $sp, -8
- sd $ra, 0($sp)
-
- #
- # Save caller stack pointers for later restoration.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -16
- sd $t0, 0($sp)
- sd $t1, 8($sp)
-
- #
 # XXXRW: Defensively clear all general-purpose and capability
 # registers that aren't explicit or ABI-implied arguments.
 #
@@ -137,89 +96,32 @@
 sd $a5, 0($at)
 
 #
- # If abort() is called, we effectively longjmp back to just after the
- # call to invoke(). Save a stack pointer for that unwind.
+ # Invoke MIPS ABI C "invoke" function.
 #
- dla $at, abort_stack
- sd $sp, 0($at)
-
- #
- # Invoke MIPS ABI C "invoke" function.
+ # XXXRW: $t9 not set properly.
 #
 dla $25, invoke
 jalr $25
 nop # Branch-delay slot
 
- #
- # Pop caller stack pointers for later installation.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
 abort_target:
- ld $t0, 0($sp)
- ld $t1, 8($sp)
- daddiu $sp, 16
-
 #
- # Pop return address.
+ # Clear our $c0 so that it is not leaked back to caller.
 #
- ld $ra, 0($sp)
- daddiu $sp, 8
-
- #
- # Pop return capability.
- #
- clc $c24, $sp, 0($c0)
- daddiu $sp, 32
-
- #
- # Pop caller $c0 -- no more use of MIPS fetch/store after this point.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- clc $c0, $sp, 0($c0)
- daddiu $sp, 32
+ ccleartag $c0
 
 #
- # Re-install caller stack.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- move $sp, $t0
- move $fp, $t1
-
- #
- # XXXRW: Defensively clear general-purpose and capability registers
- # that aren't explicit or ABI-implied return values.
- #
- dli $at, 0
- dli $t2, 0
- dli $t3, 0
- dli $t8, 0
- dli $t9, 0
-
- #
 # Return to caller.
 #
- cjr $31($c24) # Jump to return capability register
- nop # Branch-delay slot?
+ creturn
 .end __start
 
 .global abort
 .ent abort
 abort:
- #
- # If abort() is called, unwind the stack and jump into the return
- # code. Set $v0 to -2 so that it's somewhat recognisable, even if
- # non-ideal.
- #
- dla $at, abort_stack
- ld $sp, 0($at)
 dli $v0, -2
 b abort_target
 nop
 .end abort
 
 .data
-abort_stack:
- .dword 0x0000000000000000 # What to restore sp to on abort
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/minifile/cheri/mips64/chsbrt.S#2 (text+ko) ====
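Review bot: `ccleartag $c0` before `creturn` clears only $c0, while $c26 still holds the same unsealed data capability that `cmove $c0, $c26` copied into $c0 at entry, and nothing on the return path clears whatever `invoke` left in the argument registers $c3-$c10. Unless the creturn path restores $c26 and the caller-visible capability registers from its own saved state (not visible in this file), the rationale in the new comment applies to them as well, e.g. `ccleartag $c26` beside the existing clear — worth confirming against the CCALL handler before relying on it. The return path also no longer restores the caller's $sp/$fp (previously carried in $t0/$t1) or zeroes the temporaries, so a caller must now treat every general-purpose register as clobbered by a sandbox invocation, which the header comment should state. The new `# XXXRW: $t9 not set properly.` note is puzzling because `dla $25, invoke` loads $t9 two lines below it; if it refers to __start's own $t9/$gp not being set on entry, say that explicitly. The identical hunk appears in the minifile copy of chsbrt.S.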
@@ -1,5 +1,5 @@
 #-
-# Copyright (c) 2012 Robert N. M. Watson
+# Copyright (c) 2012-2013 Robert N. M. Watson
 # All rights reserved.
 #
 # This software was developed by SRI International and the University of
@@ -49,17 +49,16 @@
 #
 # $c0, $pcc contain access to (100% overlapped) sandbox code and data
 #
-# $c1-$c7 contain user capability arguments
+# $c1, $c2 contain the invoked object capability
+# $c3-$c10 contain user capability arguments
 #
-# $c26 contains the invoked data capability - the complete segment,
-# which will also be installed in $c0 locally due to lack of CCALL.
+# $c26 contains the invoked data capability - the complete segment, which
+# we will install into $c0 to allow MIPS code to access it.
 #
 # For now, assume:
-# (1) We are on the receiving end of CJALR, not CCALL.
-# (2) We enter with the caller's $c0 due to no CCALL
-# (3) The caller has not set up the general-purpose register context, that's
+# (1) The caller has not set up the general-purpose register context, that's
 # our job.
-# (4) The goal is not to set up the CHERI calling convention .. yet; we will
+# (2) The goal is not to set up the CHERI calling convention .. yet; we will
 # run only native MIPS64 code, or hand-crafted CHERI assembler. Thus
 # must change before we can run Clang-compiled CHERI code.
 #
@@ -69,31 +68,12 @@
 __start:
 #
- # Temporarily, save caller stack in temporaries so that we can
- # restore them on return.
- #
- # XXXRW: To change once we use CCALL.
- #
- move $t0, $sp
- move $t1, $fp
-
- #
 # Set up in-sandbox stack.
 #
 cgetlen $sp, $c26
 move $fp, $sp
 
 #
- # Temporarily, save caller $c0 for later restoration.
- #
- # Notice: store relative to $c26, not $c0.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -32
- csc $c0, $sp, 0($c26)
-
- #
 # Install $idc as $c0. From here on out, we can do MIPS feteches and
 # stores to memory inside the sandbox, and $c0-relative capability
 # fetches and stores.
 
@@ -101,27 +81,6 @@
 cmove $c0, $c26
 
 #
- # Push return capability.
- #
- daddiu $sp, -32
- csc $c24, $sp, 0($c0)
-
- #
- # Push return address.
- #
- daddiu $sp, -8
- sd $ra, 0($sp)
-
- #
- # Save caller stack pointers for later restoration.
- #
- # XXXRW: To change once we use CCALL.
- #
- daddiu $sp, -16
- sd $t0, 0($sp)
- sd $t1, 8($sp)
-
- #
 # XXXRW: Defensively clear all general-purpose and capability
 # registers that aren't explicit or ABI-implied arguments.
 #
@@ -137,89 +96,32 @@
 sd $a5, 0($at)
 
 #
- # If abort() is called, we effectively longjmp back to just after the
- # call to invoke(). Save a stack pointer for that unwind.
+ # Invoke MIPS ABI C "invoke" function.
 #
- dla $at, abort_stack
- sd $sp, 0($at)
-
- #
- # Invoke MIPS ABI C "invoke" function.
+ # XXXRW: $t9 not set properly.
 #
 dla $25, invoke
 jalr $25
 nop # Branch-delay slot
 
- #
- # Pop caller stack pointers for later installation.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
 abort_target:
- ld $t0, 0($sp)
- ld $t1, 8($sp)
- daddiu $sp, 16
-
 #
- # Pop return address.
+ # Clear our $c0 so that it is not leaked back to caller.
 #
- ld $ra, 0($sp)
- daddiu $sp, 8
-
- #
- # Pop return capability.
- #
- clc $c24, $sp, 0($c0)
- daddiu $sp, 32
-
- #
- # Pop caller $c0 -- no more use of MIPS fetch/store after this point.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- clc $c0, $sp, 0($c0)
- daddiu $sp, 32
+ ccleartag $c0
 
 #
- # Re-install caller stack.
- #
- # XXXRW: To move to caller context once using CCALL.
- #
- move $sp, $t0
- move $fp, $t1
-
- #
- # XXXRW: Defensively clear general-purpose and capability registers
- # that aren't explicit or ABI-implied return values.
- #
- dli $at, 0
- dli $t2, 0
- dli $t3, 0
- dli $t8, 0
- dli $t9, 0
-
- #
 # Return to caller.
 #
- cjr $31($c24) # Jump to return capability register
- nop # Branch-delay slot?
+ creturn
 .end __start
 
 .global abort
 .ent abort
 abort:
- #
- # If abort() is called, unwind the stack and jump into the return
- # code. Set $v0 to -2 so that it's somewhat recognisable, even if
- # non-ideal.
- #
- dla $at, abort_stack
- ld $sp, 0($at)
 dli $v0, -2
 b abort_target
 nop
 .end abort
 
 .data
-abort_stack:
- .dword 0x0000000000000000 # What to restore sp to on abort