PERFORCE change 213450 for review

Robert Watson rwatson at FreeBSD.org
Mon Jun 25 16:51:18 UTC 2012


http://p4web.freebsd.org/@@213450?ac=10

Change 213450 by rwatson at rwatson_svr_ctsrd_mipsbuild on 2012/06/25 16:50:17

	A further reworking on CheriBSD management of CP2 contexts for user
	threads:
	
	- Introduce constants for various important values inserted into
	  capabilities configured for user threads so that it's easier to
	  write corresponding unit tests.
	
	- Select more conservative initial register values on execve(): $c0
	  contains full access to the user address space, and other
	  capabilities are initialised to null rights.
	
	- Don't use a CP2 user template variable, just construct required
	  capabilities from the kernel data capability (KDC) on demand.
	  Eventually we'll want to rearrange things a bit so that the kernel
	doesn't execute with all privilege, but instead always employs
	  capabilities when accessing user data, but not yet.
	
	- Fix bugs in CP2_CR_GET_UPERMS() and CP2_CR_GET(), which were not
	  used in Deimos and hence didn't work.

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cp2.c#8 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#3 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#3 edit

Differences ...

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cp2.c#8 (text+ko) ====

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2011 Robert N. M. Watson
+ * Copyright (c) 2011-2012 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by SRI International and the University of
@@ -51,11 +51,6 @@
  */
 
 /*
- * Template capability delegating ambient authority to userspace processes.
- */
-static struct capability	cp2_user_template;
-
-/*
  * Given an existing more privileged capability (fromcrn), build a new
  * capability in tocrn with the contents of the passed flattened
  * representation.
@@ -80,31 +75,35 @@
 	CP2_CR_STORE(CHERI_CR_CT0, CHERI_CR_KDC, (uint64_t)cp);
 }
 
+/*
+ * Functions to store a common set of capability values to in-memory
+ * capabilities: full privilege, userspace privilege, and null privilege.
+ * These are used to initialise capability registers when creating new
+ * contexts.
+ */
 void
 cp2_capability_set_priv(struct capability *cp)
 {
 
-	cp2_capability_set(cp, CHERI_PERM_ALL, NULL, NULL,
-	    0xffffffffffffffff);
+	cp2_capability_set(cp, CHERI_CAP_PRIV_UPERMS, CHERI_CAP_PRIV_OTYPE,
+	    CHERI_CAP_PRIV_BASE, CHERI_CAP_PRIV_LENGTH);
 }
 
 void
-cp2_capability_set_upriv(struct capability *cp)
+cp2_capability_set_user(struct capability *cp)
 {
 
-	/*
-	 * XXXRW: Note assumption that MIPS_XUSEG_START == NULL.  Perhaps
-	 * should be a CTASSERT().
-	 */
-	cp2_capability_set(cp, CHERI_PERM_ALL, NULL, NULL,
-	    MIPS_XUSEG_END);
+	cp2_capability_set(cp, CHERI_CAP_USER_UPERMS, CHERI_CAP_USER_OTYPE,
+	    CHERI_CAP_USER_BASE, CHERI_CAP_USER_LENGTH);
 }
 
 void
 cp2_capability_set_null(struct capability *cp)
 {
 
-	cp2_capability_set(cp, 0, NULL, NULL, 0);
+	cp2_capability_set(cp, CHERI_CAP_NOPRIV_UPERMS,
+	    CHERI_CAP_NOPRIV_OTYPE, CHERI_CAP_NOPRIV_BASE,
+	    CHERI_CAP_NOPRIV_LENGTH);
 }
 
 /*
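Review bot: cp2_capability_set_user now hands CHERI_CAP_USER_BASE (MIPS_XUSEG_START) and CHERI_CAP_USER_OTYPE (0x0) to the `void *basep` and `void *otypep` parameters declared for cp2_capability_set in cheri.h, so these calls compile cleanly only while the constants are integer zeros (null pointer constants); any future non-zero base or otype would need an explicit `(void *)` cast or the compiler will diagnose an integer-to-pointer conversion. Whether MIPS_XUSEG_START is literally 0 is not visible in this change. The removed XXXRW note about "MIPS_XUSEG_START == NULL" was the only record of that assumption, so it is worth restoring it in the new block comment, e.g. `/* The *_BASE and *_OTYPE constants are passed to void * parameters and are assumed to be integer 0 (null pointer constants); cast if that changes. */`.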
@@ -443,55 +442,44 @@
 	}
 }
 
-static void
-cheri_init(void *arg)
-{
-
-	/*
-	 * Initialise a template capability that will be used when
-	 * configuring new user processes.
-	 *
-	 * XXXRW: Currently, this delegates the full address space -- more
-	 * ideally, we'd limit it to user portions of the address space,
-	 * reinforcing the MIPS segment and ring model.
-	 */
-	cp2_capability_set_priv(&cp2_user_template);
-}
-SYSINIT(elf32, SI_SUB_CREATE_INIT, SI_ORDER_ANY, cheri_init, NULL);
-
 void
 cheri_exec_setregs(struct thread *td)
 {
 	struct cp2_frame *cfp;
 
+	/*
+	 * XXXRW: Experimental CHERI ABI initialises $c0 with full user
+	 * privilege, and all other user-accessible capability registers with
+	 * no rights at all.  The runtime linker/compiler/application can
+	 * propagate around rights as required.
+	 */
 	cfp = &td->td_pcb->pcb_cp2frame;
-	cp2_capability_load(CHERI_CR_CT0, &cp2_user_template);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c0);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c1);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c2);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c3);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c4);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c5);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c6);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c7);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c8);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c9);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c10);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c11);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c12);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c13);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c14);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c15);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c16);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c17);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c18);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c19);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c20);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c21);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c22);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c23);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c24);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_udc);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_tsc);
-	cp2_capability_store(CHERI_CR_CT0, &cfp->cf_pcc);
+	cp2_capability_set_user(&cfp->cf_c0);
+	cp2_capability_set_null(&cfp->cf_c1);
+	cp2_capability_set_null(&cfp->cf_c2);
+	cp2_capability_set_null(&cfp->cf_c3);
+	cp2_capability_set_null(&cfp->cf_c4);
+	cp2_capability_set_null(&cfp->cf_c5);
+	cp2_capability_set_null(&cfp->cf_c6);
+	cp2_capability_set_null(&cfp->cf_c7);
+	cp2_capability_set_null(&cfp->cf_c8);
+	cp2_capability_set_null(&cfp->cf_c9);
+	cp2_capability_set_null(&cfp->cf_c10);
+	cp2_capability_set_null(&cfp->cf_c11);
+	cp2_capability_set_null(&cfp->cf_c12);
+	cp2_capability_set_null(&cfp->cf_c13);
+	cp2_capability_set_null(&cfp->cf_c14);
+	cp2_capability_set_null(&cfp->cf_c15);
+	cp2_capability_set_null(&cfp->cf_c16);
+	cp2_capability_set_null(&cfp->cf_c17);
+	cp2_capability_set_null(&cfp->cf_c18);
+	cp2_capability_set_null(&cfp->cf_c19);
+	cp2_capability_set_null(&cfp->cf_c20);
+	cp2_capability_set_null(&cfp->cf_c21);
+	cp2_capability_set_null(&cfp->cf_c22);
+	cp2_capability_set_null(&cfp->cf_c23);
+	cp2_capability_set_null(&cfp->cf_c24);
+	cp2_capability_set_null(&cfp->cf_udc);
+	cp2_capability_set_null(&cfp->cf_tsc);
+	cp2_capability_set_null(&cfp->cf_pcc);
 }
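Review bot: cf_pcc is now initialised with cp2_capability_set_null together with the general-purpose capability registers, whereas the removed code gave it the same full template as $c0; if instruction fetch is checked against PCC's bounds and permissions, a zero-length, zero-permission PCC would stop the new image at its first instruction, which cannot be confirmed from this change alone. The new block comment covers only "$c0" and "all other user-accessible capability registers", so a sentence on why null cf_pcc, cf_udc and cf_tsc are acceptable here (for example, if exception return does not yet derive the user PCC from cf_pcc) would spare the next reader the same question. Suggested wording for the comment: `XXXRW: cf_pcc/cf_udc/cf_tsc are nulled too; confirm that return to user mode does not yet consult cf_pcc.`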

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#3 (text+ko) ====

@@ -104,7 +104,7 @@
 
 #define	CP2_CR_GET_UPERMS(crn, v)	do {				\
 	__asm__ __volatile__ (						\
-	    "cgetperms %0, $c%1; " :					\
+	    "cgetperm %0, $c%1; " :					\
 	    "=r" (v) : "i" (crn));					\
 } while (0)
 
@@ -235,9 +235,9 @@
  */
 #define	CP2_CR_GET(crn, c)	do {					\
 	CP2_CR_GET_UPERMS((crn), (c).c_uperms);				\
-	CP2_CR_GET_OTYPE((crn), (c).c_uperms);				\
-	CP2_CR_GET_BASE((crn), (c).c_uperms);				\
-	CP2_CR_GET_LENGTH((crn), (c).c_uperms);				\
+	CP2_CR_GET_OTYPE((crn), (c).u.c_otype);				\
+	CP2_CR_GET_BASE((crn), (c).c_base);				\
+	CP2_CR_GET_LENGTH((crn), (c).c_length);				\
 } while (0)
 
 #define	CP2_CR_SET(crn_to, crn_from, c)	do {				\
@@ -321,7 +321,7 @@
 void	cp2_capability_set(struct capability *cp, uint32_t uperms,
 	    void *otypep /* eaddr */, void *basep, uint64_t length);
 void	cp2_capability_set_priv(struct capability *cp);
-void	cp2_capability_set_upriv(struct capability *cp);
+void	cp2_capability_set_user(struct capability *cp);
 void	cp2_capability_set_null(struct capability *cp);
 
 #ifdef _KERNEL

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#3 (text+ko) ====

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2011 Robert N. M. Watson
+ * Copyright (c) 2011-2012 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by SRI International and the University of
@@ -68,6 +68,35 @@
 	CHERI_PERM_ACCESS_EPCC | CHERI_PERM_NON_EPHEMERAL)
 
 /*
+ * Definition for kernel "privileged" capability able to name the entire
+ * address space.
+ *
+ * XXXRW: Perhaps CHERI_UCAP_UNPRIV_LENGTH should actually just cover useg.
+ */
+#define	CHERI_CAP_PRIV_UPERMS		CHERI_PERM_ALL
+#define	CHERI_CAP_PRIV_OTYPE		0x0
+#define	CHERI_CAP_PRIV_BASE		0x0
+#define	CHERI_CAP_PRIV_LENGTH		0xffffffffffffffff
+
+/*
+ * Definition for userspace "unprivileged" capability able to name the user
+ * portion of the address space.
+ */
+#define	CHERI_CAP_USER_UPERMS		CHERI_PERM_ALL
+#define	CHERI_CAP_USER_OTYPE		0x0
+#define	CHERI_CAP_USER_BASE		MIPS_XUSEG_START
+#define	CHERI_CAP_USER_LENGTH		(MIPS_XUSEG_END - MIPS_XUSEG_START)
+
+/*
+ * Definition for capability unable to name any resources.  This is suitable
+ * for filling capability registers that should hold no privilege.
+ */
+#define	CHERI_CAP_NOPRIV_UPERMS		0x0
+#define	CHERI_CAP_NOPRIV_OTYPE		0x0
+#define	CHERI_CAP_NOPRIV_BASE		0x0
+#define	CHERI_CAP_NOPRIV_LENGTH		0x0
+
+/*
  * A blend of hardware and software allocation of capability registers.
  * Ideally, this list wouldn't exist here, but be purely in the assembler.
  */
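Review bot: The XXXRW note above the CHERI_CAP_PRIV_* block refers to CHERI_UCAP_UNPRIV_LENGTH, a name this change does not define; the macro it appears to mean is CHERI_CAP_USER_LENGTH, which is already (MIPS_XUSEG_END - MIPS_XUSEG_START), so the note reads as stale. Separately, CHERI_CAP_USER_UPERMS is CHERI_PERM_ALL, identical to CHERI_CAP_PRIV_UPERMS, and the context line at the top of the hunk looks like the tail of the CHERI_PERM_ALL definition and lists CHERI_PERM_ACCESS_EPCC among its bits; the commit message describes the user capability as "more conservative", which holds for its bounds but not for its permission mask. Suggest replacing the stale line with `XXXRW: CHERI_CAP_USER_UPERMS currently grants CHERI_PERM_ALL, including CHERI_PERM_ACCESS_EPCC; a user-specific permission mask is still to be defined.` placed under the "unprivileged" block where it applies.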

