PERFORCE change 213450 for review
Robert Watson
rwatson at FreeBSD.org
Mon Jun 25 16:51:18 UTC 2012
http://p4web.freebsd.org/@@213450?ac=10
Change 213450 by rwatson at rwatson_svr_ctsrd_mipsbuild on 2012/06/25 16:50:17
A further reworking on CheriBSD management of CP2 contexts for user
threads:
- Introduce constants for various important values inserted into
capabilities configured for user threads so that it's easier to
write corresponding unit tests.
- Select more conservative initial register values on execve(): $c0
contains full access to the user address space, and other
capabilities are initialised to null rights.
- Don't use a CP2 user template variable, just construct required
capabilities from the kernel data capability (KDC) on demand.
Eventually we'll want to rearrange things a bit so that the kernel
doesn't execute with all privilege, but instead always employs
capabilities when accessing user data, but not yet.
- Fix bugs in CP2_CR_GET_UPERMS() and CP2_CR_GET(), which were not
used in Deimos and hence didn't work.
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cp2.c#8 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#3 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#3 edit
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cp2.c#8 (text+ko) ====
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2011 Robert N. M. Watson
+ * Copyright (c) 2011-2012 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by SRI International and the University of
@@ -51,11 +51,6 @@
*/
/*
- * Template capability delegating ambient authority to userspace processes.
- */
-static struct capability cp2_user_template;
-
-/*
* Given an existing more privileged capability (fromcrn), build a new
* capability in tocrn with the contents of the passed flattened
* representation.
@@ -80,31 +75,35 @@
CP2_CR_STORE(CHERI_CR_CT0, CHERI_CR_KDC, (uint64_t)cp);
}
+/*
+ * Functions to store a common set of capability values to in-memory
+ * capabilities: full privilege, userspace privilege, and null privilege.
+ * These are used to initialise capability registers when creating new
+ * contexts.
+ */
void
cp2_capability_set_priv(struct capability *cp)
{
- cp2_capability_set(cp, CHERI_PERM_ALL, NULL, NULL,
- 0xffffffffffffffff);
+ cp2_capability_set(cp, CHERI_CAP_PRIV_UPERMS, CHERI_CAP_PRIV_OTYPE,
+ CHERI_CAP_PRIV_BASE, CHERI_CAP_PRIV_LENGTH);
}
void
-cp2_capability_set_upriv(struct capability *cp)
+cp2_capability_set_user(struct capability *cp)
{
- /*
- * XXXRW: Note assumption that MIPS_XUSEG_START == NULL. Perhaps
- * should be a CTASSERT().
- */
- cp2_capability_set(cp, CHERI_PERM_ALL, NULL, NULL,
- MIPS_XUSEG_END);
+ cp2_capability_set(cp, CHERI_CAP_USER_UPERMS, CHERI_CAP_USER_OTYPE,
+ CHERI_CAP_USER_BASE, CHERI_CAP_USER_LENGTH);
}
void
cp2_capability_set_null(struct capability *cp)
{
- cp2_capability_set(cp, 0, NULL, NULL, 0);
+ cp2_capability_set(cp, CHERI_CAP_NOPRIV_UPERMS,
+ CHERI_CAP_NOPRIV_OTYPE, CHERI_CAP_NOPRIV_BASE,
+ CHERI_CAP_NOPRIV_LENGTH);
}
/*
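Review bot: cp2_capability_set_user passes CHERI_CAP_USER_BASE, i.e. MIPS_XUSEG_START, straight into the `void *basep` parameter of cp2_capability_set (prototype visible in the cheri.h hunk), which is only well-formed because that constant happens to be zero; the removed XXXRW comment recorded exactly this assumption and its suggested CTASSERT never made it in. Add `CTASSERT(MIPS_XUSEG_START == 0);` beside the function, or cast explicitly as `(void *)CHERI_CAP_USER_BASE`, so a non-zero segment start fails loudly rather than through an implicit int-to-pointer conversion. The same applies to the OTYPE and BASE constants used by cp2_capability_set_priv and cp2_capability_set_null, which are plain integers in cherireg.h but are consumed as pointers here.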
@@ -443,55 +442,44 @@
}
}
-static void
-cheri_init(void *arg)
-{
-
- /*
- * Initialise a template capability that will be used when
- * configuring new user processes.
- *
- * XXXRW: Currently, this delegates the full address space -- more
- * ideally, we'd limit it to user portions of the address space,
- * reinforcing the MIPS segment and ring model.
- */
- cp2_capability_set_priv(&cp2_user_template);
-}
-SYSINIT(elf32, SI_SUB_CREATE_INIT, SI_ORDER_ANY, cheri_init, NULL);
-
void
cheri_exec_setregs(struct thread *td)
{
struct cp2_frame *cfp;
+ /*
+ * XXXRW: Experimental CHERI ABI initialises $c0 with full user
+ * privilege, and all other user-accessible capability registers with
+ * no rights at all. The runtime linker/compiler/application can
+ * propagate around rights as required.
+ */
cfp = &td->td_pcb->pcb_cp2frame;
- cp2_capability_load(CHERI_CR_CT0, &cp2_user_template);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c0);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c1);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c2);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c3);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c4);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c5);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c6);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c7);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c8);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c9);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c10);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c11);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c12);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c13);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c14);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c15);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c16);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c17);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c18);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c19);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c20);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c21);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c22);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c23);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_c24);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_udc);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_tsc);
- cp2_capability_store(CHERI_CR_CT0, &cfp->cf_pcc);
+ cp2_capability_set_user(&cfp->cf_c0);
+ cp2_capability_set_null(&cfp->cf_c1);
+ cp2_capability_set_null(&cfp->cf_c2);
+ cp2_capability_set_null(&cfp->cf_c3);
+ cp2_capability_set_null(&cfp->cf_c4);
+ cp2_capability_set_null(&cfp->cf_c5);
+ cp2_capability_set_null(&cfp->cf_c6);
+ cp2_capability_set_null(&cfp->cf_c7);
+ cp2_capability_set_null(&cfp->cf_c8);
+ cp2_capability_set_null(&cfp->cf_c9);
+ cp2_capability_set_null(&cfp->cf_c10);
+ cp2_capability_set_null(&cfp->cf_c11);
+ cp2_capability_set_null(&cfp->cf_c12);
+ cp2_capability_set_null(&cfp->cf_c13);
+ cp2_capability_set_null(&cfp->cf_c14);
+ cp2_capability_set_null(&cfp->cf_c15);
+ cp2_capability_set_null(&cfp->cf_c16);
+ cp2_capability_set_null(&cfp->cf_c17);
+ cp2_capability_set_null(&cfp->cf_c18);
+ cp2_capability_set_null(&cfp->cf_c19);
+ cp2_capability_set_null(&cfp->cf_c20);
+ cp2_capability_set_null(&cfp->cf_c21);
+ cp2_capability_set_null(&cfp->cf_c22);
+ cp2_capability_set_null(&cfp->cf_c23);
+ cp2_capability_set_null(&cfp->cf_c24);
+ cp2_capability_set_null(&cfp->cf_udc);
+ cp2_capability_set_null(&cfp->cf_tsc);
+ cp2_capability_set_null(&cfp->cf_pcc);
}
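Review bot: cf_pcc is initialised with the no-privilege capability on the last line of the hunk, exactly like the general-purpose registers; if the return-to-user path restores EPCC from cf_pcc, a freshly exec'd thread would have no executable region and would fault on its first instruction, whereas the old code gave it the full template. If PCC is deliberately established elsewhere (not visible here), state that in the XXXRW block above the stores, e.g. `/* cf_pcc is overwritten by <location> before the first return to userspace. */`; otherwise derive cf_pcc from the same user capability as cf_c0. Since struct capability is the flattened in-memory form (per the comment earlier in the file), the 27 identical null initialisations could presumably be one cp2_capability_set_null into a local followed by struct assignment, avoiding the per-field CT0/KDC round trip, though that depends on cp2_capability_set having no side effect beyond the store.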
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#3 (text+ko) ====
@@ -104,7 +104,7 @@
#define CP2_CR_GET_UPERMS(crn, v) do { \
__asm__ __volatile__ ( \
- "cgetperms %0, $c%1; " : \
+ "cgetperm %0, $c%1; " : \
"=r" (v) : "i" (crn)); \
} while (0)
@@ -235,9 +235,9 @@
*/
#define CP2_CR_GET(crn, c) do { \
CP2_CR_GET_UPERMS((crn), (c).c_uperms); \
- CP2_CR_GET_OTYPE((crn), (c).c_uperms); \
- CP2_CR_GET_BASE((crn), (c).c_uperms); \
- CP2_CR_GET_LENGTH((crn), (c).c_uperms); \
+ CP2_CR_GET_OTYPE((crn), (c).u.c_otype); \
+ CP2_CR_GET_BASE((crn), (c).c_base); \
+ CP2_CR_GET_LENGTH((crn), (c).c_length); \
} while (0)
#define CP2_CR_SET(crn_to, crn_from, c) do { \
@@ -321,7 +321,7 @@
void cp2_capability_set(struct capability *cp, uint32_t uperms,
void *otypep /* eaddr */, void *basep, uint64_t length);
void cp2_capability_set_priv(struct capability *cp);
-void cp2_capability_set_upriv(struct capability *cp);
+void cp2_capability_set_user(struct capability *cp);
void cp2_capability_set_null(struct capability *cp);
#ifdef _KERNEL
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#3 (text+ko) ====
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2011 Robert N. M. Watson
+ * Copyright (c) 2011-2012 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by SRI International and the University of
@@ -68,6 +68,35 @@
CHERI_PERM_ACCESS_EPCC | CHERI_PERM_NON_EPHEMERAL)
/*
+ * Definition for kernel "privileged" capability able to name the entire
+ * address space.
+ *
+ * XXXRW: Perhaps CHERI_UCAP_UNPRIV_LENGTH should actually just cover useg.
+ */
+#define CHERI_CAP_PRIV_UPERMS CHERI_PERM_ALL
+#define CHERI_CAP_PRIV_OTYPE 0x0
+#define CHERI_CAP_PRIV_BASE 0x0
+#define CHERI_CAP_PRIV_LENGTH 0xffffffffffffffff
+
+/*
+ * Definition for userspace "unprivileged" capability able to name the user
+ * portion of the address space.
+ */
+#define CHERI_CAP_USER_UPERMS CHERI_PERM_ALL
+#define CHERI_CAP_USER_OTYPE 0x0
+#define CHERI_CAP_USER_BASE MIPS_XUSEG_START
+#define CHERI_CAP_USER_LENGTH (MIPS_XUSEG_END - MIPS_XUSEG_START)
+
+/*
+ * Definition for capability unable to name any resources. This is suitable
+ * for filling capability registers that should hold no privilege.
+ */
+#define CHERI_CAP_NOPRIV_UPERMS 0x0
+#define CHERI_CAP_NOPRIV_OTYPE 0x0
+#define CHERI_CAP_NOPRIV_BASE 0x0
+#define CHERI_CAP_NOPRIV_LENGTH 0x0
+
+/*
* A blend of hardware and software allocation of capability registers.
* Ideally, this list wouldn't exist here, but be purely in the assembler.
*/
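Review bot: CHERI_CAP_USER_UPERMS is defined as CHERI_PERM_ALL, and the context line at the top of the hunk shows CHERI_PERM_ALL including CHERI_PERM_ACCESS_EPCC, so the $c0 handed to every exec'd thread carries what looks like a privileged permission bit; if ACCESS_EPCC gates access to the exception PC capability, the user set should mask it out, e.g. `#define CHERI_CAP_USER_UPERMS (CHERI_PERM_ALL & ~CHERI_PERM_ACCESS_EPCC)`, together with any other system-only bits defined earlier in the file. The XXXRW comment names CHERI_UCAP_UNPRIV_LENGTH, which does not exist in this hunk; it presumably means CHERI_CAP_PRIV_LENGTH (the USER length already covers only useg), so the comment should name the macro it is actually about.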