From owner-p4-projects@FreeBSD.ORG Sun Jul 29 22:55:14 2012
Return-Path: 
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 6FE2F1065670; Sun, 29 Jul 2012 22:55:13 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 265D2106566C for ; Sun, 29 Jul 2012 22:55:13 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [IPv6:2001:4f8:fff6::2d]) by mx1.freebsd.org (Postfix) with ESMTP id F2E738FC0C for ; Sun, 29 Jul 2012 22:55:12 +0000 (UTC)
Received: from skunkworks.freebsd.org (localhost [127.0.0.1]) by skunkworks.freebsd.org (8.14.4/8.14.4) with ESMTP id q6TMtCwX033220 for ; Sun, 29 Jul 2012 22:55:12 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.4/8.14.4/Submit) id q6TMtCjR033217 for perforce@freebsd.org; Sun, 29 Jul 2012 22:55:12 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Sun, 29 Jul 2012 22:55:12 GMT
Message-Id: <201207292255.q6TMtCjR033217@skunkworks.freebsd.org>
X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
To: Perforce Change Reviews
Precedence: bulk
Cc: 
Subject: PERFORCE change 215102 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Sun, 29 Jul 2012 22:55:14 -0000

http://p4web.freebsd.org/@@215102?ac=10

Change 215102 by rwatson@rwatson_svr_ctsrd_mipsbuild on 2012/07/29 22:55:09

	Revise CHERI_EXCEPTION_RETURN() to install the kernel code capability
	(KCC) in EPCC before ERET occurs.

	Currently, the kernel runs in a single security domain described by KCC
	and the kernel data capability (KDC), and an exception that entered from
	userspace might later ERET to a kernel thread as a result of a kernel
	context switch. Because the kernel runs in a single security domain, its
	context switch code doesn't manage EPCC -- this occurs only for user
	threads, so it was possible to ERET to kernel using a userspace PCC --
	which promptly threw an exception. Now, ERET to kernel is explicitly
	taught to install KDC in EPCC, so this doesn't happen.

	Once the kernel starts doing more interesting things with capabilities,
	more interesting things will need to be done here (and in other spots
	managing kernel context, such as SAVE/RESTORE_CPU macros used when
	exceptions fire in kernel).

	With this change, and following CHERI pipeline reworking, we can now
	boot CheriBSD single-user in simulation again.

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#5 edit

Differences ...

==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#5 (text+ko) ====
@@ -38,10 +38,11 @@ /* * Assembly code to be used in CHERI exception handling and context switching. * - * When entering an exception handler, conditionally save the default user - * data capability. Then install the kernel's default data capability. The - * caller provides a temporary register to use for the purposes of querying - * CP0 SR to determine whether the target is userspace or the kernel. + * When entering an exception handler from userspace, conditionally save the + * default user data capability. Then install the kernel's default data + * capability. The caller provides a temporary register to use for the + * purposes of querying CP0 SR to determine whether the target is userspace or + * the kernel. */ #define CHERI_EXCEPTION_ENTER(reg) \ mfc0 reg, MIPS_COP_0_STATUS; \ @@ -49,22 +50,32 @@ beq reg, $0, 64f; \ nop; \ cmove $c25, $c0; \ -64: \ - cmove $c0, $c30; + cmove $c0, $c30; \ +64: /* * When returning from an exception, conditionally restore the default user * data capability. The caller provides a temporary register to use for the * purposes of querying CP0 SR to determine whether the target is userspace * or the kernel. + * + * XXXCHERI: We assume that the caller will install an appropriate PCC for a + * return to userspace, but that in the kernel case, we need to install a + * kernel EPCC, potentially overwriting a previously present user EPCC from + * exception entry. Once the kernel does multiple security domains, the + * caller should manage EPCC in that case as well, and we can remove EPCC + * assignment here. */ #define CHERI_EXCEPTION_RETURN(reg) \ mfc0 reg, MIPS_COP_0_STATUS; \ andi reg, reg, SR_KSU_USER; \ beq reg, $0, 65f; \ nop; \ - cmove $c0, $c25; \ -65: + b 66f; \ + cmove $c0, $c25; /* Branch-delay; install UDC in C0. */ \ +65: \ + cmove $c31, $c29; /* Install kernel PCC in EPCC. */ \ +66: /* * Macros to save and restore CP2 registers from pcb.pcb_cp2frame,
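Review bot: in the first hunk (@@ -38,10 +38,11 @@), the reworded CHERI_EXCEPTION_ENTER() comment still says "Then install the kernel's default data capability" as if it were unconditional, but after the label move in the following hunk the `cmove $c0, $c30` is only reached on the userspace-entry path; when entering from the kernel the branch to 64f now skips it and $c0 is left as-is. Suggest saying so explicitly, for example "When entering from the kernel, C0 is assumed to already hold KDC and is left unchanged," since that is the invariant the kernel-side SAVE/RESTORE_CPU paths mentioned in the summary will have to preserve.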
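Review bot: in the second hunk (@@ -49,22 +50,32 @@), the new kernel-return path `cmove $c31, $c29; /* Install kernel PCC in EPCC. */` installs the code capability, consistent with the first sentence of the summary ("install the kernel code capability (KCC) in EPCC"), but the summary's later sentence says "install KDC in EPCC"; please make the description say KCC throughout so a reader does not mistake $c29 for the data capability. Two smaller points on the same macro: the `cmove $c0, $c25; /* Branch-delay; install UDC in C0. */` placed after `b 66f` is only correct if the including code is assembled with reordering disabled (the explicit `nop` after `beq reg, $0, 65f` suggests it is), and a one-line comment at the macro stating that requirement would keep a future `.set reorder` from silently moving the UDC restore out of the delay slot. Also, on the kernel path EPCC is overwritten with KCC even when the exception was taken from the kernel, which is harmless today under the single-domain assumption in the new XXXCHERI note, but is worth stating there since it discards whatever EPCC held at entry.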