From owner-p4-projects@FreeBSD.ORG Sun Sep 29 09:28:52 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 8420CA16; Sun, 29 Sep 2013 09:28:52 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 3A8D3A14 for ; Sun, 29 Sep 2013 09:28:52 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 276022DC9 for ; Sun, 29 Sep 2013 09:28:52 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r8T9SqtP017468 for ; Sun, 29 Sep 2013 09:28:52 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r8T9Sp3w017459 for perforce@freebsd.org; Sun, 29 Sep 2013 09:28:51 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 29 Sep 2013 09:28:51 GMT Message-Id: <201309290928.r8T9Sp3w017459@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 890770 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Sep 2013 09:28:52 -0000 http://p4web.freebsd.org/@@890770?ac=10 Change 890770 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/09/29 09:28:44 Prefer FreeBSD macro for daddiu. Replace an incorrect csc with a more correct clc when popping PCC from the trusted stack. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/ccall.S#7 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/ccall.S#7 (text+ko) ==== @@ -126,7 +126,7 @@ /* Push PC + 4 */ MFC0 k0, MIPS_COP_0_EXC_PC - daddiu k0, 4 + PTR_ADDU k0, k0, 4 csd k0, k1, U_CHERI_STACK_PC(CHERI_REG_KDC) /* 
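Review bot: PTR_ADDU with an immediate third operand only assembles because the assembler rewrites it to the immediate form; the macro that actually maps to daddiu is PTR_ADDIU, so `PTR_ADDIU k0, k0, 4` is the direct replacement for `daddiu k0, 4` and is the form the same file uses later in this thread for the identical EPC + 4 adjustment. Functionally the two are equivalent, so this is a consistency point only.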
@@ -184,7 +184,7 @@ clc CHERI_REG_IDC, k1, U_CHERI_STACK_IDC(CHERI_REG_KDC) /* Pop PCC. */ - csc CHERI_REG_EPCC, k1, U_CHERI_STACK_PCC(CHERI_REG_KDC) + clc CHERI_REG_EPCC, k1, U_CHERI_STACK_PCC(CHERI_REG_KDC) /* Pop PC + padding; +4 increment already done. */ cld k0, k1, U_CHERI_STACK_PC(CHERI_REG_KDC) From owner-p4-projects@FreeBSD.ORG Sun Sep 29 11:14:44 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D3AD78F0; Sun, 29 Sep 2013 11:14:43 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 953FF8EE for ; Sun, 29 Sep 2013 11:14:43 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8136E2212 for ; Sun, 29 Sep 2013 11:14:43 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r8TBEh1a076326 for ; Sun, 29 Sep 2013 11:14:43 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r8TBEh64076323 for perforce@freebsd.org; Sun, 29 Sep 2013 11:14:43 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 29 Sep 2013 11:14:43 GMT Message-Id: <201309291114.r8TBEh64076323@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
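Review bot: the clc is the right fix; as written, the PCC "pop" was a store, so CReturn overwrote the saved PCC slot with the current EPCC and then left EPCC untouched. What this hunk still shows is that the three pops run unconditionally from the fixed frame at k1 with no check that a matching push ever happened, so a CReturn issued without a preceding CCall installs whatever the slot currently holds into IDC, EPCC and EPC. An underflow test before the first clc, branching to an error path, would close that.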
From: Robert Watson Subject: PERFORCE change 891716 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Sep 2013 11:14:44 -0000 http://p4web.freebsd.org/@@891716?ac=10 Change 891716 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/09/29 11:14:31 Remove XXX comment about setting the type; we now do that. Remove use of K0/K1 registers in CCall/CReturn -- that was temporary scaffolding. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#22 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#22 (text+ko) ==== @@ -101,7 +101,6 @@ static void cheritest_ccall(void) { - register_t k0, k1; /*- * Construct a generic capability in $c3 that describes the combined @@ -111,7 +110,6 @@ * $c2, suitable for use with CCall. * * Current limitations: - * - Doesn't set the type (XXXRW: new or old semantics?) * - $c2 doesn't matter as sandbox_creturn doesn't access data. * - We don't flush registers before CCall. * - We don't restore registers after CCall. 
@@ -137,33 +135,13 @@ /* Invoke capability. */ CHERI_CCALL(1, 2); - - /* - * XXXRW: Rely on a side channel out of our test handler to see - * whether it was a CCall or CReturn. - */ - __asm__ __volatile__ ("move %0, $k0" : "=r" (k0)); - __asm__ __volatile__ ("move %0, $k1" : "=r" (k1)); - printf("MIPS K0: %016jx\n", k0); - printf("MIPS K1: %016jx\n", k1); } static void cheritest_creturn(void) { - register_t k0, k1; - /* XXXRW: Temporary nop semantics. */ CHERI_CRETURN(); - - /* - * XXXRW: Rely on a side channel out of our test handler to see - * whether it was a CCall or CReturn. - */ - __asm__ __volatile__ ("move %0, $k0" : "=r" (k0)); - __asm__ __volatile__ ("move %0, $k1" : "=r" (k1)); - printf("MIPS K0: %016jx\n", k0); - printf("MIPS K1: %016jx\n", k1); } static void From owner-p4-projects@FreeBSD.ORG Sun Sep 29 14:06:47 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 3DB96FB3; Sun, 29 Sep 2013 14:06:47 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id F3BA5FB1 for ; Sun, 29 Sep 2013 14:06:46 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id DFA642868 for ; Sun, 29 Sep 2013 14:06:46 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r8TE6kkW023728 for ; Sun, 29 Sep 2013 14:06:46 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r8TE6ka2023725 for perforce@freebsd.org; Sun, 29 
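Review bot: cheritest_creturn() still issues a bare CHERI_CRETURN() with no preceding CCall, and the context line above it still reads "XXXRW: Temporary nop semantics." even though CReturn now pops IDC, PCC and PC from the trusted stack (change 890770 earlier in this thread) and the handler has no underflow check. Either drop the stale comment and document the test as a deliberate underflow probe, or pair the CReturn with a CCall so the test exercises a balanced push/pop.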
Sep 2013 14:06:46 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 29 Sep 2013 14:06:46 GMT Message-Id: <201309291406.r8TE6ka2023725@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 893249 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Sep 2013 14:06:47 -0000 http://p4web.freebsd.org/@@893249?ac=10 Change 893249 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/09/29 14:06:40 Add an additional NULL-pointer derefence command to cheritest, since we appear to have an issue with kernel stack corruption visible only in the handler for invalid TLB entries, triggered by excessively imaginative pointer dereferences. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#23 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#23 (text+ko) ==== @@ -74,6 +74,7 @@ fprintf(stderr, "cheritest listcausereg\n"); fprintf(stderr, "cheritest listprivregs\n"); fprintf(stderr, "cheritest listregs\n"); + fprintf(stderr, "cheritest nullderef\n"); fprintf(stderr, "cheritest overrun\n"); fprintf(stderr, "cheritest sandbox\n"); fprintf(stderr, "cheritest sandbox_invoke_abort\n"); @@ -221,6 +222,16 @@ } static void +cheritest_nullderef(void) +{ + int *p, v; + + p = NULL; + v = *p; + printf("%d\n", v); +} + +static void cheritest_sandbox(void) { 
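Review bot: in cheritest_nullderef() the dereference `v = *p` with p == NULL is undefined behaviour, and clang in particular may drop the load or replace it with a trap instruction, in which case the test never takes the TLB fault it exists to provoke. Declaring `volatile int *p` forces the load to be emitted. Since the purpose is to reproduce a kernel stack problem in the invalid-TLB path, it is also worth making the test take the same fault at a fixed unmapped non-NULL address, so that it does not depend on page zero being unmapped.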
@@ -340,6 +351,8 @@ cheritest_copyregs(); else if (strcmp(argv[i], "creturn") == 0) cheritest_creturn(); + else if (strcmp(argv[i], "nullderef") == 0) + cheritest_nullderef(); else if (strcmp(argv[i], "overrun") == 0) cheritest_overrun(); else if (strcmp(argv[i], "sandbox") == 0) From owner-p4-projects@FreeBSD.ORG Wed Oct 2 13:51:57 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B9B36F5D; Wed, 2 Oct 2013 13:51:57 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 7B957F5B for ; Wed, 2 Oct 2013 13:51:57 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 677002C95 for ; Wed, 2 Oct 2013 13:51:57 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r92DpvGf020052 for ; Wed, 2 Oct 2013 13:51:57 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r92Dpu0e020049 for perforce@freebsd.org; Wed, 2 Oct 2013 13:51:56 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Wed, 2 Oct 2013 13:51:56 GMT Message-Id: <201310021351.r92Dpu0e020049@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 931244 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Oct 2013 13:51:57 -0000 http://p4web.freebsd.org/@@931244?ac=10 Change 931244 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/10/02 13:51:29 Shrink PCB-embedded trusted stack down to 2 entries from 10 for now; growth of the PCB shrunk the available kernel stack sufficiently to cause deeply nested VM paths to overflow. In the case I encountered, triggered by a userspace NULL-pointer dereference, found the following on a manually unwound stack: user null pointer deref -> vm -> signal delivery -> coredump -> vfs -> page fault -> vm page filling -> interrupt delivery -> timer code -> sleepq processing -> Where consisted of taking a TLB invalid fault on the guard page and then keeling over. It would be helpful if (a) DDB's stack trace code on MIPS could walk past exceptions rather than requiring manual unwinding, and (b) code detecting stack overflow didn't promptly overwrite the register state required to debug it. In the longer term we'll need to move the TSC elsewhere. We may also want to grow the default MIPS kernel stack for 64-bit somewhat as even before my change, it came very close to the limit. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#24 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#24 (text+ko) ==== 
@@ -118,7 +118,7 @@ struct chericap csf_idc; }; -#define CHERI_STACK_DEPTH 10 /* XXXRW: 10 is a nice round number. */ +#define CHERI_STACK_DEPTH 2 /* XXXRW: 2 is a nice round number. */ struct cheri_stack { u_int cs_max; /* Maximum frame depth. */ u_int cs_pointer; /* Current frame index. */ From owner-p4-projects@FreeBSD.ORG Wed Oct 2 14:08:15 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 3C8803C0; Wed, 2 Oct 2013 14:08:15 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id D9FBA3BE for ; Wed, 2 Oct 2013 14:08:14 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C54C42D6B for ; Wed, 2 Oct 2013 14:08:14 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r92E8E8t043471 for ; Wed, 2 Oct 2013 14:08:14 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r92E8EPU043468 for perforce@freebsd.org; Wed, 2 Oct 2013 14:08:14 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Wed, 2 Oct 2013 14:08:14 GMT Message-Id: <201310021408.r92E8EPU043468@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
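Review bot: the replacement comment "2 is a nice round number" hides the actual reason for the change; record the kernel-stack pressure from the commit message next to the define (e.g. "/* Kept small: PCB growth overflows the MIPS kernel stack in deep VM paths. */") so that nobody raises it back to 10 and reintroduces the overflow. With only two frames, any CCall nesting deeper than two hits the overflow path, which the handler later in this thread treats as a NOP, so the depth also bounds what the sandbox tests can exercise and should be documented as such.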
From: Robert Watson Subject: PERFORCE change 931386 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Oct 2013 14:08:15 -0000 http://p4web.freebsd.org/@@931386?ac=10 Change 931386 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/10/02 14:07:34 Flesh out the remainder of the basic substance of a software-path CCall, but with some notable XXX's involving error handling and the trusted stack. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/ccall.S#8 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/ccall.S#8 (text+ko) ==== 
@@ -110,11 +110,69 @@ * XXXRW: Temporarily, store a one-entry trusted stack in a global. k1 should * eventually point to the next entry in td->td_pcb.pcb_cheristack, with an * overflow check. + * + * XXXRW: We'd like a CSetCause so that we can jump to the general CP2 + * exception handler from here after setting its state appropriately. + * + * NB: No attempt to make this pipeline well yet -- branch-delay slots not + * well-utilised, some CP2 fields accessed multiple times. */ CHERICCall: .set push .set noat + /* First, test argument registers for tag validity. */ + cbtu CHERI_REG_CCALLCODE, CCall_c1_invalid + nop + cbtu CHERI_REG_CCALLDATA, CCall_c2_invalid + nop + + /* Second, check for the sealed bit on both arguments. */ + cgetunsealed k0, CHERI_REG_CCALLCODE + beqz k0, CCall_c1_unsealed + nop + + cgetunsealed k0, CHERI_REG_CCALLDATA + beqz k0, CCall_c2_unsealed + nop + + /* Third, check for type equality. */ + cgettype k0, CHERI_REG_CCALLCODE + cgettype k1, CHERI_REG_CCALLDATA + bne k0, k1, CCall_c1_c2_type_mismatch + nop + + /* Fourth, check permissions. */ + cgetperm k0, CHERI_REG_CCALLCODE + REG_LI k1, CHERI_PERM_SEAL | CHERI_PERM_EXECUTE + and k0, k0, k1 + beq k0, k1, CCall_c1_perms + nop + + /* Fifth, check proposed PC is not lower than base. */ + cgetbase k0, CHERI_REG_CCALLCODE + cgettype k1, CHERI_REG_CCALLCODE + sltu k1, k1, k0 + bne k1, zero, CCall_c1_range + nop + + /* + * Sixth, check proposed PC is not greater than base + length - 4. + * + * XXXRW: CHERI ISA spec calls for '-1'; we use '4' as it is the + * length of an instruction. + * + * XXXRW: Check this logic. + */ + cgetbase k0, CHERI_REG_CCALLCODE + cgetlen k1, CHERI_REG_CCALLCODE + PTR_ADDU k0, k0, k1 + PTR_SUBIU k0, 4 + cgettype k1, CHERI_REG_CCALLCODE + sltu k1, k1, k0 + bne k1, zero, CCall_c1_range + nop + /* XXXRW: Change to PCB reference in the future. */ PTR_LA k1, cheri_tsc_hack 
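Review bot: three of the new checks branch to the error label on the success condition. cgetunsealed yields nonzero for an unsealed capability, so `beqz k0, CCall_c1_unsealed` (and the c2 copy) jumps to the error path exactly when the argument is sealed; the permission test `and k0, k0, k1` / `beq k0, k1, CCall_c1_perms` jumps to the error path when both required bits are present. Both need the opposite sense (bnez / bne). The sixth check has the problem the XXXRW already suspects: with k0 = base + length - 4 and k1 = otype, `sltu k1, k1, k0` is 1 when otype is below the limit, i.e. in range, so `bne k1, zero, CCall_c1_range` rejects every ordinary entry point and lets otype above the limit through; swap the operands (`sltu k1, k0, k1`) so the branch fires only for otype > base + length - 4. Also visible here: only the code capability's permissions are examined, the data capability in c2 gets no permission check at all.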
@@ -160,6 +218,22 @@ CHERI_EXCEPTION_RETURN(k0) eret + +CCall_c1_invalid: +CCall_c2_invalid: +CCall_c1_unsealed: +CCall_c2_unsealed: +CCall_c1_c2_type_mismatch: +CCall_c1_perms: +CCall_c1_range: + /* XXXRW: For now, treat as a NOP. */ + MFC0 k0, MIPS_COP_0_EXC_PC + PTR_ADDIU k0, 4 + MTC0 k0, MIPS_COP_0_EXC_PC + + CHERI_EXCEPTION_RETURN(k0); + eret + .set pop /* @@ -172,6 +246,13 @@ * XXXRW: Temporarily, store a one-entry trusted stack in a global. k1 should * eventually point to the next entry in td->td_pcb.pcb_cheristack, with an * underflow check. + * + * XXXRW: We'd like a CSetCause so that we can jump to the general CP2 + * exception handler from here after setting its state appropriately. + * + * Possible failure modes: + * + * 1. Trusted stack underflow. XXXRW: How to deal with this? */ CHERICReturn: .set push 
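Review bot: collapsing every failed check into "advance EPC by 4 and eret" means a CCall with an untagged, unsealed or mismatched pair silently continues in the caller with its original PCC and IDC, indistinguishable to the caller from a sandbox that returned immediately. Until a real fault is delivered (the CSetCause XXX above), at least make the failure observable, e.g. by falling into the generic CP2 exception path or recording the cause somewhere the test can read, so that a rejected CCall cannot be mistaken for a successful one. Style: `CHERI_EXCEPTION_RETURN(k0);` in this path carries a trailing semicolon that the other uses of the macro do not.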
@@ -193,4 +274,14 @@ CHERI_EXCEPTION_RETURN(k0) eret - .set pop + +CReturn_error: + /* XXXRW: For now, treat as a NOP. */ + MFC0 k0, MIPS_COP_0_EXC_PC + PTR_ADDIU k0, 4 + MTC0 k0, MIPS_COP_0_EXC_PC + + CHERI_EXCEPTION_RETURN(k0) + eret + + .set pop From owner-p4-projects@FreeBSD.ORG Wed Oct 2 21:20:54 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D00CB8BD; Wed, 2 Oct 2013 21:20:54 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 933DE8BB for ; Wed, 2 Oct 2013 21:20:54 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 7115F2AEE for ; Wed, 2 Oct 2013 21:20:54 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r92LKsUi058018 for ; Wed, 2 Oct 2013 21:20:54 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r92LKsur058015 for perforce@freebsd.org; Wed, 2 Oct 2013 21:20:54 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Wed, 2 Oct 2013 21:20:54 GMT Message-Id: <201310022120.r92LKsur058015@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
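Review bot: CReturn_error is not the target of any branch in the visible code, so nothing in the CReturn path can reach it, and the "trusted stack underflow" failure mode listed in the comment above is still unchecked. Either add the underflow test before the pops and branch here, or mark the label as reserved so it is not read as live handling.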
From: Robert Watson Subject: PERFORCE change 935213 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Oct 2013 21:20:55 -0000 http://p4web.freebsd.org/@@935213?ac=10 Change 935213 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/10/02 21:20:34 Various steps on the path to a per-thread trusted stack: - Introduce cheri_memcpy(), a memory-copy utility function for the CheriBSD kernel, which is capable of preserving tag bits. This is not as good as a real tag-aware memcpy() as it only handles strong (32-byte) alignment, but useful for our purposes. Use this in copying CHERI capability contexts rather than manual capability copies. - Add a new cheri_stack.c that implements two new functions: cheri_stack_init() and cheri_stack_copy() to be used in thread state reset (e.g., execve()) and thread fork. - For consistency with cheri_stack() routines, make cheri_context() routines accept pcb pointers rather than cheri_frame pointers. The now-initialised/maintained per-thread trusted stack is not yet used by CCall/CReturn, however. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/sys/mips/beri/files.beri#17 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#17 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri_stack.c#1 add .. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#25 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/mips/pm_machdep.c#7 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/mips/vm_machdep.c#11 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/beri/files.beri#17 (text+ko) ====
@@ -26,7 +26,8 @@ mips/beri/beri_machdep.c standard mips/beri/beri_mp.c optional smp mips/beri/beri_pic.c optional fdt +mips/cheri/ccall.S optional cpu_cheri mips/cheri/cheri.c optional cpu_cheri -mips/cheri/ccall.S optional cpu_cheri +mips/cheri/cheri_stack.c optional cpu_cheri mips/mips/intr_machdep.c standard mips/mips/tick.c standard ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#17 (text+ko) ==== @@ -80,6 +80,42 @@ struct cheri_stack_frame cheri_tsc_hack; /* + * Capability memcpy() routine -- not a general-purpose memcpy() as it has + * much stronger alignment and size requirements. + * + * XXXRW: Eventually, true memcpy() will support capabilities, and this will + * go away. We hope. + */ +void * +cheri_memcpy(void *dst, void *src, size_t len) +{ + register_t s; + u_int i; + + /* NB: Assumes CHERICAP_SIZE is a power of two. */ + KASSERT(((uintptr_t)dst & (CHERICAP_SIZE - 1)) == 0, + ("%s: unaligned dst", __func__)); + KASSERT(((uintptr_t)src & (CHERICAP_SIZE - 1)) == 0, + ("%s: unaligned src", __func__)); + KASSERT((len % CHERICAP_SIZE) == 0, + ("%s: copy size not a multiple of capability size", __func__)); + + /* + * XXXRW: Prevent preemption during memory copy, as we're using an + * exception handling temporary register. + */ + s = intr_disable(); + for (i = 0; i < (len / CHERICAP_SIZE); i++) { + cheri_capability_load(CHERI_CR_CTEMP, + (struct chericap *)src + i); + cheri_capability_store(CHERI_CR_CTEMP, + (struct chericap *)dst + i); + } + intr_restore(s); + return (dst); +} + +/* * Given an existing more privileged capability (fromcrn), build a new * capability in tocrn with the contents of the passed flattened * representation. 
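Review bot: cheri_memcpy() takes `void *src` where a copy routine should take `const void *`; any const caller will need a cast. The alignment and size requirements are enforced only by KASSERT, so a kernel built without INVARIANTS proceeds straight to a misaligned capability load or store; with this few callers a hard check (panic or return NULL) costs nothing. The intr_disable() around the loop is necessary because CHERI_CR_CTEMP is the exception handlers' scratch register and a preemption mid-copy would clobber it; say that in the comment rather than "we're using an exception handling temporary register". Finally, the loop is not overlap-safe, which is fine for a memcpy but worth a one-line note so nobody reaches for it as a memmove.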
@@ -182,38 +218,11 @@ } void -cheri_context_copy(struct cheri_frame *cf_destp, struct cheri_frame *cf_srcp) +cheri_context_copy(struct pcb *dst, struct pcb *src) { - /* XXXRW: Use a capability-aware memcpy here instead. */ - cheri_capability_copy(&cf_destp->cf_c0, &cf_srcp->cf_c0); - cheri_capability_copy(&cf_destp->cf_c1, &cf_srcp->cf_c1); - cheri_capability_copy(&cf_destp->cf_c2, &cf_srcp->cf_c2); - cheri_capability_copy(&cf_destp->cf_c3, &cf_srcp->cf_c3); - cheri_capability_copy(&cf_destp->cf_c4, &cf_srcp->cf_c4); - cheri_capability_copy(&cf_destp->cf_c5, &cf_srcp->cf_c5); - cheri_capability_copy(&cf_destp->cf_c6, &cf_srcp->cf_c6); - cheri_capability_copy(&cf_destp->cf_c7, &cf_srcp->cf_c7); - cheri_capability_copy(&cf_destp->cf_c8, &cf_srcp->cf_c8); - cheri_capability_copy(&cf_destp->cf_c9, &cf_srcp->cf_c9); - cheri_capability_copy(&cf_destp->cf_c10, &cf_srcp->cf_c10); - cheri_capability_copy(&cf_destp->cf_c11, &cf_srcp->cf_c11); - cheri_capability_copy(&cf_destp->cf_c12, &cf_srcp->cf_c12); - cheri_capability_copy(&cf_destp->cf_c13, &cf_srcp->cf_c13); - cheri_capability_copy(&cf_destp->cf_c14, &cf_srcp->cf_c14); - cheri_capability_copy(&cf_destp->cf_c15, &cf_srcp->cf_c15); - cheri_capability_copy(&cf_destp->cf_c16, &cf_srcp->cf_c16); - cheri_capability_copy(&cf_destp->cf_c17, &cf_srcp->cf_c17); - cheri_capability_copy(&cf_destp->cf_c18, &cf_srcp->cf_c18); - cheri_capability_copy(&cf_destp->cf_c19, &cf_srcp->cf_c19); - cheri_capability_copy(&cf_destp->cf_c20, &cf_srcp->cf_c20); - cheri_capability_copy(&cf_destp->cf_c21, &cf_srcp->cf_c21); - cheri_capability_copy(&cf_destp->cf_c22, &cf_srcp->cf_c22); - cheri_capability_copy(&cf_destp->cf_c23, &cf_srcp->cf_c23); - cheri_capability_copy(&cf_destp->cf_rcc, &cf_srcp->cf_rcc); - cheri_capability_copy(&cf_destp->cf_c25, &cf_srcp->cf_c25); - cheri_capability_copy(&cf_destp->cf_idc, &cf_srcp->cf_idc); - cheri_capability_copy(&cf_destp->cf_pcc, &cf_srcp->cf_pcc); + cheri_memcpy(&dst->pcb_cheriframe, &src->pcb_cheriframe, + 
sizeof(dst->pcb_cheriframe)); } void ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#25 (text+ko) ==== @@ -390,6 +390,7 @@ CHERI_CGETLEN((c).c_length, (crn)); \ } while (0) +#ifdef _KERNEL /* * APIs that act on C language representations of capabilities -- but not * capabilities themselves. @@ -402,16 +403,26 @@ void cheri_capability_set_user(struct chericap *cp); void cheri_capability_set_null(struct chericap *cp); -#ifdef _KERNEL +/* + * CHERI capability utility functions. + */ +void *cheri_memcpy(void *dst, void *src, size_t len); + /* - * Kernel-specific CHERI context management functions. + * CHERI context management functions. */ -void cheri_context_copy(struct cheri_frame *cf_destp, - struct cheri_frame *cf_srcp); void cheri_exec_setregs(struct thread *td); void cheri_log_exception(struct trapframe *frame, int trap_type); int cheri_syscall_authorize(struct thread *td, u_int code, int nargs, register_t *args); + +/* + * Functions to set up and manipulate CHERI contexts and stacks. + */ +struct pcb; +void cheri_context_copy(struct pcb *dst, struct pcb *src); +void cheri_stack_copy(struct pcb *dst, struct pcb *src); +void cheri_stack_init(struct pcb *pcb); #endif #endif /* _MIPS_INCLUDE_CHERI_H_ */ ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/mips/pm_machdep.c#7 (text+ko) ==== @@ -497,6 +497,7 @@ #if defined(CPU_CHERI) td->td_frame->sr |= MIPS_SR_COP_2_BIT; cheri_exec_setregs(td); + cheri_stack_init(td->td_pcb); #endif /* * FREEBSD_DEVELOPERS_FIXME: ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/mips/vm_machdep.c#11 (text+ko) ==== @@ -149,10 +149,8 @@ * above, and once here using capabilities. Once bcopy() is * capability-oblivious, we can lose this. */ - cheri_context_copy(&pcb2->pcb_cheriframe, - &td1->td_pcb->pcb_cheriframe); - - /* XXXRW: Trusted stack initialisation here? */ + cheri_context_copy(pcb2, td1->td_pcb); + cheri_stack_copy(pcb2, td1->td_pcb); #endif /* Point mdproc and then copy over td1's contents 
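Review bot: cheri_context_copy() now goes through cheri_memcpy(), which asserts CHERICAP_SIZE alignment of both pcb_cheriframe addresses; that holds only if the field is declared with that alignment and the PCB itself lands on a 32-byte boundary (the PCB sits at the top of the kernel stack, so the stack's page alignment covers the base, but offsetof(struct pcb, pcb_cheriframe) must be a multiple of CHERICAP_SIZE as well). A CTASSERT on that offset next to the struct would turn a latent KASSERT at fork time into a build error. In the vm_machdep.c hunk, the context line "Once bcopy() is capability-oblivious, we can lose this" reads backwards: the copy becomes redundant once bcopy() is capability-aware.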
@@ -432,10 +430,8 @@ * above, and once here using capabilities. Once bcopy() is * capability-oblivious, we can lose this. */ - cheri_context_copy(&pcb2->pcb_cheriframe, - &td0->td_pcb->pcb_cheriframe); - - /* XXXRW: Trusted stack initialisation here? */ + cheri_context_copy(pcb2, td0->td_pcb); + cheri_stack_copy(pcb2, td0->td_pcb); #endif /* From owner-p4-projects@FreeBSD.ORG Sat Oct 5 18:40:27 2013 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id C1E487C2; Sat, 5 Oct 2013 18:40:27 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 6AB387C0 for ; Sat, 5 Oct 2013 18:40:27 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 48BDE2FBF for ; Sat, 5 Oct 2013 18:40:27 +0000 (UTC) Received: from skunkworks.freebsd.org ([127.0.1.74]) by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r95IeRmT046300 for ; Sat, 5 Oct 2013 18:40:27 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r95IePYU046295 for perforce@freebsd.org; Sat, 5 Oct 2013 18:40:25 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sat, 5 Oct 2013 18:40:25 GMT Message-Id: <201310051840.r95IePYU046295@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
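Review bot: this second site copies the parent's trusted stack into the new PCB as well. That is right for cpu_fork(), where the child resumes inside the same CCall nesting as its parent, but if this hunk is in the path that creates a thread starting at a fresh entry point, a copied non-empty trusted stack lets a CReturn in the new thread pop frames it never pushed and land in the creator's PCC/IDC; cheri_stack_init() would be the correct call there. Worth confirming which function the -432 hunk sits in, since the function name is not in the visible context.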
From: Robert Watson Subject: PERFORCE change 971766 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Oct 2013 18:40:28 -0000 http://p4web.freebsd.org/@@971766?ac=10 Change 971766 by rwatson@rwatson_zenith_cl_cam_ac_uk on 2013/10/05 18:40:20 Continue implementation of software CCall/CReturn: - Implement support for per-thread trusted stacks in the CCall/CReturn exception handlers, with tests for overflow/underflow. - Use correct branch instructions when testing code and data-capability seals, target PC. We now get successfully into and out of sandboxes using CCall/CReturn under CheriBSD, but there remains only limited error handling. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/ccall.S#9 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri_stack.c#2 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#26 edit .. //depot/projects/ctsrd/cheribsd/src/sys/mips/mips/genassym.c#7 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/ccall.S#9 (text+ko) ==== @@ -107,10 +107,6 @@ * XXXRW: Lots of non-done checking -- e.g., types, protection bits, etc. We * need a C error-handling path. * - * XXXRW: Temporarily, store a one-entry trusted stack in a global. k1 should - * eventually point to the next entry in td->td_pcb.pcb_cheristack, with an - * overflow check. - * * XXXRW: We'd like a CSetCause so that we can jump to the general CP2 * exception handler from here after setting its state appropriately. * 
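Review bot: the hunk removes the one-entry-global comment but leaves "XXXRW: Lots of non-done checking -- e.g., types, protection bits, etc." directly above, which is now wrong: the handler checks tags, seals, otype equality, code-capability permissions and the entry-point range (change 931386). Reword it to list what is actually still missing (the data capability's permissions, a real fault path on failure) or drop it.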
@@ -129,11 +125,11 @@ /* Second, check for the sealed bit on both arguments. */ cgetunsealed k0, CHERI_REG_CCALLCODE - beqz k0, CCall_c1_unsealed + bnez k0, CCall_c1_unsealed nop cgetunsealed k0, CHERI_REG_CCALLDATA - beqz k0, CCall_c2_unsealed + bnez k0, CCall_c2_unsealed nop /* Third, check for type equality. */ @@ -146,14 +142,14 @@ cgetperm k0, CHERI_REG_CCALLCODE REG_LI k1, CHERI_PERM_SEAL | CHERI_PERM_EXECUTE and k0, k0, k1 - beq k0, k1, CCall_c1_perms + bne k0, k1, CCall_c1_perms nop /* Fifth, check proposed PC is not lower than base. */ cgetbase k0, CHERI_REG_CCALLCODE cgettype k1, CHERI_REG_CCALLCODE sltu k1, k1, k0 - bne k1, zero, CCall_c1_range + bnez k1, CCall_c1_range nop /* 
@@ -170,22 +166,43 @@ PTR_SUBIU k0, 4 cgettype k1, CHERI_REG_CCALLCODE sltu k1, k1, k0 - bne k1, zero, CCall_c1_range + bnez k1, CCall_c1_range + nop + + /* + * Now prepare to push IDC, PCC, PC+4 onto the trusted stack. Begin + * by retrieving the current PCB pointer to reach the trusted stack. + */ + GET_CPU_PCPU(k1) + PTR_L k1, PC_CURPCB(k1) + + /* Retrieve current trusted stack pointer. */ + PTR_L k0, U_PCB_CHERISTACK_SP(k1) + + /* If at bottom (byte offset 0), then overflow. */ + beqz k0, CCall_stack_overflow nop - /* XXXRW: Change to PCB reference in the future. */ - PTR_LA k1, cheri_tsc_hack + /* Decrement stack pointer. */ + PTR_SUBIU k0, k0, CHERI_FRAME_SIZE + + /* Write back stack pointer. */ + PTR_S k0, U_PCB_CHERISTACK_SP(k1) + + /* Convert stack-relative offset to global pointer. */ + PTR_ADDU k0, k1, k0 /* Add PCB pointer. */ + PTR_ADDIU k0, k0, U_PCB_CHERISTACK_FRAMES /* Add PCB offset. */ /* Push IDC. */ - csc CHERI_REG_IDC, k1, U_CHERI_STACK_IDC(CHERI_REG_KDC) + csc CHERI_REG_IDC, k0, CHERI_STACKFRAME_IDC(CHERI_REG_KDC) /* Push PCC. */ - csc CHERI_REG_EPCC, k1, U_CHERI_STACK_PCC(CHERI_REG_KDC) + csc CHERI_REG_EPCC, k0, CHERI_STACKFRAME_PCC(CHERI_REG_KDC) - /* Push PC + 4 */ - MFC0 k0, MIPS_COP_0_EXC_PC - PTR_ADDU k0, k0, 4 - csd k0, k1, U_CHERI_STACK_PC(CHERI_REG_KDC) + /* Push PC + 4; k1 is overwritten, so no longer PCB pointer. */ + MFC0 k1, MIPS_COP_0_EXC_PC + PTR_ADDU k1, k1, 4 + csd k1, k0, CHERI_STACKFRAME_PC(CHERI_REG_KDC) /* * Temporarily set KDC type to allow unsealing. @@ -201,7 +218,7 @@ /* Unseal cb; install in IDC. */ cunseal CHERI_REG_IDC, CHERI_REG_CCALLDATA, CHERI_REG_KDC - /* Installe cs.otype - cs.base into PC; note clobbers k1. */ + /* Installe cs.otype. */ cgettype k0, CHERI_REG_CCALLCODE cgetbase k1, CHERI_REG_CCALLCODE dsub k0, k0, k1 @@ -226,6 +243,7 @@ CCall_c1_c2_type_mismatch: CCall_c1_perms: CCall_c1_range: +CCall_stack_overflow: /* XXXRW: For now, treat as a NOP. */ MFC0 k0, MIPS_COP_0_EXC_PC PTR_ADDIU k0, 4 
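Review bot: the sixth check is still inverted after this hunk: with k0 = base + length - 4 and k1 = otype, `sltu k1, k1, k0` / `bnez k1, CCall_c1_range` branches to the range error when otype is below the limit, i.e. for every entry point except the segment's last instruction, and lets otype above the limit through; this change only swaps the branch mnemonic. Swap the operands (`sltu k1, k0, k1`) so the branch fires only for otype > limit. Two smaller points in the push sequence: the decremented stack pointer is stored back to U_PCB_CHERISTACK_SP before the frame is written, which is only safe because nothing between that store and the three pushes can fault, and deserves a comment saying so; and the rewritten comment "Installe cs.otype." (sic) is less accurate than the one it replaced, since the code still computes otype - base (`dsub k0, k0, k1`) and installs the offset, not the otype.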
@@ -243,10 +261,6 @@ * XXXRW: Lots of non-done checking -- e.g., types, protection bits, etc. We * need a C error handling path. * - * XXXRW: Temporarily, store a one-entry trusted stack in a global. k1 should - * eventually point to the next entry in td->td_pcb.pcb_cheristack, with an - * underflow check. - * * XXXRW: We'd like a CSetCause so that we can jump to the general CP2 * exception handler from here after setting its state appropriately. * 
@@ -258,24 +272,46 @@ .set push .set noat - /* XXXRW: Change to PCB reference in the future. */ - PTR_LA k1, cheri_tsc_hack + /* Retrieve current PCB pointer. */ + GET_CPU_PCPU(k1) + PTR_L k1, PC_CURPCB(k1) + + /* + * The only currently defined check in CReturn is stack underflow; + * perform that check. + */ + PTR_L k0, U_PCB_CHERISTACK_SP(k1) + sltiu k0, CHERI_STACK_SIZE + beqz k0, CReturn_stack_underflow + nop + + /* Reload stack pointer. */ + PTR_L k0, U_PCB_CHERISTACK_SP(k1) + + /* Convert stack-relative offset to global pointer. */ + PTR_ADDU k0, k1, k0 /* Add PCB pointer. */ + PTR_ADDIU k0, k0, U_PCB_CHERISTACK_FRAMES /* Add PCB offset. */ /* Pop IDC. */ - clc CHERI_REG_IDC, k1, U_CHERI_STACK_IDC(CHERI_REG_KDC) + clc CHERI_REG_IDC, k0, CHERI_STACKFRAME_IDC(CHERI_REG_KDC) /* Pop PCC. */ - clc CHERI_REG_EPCC, k1, U_CHERI_STACK_PCC(CHERI_REG_KDC) + clc CHERI_REG_EPCC, k0, CHERI_STACKFRAME_PCC(CHERI_REG_KDC) - /* Pop PC + padding; +4 increment already done. */ - cld k0, k1, U_CHERI_STACK_PC(CHERI_REG_KDC) + /* Pop PC + padding; +4 already done; toasts k0; k1 still PCB. */ + cld k0, k0, CHERI_STACKFRAME_PC(CHERI_REG_KDC) MTC0 k0, MIPS_COP_0_EXC_PC COP0_SYNC + /* Update stack pointer. */ + PTR_L k0, U_PCB_CHERISTACK_SP(k1) + PTR_ADDIU k0, CHERI_FRAME_SIZE + PTR_S k0, U_PCB_CHERISTACK_SP(k1) + CHERI_EXCEPTION_RETURN(k0) eret -CReturn_error: +CReturn_stack_underflow: /* XXXRW: For now, treat as a NOP. */ MFC0 k0, MIPS_COP_0_EXC_PC PTR_ADDIU k0, 4 ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri_stack.c#2 (text+ko) ==== @@ -82,7 +82,7 @@ { bzero(&pcb->pcb_cheristack, sizeof(pcb->pcb_cheristack)); - pcb->pcb_cheristack.cs_max = CHERI_STACK_DEPTH; + pcb->pcb_cheristack.cs_sp = CHERI_STACK_SIZE; } /* ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#26 (text+ko) ==== 
@@ -120,13 +120,16 @@ #define CHERI_STACK_DEPTH 2 /* XXXRW: 2 is a nice round number. */ struct cheri_stack { - u_int cs_max; /* Maximum frame depth. */ - u_int cs_pointer; /* Current frame index. */ + register_t cs_sp; /* Byte offset, not frame index. */ register_t _cs_pad0; register_t _cs_pad1; register_t _cs_pad2; + register_t _cs_pad3; struct cheri_stack_frame cs_frames[CHERI_STACK_DEPTH]; } __aligned(CHERICAP_SIZE); + +#define CHERI_FRAME_SIZE sizeof(struct cheri_stack_frame) +#define CHERI_STACK_SIZE (CHERI_STACK_DEPTH * CHERI_FRAME_SIZE) #endif /* ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/mips/genassym.c#7 (text+ko) ==== @@ -106,10 +106,14 @@ ASSYM(MIPS_XKSEG_START, MIPS_XKSEG_START); #ifdef CPU_CHERI -ASSYM(U_PCB_CHERIFRAME, offsetof(struct pcb, pcb_cheriframe.cf_c0)); -ASSYM(U_CHERI_STACK_PC, offsetof(struct cheri_stack_frame, csf_pc)); -ASSYM(U_CHERI_STACK_PCC, offsetof(struct cheri_stack_frame, csf_pcc)); -ASSYM(U_CHERI_STACK_IDC, offsetof(struct cheri_stack_frame, csf_idc)); +ASSYM(CHERI_FRAME_SIZE, sizeof(struct cheri_stack_frame) * CHERI_STACK_DEPTH); +ASSYM(CHERI_STACK_SIZE, sizeof(struct cheri_stack_frame)); +ASSYM(U_PCB_CHERIFRAME, offsetof(struct pcb, pcb_cheriframe)); +ASSYM(U_PCB_CHERISTACK_SP, offsetof(struct pcb, pcb_cheristack.cs_sp)); +ASSYM(U_PCB_CHERISTACK_FRAMES, offsetof(struct pcb, pcb_cheristack.cs_frames)); +ASSYM(CHERI_STACKFRAME_PC, offsetof(struct cheri_stack_frame, csf_pc)); +ASSYM(CHERI_STACKFRAME_PCC, offsetof(struct cheri_stack_frame, csf_pcc)); +ASSYM(CHERI_STACKFRAME_IDC, offsetof(struct cheri_stack_frame, csf_idc)); #endif #ifdef CPU_CNMIPS
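Review bot: In the genassym.c hunk the two new size symbols are swapped relative to the cheri.h definitions in the same change: `ASSYM(CHERI_FRAME_SIZE, sizeof(struct cheri_stack_frame) * CHERI_STACK_DEPTH);` exports the whole-stack size under the frame name and `ASSYM(CHERI_STACK_SIZE, sizeof(struct cheri_stack_frame));` exports a single frame under the stack name, while cheri.h defines CHERI_FRAME_SIZE as one frame and CHERI_STACK_SIZE as CHERI_STACK_DEPTH frames. Because cheri_stack.c initialises cs_sp with the C header's CHERI_STACK_SIZE (two frames) but ccall.S decrements by the assembly CHERI_FRAME_SIZE (also two frames), the first CCall lands cs_sp on 0 and any nested CCall takes the CCall_stack_overflow path, and CReturn's `sltiu k0, CHERI_STACK_SIZE` compares against a single frame rather than the full stack. Swap the two values so that both definitions agree: `ASSYM(CHERI_FRAME_SIZE, sizeof(struct cheri_stack_frame));` and `ASSYM(CHERI_STACK_SIZE, sizeof(struct cheri_stack_frame) * CHERI_STACK_DEPTH);`.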
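Review bot: In the CCall push hunk of ccall.S the rewritten comment `/* Installe cs.otype. */` keeps the "Installe" typo and now under-describes the code that follows it, which still subtracts the base (`cgettype k0`, `cgetbase k1`, `dsub k0, k0, k1`) before installing the result as the new PC; the old text "cs.otype - cs.base into PC" was the accurate description. Suggest `/* Install cs.otype - cs.base into PC; clobbers k0 and k1. */`, since k1 was the PCB pointer until the PC+4 push and nothing after this point may rely on it.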
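Review bot: In the CReturn hunk the underflow check `sltiu k0, CHERI_STACK_SIZE` depends on CHERI_STACK_SIZE fitting a 16-bit sign-extended immediate; that holds for the current two-frame stack, but nothing in the patch pins it, and a larger CHERI_STACK_DEPTH would silently turn the comparison into a compare against a negative (huge unsigned) value and disable the check. A compile-time assertion next to the new macros in cheri.h (for example a CTASSERT that CHERI_STACK_SIZE is below 0x8000) would make that limit explicit. The check itself is sound: it rejects cs_sp >= CHERI_STACK_SIZE, so a corrupted pointer above the top of the stack is caught as well as the empty-stack case.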
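Review bot: In the first ccall.S hunk the flipped branches (`bnez k0, CCall_c1_unsealed`, `bnez k0, CCall_c2_unsealed`, `bne k0, k1, CCall_c1_perms`) are the right fix since cgetunsealed yields nonzero for an unsealed capability and the masked permission word must equal the full CHERI_PERM_SEAL | CHERI_PERM_EXECUTE mask, but the commit description only mentions the daddiu macro and the csc/clc change; the inverted-branch fix is the security-relevant part of this change (the old code accepted exactly the capabilities the checks were meant to reject) and deserves a line in the description. The new CCall_stack_overflow and CReturn_stack_underflow labels fall through to the same XXXRW NOP path as the other failed checks, so the overflow and underflow conditions are detected but not yet enforced; worth keeping on the XXXRW list until the C error path exists.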