September 2022 - linux-morello - op-lists.linaro.org

[RFC PATCH 0/9] New CHERI API and rehauled user_ptr.h

by Kevin Brodsky

Hi, I am posting this series now to gather some opinions (notably in terms of naming) before I proceed further. The main focus is the introduction of two new user_ptr helpers: make_privileged_user_ptr() to create fine-grained user pointers (appropriate bounds and permissions), and check_user_ptr() to check user pointers. This does however require more involved CHERI operations than what we've used so far, and as a result it felt like the right time to introduce a new header with various CHERI-related definitions. This new cheri.h header should be included in new code instead of the compiler-provided cheriintrin.h, notably because it is safe to include it unconditionally. linux/cheri.h is also a great place to introduce appropriate (CHERI-generic) root capabilities, which is another focus of this series. This makes it possible to have generic implementations of uaddr_to_user_ptr*() and get rid of asm/user_ptr.h. The introduction of a root userspace capability with appropriate bounds and permissions is the only functional change from a userspace perspective: many capabilities given to userspace will now have bounds encompassing only the user address space and permissions corresponding to what is expected of an RWX capability in PCuABI. This work is to be continued by replacing most uses of morello_root_cap with cheri_root_cap_userspace (either in v2 or in a separate series). On a similar theme, compat_ptr() should be modified to derive capabilities from the current user DDC, and the new seal/CID root capabilities should be used in binfmt_elf.c. This would complete the transition to appropriate root capabilities. Back to the two new user_ptr helpers, make_privileged_user_ptr() is meant to replace uaddr_to_user_ptr_safe() and the latter should eventually disappear. This probably belongs to a different patch series, however the last patch provides an example of such a change. This work should probably wait until we start accessing user memory through capabilities in uaccess, as right now the capability metadata is not used anyway. Note that calls to uaddr_to_user_ptr() are workarounds in themselves and should all be eliminated eventually, so they are not considered here. Regarding check_user_ptr(), there is no immediate need for it - it will become relevant to implement explicit checking of user pointers (when get_user_pages() and friends are used). Finally the user_ptr.rst documentation needs to be updated to reflect the new helpers, this is to be done in v2. This series depends on Beata's handy printk patch for the warning messages. It was lightly tested and should be mostly fine, however note that compat_ptr() currently triggers warnings because it is implemented in terms of uaddr_to_user_ptr_safe() and compat_ptr() may be passed arbitrary integers. This will be fixed in v2 by appropriately deriving capabilities from DDC as mentioned above. Review branch: https://git.morello-project.org/kbrodsky-arm/linux/-/commits/cheri_ptr_api Thanks, Kevin Kevin Brodsky (9): linux/user_ptr.h: Remove kaddr_to_user_ptr() linux/user_ptr.h: Improve comment formatting arm64: uapi: Add asm/cheri.h linux/cheri.h: Introduce CHERI helpers arm64: morello: Implement cheri.h linux/user_ptr.h: Generic PCuABI impl for uaddr_to_user_ptr* arm64: Remove asm/user_ptr.h linux/user_ptr.h: Introduce fine-grained helpers mm/memory: Create fine-grained user pointer Documentation/core-api/user_ptr.rst | 8 -- arch/Kconfig | 2 +- arch/arm64/Kconfig | 2 +- arch/arm64/include/asm/cheri.h | 14 ++++ arch/arm64/include/asm/user_ptr.h | 43 ---------- arch/arm64/include/uapi/asm/cheri.h | 7 ++ arch/arm64/kernel/morello.c | 39 +++++++-- include/linux/cheri.h | 122 ++++++++++++++++++++++++++++ include/linux/user_ptr.h | 113 +++++++++++++++++++------- lib/Makefile | 3 + lib/cheri.c | 67 +++++++++++++++ lib/user_ptr.c | 62 ++++++++++++++ mm/memory.c | 3 +- 13 files changed, 392 insertions(+), 93 deletions(-) create mode 100644 arch/arm64/include/asm/cheri.h delete mode 100644 arch/arm64/include/asm/user_ptr.h create mode 100644 arch/arm64/include/uapi/asm/cheri.h create mode 100644 include/linux/cheri.h create mode 100644 lib/cheri.c create mode 100644 lib/user_ptr.c -- 2.34.1

2 years

7
54
0 0

Introduction on the "Linux on Morello Project"

by Vincenzo Frascino

Hi Arnd, I spoke to Linus (in Cc) on Friday and I thought it was a good idea to give to you an update on what we are doing as part of the linux on Morello project. We originally started with the basic enablement of the feature almost two year ago and then proceeded enabling the userspace support as part of the research project. To do so we went through the exercise of defining a Pure Capability based user Application Binary Interface (PCuABI) [1]. This ABI is still in review and we are hoping to finalize it by the end of October 2022. To get started with our implementation we identified a more stable subset of the full PCuABI which we call transitional PCuABI [2] and made sure it can work with the most commonly used C libraries (musl, glibc). The full PCuABI can be seen as an extension of the Transitional PCuABI. Recently we opened our implementation of the transitional PCuABI for external contributions [3]. We setup a mailing list as well for reviews and general discussions around Morello [4] and have a public task tracker that details what we are planning to do next [5]. Last but not least we have a public CI that verifies our implementation (currently based on kselftest and ltp but we are planning to extend it to more test suites in future) [6]. In reading our code, please consider that to enable userspace "quickly" we had to take some shortcuts of which we are aware. Because of that we feel that this is the right moment to start discussing design choices with the wider linux community especially after Matt's (in Cc) presentation at LPC ("Zettalinux: It's Not Too Late To Start") which made us realize that in the near future we will have to solve similar kind of problems. We consider in fact problems like the distinction in between an address and a pointer foundational work for a pure capability kernel. Caveat: Morello is not a committed architecture and the arm64 maintainers are not keen on supporting it upstream before that happens. I hope this email provides an helpful introduction on where we are and what we are doing. Please feel free to ask any question and to subscribe to the list if you want to follow the work we are doing. Thanks, Vincenzo [1] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-M… [3] https://git.morello-project.org/morello/kernel/linux [4] https://op-lists.linaro.org/mailman3/lists/linux-morello.op-lists.linaro.or… [5] https://git.morello-project.org/groups/morello/kernel/-/epics?state=opened&… [6] https://git.morello-project.org/morello/kernel/linux/-/pipelines

2 years

3
6
0 0

[PATCH] arm64: entry-ftrace.S: Fix build when CONFIG_ARM64_MORELLO=y

by Kevin Brodsky

When Morello support is enabled, the size of struct pt_regs increases drastically (to make space for capability registers). As a result, PT_REGS_SIZE can unfortunately no longer be used as an immediate for LDP/STP. Use an explicit ADD instead. This fixes the build when CONFIG_ARM64_MORELLO and CONFIG_FUNCTION_TRACER are both selected. Reported-by: Ruben Ayrapetyan <ruben.ayrapetyan(a)arm.com> Signed-off-by: Kevin Brodsky <kevin.brodsky(a)arm.com> --- arch/arm64/kernel/entry-ftrace.S | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S index e535480a4069..66f75e2b2637 100644 --- a/arch/arm64/kernel/entry-ftrace.S +++ b/arch/arm64/kernel/entry-ftrace.S @@ -68,8 +68,9 @@ str x30, [sp, #S_PC] /* Create a frame record for the callsite above pt_regs */ - stp x29, x9, [sp, #PT_REGS_SIZE] - add x29, sp, #PT_REGS_SIZE + add x10, sp, #PT_REGS_SIZE + stp x29, x9, [x10] + mov x29, x10 /* Create our frame record within pt_regs. */ stp x29, x30, [sp, #S_STACKFRAME] -- 2.34.1

2 years, 1 month

3
5
0 0

[PATCH v3 0/4] Fixes for shm syscalls in compat64

by Teo Couprie Diaz

This patch series fixes shmctl, shmat and structs they use for compat64. Update the arm64/Kconfig as we only use ipc_parse_version in compat32. You can also find the patches at https://git.morello-project.org/Teo-CD/linux/-/tree/review/teo/shm-compat --- v1: Initial shmctl patch v2: Split patch between generic and arm64, shmat fix and Kconfig update v3: Small nits Teo Couprie Diaz (4): ipc/shm: Adapt shmctl for compat64 arm64: compat: Fix structs for compat64 arm64: compat: Only use legacy SHMLBA in compat32 arm64: Kconfig: ipc_parse_version depends on COMPAT32 arch/arm64/Kconfig | 2 +- arch/arm64/include/asm/compat.h | 10 ++++++++++ arch/arm64/include/asm/shmparam.h | 2 ++ ipc/shm.c | 8 ++++++++ 4 files changed, 21 insertions(+), 1 deletion(-) -- 2.25.1

2 years, 1 month

2
5
0 0

[PATCH] arm64: morello: Enable ANON_VMA_NAME in transitional defconfig

by Kevin Brodsky

This option is useful for Android (some Bionic tests rely on it). Signed-off-by: Kevin Brodsky <kevin.brodsky(a)arm.com> --- arch/arm64/configs/morello_transitional_pcuabi_defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index d8365d9a916d..a6964b160b1c 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -61,6 +61,7 @@ CONFIG_KSM=y CONFIG_MEMORY_FAILURE=y CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_CMA=y +CONFIG_ANON_VMA_NAME=y CONFIG_NET=y CONFIG_PACKET=y CONFIG_UNIX=y -- 2.34.1

2 years, 1 month

1
1
0 0

[PATCH 0/3] Modify semctl/msgctl for compat64

by Amit Daniel Kachhap

Hi, This series adapts semctl/msgctl for compat64. This depends on Teo's work on shmctl. These patches can also be found on this location [1]. Thanks, Amit [1]: https://git.morello-project.org/amitdaniel/linux.git review/semctl_msgctl_v1 Amit Daniel Kachhap (3): ipc/sem: Adapt semctl syscall for compat64 ipc/msg: Adapt msgctl syscall for compat64 arm64: compat: Fix structs compat_semid64_ds/compat_msqid64_ds arch/arm64/include/asm/compat.h | 11 +++++++++++ ipc/msg.c | 6 ++++++ ipc/sem.c | 9 +++++++-- 3 files changed, 24 insertions(+), 2 deletions(-) -- 2.17.1

2 years, 1 month

4
8
0 0

[PATCH v2 1/4] ipc/shm: Adapt shmctl for compat64

by Teo Couprie Diaz

Update copy_compat_shmid_to_user to support compat_shmid64_ds that doesn't split 64-bit values. Don't limit shmmax to INT_MAX when in compat64. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- ipc/shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ipc/shm.c b/ipc/shm.c index 6d929205bc41..679d898373bf 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -1336,8 +1336,10 @@ struct compat_shm_info { static int copy_compat_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version) { +#ifdef CONFIG_COMPAT32 if (in->shmmax > INT_MAX) in->shmmax = INT_MAX; +#endif if (version == IPC_64) { struct compat_shminfo64 info; memset(&info, 0, sizeof(info)); @@ -1381,12 +1383,18 @@ static int copy_compat_shmid_to_user(void __user *buf, struct shmid64_ds *in, struct compat_shmid64_ds v; memset(&v, 0, sizeof(v)); to_compat_ipc64_perm(&v.shm_perm, &in->shm_perm); +#ifdef CONFIG_COMPAT64 + v.shm_atime = in->shm_atime; + v.shm_dtime = in->shm_dtime; + v.shm_ctime = in->shm_ctime; +#else v.shm_atime = lower_32_bits(in->shm_atime); v.shm_atime_high = upper_32_bits(in->shm_atime); v.shm_dtime = lower_32_bits(in->shm_dtime); v.shm_dtime_high = upper_32_bits(in->shm_dtime); v.shm_ctime = lower_32_bits(in->shm_ctime); v.shm_ctime_high = upper_32_bits(in->shm_ctime); +#endif v.shm_segsz = in->shm_segsz; v.shm_nattch = in->shm_nattch; v.shm_cpid = in->shm_cpid; -- 2.25.1

2 years, 1 month

2
2
0 0

[PATCH] arm64: morello: Enable basic 9P FS support in transitional defconfig

by Beata Michalska

Enable basic support for 9P FS over virtio transport to support sharing host files w/ guests. Signed-off-by: Beata Michalska <beata.michalska(a)arm.com> --- Verified with model '-C bp.virtiop9device.root_path' switch. Sanity boot on the board only. arch/arm64/configs/morello_transitional_pcuabi_defconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig index d8365d9a916d..d3cdfc6abc3b 100644 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -80,6 +80,8 @@ CONFIG_IP_NF_FILTER=y CONFIG_IP_NF_NAT=y CONFIG_IP_NF_TARGET_MASQUERADE=y CONFIG_BRIDGE=y +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y CONFIG_PCI=y CONFIG_PCI_HOST_GENERIC=y CONFIG_DEVTMPFS=y @@ -128,6 +130,7 @@ CONFIG_TMPFS=y CONFIG_HUGETLBFS=y CONFIG_CONFIGFS_FS=y # CONFIG_EFIVAR_FS is not set +CONFIG_9P_FS=y CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y CONFIG_KEYS=y -- 2.25.1

2 years, 1 month

2
1
0 0

[PATCH v2 4/4] arm64: Kconfig: ipc_parse_version depends on COMPAT32

by Teo Couprie Diaz

ipc_parse_version is not used in 64-bit, only when in 32-bit compat. Change ARCH_WANT_COMPAT_IPC_PARSE_VERSION to be selected in COMPAT32 only. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- arch/arm64/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index d402721ccad0..c784d8664a40 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -92,7 +92,7 @@ config ARM64 select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 select ARCH_SUPPORTS_NUMA_BALANCING - select ARCH_WANT_COMPAT_IPC_PARSE_VERSION if COMPAT + select ARCH_WANT_COMPAT_IPC_PARSE_VERSION if COMPAT32 select ARCH_WANT_DEFAULT_BPF_JIT select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT select ARCH_WANT_FRAME_POINTERS -- 2.25.1

2 years, 1 month

3
4
0 0

[PATCH v2 3/4] arm64: compat: Only use legacy SHMLBA in compat32

by Teo Couprie Diaz

On arm64 compat uses a 16k legacy alignment for shmat rather than the page size. Only set it when in compat32. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- arch/arm64/include/asm/shmparam.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/include/asm/shmparam.h b/arch/arm64/include/asm/shmparam.h index f920e22ec677..804de90c7931 100644 --- a/arch/arm64/include/asm/shmparam.h +++ b/arch/arm64/include/asm/shmparam.h @@ -10,7 +10,9 @@ * alignment value. Since we don't have aliasing D-caches, the rest of * the time we can safely use PAGE_SIZE. */ +#ifdef CONFIG_COMPAT32 #define COMPAT_SHMLBA (4 * PAGE_SIZE) +#endif #include <asm-generic/shmparam.h> -- 2.25.1

2 years, 1 month

2
2
0 0

2024

2023

2022

linux-morello September 2022