- linux-morello - op-lists.linaro.org

[PATCH RFC v2 00/19] Introduce mm reservation interface for PCuABI

by Amit Daniel Kachhap

Hi All, This patch series introduces the mm reservation interface to manage the owning capability of the allocated addresses. As compared to the RFC v1, this series adds reservation details in the VMA structure. Looking for feedback regarding interface names, interface directory structure etc. Patch [1-11] manages capability bounds via reservation interface. Patch [12-19] adds support for managing capability permissions. Details about several rules implemented can be found in PCuABI spec here [1]. Changes in RFC v2: 1) Removed separate maple tree structures for the reservation interface and modified the vma structure to add the reservation details. As most of the mmap/munmap operations happen per-vma so this reduced the code churnings. However this approach will increase time-complexity of syscalls which operate across vma's such as mlock, madvise etc. get_unmapped_area() which generated free unmapped virtual address may now need more iterations. 2) Added Cheri base representability and length representability modifications. Now get_unmapped_area() will generate CHERI representable addresses. 3) Added new PCuABI changes for mincore() syscall. 4) Added changes for compat64. Future works: 1) Users of vm_mmap/vm_munmap() i.e. filesystems, loaders, kexec etc to be modified to preserve capability addresses. 2) Cover remaining memory addressing syscalls. Testing: 1) All tests by Chaitanya in v4 selftests [2] passes. 2) Purecap/Compat Busybox boot passes after adding [WIP] patches present in [3]. The whole series can be found here [3]. [1]: https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [2]: https://git.morello-project.org/chaitanya_prakash/linux.git review/purecap_mmap_testcases [3]: https://git.morello-project.org/amitdaniel/linux.git review/purecap_mm_reservation_v2 Thanks, Amit Daniel Amit Daniel Kachhap (19): uapi: errno.h: Introduce PCuABI memory reservation error arm64: morello: Add VM_PCUABI_RESERVE flags mm: Add capability reservation interfaces in vma for PCuABI mm/cap_addr_mgmt: Add capability bound helpers for PCuABI mm/mmap: Modify unmapped address space management code for PCuABI mm/mmap: Use the PCuABI reservations in mmap/munmap mm/mremap: Add the PCuABI reservation interfaces mm/mprotect: Add the PCuABI reservation interfaces mm/madvise: Add the PCuABI reservation interfaces mm/mlock: Add the PCuABI reservation interfaces mm/msync: Add the PCuABI reservation interfaces uapi: mman-common.h: Macros for maximum capability permissions mm/cap_addr_mgmt: Add capability permission helpers for PCuABI mm/cap_addr_mgmt: Reduce the maximum protection check impact mm/mmap: Disable MAP_GROWSDOWN mapping flag for PCuABI mm/mmap: Add capability permission constraints for PCuABI mm/mremap: Add capability permission constraints for PCuABI mm/mprotect: Add capability permission constraints for PCuABI mm/mincore: Add capability constraints for PCuABI arch/arm64/include/asm/cap_addr_mgmt.h | 22 ++ include/linux/cap_addr_mgmt.h | 168 +++++++++++++ include/linux/cheri.h | 3 + include/linux/mm.h | 29 ++- include/linux/mm_types.h | 5 + include/uapi/asm-generic/errno.h | 2 + include/uapi/asm-generic/mman-common.h | 6 + io_uring/advise.c | 2 +- mm/Makefile | 2 +- mm/cap_addr_mgmt.c | 314 +++++++++++++++++++++++++ mm/damon/vaddr.c | 2 +- mm/madvise.c | 27 ++- mm/mincore.c | 46 +++- mm/mlock.c | 38 ++- mm/mmap.c | 182 ++++++++++++-- mm/mprotect.c | 21 +- mm/mremap.c | 109 +++++++-- mm/msync.c | 15 +- mm/util.c | 10 +- 19 files changed, 919 insertions(+), 84 deletions(-) create mode 100644 arch/arm64/include/asm/cap_addr_mgmt.h create mode 100644 include/linux/cap_addr_mgmt.h create mode 100644 mm/cap_addr_mgmt.c -- 2.25.1

5 months

2
32
0 0

[PATCH] uaccess_testing: Testing of capability enforcement in uaccess

by Akram Ahmad

Add tests for capability enforcement via the standard copy routines (copy_{to, from}_user, {get, put}_user), futex operations and the explicit uaccess checks used in iov_iter via readv and writev. Signed-off-by: Akram Ahmad <Akram.Ahmad(a)arm.com> --- Hi everyone, This patch extends kselftests with tests for various uaccess routines. Broadly speaking, this tests the standard uaccess routines, futex operations, and iov_iter (the latter is implemented by testing readv and writev syscalls). The tests currently examine the effects of passing a capability with a cleared tag, invalid permissions, and an invalid base address offset. These are tested separately from one another, and I would especially appreciate any comments on how this could be improved if needed (particularly on the futex test). Thank you and happy holidays! Akram [1] The branch for this patch: https://git.morello-project.org/arkamnite/linux/-/commits/morello%2Fuaccess [2] The issue ticket for this patch: https://git.morello-project.org/morello/kernel/linux/-/issues/58 tools/testing/selftests/Makefile | 1 + .../testing/selftests/arm64/morello/Makefile | 2 +- .../testing/selftests/arm64/morello/uaccess.c | 491 ++++++++++++++++++ 3 files changed, 493 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/arm64/morello/uaccess.c diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 90a62cf75008..82abe4ddbb29 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -86,6 +86,7 @@ TARGETS += timers endif TARGETS += tmpfs TARGETS += tpm2 +TARGETS += uaccess TARGETS += user TARGETS += vDSO TARGETS += mm diff --git a/tools/testing/selftests/arm64/morello/Makefile b/tools/testing/selftests/arm64/morello/Makefile index ecfa6fc5e989..7b794d3e436c 100644 --- a/tools/testing/selftests/arm64/morello/Makefile +++ b/tools/testing/selftests/arm64/morello/Makefile @@ -17,7 +17,7 @@ CFLAGS += $(CLANG_FLAGS) $(CFLAGS_PURECAP) $(CFLAGS_COMMON) LDFLAGS += $(CLANG_LDFLAGS) $(CLANG_FLAGS) -nostdlib -static SRCS := $(wildcard *.c) $(wildcard *.S) -PROGS := bootstrap clone exit mmap read_write sched signal +PROGS := bootstrap clone exit mmap read_write sched signal uaccess DEPS := $(wildcard *.h) # these are the final executables diff --git a/tools/testing/selftests/arm64/morello/uaccess.c b/tools/testing/selftests/arm64/morello/uaccess.c new file mode 100644 index 000000000000..66d93137b819 --- /dev/null +++ b/tools/testing/selftests/arm64/morello/uaccess.c @@ -0,0 +1,491 @@ +// SPDX-License-Identifier: GPL-2.0 +// Copyright (C) 2023 Arm Limited + +#include <stdint.h> +#include <stddef.h> +#include <stdbool.h> + +#include <asm/fcntl.h> +#include <asm-generic/errno-base.h> +#include <cheriintrin.h> +#include <linux/fs.h> +#include <linux/futex.h> +#include <linux/mman.h> +#include <linux/sysinfo.h> +#include <linux/socket.h> +#include <linux/time.h> +#include <linux/uio.h> + +#include "freestanding.h" + +#define FILE_PERM 0666 +#define MSG_LEN 16 +#define NR_FUTEXES 2 + +static struct futex_waitv waitv[NR_FUTEXES]; +uint32_t futexes[NR_FUTEXES] = {1}; + +static const char file[] = "/my_file.txt"; +static int fd; +static int my_socket; + +static int open_file(void) +{ + return syscall(__NR_openat, 0, file, O_RDWR | O_CREAT, 0666); +} + +static int close_file(int __fd) +{ + return syscall(__NR_close, __fd); +} + +static __always_inline +void copy_to_user1(void) +{ + int result; + struct sysinfo my_sysinfo; + struct sysinfo *p_si = &my_sysinfo; + struct sysinfo my_sysinfo2; + struct sysinfo *p_si2 = &my_sysinfo2 + 10 * sizeof(struct sysinfo); + + result = syscall(__NR_sysinfo, p_si); + TH_LOG("%s: sysinfo with valid capability", __func__); + ASSERT_EQ(result, 0); + + TH_LOG("%s: sysinfo with invalid capability offset", __func__); + result = syscall(__NR_sysinfo, p_si2); + ASSERT_EQ(result, -EFAULT); +} + +static __always_inline +void copy_to_user2(void) +{ + int result; + struct sysinfo my_sysinfo; + struct sysinfo *cap = &my_sysinfo; + + TH_LOG("%s: sysinfo with cleared capability tag", __func__); + cap = (struct sysinfo *)cheri_tag_clear(cap); + result = syscall(__NR_sysinfo, cap); + ASSERT_EQ(result, -EFAULT); +} + +static __always_inline +void copy_to_user3(void) +{ + int result; + struct sysinfo my_sysinfo; + struct sysinfo *cap = &my_sysinfo; + + TH_LOG("%s: sysinfo with no capability permissions", __func__); + cap = (struct sysinfo *)cheri_perms_and(cap, 0); + result = syscall(__NR_sysinfo, cap); + ASSERT_EQ(result, -EFAULT); +} + +TEST(test_copy_to_user) +{ + copy_to_user1(); + copy_to_user2(); + copy_to_user3(); +} + +static __always_inline +void copy_from_user1(void) +{ + int result; + size_t my_offset = sizeof(int); + size_t *good_p = &my_offset; + size_t *bad_p = &my_offset + sizeof(int); + + /** + * Setup the parameters for our syscall: + * fd_in, fd_out: these can be the same fd. + * off_in: the capability pointing to a buffer for the offset + * off_out: NULL, as we do not need this. + * len: MSG_LEN + */ + fd = open_file(); + + result = syscall(__NR_copy_file_range, fd, good_p, fd, NULL, MSG_LEN, 0); + TH_LOG("%s: copy_file_range with valid capability", __func__); + ASSERT_GE(0, result); + + result = syscall(__NR_copy_file_range, fd, bad_p, fd, NULL, MSG_LEN, 0); + TH_LOG("%s: copy_file_range with invalid capability offset", __func__); + ASSERT_EQ(result, -EFAULT); + close_file(fd); +} + +static __always_inline +void copy_from_user2(void) +{ + int result; + size_t my_offset = sizeof(int); + size_t *good_p = &my_offset; + size_t *bad_p = (size_t *)cheri_tag_clear(good_p); + + fd = open_file(); + + result = syscall(__NR_copy_file_range, fd, bad_p, fd, NULL, MSG_LEN, 0); + TH_LOG("%s: copy_file_range with cleared capability tag", __func__); + ASSERT_EQ(result, -EFAULT); + close_file(fd); +} + +static __always_inline +void copy_from_user3(void) +{ + int result; + size_t my_offset = sizeof(int); + size_t *bad_p = (size_t *)cheri_perms_and(&my_offset, 0); + + fd = open_file(); + + result = syscall(__NR_copy_file_range, fd, bad_p, fd, NULL, MSG_LEN, 0); + TH_LOG("%s: copy_file_range with capability with no permissions", __func__); + ASSERT_EQ(result, -EFAULT); + close_file(fd); +} + +TEST(test_copy_from_user) +{ + copy_from_user1(); + copy_from_user2(); + copy_from_user3(); +} + +typedef unsigned short sa_family_t; + +struct sockaddr { + sa_family_t sa_family; + char sa_data[14]; +}; + +static __always_inline +void get_user1(void) +{ + int result; + struct sockaddr sa; + struct sockaddr sa2; + struct sockaddr *my_sockaddr_ptr = &sa2 + sizeof(int) * 1000; + + // socket(AF_INET, SOCK_STREAM, 0) + my_socket = syscall(__NR_socket, 2, 1, 0); + TH_LOG("%s: socket syscall complete", __func__); + ASSERT_GE(my_socket, 0); + + int sa_len = sizeof(sa); + int *my_len_pointer = &sa_len; + + TH_LOG("%s: getsockname with valid capability", __func__); + result = syscall(__NR_getsockname, my_socket, &sa, &sa_len); + ASSERT_EQ(result, 0); + + sa_len = sizeof(sa2); + TH_LOG("%s: getsockname with invalid capability offset", __func__); + result = syscall(__NR_getsockname, my_socket, my_sockaddr_ptr, my_len_pointer); + ASSERT_EQ(result, -EFAULT); +} + +static __always_inline +void get_user2(void) +{ + int result; + struct sockaddr sa; + int sa_len = sizeof(sa); + struct sockaddr *p_sockaddr = cheri_tag_clear(&sa); + + // socket(AF_INET, SOCK_STREAM, 0) + my_socket = syscall(__NR_socket, 2, 1, 0); + ASSERT_GE(my_socket, 0); + + result = syscall(__NR_getsockname, my_socket, p_sockaddr, &sa_len); + TH_LOG("%s: getsockname with cleared capability tag", __func__); + ASSERT_EQ(result, -EFAULT); +} + +static __always_inline +void get_user3(void) +{ + int result; + struct sockaddr sa; + int sa_len = sizeof(sa); + struct sockaddr *p_sockaddr = cheri_perms_and(&sa, 0); + + // socket(AF_INET, SOCK_STREAM, 0) + my_socket = syscall(__NR_socket, 2, 1, 0); + ASSERT_GE(my_socket, 0); + + result = syscall(__NR_getsockname, my_socket, p_sockaddr, &sa_len); + TH_LOG("%s: getsockname with no capability permissions", __func__); + ASSERT_EQ(result, -EFAULT); +} + +TEST(test_get_user) +{ + get_user1(); + get_user2(); + get_user3(); +} + +static __always_inline +void put_user1(void) +{ + int result; + struct timeval tv; + struct timeval *p_tv = &tv; + + result = syscall(__NR_gettimeofday, p_tv, NULL); + TH_LOG("%s: gettimeofday with valid capability", __func__); + ASSERT_EQ(result, 0); + + p_tv = &tv + sizeof(struct timeval) * 1000; + result = syscall(__NR_gettimeofday, p_tv, NULL); + TH_LOG("%s: gettimeofday with invalid capability offset", __func__); + ASSERT_EQ(result, -EFAULT); +} + +static __always_inline +void put_user2(void) +{ + int result; + struct timeval tv; + struct timeval *p_tv = &tv; + + p_tv = cheri_tag_clear(p_tv); + result = syscall(__NR_gettimeofday, p_tv, NULL); + TH_LOG("%s: gettimeofday with cleared capability tag", __func__); + ASSERT_EQ(result, -EFAULT); +} + +static __always_inline +void put_user3(void) +{ + int result; + struct timeval tv; + struct timeval *p_tv = &tv; + + p_tv = cheri_perms_and(p_tv, 0); + result = syscall(__NR_gettimeofday, p_tv, NULL); + TH_LOG("%s: gettimeofday with capability with no permissions", __func__); + ASSERT_EQ(result, -EFAULT); +} + +TEST(test_put_user) +{ + put_user1(); + put_user2(); + put_user3(); +} + +static inline int futex_waitv(volatile struct futex_waitv *waiters, unsigned long nr_waiters, + unsigned long flags, struct timespec *timo, clockid_t clockid) +{ + return syscall(__NR_futex_waitv, waiters, nr_waiters, flags, timo, clockid); +} + +static __always_inline +void futex1(void) +{ + struct timespec to; + + for (int i = 0; i < NR_FUTEXES; i++) { + waitv[i].uaddr = (uintptr_t)cheri_tag_clear(&futexes[i]); + waitv[i].flags = FUTEX_32 | FUTEX_PRIVATE_FLAG; + waitv[i].val = i; + waitv[i].__reserved = 0; + // This is necessary otherwise the loop is optimised away + TH_LOG("%s: waitv[%d] initialised", __func__, i); + } + + int res = futex_waitv(waitv, NR_FUTEXES, 0, &to, CLOCK_MONOTONIC); + + ASSERT_EQ(res, -EFAULT); +} + +TEST(test_futex) +{ + futex1(); +} + +static __always_inline +void explicit_readv1(void) +{ + ssize_t bytes_read; + char buf0[2]; + char buf1[4]; + char buf2[6]; + struct iovec iov[3]; + int iovcnt; + + iov[0].iov_base = buf0; + iov[0].iov_len = sizeof(buf0); + iov[1].iov_base = buf1; + iov[1].iov_len = sizeof(buf1); + iov[2].iov_base = buf2; + iov[2].iov_len = sizeof(buf2); + + iovcnt = sizeof(iov) / sizeof(struct iovec); + + fd = open_file(); + TH_LOG("%s: readv with valid capability", __func__); + bytes_read = syscall(__NR_readv, fd, iov, iovcnt); + close_file(fd); + ASSERT_GE(bytes_read, 0); +} + +static __always_inline +void explicit_readv2(void) +{ + ssize_t bytes_read; + char buf0[2]; + char buf1[4]; + char buf2[6]; + struct iovec iov[3]; + int iovcnt; + + iov[0].iov_base = buf0; + iov[0].iov_len = sizeof(buf0); + iov[1].iov_base = buf1; + iov[1].iov_len = sizeof(buf1); + iov[2].iov_base = buf2; + iov[2].iov_len = sizeof(buf2); + + iovcnt = sizeof(iov) / sizeof(struct iovec); + + fd = open_file(); + TH_LOG("%s: readv with invalid capability tag", __func__); + bytes_read = syscall(__NR_readv, fd, cheri_tag_clear(iov), iovcnt); + close_file(fd); + ASSERT_EQ(bytes_read, -EFAULT); +} + +static __always_inline +void explicit_readv3(void) +{ + ssize_t bytes_read; + char buf0[2]; + char buf1[4]; + char buf2[6]; + struct iovec iov[3]; + int iovcnt; + + iov[0].iov_base = cheri_perms_and(buf0, 0); + iov[0].iov_len = sizeof(buf0); + iov[1].iov_base = buf1; + iov[1].iov_len = sizeof(buf1); + iov[2].iov_base = buf2; + iov[2].iov_len = sizeof(buf2); + + iovcnt = sizeof(iov) / sizeof(struct iovec); + + fd = open_file(); + TH_LOG("%s: readv with invalid capability permissions", __func__); + bytes_read = syscall(__NR_readv, fd, cheri_perms_and(iov, 0), iovcnt); + close_file(fd); + ASSERT_EQ(bytes_read, -EFAULT); +} + +static __always_inline +void explicit_writev1(void) +{ + ssize_t bytes_written; + char *buf0 = "Hello I am the first char buffer!\n"; + char *buf1 = "Hello, I am the second char buffer.\n"; + char *buf2 = "Hello, I am the third and final char buffer.\n"; + struct iovec iov[3]; + int iovcnt; + + iov[0].iov_base = buf0; + iov[0].iov_len = sizeof(buf0); + iov[1].iov_base = buf1; + iov[1].iov_len = sizeof(buf1); + iov[2].iov_base = buf2; + iov[2].iov_len = sizeof(buf2); + + iovcnt = sizeof(iov) / sizeof(struct iovec); + + fd = open_file(); + TH_LOG("%s: writev with valid capability", __func__); + bytes_written = syscall(__NR_writev, fd, iov, iovcnt); + close_file(fd); + ASSERT_GE(bytes_written, 0); +} + +static __always_inline +void explicit_writev2(void) +{ + ssize_t bytes_written; + char *buf0 = "Hello I am the first char buffer!\n"; + char *buf1 = "Hello, I am the second char buffer.\n"; + char *buf2 = "Hello, I am the third and final char buffer.\n"; + struct iovec iov[3]; + int iovcnt; + + iov[0].iov_base = buf0; + iov[0].iov_len = sizeof(buf0); + iov[1].iov_base = buf1; + iov[1].iov_len = sizeof(buf1); + iov[2].iov_base = buf2; + iov[2].iov_len = sizeof(buf2); + + iovcnt = sizeof(iov) / sizeof(struct iovec); + + fd = open_file(); + TH_LOG("%s: writev with invalid capability tag", __func__); + bytes_written = syscall(__NR_writev, fd, cheri_tag_clear(iov), iovcnt); + close_file(fd); + ASSERT_EQ(bytes_written, -EFAULT); +} + +static __always_inline +void explicit_writev3(void) +{ + ssize_t bytes_written; + char *buf0 = "Hello I am the first char buffer!\n"; + char *buf1 = "Hello, I am the second char buffer.\n"; + char *buf2 = "Hello, I am the third and final char buffer.\n"; + struct iovec iov[3]; + int iovcnt; + + iov[0].iov_base = cheri_perms_and(buf0, 0); + iov[0].iov_len = sizeof(buf0); + iov[1].iov_base = buf1; + iov[1].iov_len = sizeof(buf1); + iov[2].iov_base = buf2; + iov[2].iov_len = sizeof(buf2); + + iovcnt = sizeof(iov) / sizeof(struct iovec); + + fd = open_file(); + TH_LOG("%s: writev with invalid capability permissions", __func__); + bytes_written = syscall(__NR_writev, fd, cheri_perms_and(iov, 0), iovcnt); + close_file(fd); + ASSERT_EQ(bytes_written, -EFAULT); +} + +/* + * Test readv and writev where the array of iovecs is provided + * by a capability. + */ +TEST(test_explicit_iov_iter) +{ + explicit_readv1(); + explicit_readv2(); + explicit_readv3(); + explicit_writev1(); + explicit_writev2(); + explicit_writev3(); +} + +int main(void) +{ + test_copy_to_user(); + test_copy_from_user(); + test_get_user(); + test_put_user(); + test_futex(); + test_explicit_iov_iter(); + return 0; +} -- 2.34.1

5 months

2
1
0 0

[PATCH] selftests/vDSO: Fix type casts in get_sysinfo_ehdr()

by Aditya Deshpande

Cast the return value of getauxptr() from void* to uintptr_t (which is defined as __uintcap_t in purecap) to address compiler warnings. Remove the unnecessary cast on getauxval(), as uintptr_t is defined as unsigned long in non-purecap anyway. Signed-off-by: Aditya Deshpande <aditya.deshpande(a)arm.com> --- Hi all, This is a minor follow up patch to the vDSO series which fixes a compiler warning about implicit type casts. The current state of the vDSO tests shouldn't cause any issues with the release as: 1. This is just a compiler warning - the test code is still functionally correct. 2. The vDSO selftests are built standalone anyways. Thanks, Aditya --- tools/testing/selftests/vDSO/parse_vdso.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/vDSO/parse_vdso.h b/tools/testing/selftests/vDSO/parse_vdso.h index 54ad67f463cc..9c891a12be7d 100644 --- a/tools/testing/selftests/vDSO/parse_vdso.h +++ b/tools/testing/selftests/vDSO/parse_vdso.h @@ -38,9 +38,9 @@ void vdso_init_from_auxv(void *auxv); static inline uintptr_t get_sysinfo_ehdr() { #ifdef __CHERI_PURE_CAPABILITY__ - return getauxptr(AT_SYSINFO_EHDR); + return (uintptr_t)getauxptr(AT_SYSINFO_EHDR); #else - return (uintptr_t)getauxval(AT_SYSINFO_EHDR); + return getauxval(AT_SYSINFO_EHDR); #endif } -- 2.25.1

5 months

2
1
0 0

[PATCH v6 00/13] update bpf syscall for PCuABI/compat64

by Zachary Leaf

Hi, Here's v6. The bpf syscall is updated to propagate user pointers as capabilities in the pure-capability kernel-user ABI (PCuABI). It also includes an approach to support the existing aarch64 ABI (compat64). One complication here is from the fact this syscall supports many multiplexed sub-commands, some of which are themselves multiplexed with a number of further nested/multiplexed options. Another complication is that the existing syscall uses a trick of storing user pointers as u64 to avoid needing a compat handler for 32-bit systems. To retain compatibility with the aarch64 ABI and add Morello support, special compat64 conversion and handling is implemented. Inbound (userspace->kernel) conversion between compat64/native struct layouts is handled upfront on entry to the syscall (with the exception of bpf_xyz_info structs - see patch 8). This minimises changes to sub-command handlers. Some sub-commands require conversion back out to userspace and that by necessity is handled where it occurs. Patch 1 is not essential to this series but it's a nice debug feature to have and works[1]. It enables BPF_PROG_TYPE_TRACEPOINT which many eBPF kselftests use. Patches 5,6,8 implement the core compat64 handling. Each commit compiles cleanly but relevant parts will be broken inbetween. Patch 9 fixes the CHECK_ATTR macro to also check configs passed in via compat64. Patch 11 finally enables capabilities in the kernel. Patches 12,13 handles uaccess that occurs in two eBPF helper functions. The rest are setup/helper functions. Testing wise, see associated LTP changes below as posted to LTP mailing list[2]. The eBPF LTP tests are fairly minimal and test only a small part of the changes here. There's a new test to test CHECK_ATTR from patch 9. The kernel kselftests contain many more extensive eBPF tests. They can be built fairly easily natively on aarch64 which is useful for testing compat64. More work needs to be done here though to: a) enable out-of-tree cross-compilation for purecap as well as x86->aarch64 b) replace ptr_to_u64() with casts to uintptr_t in tests c) general libbpf/bpftool enablement and fixes since many tests rely on this d) CONFIG_DEBUG_INFO_BTF required for many tests but this requires the build system to have a recent version of pahole tool Next steps once we have the core kernel support would be porting libbpf and bpftool for purecap plus work on enabling kselftests as above. Kernel branch available at: https://git.morello-project.org/zdleaf/linux/-/tree/morello/bpf_v6 Associated LTP test/changes at: https://git.morello-project.org/zdleaf/morello-linux-test-project/-/tree/mo… Thanks, Zach [1] [PATCH v3 0/5] Restore syscall tracing on Morello https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2] [PATCH v2 0/3] add eBPF support https://op-lists.linaro.org/archives/list/linux-morello-ltp@op-lists.linaro… ----------------------------------------------------------------------- v6: - Re-work BPF_LINK_CREATE memcpy in convert_compat_bpf_attr() v5: - Simplify BPF_LINK_CREATE handling in bpf/syscall.c:convert_compat_bpf_attr() - Add missing bpf_compat_ptr_field() - Re-work/fix check_attr() to catch missing enum bpf_cmd values [...] [0] [RFC PATCH 0/9] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [1] [PATCH 00/10] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2] [PATCH v2 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [3] [PATCH v3 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [4] [PATCH v4 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [5] [PATCH v5 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… ----------------------------------------------------------------------- Zachary Leaf (13): arm64: morello: enable syscall tracing arch: rename 32bit_compat to compat32 arch: add compat helpers specific to 64-bit stddef: introduce copy_field helper bpf: compat64: add handler and convert bpf_attr in bpf: compat64: bpf_attr convert out bpf/btf: move zero check into btf.c bpf: compat64: handle bpf_{btf,prog,link}_info bpf: compat64: support CHECK_ATTR macro bpf: copy_{to,from}_user_with_ptr helpers bpf: use user pointer types in uAPI structs bpf: use addr for bpf_copy_from_user_with_task bpf: use addr for bpf_copy_from_user .../morello_transitional_pcuabi_defconfig | 2 +- arch/arm64/include/asm/compat.h | 11 +- arch/arm64/include/asm/ftrace.h | 2 +- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/include/asm/syscall.h | 6 +- arch/arm64/kernel/fpsimd.c | 6 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/perf_regs.c | 2 +- arch/arm64/kernel/pointer_auth.c | 6 +- arch/arm64/kernel/process.c | 16 +- arch/arm64/kernel/ptrace.c | 10 +- arch/arm64/kernel/signal.c | 2 +- arch/arm64/kernel/syscall.c | 2 +- arch/mips/include/asm/compat.h | 2 +- arch/parisc/include/asm/compat.h | 2 +- arch/powerpc/include/asm/compat.h | 2 +- arch/s390/include/asm/compat.h | 2 +- arch/sparc/include/asm/compat.h | 4 +- arch/x86/include/asm/compat.h | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- drivers/input/input.c | 2 +- drivers/media/rc/bpf-lirc.c | 6 +- fs/ext4/dir.c | 2 +- fs/nfs/dir.c | 2 +- include/linux/bpf.h | 19 + include/linux/bpf_compat.h | 415 +++++++++ include/linux/bpfptr.h | 28 +- include/linux/compat.h | 16 +- include/linux/stddef.h | 3 + include/uapi/linux/bpf.h | 94 +- kernel/bpf/bpf_iter.c | 2 +- kernel/bpf/btf.c | 104 ++- kernel/bpf/cgroup.c | 9 +- kernel/bpf/hashtab.c | 12 +- kernel/bpf/helpers.c | 9 +- kernel/bpf/net_namespace.c | 6 +- kernel/bpf/offload.c | 2 +- kernel/bpf/syscall.c | 842 ++++++++++++++---- kernel/bpf/verifier.c | 20 +- kernel/time/time.c | 2 +- kernel/trace/bpf_trace.c | 6 +- mm/util.c | 2 +- net/bpf/bpf_dummy_struct_ops.c | 8 +- net/bpf/test_run.c | 31 +- net/core/sock_map.c | 6 +- 46 files changed, 1393 insertions(+), 342 deletions(-) create mode 100644 include/linux/bpf_compat.h -- 2.34.1

5 months

2
14
0 0

[Announcement] Integration drop 1.7.0 - changelog

by Kevin Brodsky

Hi, The top of the master branch has been tagged [1] as part of the integration drop 1.7.0. Below is the changelog for kernel users, since the previous integration drop (1.6.1). PCuABI-related changes ---------------------- * [Issue #24] A pure-capability vDSO is now provided in PCuABI. * [Issue #7] In a small number of situations, user-provided capabilities are now explicitly checked (validity, bounds and read/write permissions). This covers cases where user memory is accessed via a kernel mapping, instead of the standard approach where user mappings are used (uaccess). A section has also been added to the porting guide [2], as porting some drivers may require adding explicit checking. Note: patches have been posted on the list to enable capability checking in uaccess, but they are yet to be merged. * [Issue #46] The TCP_ZEROCOPY_RECEIVE getsockopt() option has been modified to operate on capabilities in PCuABI. A corresponding section has been added to the PCuABI specification [3]. * [Issue #51] MMC-related ioctl commands have been adapted to operate on capabilities. Other changes ------------- * KSM (Kernel Samepage Merging) is now disabled to avoid false positives when capability tags differ. It is unclear whether KSM would still be worthwhile with the extra overhead of comparing capability tags (issue #62 created to track this). * Internal refactoring to assist with upcoming changes. Contributions ------------- Kudos to everyone who has contributed to Morello Linux! Here are the contributors and number of patches since the previous integration drop: 10 Kevin Brodsky <kevin.brodsky(a)arm.com> 7 Luca Vizzarro <Luca.Vizzarro(a)arm.com> 6 Aditya Deshpande <aditya.deshpande(a)arm.com> 3 Harry Ramsey <harry.ramsey(a)arm.com> 2 Akram Ahmad <Akram.Ahmad(a)arm.com> Special thanks are also extended to everyone who has assisted in reviewing these patches. Cheers, Kevin [1] https://git.morello-project.org/morello/kernel/linux/-/commits/morello-rele… [2] https://git.morello-project.org/morello/kernel/linux/-/blob/morello-release… [3] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c…

5 months

1
0
0 0

Linux DRM purecap "RFC"

by Carsten Haitzler

Just thought it's time to share the current state of drm purecap work: Kernel: https://git.morello-project.org/carhai01/linux-drm-purecap/-/commit/7ea169a… DRM: https://git.morello-project.org/carhai01/drm-linux-morello-purecap/-/commit… All the DRM tests ow pass for compat and purecap. I'm of 2 minds in the kernel code. I could go mimic the "copy field" stuff from EBPF but it's still going to be a bit messy. DRM code calls everything "compat" "32" so I'm keeping with that naming scheme (compat for us is 64bit). I've kept the compat structs at the entry points. I could copy to a local "native" struct I guess... It'd mean I carry more local data than I actually need/use. Anyway... comments?

5 months, 3 weeks

2
5
0 0

[PATCH v3 0/5] Provide a vDSO to purecap processes and write tests

by Aditya Deshpande

Hello, This patch series implements a pure-capability vDSO which purecap userspace applications can directly use. It also fixes the vDSO selftests so that they can be built as purecap binaries, therefore allowing the new purecap vDSO to be tested. The existing aarch64 vDSO implementation is unchanged - it has simply been redefined as the compat vDSO. Therefore, processes using both the standard and purecap ABIs will have a vDSO to use. Main changes in v3: * Series has now grown to 5 patches. The first patch duplicates an unmerged upstream change (I forgot to include this in v2). Once it is merged upstream and the fork is rebased this patch may disappear from the log. * Patch 3 adds some purecap-only code to linux/types.h to enable the vDSO, which uses kernel headers, to be built for purecap. * v2 removed the vdso-purecap/ directory, as it needlessly replicated the code in vdso/. vdso/Makefile was instead changed so it could build both vDSOs (regular and purecap) from the same source. This is achieved by calling the Makefile twice with BUILD_PURECAP_VDSO=[y/n]. v3 further changes this Makefile; now all purecap generated files are placed in a separate subdirectory (vdso/purecap.) Aditya Deshpande (5): selftests: vDSO: fix Makefile so that it uses lib.mk correctly selftests/vDSO: Add support for purecap vDSO testing linux/types.h: Redefine uintptr_t to __uintcap_t under purecap arm64: vdso: Build a pure-capability vDSO arm64: vDSO: Provide a purecap vDSO to userspace purecap programs arch/arm64/Makefile | 6 ++ arch/arm64/include/asm/elf.h | 24 +++++--- arch/arm64/include/asm/vdso.h | 1 + arch/arm64/include/asm/vdso/gettimeofday.h | 58 +++++++++++++++--- arch/arm64/kernel/Makefile | 2 + arch/arm64/kernel/vdso-purecap-wrap.S | 22 +++++++ arch/arm64/kernel/vdso.c | 55 ++++++++++++++++- arch/arm64/kernel/vdso/Makefile | 60 ++++++++++++++++--- fs/compat_binfmt_elf.c | 24 ++++---- include/linux/compiler.h | 3 +- include/linux/types.h | 4 ++ tools/testing/selftests/vDSO/Makefile | 16 ++--- tools/testing/selftests/vDSO/parse_vdso.h | 16 +++++ tools/testing/selftests/vDSO/vdso_test_abi.c | 5 +- .../selftests/vDSO/vdso_test_gettimeofday.c | 6 +- 15 files changed, 252 insertions(+), 50 deletions(-) create mode 100644 arch/arm64/kernel/vdso-purecap-wrap.S -- 2.25.1

5 months, 3 weeks

2
8
0 0

baremetal program execution on ARM Morello board

by CHANDRAJIT PAL

Hello, I am running baremetal programs on FVP. I compiled using llvm toolchain with baremetal support and created the .axf binaries under the debug directory of the project folder. This .axf executable Is something I like to test on morello board without any OS environment. when I tried to run the .axf binary on the board using the ARM development studio IDE morello edition, under the run> debug config> made the settings and when I I started debugging it gets stuck at the HLT instruction (when performing debug from symbol) or starting from the initial address and going into an infinite loop when starting from entry point. while on the terminal console I couldn't see the output of the printf statement which i was expecting. even if I try to run directly or debug it step by step. (the program is correct because I already tested on FVP) ..I am being redirected to the debug configuration. and iterating thru the same process as described without seeing the actual output on the terminal which I configured with the /dev/ttyusb2 115200 command. Any suggestions please.

5 months, 3 weeks

2
1
0 0

baremetal program execution on ARM Morello board

by CHANDRAJIT PAL

Hello, I am running baremetal programs on FVP. I compiled using llvm toolchain with baremetal support and created the .axf binaries under the debug directory of the project folder. This .axf executable Is something I like to test on morello board without any OS environment. when I tried to run the .axf binary on the board using the ARM development studio IDE morello edition, under the run> debug config> made the settings and when I I started debugging it gets stuck at the HLT instruction (when performing debug from symbol) or starting from the initial address and going into an infinite loop when starting from entry point. while on the terminal console I couldn't see the output of the printf statement which i was expecting. even if I try to run directly or debug it step by step. (the program is correct because I already tested on FVP) ..I am being redirected to the debug configuration. and iterating thru the same process as described without seeing the actual output on the terminal which I configured with the /dev/ttyusb2 115200 command. Any suggestions please.

5 months, 3 weeks

1
0
0 0

[PATCH V4 00/11] Add testcases for address space management syscalls

by Chaitanya S Prakash

Syscalls operating on memory mappings manage their address space via owning capabilities. They must adhere to a certain set of rules[1] in order to ensure memory safety. Address space management syscalls are only allowed to manipulate mappings that are within the range of the owning capability and have the appropriate permissions. Tests to check the capability's tag, bounds, range as well as permissions have been added. Finally, as certain flags and syscalls conflict with the reservation model or lack implementation, a check to verify appropriate handling of the same has also been added. The mincore() tests are expected to fail in this iteration as they are not fully supported. The next iterations will contain representability testcases. Review branch: https://git.morello-project.org/chaitanya_prakash/linux/-/tree/review/purec… This patch series has been tested on: https://git.morello-project.org/amitdaniel/linux/-/tree/review/purecap_mm_r… [1] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… Changes in V4: - Corrected subject of cover letter Changes in V3: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… - Added get_pagesize() function and VERRIFY_ERRNO() macro - Added LoadCap and StoreCap permissions testcase - Added validity_tag_check testcases - Added reservation tests - Renamed variable "addr" to "ptr" to avoid confusion when manipulating both addresses and capabilities - Cleaned up syscall_mmap and syscall_mmap2 testcases - Restructured code into testcases that check tags, range, bounds and permissions - Improved range_check testcases - Improved commit messages - Removed helper functions, tests directly written in testcase functions - Removed signal handling and ddc register testcases Changes in V2: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… - Added link to the review branch - Removed unnecessary whitespace Changes in V1: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… Chaitanya S Prakash (11): kselftests/arm64: morello: Create wrapper functions for frequently invoked syscalls kselftests/arm64: morello: Add get_pagesize() function kselftests/arm64: morello: Add VERIFY_ERRNO() macro kselftests/arm64: morello: mmap: Clean up existing testcases kselftests/arm64: morello: mmap: Add MAP_GROWSDOWN testcase kselftests/arm64: morello: mmap: Add validity tag check testcases kselftests/arm64: morello: mmap: Add capability range testcases kselftests/arm64: morello: mmap: Add mmap() bounds check testcases kselftests/arm64: morello: mmap: Add mremap() bounds check testcases kselftests/arm64: morello: mmap: Add permission check testcases kselftests/arm64: morello: mmap: Add brk() testcase .../selftests/arm64/morello/bootstrap.c | 13 - .../selftests/arm64/morello/freestanding.c | 16 +- .../selftests/arm64/morello/freestanding.h | 74 ++- tools/testing/selftests/arm64/morello/mmap.c | 547 +++++++++++++++++- 4 files changed, 606 insertions(+), 44 deletions(-) -- 2.25.1

5 months, 4 weeks

3
21
0 0

2024

2023

2022

linux-morello