Hi,
This series is a follow-up to the RFC "New CHERI API and rehauled user_ptr.h", with a slightly different scope to make it more self-contained.
There are two main focuses for this series:
1. Introducing linux/cheri.h. There is no fundamental change compared to v1 here.
2. Deriving all capabilities from an appropriate userspace root capability (cheri_user_root_*) instead of morello_root_cap. v1 started this by reimplementing uaddr_to_user_ptr*, this series finishes up the work.
The focus of v1, adding generic functions to linux/user_ptr.h, has been dropped and will reappear in a separate series.
Some more details on the choice of root capabilities (see the comment in patch 5 regarding cheri_user_root_*):
* In purecap, the PCuABI spec gives us good guidance on which root capability we should use where. Namely:
- cheri_user_root_cap for almost all capabilities. The permissions correspond to the maximum permissions obtainable via mmap(). As we progress through the second phase, the bounds/permissions of capabilities derived from this root will be restricted as specified, and DDC will be set to null.
- cheri_user_root_{seal,cid}_cap for the AT_CHERI_{SEAL,CID}_CAP. These capabilities exist precisely because their permissions (Seal/Unseal/CompartmentID) are not provided in regular capabilities (derived from cheri_user_root_cap).
- cheri_user_root_all_cap for capabilities created via (privileged) ptrace. See patch 13 for some details on this.
* In hybrid, the de facto ABI is what Documentation/arm64/morello.rst says. As there is no mechanism to obtain special permissions, all capabilities are derived from cheri_user_root_all_cap. The documentation is updated accordingly.
This series introduces functional changes by restricting the bounds/permissions of all userspace capabilities, but these restrictions should not affect any valid use-case. More specifically:
* In purecap, the bounds of all capabilities are restricted to the user address space. See above for details on permissions.
* In hybrid, the bounds of capabilities are also restricted to the user address space. All relevant permissions remain available. CSP is no longer initialised to a valid capability, as this is neither required nor documented.
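To make the derivation rules above concrete, here is a small constructed model (added for illustration; it is not code from this series, the Morello kernel, or the PCuABI spec, and model_cap_t, derive_cap(), check_access(), derived_access_ok() and the permission bit values are all assumptions). It models the roots the cover letter names, bounds them to an assumed user address space, and enforces monotonicity: a derived capability keeps its tag only if its bounds fit inside the root's and its permissions are a subset of the root's, so nothing derived from cheri_user_root_cap can gain Seal/Unseal/CompartmentID and nothing derived from any root can reach outside the user address space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a capability: bounds, permission mask and tag.
 * Not the kernel's representation or the Morello hardware format. */
typedef struct {
	uint64_t base;
	uint64_t length;
	uint32_t perms;
	bool valid;	/* tag: cleared whenever derivation would widen the cap */
} model_cap_t;

/* Constructed permission bits; the names follow the cover letter. */
enum {
	PERM_LOAD		= 1u << 0,
	PERM_STORE		= 1u << 1,
	PERM_EXECUTE		= 1u << 2,
	PERM_SEAL		= 1u << 3,
	PERM_UNSEAL		= 1u << 4,
	PERM_COMPARTMENT_ID	= 1u << 5,
	PERM_BRANCH_SEALED_PAIR	= 1u << 6,
};
#define PERMS_ALL (PERM_LOAD | PERM_STORE | PERM_EXECUTE | PERM_SEAL | \
		   PERM_UNSEAL | PERM_COMPARTMENT_ID | PERM_BRANCH_SEALED_PAIR)

/* Assumed user address space for the model (constructed values). */
#define USER_AS_BASE	0x0ULL
#define USER_AS_SIZE	(1ULL << 48)

/* Roots as the cover letter describes them: "all" carries every permission,
 * the regular root lacks Seal/Unseal/CompartmentID, and the seal and cid
 * roots carry only those. All are bounded to the user address space. */
static const model_cap_t cheri_user_root_all_cap = {
	USER_AS_BASE, USER_AS_SIZE, PERMS_ALL, true };
static const model_cap_t cheri_user_root_cap = {
	USER_AS_BASE, USER_AS_SIZE,
	PERM_LOAD | PERM_STORE | PERM_EXECUTE | PERM_BRANCH_SEALED_PAIR, true };
static const model_cap_t cheri_user_root_seal_cap = {
	USER_AS_BASE, USER_AS_SIZE, PERM_SEAL | PERM_UNSEAL, true };
static const model_cap_t cheri_user_root_cid_cap = {
	USER_AS_BASE, USER_AS_SIZE, PERM_COMPARTMENT_ID, true };

/* True if [base, base+len) lies within [rbase, rbase+rlen), overflow-safe. */
static bool within(uint64_t rbase, uint64_t rlen, uint64_t base, uint64_t len)
{
	uint64_t off;

	if (base < rbase)
		return false;
	off = base - rbase;
	if (off > rlen)
		return false;
	return len <= rlen - off;
}

/* Derive from a root. The result keeps its tag only if its bounds are inside
 * the root's bounds and its permissions are a subset of the root's. */
model_cap_t derive_cap(const model_cap_t *root, uint64_t base,
		       uint64_t length, uint32_t perms)
{
	model_cap_t c = { base, length, perms, false };

	if (!root->valid || !within(root->base, root->length, base, length))
		return c;
	if (perms & ~root->perms)	/* would gain a permission: refuse */
		return c;
	c.valid = true;
	return c;
}

/* Modelled access check: tag set, needed permissions present, range in
 * bounds. Assumed behaviour, not the kernel's cheri_check_cap(). */
bool check_access(const model_cap_t *cap, uint64_t addr, uint64_t len,
		  uint32_t need)
{
	if (!cap->valid || (cap->perms & need) != need)
		return false;
	return within(cap->base, cap->length, addr, len);
}

/* Derive a user pointer from a root, then check one access through it. */
bool derived_access_ok(const model_cap_t *root, uint64_t base, uint64_t len,
		       uint32_t perms, uint64_t addr, uint64_t alen, uint32_t need)
{
	model_cap_t c = derive_cap(root, base, len, perms);

	return check_access(&c, addr, alen, need);
}

int main(void)
{
	/* Regular root cannot hand out Seal; "all" root cannot exceed the user AS. */
	printf("seal from regular root: %d\n",
	       derive_cap(&cheri_user_root_cap, 0x10000, 0x1000, PERM_SEAL).valid);
	printf("past end of user AS: %d\n",
	       derive_cap(&cheri_user_root_all_cap, USER_AS_SIZE - 8, 16, PERM_LOAD).valid);
	printf("in-bounds load: %d\n",
	       derived_access_ok(&cheri_user_root_cap, 0x10000, 0x1000,
				 PERM_LOAD | PERM_STORE, 0x10ff8, 8, PERM_LOAD));
	printf("out-of-bounds load: %d\n",
	       derived_access_ok(&cheri_user_root_cap, 0x10000, 0x1000,
				 PERM_LOAD | PERM_STORE, 0x10ff8, 16, PERM_LOAD));
	return 0;
}
```

The split into four roots is the point: a request for Seal or CompartmentID against cheri_user_root_cap fails at derivation rather than at use, which is why AT_CHERI_{SEAL,CID}_CAP need their own roots and why ptrace, which must be able to build arbitrary user capabilities, derives from cheri_user_root_all_cap.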
More detailed changelog below.
v1..v2:
* Addressing review comments:
  - Reformatted the function documentation to make kernel-doc -v (mostly) happy.
  - Added some comment clarifying what CHERI_PERM_SW_VMEM is about.
  - Renamed ARCH_HAS_CHERI_H to HAVE_ARCH_CHERI_H.
  - Renamed cheri_root*_cap_userspace to cheri_user_root_*cap and added some description of each.
  - Renamed cheri_check_cap_data_access() to cheri_check_cap().
* New patches:
  - Derive compat_ptr() from cheri_user_root_all_cap (deriving from DDC proved more complicated than expected, created a ticket for that [1])
  - Derive AT_CHERI_{SEAL,CID}_CAP from cheri_user_root_{seal,cid}_cap
  - Initialisation of capability registers from cheri_user_root_* (with a clear separation between purecap and hybrid)
  - Capabilities created via (privileged) ptrace now derived from cheri_user_root_all_cap
  - Remove morello_root_cap (no longer used)
  - Update documentation to reflect cheri_user_root_all_cap being the new root capability in hybrid
* Other changes:
  - As per a recent update to the PCuABI spec, the BranchSealedPair is no longer part of the rootcap permission set. It is still needed in certain user capabilities, so moved it from CHERI_PERMS_ROOTCAP to explicit addition to cheri_user_root_cap in morello.c.
  - Added cheri_user_root_all_cap, the "root of roots" with all permissions. cheri_user_root_cid_cap is now derived from it too, so its bounds are not the whole address space any more.
  - Patch 8/9 (new functions in user_ptr.h) dropped.
  - Rebased on next.
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/commits/cheri_ptr_api_v...
Thanks, Kevin
[1] https://git.morello-project.org/morello/kernel/linux/-/issues/40
Kevin Brodsky (15):
  pps: Add missing #include
  linux/user_ptr.h: Remove kaddr_to_user_ptr()
  linux/user_ptr.h: Improve comment formatting
  arm64: uapi: Add asm/cheri.h
  linux/cheri.h: Introduce CHERI helpers
  arm64: morello: Implement cheri.h
  fs/binfmt_elf: Use appropriate caps for AT_CHERI_{SEAL,CID}_CAP
  arm64: compat: Use appropriate root cap in compat_ptr() in PCuABI
  linux/user_ptr.h: Generic PCuABI impl for uaddr_to_user_ptr*
  arm64: Remove asm/user_ptr.h
  arm64: morello: Initialise user capabilities from cheri_user_root_*
  arm64: morello: Initialise user DDC from cheri_user_root_*
  arm64: morello: Build arbitrary user caps using appropriate root
  arm64: morello: Remove morello_root_cap
  arm64: morello: Update root capability in documentation

 Documentation/arm64/morello.rst     |  23 +++--
 Documentation/core-api/user_ptr.rst |   8 --
 arch/Kconfig                        |   2 +-
 arch/arm64/Kconfig                  |   2 +-
 arch/arm64/include/asm/cheri.h      |  11 +++
 arch/arm64/include/asm/compat.h     |   9 +-
 arch/arm64/include/asm/morello.h    |  12 ++-
 arch/arm64/include/asm/user_ptr.h   |  43 ---------
 arch/arm64/include/uapi/asm/cheri.h |  11 +++
 arch/arm64/kernel/morello.c         | 143 +++++++++++++++++-----------
 arch/arm64/kernel/process.c         |   2 +-
 arch/arm64/kernel/ptrace.c          |   2 +-
 arch/arm64/lib/morello.S            |  17 ++--
 drivers/pps/pps.c                   |   1 +
 fs/binfmt_elf.c                     |  10 +-
 include/linux/cheri.h               | 132 +++++++++++++++++++++++++
 include/linux/user_ptr.h            |  69 ++++++--------
 lib/Makefile                        |   3 +
 lib/cheri.c                         |  72 ++++++++++++++
 lib/user_ptr.c                      |  26 +++++
 20 files changed, 413 insertions(+), 185 deletions(-)
 create mode 100644 arch/arm64/include/asm/cheri.h
 delete mode 100644 arch/arm64/include/asm/user_ptr.h
 create mode 100644 arch/arm64/include/uapi/asm/cheri.h
 create mode 100644 include/linux/cheri.h
 create mode 100644 lib/cheri.c
 create mode 100644 lib/user_ptr.c