On 11/04/2024 14:03, Kevin Brodsky wrote:
Hi,
This series implements the restriction of bounds and permissions of all capabilities provided to a new process. This includes registers (PCC, CSP, C1-C3), capabilities in the auxiliary vector and capabilities to strings in argv/envp (issue #19 [1]). To complete the alignment with the PCuABI specification, AT_BASE is restored as a simple address, DDC is nullified and CCTLR_EL0.SBL is set (issue #20 [2]).
This series is composed of the following patches:
Patches 1-4 fix issues revealed by the restrictions made in the following patches, notably DDC being set to null.
Patch 5 adds a generic helper.
Patches 6-8 refactor the start_thread() machinery so that binfmt_elf provides all the capabilities to set the initial capability registers to. This allows centralising all calculations in binfmt_elf, and guarantees that capabilities in registers and in the auxiliary vector are consistent. No functional change at this point (the capabilities remain unrestricted).
Patches 9-11 perform the actual restriction of capabilities, simultaneously in initial registers and the auxiliary vector. Patch 11 is a simplified version of Téo's patch [3], without ensuring bounds representability (see below).
Patches 12-15 take care of the remaining alignment with the spec (AT_BASE, DDC, CCTLR_EL0.SBL).
With respect to the tightening of capability bounds, two important caveats should be noted:
- In the absence of stack reservation (issue #21 [4]), the stack remains notionally unbounded, and so are the capabilities covering the entire stack (CSP, AT_CHERI_STACK_CAP).
- No particular effort is made with respect to bounds representability. This means notably that capabilities to argv/envp strings may overlap, as well as capabilities to the argv/envp arrays. This is however very unlikely in practice (it would require very large strings or a very large number of arguments).
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/commits/morello/initial...
Thanks, Kevin
[1] https://git.morello-project.org/morello/kernel/linux/-/issues/19
[2] https://git.morello-project.org/morello/kernel/linux/-/issues/20
[3] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
[4] https://git.morello-project.org/morello/kernel/linux/-/issues/21
Kevin Brodsky (15):
  arm64: barrier: Make arch_counter_enforce_ordering() purecap-friendly
  kselftests/arm64: morello: Process caprelocs using appropriate root caps
  kselftests/arm64: morello: Remove invalid assumptions about initial data
  kselftests/arm64: morello: Seal reconstructed function pointer
  linux/user_ptr.h: Introduce user_ptr_set_bounds
  fs/binfmt_elf: Add entry member to elf_load_info
  binfmt: Store initial user pointers in bprm in PCuABI
  arm64: Use bprm->pcuabi to set initial pointers in PCuABI
  fs/binfmt_elf: Restrict executable/interpreter capabilities
  fs/binfmt_elf: Restrict stack capabilities
  fs/binfmt_elf: Restrict string capabilities
  fs/binfmt_elf: Make AT_BASE an address again
  elf: Remove elf_uaddr_to_user_ptr()
  arm64: morello: Nullify DDC in PCuABI
  arm64: morello: Set CCTLR_EL0.SBL in PCuABI
Applied on next.
Kevin
 arch/arm64/include/asm/barrier.h              |  13 +
 arch/arm64/include/asm/elf.h                  |   2 +-
 arch/arm64/include/asm/morello.h              |   4 +-
 arch/arm64/include/asm/processor.h            |  47 +--
 arch/arm64/include/asm/sysreg.h               |   2 +
 arch/arm64/kernel/morello.c                   |  44 ++-
 arch/arm64/kernel/process.c                   |  17 +
 fs/binfmt_elf.c                               | 306 ++++++++++++++----
 fs/compat_binfmt_elf.c                        |   3 -
 include/linux/binfmts.h                       |  13 +
 include/linux/elf.h                           |   1 -
 include/linux/user_ptr.h                      |  22 ++
 .../selftests/arm64/morello/bootstrap.c       |  64 ++--
 .../arm64/morello/freestanding_init_globals.c |  54 ++--
 .../arm64/morello/freestanding_start.S        |   4 +-
 15 files changed, 417 insertions(+), 179 deletions(-)
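The second caveat in the cover letter (argv/envp string capabilities may overlap when bounds are not representable) is easier to see with a small model. The following is an added example, not code from the series or from the kernel: it uses a deliberately simplified compressed-bounds encoding (an 8-bit mantissa, so rounding sets in for lengths above 255 bytes) rather than the real Morello encoding, and the string layout and lengths are constructed. It lays strings back to back the way argv/envp strings sit on the initial stack, derives a capability per string, and counts adjacent capabilities whose rounded bounds overlap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed, simplified model of compressed capability bounds. This is
 * NOT the Morello encoding: here a length is exact only while it fits in
 * MANTISSA_BITS bits; beyond that both base and top are rounded outwards to
 * a multiple of 2^e, so the capability may cover neighbouring objects.
 */
#define MANTISSA_BITS 8

struct cap {
	uint64_t base;	/* first byte covered */
	uint64_t top;	/* one past the last byte covered */
};

/* Smallest exponent e such that len >> e fits in the mantissa. */
unsigned exponent_for_len(uint64_t len)
{
	unsigned e = 0;

	while ((len >> e) > ((1ULL << MANTISSA_BITS) - 1))
		e++;
	return e;
}

/* Round the requested range [base, base + len) out to representable bounds. */
struct cap set_bounds(uint64_t base, uint64_t len)
{
	unsigned e = exponent_for_len(len);
	uint64_t align = 1ULL << e;
	struct cap c;

	c.base = base & ~(align - 1);
	c.top = (base + len + align - 1) & ~(align - 1);
	return c;
}

int caps_overlap(struct cap a, struct cap b)
{
	return a.base < b.top && b.base < a.top;
}

/*
 * Lay strings of the given lengths (NUL included) back to back from start,
 * like argv/envp strings on the initial stack, deriving one capability per
 * string into out[]. Returns how many adjacent pairs of capabilities overlap.
 */
int count_overlaps(uint64_t start, const uint64_t *lens, size_t n,
		   struct cap *out)
{
	uint64_t p = start;
	int overlaps = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		out[i] = set_bounds(p, lens[i]);
		p += lens[i];
		if (i > 0 && caps_overlap(out[i - 1], out[i]))
			overlaps++;
	}
	return overlaps;
}

int main(void)
{
	/* Constructed layout: two short strings, one very large, one short. */
	const uint64_t lens[4] = { 5, 7, 100000, 3 };
	struct cap caps[4];
	int n = count_overlaps(65536, lens, 4, caps);
	size_t i;

	for (i = 0; i < 4; i++)
		printf("string %zu: len %6llu -> cap [%llu, %llu)\n", i,
		       (unsigned long long)lens[i],
		       (unsigned long long)caps[i].base,
		       (unsigned long long)caps[i].top);
	printf("overlapping adjacent pairs: %d\n", n);
	return 0;
}
```

With these inputs the 100000-byte string needs e = 9, so its capability is rounded out to a 512-byte boundary on both sides and spills over both neighbours, while the short strings keep exact bounds. This is the situation the cover letter describes as unlikely in practice, since ordinary argument and environment strings stay well below the threshold where rounding begins.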