 
            On 12/12/22 16:05, Kevin Brodsky wrote:
Hi,
This series is a follow-up to the RFC "New CHERI API and rehauled user_ptr.h", with a slightly different scope to make it more self-contained.
There are two main focuses for this series:
- Introducing linux/cheri.h. There is no fundamental change compared to v1 here.
- Deriving all capabilities from an appropriate userspace root capability (cheri_user_root_*) instead of morello_root_cap. v1 started this by reimplementing uaddr_to_user_ptr*, this series finishes up the work.
The focus of v1, adding generic functions to linux/user_ptr.h, has been dropped and will reappear in a separate series.
Some more details on the choice of root capabilities (see the comment in patch 5 regarding cheri_user_root_*):
In purecap, the PCuABI spec gives us good guidance on which root capability we should use where. Namely:
- cheri_user_root_cap for almost all capabilities. The permissions correspond to the maximum permissions obtainable via mmap(). As we progress through the second phase, the bounds/permissions of capabilities derived from this root will be restricted as specified, and DDC will be set to null.
- cheri_user_root_{seal,cid}_cap for the AT_CHERI_{SEAL,CID}_CAP. These capabilities exist precisely because their permissions (Seal/Unseal/CompartmentID) are not provided in regular capabilities (derived from cheri_user_root_cap).
- cheri_user_root_all_cap for capabilities created via (privileged) ptrace. See patch 13 for some details on this.
In hybrid, the de facto ABI is what Documentation/arm64/morello.rst says. As there is no mechanism to obtain special permissions, all capabilities are derived from cheri_user_root_all_cap. The documentation is updated accordingly.
This series introduces functional changes by restricting the bounds/permissions of all userspace capabilities, but these restrictions should not affect any valid use-case. More specifically:
- In purecap, the bounds of all capabilities are restricted to the user address space. See above for details on permissions.
- In hybrid, the bounds of capabilities are also restricted to the user address space. All relevant permissions remain available. CSP is no longer initialised to a valid capability, as this is neither required nor documented.
I had a look at the v2 series. The series looks good to me and there are just a few nits from my side.
Thanks, Amit Daniel
More detailed changelog below.
v1..v2:
- Addressing review comments:
  - Reformatted the function documentation to make kernel-doc -v (mostly) happy.
  - Added a comment clarifying what CHERI_PERM_SW_VMEM is about.
  - Renamed ARCH_HAS_CHERI_H to HAVE_ARCH_CHERI_H.
  - Renamed cheri_root*_cap_userspace to cheri_user_root_*cap and added some description of each.
  - Renamed cheri_check_cap_data_access() to cheri_check_cap().
- New patches:
  - Derive compat_ptr() from cheri_user_root_all_cap (deriving from DDC proved more complicated than expected, created a ticket for that [1])
  - Derive AT_CHERI_{SEAL,CID}_CAP from cheri_user_root_{seal,cid}_cap
  - Initialisation of capability registers from cheri_user_root_* (with a clear separation between purecap and hybrid)
  - Capabilities created via (privileged) ptrace now derived from cheri_user_root_all_cap
  - Remove morello_root_cap (no longer used)
  - Update documentation to reflect cheri_user_root_all_cap being the new root capability in hybrid
- Other changes:
  - As per a recent update to the PCuABI spec, the BranchSealedPair is no longer part of the rootcap permission set. It is still needed in certain user capabilities, so moved it from CHERI_PERMS_ROOTCAP to explicit addition to cheri_user_root_cap in morello.c.
  - Added cheri_user_root_all_cap, the "root of roots" with all permissions. cheri_user_root_cid_cap is now derived from it too, so its bounds are not the whole address space any more.
  - Patch 8/9 (new functions in user_ptr.h) dropped.
  - Rebased on next.
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/commits/cheri_ptr_api_v...
Thanks, Kevin
[1] https://git.morello-project.org/morello/kernel/linux/-/issues/40
Kevin Brodsky (15):
  pps: Add missing #include
  linux/user_ptr.h: Remove kaddr_to_user_ptr()
  linux/user_ptr.h: Improve comment formatting
  arm64: uapi: Add asm/cheri.h
  linux/cheri.h: Introduce CHERI helpers
  arm64: morello: Implement cheri.h
  fs/binfmt_elf: Use appropriate caps for AT_CHERI_{SEAL,CID}_CAP
  arm64: compat: Use appropriate root cap in compat_ptr() in PCuABI
  linux/user_ptr.h: Generic PCuABI impl for uaddr_to_user_ptr*
  arm64: Remove asm/user_ptr.h
  arm64: morello: Initialise user capabilities from cheri_user_root_*
  arm64: morello: Initialise user DDC from cheri_user_root_*
  arm64: morello: Build arbitrary user caps using appropriate root
  arm64: morello: Remove morello_root_cap
  arm64: morello: Update root capability in documentation
 Documentation/arm64/morello.rst     |  23 +++--
 Documentation/core-api/user_ptr.rst |   8 --
 arch/Kconfig                        |   2 +-
 arch/arm64/Kconfig                  |   2 +-
 arch/arm64/include/asm/cheri.h      |  11 +++
 arch/arm64/include/asm/compat.h     |   9 +-
 arch/arm64/include/asm/morello.h    |  12 ++-
 arch/arm64/include/asm/user_ptr.h   |  43 ---------
 arch/arm64/include/uapi/asm/cheri.h |  11 +++
 arch/arm64/kernel/morello.c         | 143 +++++++++++++++++-----------
 arch/arm64/kernel/process.c         |   2 +-
 arch/arm64/kernel/ptrace.c          |   2 +-
 arch/arm64/lib/morello.S            |  17 ++--
 drivers/pps/pps.c                   |   1 +
 fs/binfmt_elf.c                     |  10 +-
 include/linux/cheri.h               | 132 +++++++++++++++++++++++++
 include/linux/user_ptr.h            |  69 ++++++-------
 lib/Makefile                        |   3 +
 lib/cheri.c                         |  72 ++++++++++++++
 lib/user_ptr.c                      |  26 +++++
 20 files changed, 413 insertions(+), 185 deletions(-)
 create mode 100644 arch/arm64/include/asm/cheri.h
 delete mode 100644 arch/arm64/include/asm/user_ptr.h
 create mode 100644 arch/arm64/include/uapi/asm/cheri.h
 create mode 100644 include/linux/cheri.h
 create mode 100644 lib/cheri.c
 create mode 100644 lib/user_ptr.c
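The root-capability hierarchy the cover letter describes (cheri_user_root_all_cap as the "root of roots", cheri_user_root_cap with user bounds and mmap() permissions, and the seal root as the only source of Seal/Unseal for userspace), as an added plain-C model of the monotonic derivation rule; this is not the series' code, and the struct layout, permission bits, USER_LIMIT and the helper names cap_derive/cap_check are assumptions of the model.

```c
/* Added model (not the series' code) of monotonic capability derivation;
 * layout, perm bits, USER_LIMIT and helper names are invented for the model. */
#include <stdbool.h>
#include <stdint.h>
enum { PERM_LOAD = 1, PERM_STORE = 2, PERM_SEAL = 4, PERM_UNSEAL = 8,
       PERM_CID = 16, PERM_SW_VMEM = 32 };
struct cap { uint64_t base, limit; unsigned perms; bool valid; };
#define USER_LIMIT 0x0001000000000000ULL /* assumed user space: [0, USER_LIMIT) */

/* Monotonicity: a derived cap may only shrink bounds and drop permissions;
 * any attempt to gain either yields an invalid (untagged) capability. */
static struct cap cap_derive(struct cap root, uint64_t base, uint64_t len,
                             unsigned perms)
{
    struct cap c = { base, base + len, perms, false };
    if (!root.valid || base < root.base || base + len < base ||
        base + len > root.limit || (perms & ~root.perms))
        return c;
    c.valid = true;
    return c;
}

/* "Root of roots": every permission over the whole address space. */
static struct cap cheri_user_root_all_cap(void)
{
    return (struct cap){ 0, UINT64_MAX, PERM_LOAD | PERM_STORE | PERM_SEAL |
                         PERM_UNSEAL | PERM_CID | PERM_SW_VMEM, true };
}

/* Regular root: user bounds, the most mmap() can hand out, no Seal/Unseal/CID. */
static struct cap cheri_user_root_cap(void)
{
    return cap_derive(cheri_user_root_all_cap(), 0, USER_LIMIT,
                      PERM_LOAD | PERM_STORE | PERM_SW_VMEM);
}

/* Seal root: the only source of Seal/Unseal permission for userspace. */
static struct cap cheri_user_root_seal_cap(void)
{
    return cap_derive(cheri_user_root_all_cap(), 0, USER_LIMIT,
                      PERM_SEAL | PERM_UNSEAL);
}

/* Spirit of cheri_check_cap(): does c authorise [addr, addr + len) with perms? */
static bool cap_check(struct cap c, uint64_t addr, uint64_t len, unsigned perms)
{
    return c.valid && addr >= c.base && addr + len >= addr &&
           addr + len <= c.limit && (perms & ~c.perms) == 0;
}
```

A capability that reaches past the user address space, or that asks for Seal from the regular root, comes back untagged; the same request against the seal root succeeds.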