On 18/01/2023 09:22, Amit Daniel Kachhap wrote:
@@ -307,17 +302,52 @@ static void __init check_root_cap(uintcap_t cap) static int __init morello_cap_init(void) { -#ifdef CONFIG_CHERI_PURECAP_UABI - uintcap_t ctemp; -#endif + uintcap_t root_cap, user_root_all_cap, ctemp;
+ root_cap = (uintcap_t)cheri_ddc_get(); + check_root_cap(root_cap);
+ /* Initialise standard CHERI root capabilities. */ + ctemp = cheri_address_set(root_cap, 0); + /* Same upper limit as for access_ok() and __uaccess_mask_ptr() */ + ctemp = cheri_bounds_set(ctemp, TASK_SIZE_MAX); + ctemp = cheri_perms_and(ctemp, CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ | + CHERI_PERMS_WRITE | CHERI_PERMS_EXEC | + ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR | + CHERI_PERM_SEAL | CHERI_PERM_UNSEAL | + ARM_CAP_PERMISSION_COMPARTMENT_ID); + user_root_all_cap = ctemp;
+ cheri_user_root_all_cap = user_root_all_cap;
Nit: This local variable user_root_all_cap seems to be extra. cheri_user_root_all_cap can be used to derive capabilities.
Right, so I introduced this local variable as I thought it was better not to keep reading cheri_user_root_all_cap as it's a global. However, a quick experiment on Compiler Explorer shows that I underestimated Clang and it is perfectly happy to assume that there is no need to reload the global every time, meaning that the generated code is exactly the same without using the local variable.
Since I don't really like the way the code looks with that additional variable either, very happy to remove it. Thanks for the nudge :)
+ ctemp = user_root_all_cap; + ctemp = cheri_perms_and(ctemp, CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ | + CHERI_PERMS_WRITE | CHERI_PERMS_EXEC | + ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR); + cheri_user_root_cap = ctemp;
+ ctemp = user_root_all_cap; + /* + * All object types, not a final decision - some of them may be later + * reserved to the kernel. + */ + ctemp = cheri_bounds_set(ctemp, 1u << 15);
Nit: Maybe a macro like MAX_OBJECT_TYPE for (1u << 15) will make it clear. Although a description for it is there.
Sure, it's Morello-specific so I'll add it directly in this file. It's not actually the maximum object type (often creates confusion as that's 2^15 - 1), so I would introduce CAP_OTYPE_FIELD_BITS = 15 instead.
Kevin
+ ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | + CHERI_PERM_SEAL | CHERI_PERM_UNSEAL); + cheri_user_root_seal_cap = ctemp; - morello_root_cap = (uintcap_t)cheri_ddc_get(); + /* Maximum userspace bounds for the time being. */ + ctemp = user_root_all_cap; + ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | + ARM_CAP_PERMISSION_COMPARTMENT_ID); + cheri_user_root_cid_cap = ctemp; - check_root_cap(morello_root_cap); + /* Initialise Morello-specific root capabilities. */ + morello_root_cap = root_cap; #ifdef CONFIG_CHERI_PURECAP_UABI /* Initialize a capability able to unseal sentry capabilities. */ - ctemp = cheri_address_set(morello_root_cap, CHERI_OTYPE_SENTRY); + ctemp = cheri_address_set(root_cap, CHERI_OTYPE_SENTRY); ctemp = cheri_bounds_set(ctemp, 1); ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | CHERI_PERM_UNSEAL); morello_sentry_unsealcap = ctemp;
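Review bot: only the DDC-derived root_cap is validated (check_root_cap(root_cap)); none of the capabilities derived from it via cheri_bounds_set()/cheri_perms_and() are checked afterwards, so an unrepresentable bound (if TASK_SIZE_MAX or the 1u << 15 seal bound ever changed) or a DDC lacking one of the requested permissions would silently leave an untagged or under-privileged cheri_user_root_*_cap / morello_sentry_unsealcap to be handed out later. Consider asserting the tag after each derivation, e.g. `WARN_ON(!cheri_tag_get(ctemp));` before each `cheri_user_root_*_cap = ctemp;` assignment, or extending check_root_cap() to cover the derived set, so a misconfiguration fails loudly at init rather than at first use.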