On 31/01/2023 12:27, Beata Michalska wrote:

This one does not seem to be tightly coupled with the rest of the patches within the series so maybe pull it out and send separately as I guess it could be already merged ?

I think that's fair yes, if you think it looks good I would just merge it now.

Kevin

---

BR B. On Mon, Dec 12, 2022 at 10:35:36AM +0000, Kevin Brodsky wrote:

...

Commit "pps: Update compat ioctl handler for compat64" introduced the use of compat_ptr() in pps_cdev_compat_ioctl(), which relied on the implicit inclusion of <asm/compat.h>. compat_ptr() is generally defined in the generic <linux/compat.h>, so make sure to include it explicitly.

Fixes: ("pps: Update compat ioctl handler for compat64") Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com

---

This is to avoid breaking the build in !PCuABI after patch 8.

drivers/pps/pps.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c index 45551c113172..dba5a67a92d1 100644 --- a/drivers/pps/pps.c +++ b/drivers/pps/pps.c @@ -18,6 +18,7 @@ #include <linux/poll.h> #include <linux/pps_kernel.h> #include <linux/slab.h> +#include <linux/compat.h> #include "kc.h" -- 2.38.1

---

linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org

On 02/02/2023 17:00, Beata Michalska wrote:

On Thu, Feb 02, 2023 at 09:32:54AM +0100, Kevin Brodsky wrote:

...

On 31/01/2023 12:27, Beata Michalska wrote:

...

This one does not seem to be tightly coupled with the rest of the patches within the series so maybe pull it out and send separately as I guess it could be already merged ?

I think that's fair yes, if you think it looks good I would just merge it now.

I'd say go ahead and merge it. Thanks!

Thanks, done :) Now in next.

Kevin

---

BR B.

...

Kevin

...

---

BR B. On Mon, Dec 12, 2022 at 10:35:36AM +0000, Kevin Brodsky wrote:

...

Commit "pps: Update compat ioctl handler for compat64" introduced the use of compat_ptr() in pps_cdev_compat_ioctl(), which relied on the implicit inclusion of <asm/compat.h>. compat_ptr() is generally defined in the generic <linux/compat.h>, so make sure to include it explicitly.

Fixes: ("pps: Update compat ioctl handler for compat64") Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com

---

This is to avoid breaking the build in !PCuABI after patch 8.

drivers/pps/pps.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c index 45551c113172..dba5a67a92d1 100644 --- a/drivers/pps/pps.c +++ b/drivers/pps/pps.c @@ -18,6 +18,7 @@ #include <linux/poll.h> #include <linux/pps_kernel.h> #include <linux/slab.h> +#include <linux/compat.h> #include "kc.h" -- 2.38.1

---

linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org

On Mon, Dec 12, 2022 at 10:35:37AM +0000, Kevin Brodsky wrote:

The removal of set_fs() is now firmly established and there should

We could actually mention the exact commit that removed support for CONFIG_SET_FS ? 967747bbc084 : uaccess: remove CONFIG_SET_FS

--- BR B.

therefore be no need to create user pointers from kernel addresses any more. This means we can get rid of kaddr_to_user_ptr(), which is unused.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com

Documentation/core-api/user_ptr.rst | 8 -------- arch/arm64/include/asm/user_ptr.h | 8 -------- include/linux/user_ptr.h | 16 ---------------- 3 files changed, 32 deletions(-)

diff --git a/Documentation/core-api/user_ptr.rst b/Documentation/core-api/user_ptr.rst index 21e02d4bd11b..925d22df2b9d 100644 --- a/Documentation/core-api/user_ptr.rst +++ b/Documentation/core-api/user_ptr.rst @@ -97,7 +97,6 @@ Each function covers a particular category of input integer:

• User-provided user address: ``uaddr_to_user_ptr()``
• Kernel-controlled user address: ``uaddr_to_user_ptr_safe()``
• • Kernel address: ``kaddr_to_user_ptr()``

• **Compat pointer**: ``compat_ptr()``

@@ -130,13 +129,6 @@ derived from in the PCuABI case. | | user address | mappings during | | kernel needs to access user memory using a bare | | | | process initialisation | | virtual address that is not provided by userspace. | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ -| ``kaddr_to_user_ptr()`` | Kernel address | [None currently] | Kernel root capability | There used to be a number of situations where kernel | -| | | | | memory was accessed through uaccess, requiring user | -| | | | | pointers to be created out of kernel addresses. | -| | | | | This should no longer be the case and this function | -| | | | | will be removed once it is confirmed that there is | -| | | | | no use-case left. | -+------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ | ``compat_ptr()`` | Compat pointer | Pointer in a | Current user DDC | Must be used whenever converting a compat user | | | | user-provided | | pointer to a native user pointer. | | | | ``compat_*`` struct | | | diff --git a/arch/arm64/include/asm/user_ptr.h b/arch/arm64/include/asm/user_ptr.h index 745e7d34f25b..323ad0301cbd 100644 --- a/arch/arm64/include/asm/user_ptr.h +++ b/arch/arm64/include/asm/user_ptr.h @@ -30,14 +30,6 @@ static inline void __user *uaddr_to_user_ptr_safe(ptraddr_t addr) } #define uaddr_to_user_ptr_safe(addr) uaddr_to_user_ptr_safe(addr) -static inline void __user *kaddr_to_user_ptr(ptraddr_t addr) -{

• uintcap_t root_cap = morello_get_root_cap();
• return (void __user *)__builtin_cheri_address_set(root_cap, addr);

-} -#define kaddr_to_user_ptr(addr) kaddr_to_user_ptr(addr)

#endif /* CONFIG_CHERI_PURECAP_UABI */ #endif /* __ASM_USER_PTR_H */ diff --git a/include/linux/user_ptr.h b/include/linux/user_ptr.h index 0942b58cfb6a..e2de3464bcf8 100644 --- a/include/linux/user_ptr.h +++ b/include/linux/user_ptr.h @@ -65,22 +65,6 @@ static inline void __user *uaddr_to_user_ptr_safe(ptraddr_t addr) } #endif -#ifndef kaddr_to_user_ptr -/**

• • kaddr_to_user_ptr - convert a kernel address to a user pointer
• • @addr: the address to set the pointer to
• • Returns a user pointer with its address set to @addr.
• • This function should be used when kernel memory needs to be accessed via a
• • user pointer. There should be no use for it after the removal of set_fs().
• */

-static inline void __user *kaddr_to_user_ptr(ptraddr_t addr) -{

• return as_user_ptr(addr);

-} -#endif

/**

• user_ptr_addr - extract the address of a user pointer
• @ptr: the user pointer to extract the address from

-- 2.38.1

---

linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org

On Thu, Feb 02, 2023 at 09:44:08AM +0100, Kevin Brodsky wrote:

On 31/01/2023 12:25, Beata Michalska wrote:

...

On Mon, Dec 12, 2022 at 10:35:37AM +0000, Kevin Brodsky wrote:

...

The removal of set_fs() is now firmly established and there should

We could actually mention the exact commit that removed support for CONFIG_SET_FS ? 967747bbc084 : uaccess: remove CONFIG_SET_FS

Right the way I thought about it was that it happened over a certain period of time, but indeed it's worth mentioning the final commit, will add that.

I get the idea, which is good, but that was the ultimate end of things for set_fs so I thought it would be nice to mention it.

--- BR B.

Kevin

...

---

BR B.

...

therefore be no need to create user pointers from kernel addresses any more. This means we can get rid of kaddr_to_user_ptr(), which is unused.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com

Documentation/core-api/user_ptr.rst | 8 -------- arch/arm64/include/asm/user_ptr.h | 8 -------- include/linux/user_ptr.h | 16 ---------------- 3 files changed, 32 deletions(-)

diff --git a/Documentation/core-api/user_ptr.rst b/Documentation/core-api/user_ptr.rst index 21e02d4bd11b..925d22df2b9d 100644 --- a/Documentation/core-api/user_ptr.rst +++ b/Documentation/core-api/user_ptr.rst @@ -97,7 +97,6 @@ Each function covers a particular category of input integer:

• User-provided user address: ``uaddr_to_user_ptr()``
• Kernel-controlled user address: ``uaddr_to_user_ptr_safe()``
• • Kernel address: ``kaddr_to_user_ptr()``

• **Compat pointer**: ``compat_ptr()``

@@ -130,13 +129,6 @@ derived from in the PCuABI case. | | user address | mappings during | | kernel needs to access user memory using a bare | | | | process initialisation | | virtual address that is not provided by userspace. | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ -| ``kaddr_to_user_ptr()`` | Kernel address | [None currently] | Kernel root capability | There used to be a number of situations where kernel | -| | | | | memory was accessed through uaccess, requiring user | -| | | | | pointers to be created out of kernel addresses. | -| | | | | This should no longer be the case and this function | -| | | | | will be removed once it is confirmed that there is | -| | | | | no use-case left. | -+------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ | ``compat_ptr()`` | Compat pointer | Pointer in a | Current user DDC | Must be used whenever converting a compat user | | | | user-provided | | pointer to a native user pointer. | | | | ``compat_*`` struct | | | diff --git a/arch/arm64/include/asm/user_ptr.h b/arch/arm64/include/asm/user_ptr.h index 745e7d34f25b..323ad0301cbd 100644 --- a/arch/arm64/include/asm/user_ptr.h +++ b/arch/arm64/include/asm/user_ptr.h @@ -30,14 +30,6 @@ static inline void __user *uaddr_to_user_ptr_safe(ptraddr_t addr) } #define uaddr_to_user_ptr_safe(addr) uaddr_to_user_ptr_safe(addr) -static inline void __user *kaddr_to_user_ptr(ptraddr_t addr) -{

• uintcap_t root_cap = morello_get_root_cap();
• return (void __user *)__builtin_cheri_address_set(root_cap, addr);

-} -#define kaddr_to_user_ptr(addr) kaddr_to_user_ptr(addr)

#endif /* CONFIG_CHERI_PURECAP_UABI */ #endif /* __ASM_USER_PTR_H */ diff --git a/include/linux/user_ptr.h b/include/linux/user_ptr.h index 0942b58cfb6a..e2de3464bcf8 100644 --- a/include/linux/user_ptr.h +++ b/include/linux/user_ptr.h @@ -65,22 +65,6 @@ static inline void __user *uaddr_to_user_ptr_safe(ptraddr_t addr) } #endif -#ifndef kaddr_to_user_ptr -/**

• • kaddr_to_user_ptr - convert a kernel address to a user pointer
• • @addr: the address to set the pointer to
• • Returns a user pointer with its address set to @addr.
• • This function should be used when kernel memory needs to be accessed via a
• • user pointer. There should be no use for it after the removal of set_fs().
• */

-static inline void __user *kaddr_to_user_ptr(ptraddr_t addr) -{

• return as_user_ptr(addr);

-} -#endif

/**

• user_ptr_addr - extract the address of a user pointer
• @ptr: the user pointer to extract the address from

-- 2.38.1

---

linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org

On Mon, Dec 12, 2022 at 10:35:40AM +0000, Kevin Brodsky wrote:

For architectures implementing CHERI capabilities, introduce a new cheri.h header that defines a few helpers and macros, in addition to what is available in the compiler-provided <cheriintrin.h>.

This header is only meant for code manipulating CHERI capabilities explicitly and expands to nothing if __CHERI__ is not defined.

CONFIG_HAVE_ARCH_CHERI_H is also added to allow architectures to override some of the definitions by providing their own asm/cheri.h.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com

arch/Kconfig | 3 + include/linux/cheri.h | 132 ++++++++++++++++++++++++++++++++++++++++++ lib/Makefile | 2 + lib/cheri.c | 72 +++++++++++++++++++++++ 4 files changed, 209 insertions(+) create mode 100644 include/linux/cheri.h create mode 100644 lib/cheri.c

diff --git a/arch/Kconfig b/arch/Kconfig index afde8a4eeee6..6c3c2e19b77e 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -1376,6 +1376,9 @@ config DYNAMIC_SIGFRAME config HAVE_ARCH_NODE_DEV_GROUP bool +config HAVE_ARCH_CHERI_H

• bool

config ARCH_HAS_USER_PTR_H bool diff --git a/include/linux/cheri.h b/include/linux/cheri.h new file mode 100644 index 000000000000..5f95f1ac8f01 --- /dev/null +++ b/include/linux/cheri.h @@ -0,0 +1,132 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef _LINUX_CHERI_H +#define _LINUX_CHERI_H

+#ifdef __CHERI__

+#include <cheriintrin.h>

+#include <linux/types.h>

+#include <uapi/asm/cheri.h> +#ifdef CONFIG_HAVE_ARCH_CHERI_H +#include <asm/cheri.h> +#endif

+/*

• • Standard permission sets for new capabilities. Can be overridden by
• • architectures to add arch-specific permissions.
• */

+#ifndef CHERI_PERMS_READ +#define CHERI_PERMS_READ \

• (CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP)

+#endif

+#ifndef CHERI_PERMS_WRITE +#define CHERI_PERMS_WRITE \

• (CHERI_PERM_STORE | CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP)

+#endif

+#ifndef CHERI_PERMS_EXEC +#define CHERI_PERMS_EXEC \

• (CHERI_PERM_EXECUTE | CHERI_PERM_SYSTEM_REGS)

+#endif

+#ifndef CHERI_PERMS_ROOTCAP +#define CHERI_PERMS_ROOTCAP \

• (CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM)

+#endif

+/**

• • cheri_build_user_cap() - Create a userspace capability.
• • @addr: Requested capability address.
• • @len: Requested capability length.
• • @perms: Requested capability permissions.
• • Return: A new capability derived from cheri_user_root_cap. Its address and

• •     permissions are set according to @addr and @perms respectively. Its
    

• •     bounds are set exactly with @addr as base address and @len as
    

• •     length.
    

• • The caller is responsible to ensure that:
• • 1. @addr is a valid userspace address.
• • 2. The (@addr, @len) tuple can be represented as capability bounds.
• • 3. @perms are valid permissions for a regular userspace capability.
• • If either 1. or 2. does not hold, the resulting capability will be invalid.
• • If 3. does not hold, the returned capability will not have any of the invalid
• • permissions.
• */

+void * __capability +cheri_build_user_cap(ptraddr_t addr, size_t len, cheri_perms_t perms);

The returned capability might be invalid as of having tag cleared. I assume in most of the cases it will be just fine, but wondering if it would make sense to return either capability with null capability , or one that could be validated with PTR_ERR somewhat ? Just thinking at loud here, how one would verify the result is valid (currently it would need check tag but maybe we could utilize more generic way of validating pointers ... On the other hand those new helpers are available only when __CHERI__ is defined so I assume there are only to be used in CHERI-related contexts ?

+/**

• • cheri_build_user_cap_inexact_bounds() - Create a userspace capability,

• •                                     allowing bounds to be enlarged.
    

• • @addr: Requested capability address.
• • @len: Requested capability length.
• • @perms: Requested capability permissions.
• • Return: A new capability derived from cheri_user_root_cap. Its address and

• •     permissions are set according to @addr and @perms respectively. Its
    

• •     bounds are set to the smallest representable range that includes the
    

• •     range [@addr, @addr + @len[.
    

• • This variant of cheri_build_user_cap() should only be used when it is safe to
• • enlarge the bounds of the capability. In particular, it should never be used
• • when creating a capability that is to be provided to userspace, because the
• • potentially enlarged bounds might give access to unrelated objects.
• • The caller is responsible to ensure that:
• • 1. @addr is a valid userspace address.
• • 2. @perms are valid permissions for a regular userspace capability.
• • If 1. does not hold, the resulting capability will be invalid.
• • If 2. does not hold, the returned capability will not have any of the invalid
• • permissions.
• */

+void * __capability +cheri_build_user_cap_inexact_bounds(ptraddr_t addr, size_t len,

• 		    cheri_perms_t perms);
  

+/**

• • cheri_check_cap() - Check whether a capability gives access to a range of

• •                 addresses.
    

• • @cap: Capability to check.
• • @len: Length of the access.
• • @perms: Required permissions.
• • Checks whether @cap gives access to a given range of addresses and has the
• • requested permissions. This means that:
• • • @cap is valid and unsealed.
• • • The range [@cap.address, @cap.address + @len[ is within the bounds
• • of @cap.
• • • The permissions of @cap include at least @perms.
• • Return: true if @cap passes the checks.
• */

+bool cheri_check_cap(void * __capability cap, size_t len, cheri_perms_t perms);

Minor but maybe void * __capability with const qualifier ?

+/*

• • Root capabilities. Should be set in arch code during the early init phase,
• • read-only after that.
• • cheri_user_root_cap is the standard root capability to derive new regular
• • (data/code) capabilities from. It does not include the special permissions
• • Seal/Unseal and CompartmentID; those are available separately via
• • cheri_user_root_{seal,cid}_cap. Finally cheri_user_root_all_cap includes all
• • permissions accessible to userspace and is ultimately the root of all user
• • capabilities; it should only be used in very specific situations.
• • The helpers above should be used instead where possible.
• */

+extern uintcap_t cheri_user_root_cap; /* Userspace (data/code) root */ +extern uintcap_t cheri_user_root_seal_cap; /* Userspace sealing root */ +extern uintcap_t cheri_user_root_cid_cap; /* Userspace compartment ID root */ +extern uintcap_t cheri_user_root_all_cap; /* Userspace root (all permissions) */

xxx_root_all_cap somehwat reads to me as 'all capabilities' instead of 'capability with all permissions' even the context guards the interpretation, but maybe xxx_root_fill_cap instead ?

+#endif /* __CHERI__ */

+#endif /* _LINUX_CHERI_H */ diff --git a/lib/Makefile b/lib/Makefile index 6b9ffc1bd1ee..8dd8c00fee31 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -263,6 +263,8 @@ obj-$(CONFIG_MEMREGION) += memregion.o obj-$(CONFIG_STMP_DEVICE) += stmp_device.o obj-$(CONFIG_IRQ_POLL) += irq_poll.o +obj-y += cheri.o

# stackdepot.c should not be instrumented or call instrumented functions. # Prevent the compiler from calling builtins like memcmp() or bcmp() from this # file. diff --git a/lib/cheri.c b/lib/cheri.c new file mode 100644 index 000000000000..d895e6594c21 --- /dev/null +++ b/lib/cheri.c @@ -0,0 +1,72 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifdef __CHERI__

+#include <linux/bug.h> +#include <linux/cheri.h> +#include <linux/mm.h>

+uintcap_t cheri_user_root_cap __ro_after_init; +uintcap_t cheri_user_root_seal_cap __ro_after_init; +uintcap_t cheri_user_root_cid_cap __ro_after_init; +uintcap_t cheri_user_root_all_cap __ro_after_init;

+static void * __capability +build_user_cap(ptraddr_t addr, size_t len, cheri_perms_t perms, bool exact_bounds) +{

• void * __capability ret = (void * __capability)cheri_user_root_cap;
• cheri_perms_t root_perms = cheri_perms_get(ret);
• ret = cheri_perms_and(ret, perms);
• ret = cheri_address_set(ret, addr);
• if (exact_bounds)

• ret = cheri_bounds_set_exact(ret, len);
  

• else

• ret = cheri_bounds_set(ret, len);
  

• WARN(perms & ~root_perms,

•     "Permission mask %#lx discarded while creating user capability %#lp\n",
  

•     perms & ~root_perms, ret);
  

• WARN(cheri_is_invalid(ret),

•     "Invalid user capability created: %#lp (%s bounds requested)\n",
  

•     ret, (exact_bounds ? "exact" : "inexact"));
  

• return ret;

+}

+void * __capability +cheri_build_user_cap(ptraddr_t addr, size_t len, cheri_perms_t perms) +{

• return build_user_cap(addr, len, perms, true);

+}

+void * __capability +cheri_build_user_cap_inexact_bounds(ptraddr_t addr, size_t len,

• 		    cheri_perms_t perms)
  

+{

• return build_user_cap(addr, len, perms, false);

+}

+bool cheri_check_cap(void * __capability cap, size_t len, cheri_perms_t perms) +{

• ptraddr_t addr = untagged_addr(cheri_address_get(cap));
• /*

• * The base address (as returned by cheri_base_get()) is never tagged,
  

• * that is its top byte is always canonical, so no need for
  

• * untagged_addr().
  

• */
  

• ptraddr_t base = cheri_base_get(cap);
• if (cheri_is_invalid(cap) || cheri_is_sealed(cap))

• return false;
  

• if (addr < base || addr > base + cheri_length_get(cap) - len)

• return false;
  

• if (perms & ~cheri_perms_get(cap))

• return false;
  

• return true;

+}

+#endif /* __CHERI__ */

2.38.1

---

linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org

On Thu, Feb 02, 2023 at 09:56:16AM +0100, Kevin Brodsky wrote:

On 31/01/2023 12:24, Beata Michalska wrote:

...

...

diff --git a/include/linux/cheri.h b/include/linux/cheri.h new file mode 100644 index 000000000000..5f95f1ac8f01 --- /dev/null +++ b/include/linux/cheri.h @@ -0,0 +1,132 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef _LINUX_CHERI_H +#define _LINUX_CHERI_H

+#ifdef __CHERI__

+#include <cheriintrin.h>

+#include <linux/types.h>

+#include <uapi/asm/cheri.h> +#ifdef CONFIG_HAVE_ARCH_CHERI_H +#include <asm/cheri.h> +#endif

+/*

• • Standard permission sets for new capabilities. Can be overridden by
• • architectures to add arch-specific permissions.
• */

+#ifndef CHERI_PERMS_READ +#define CHERI_PERMS_READ \

• (CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP)

+#endif

+#ifndef CHERI_PERMS_WRITE +#define CHERI_PERMS_WRITE \

• (CHERI_PERM_STORE | CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP)

+#endif

+#ifndef CHERI_PERMS_EXEC +#define CHERI_PERMS_EXEC \

• (CHERI_PERM_EXECUTE | CHERI_PERM_SYSTEM_REGS)

+#endif

+#ifndef CHERI_PERMS_ROOTCAP +#define CHERI_PERMS_ROOTCAP \

• (CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM)

+#endif

+/**

• • cheri_build_user_cap() - Create a userspace capability.
• • @addr: Requested capability address.
• • @len: Requested capability length.
• • @perms: Requested capability permissions.
• • Return: A new capability derived from cheri_user_root_cap. Its address and

• •     permissions are set according to @addr and @perms respectively. Its
    

• •     bounds are set exactly with @addr as base address and @len as
    

• •     length.
    

• • The caller is responsible to ensure that:
• • 1. @addr is a valid userspace address.
• • 2. The (@addr, @len) tuple can be represented as capability bounds.
• • 3. @perms are valid permissions for a regular userspace capability.
• • If either 1. or 2. does not hold, the resulting capability will be invalid.
• • If 3. does not hold, the returned capability will not have any of the invalid
• • permissions.
• */

+void * __capability +cheri_build_user_cap(ptraddr_t addr, size_t len, cheri_perms_t perms);

The returned capability might be invalid as of having tag cleared. I assume in most of the cases it will be just fine, but wondering if it would make sense to return either capability with null capability , or one that could be validated with PTR_ERR somewhat ? Just thinking at loud here, how one would verify the result is valid (currently it would need check tag but maybe we could utilize more generic way of validating pointers ... On the other hand those new helpers are available only when __CHERI__ is defined so I assume there are only to be used in CHERI-related contexts ?

Yes, those helpers can only be used directly by CHERI-specific code. As to the issue of the returned capability being invalid, that would be a bug, i.e. the caller asked for bounds that are not representable (in the exact case) or are not within the userspace range. That's why there is a WARN() in the implementation: in such a case, the caller broke the contract and we report a bug. I think it makes more sense to do it this way than require the caller to check for errors, because there is no "normal error" here, only invalid usage.

Noted & agreed.

...

...

+/**

• • cheri_build_user_cap_inexact_bounds() - Create a userspace capability,

• •                                     allowing bounds to be enlarged.
    

• • @addr: Requested capability address.
• • @len: Requested capability length.
• • @perms: Requested capability permissions.
• • Return: A new capability derived from cheri_user_root_cap. Its address and

• •     permissions are set according to @addr and @perms respectively. Its
    

• •     bounds are set to the smallest representable range that includes the
    

• •     range [@addr, @addr + @len[.
    

• • This variant of cheri_build_user_cap() should only be used when it is safe to
• • enlarge the bounds of the capability. In particular, it should never be used
• • when creating a capability that is to be provided to userspace, because the
• • potentially enlarged bounds might give access to unrelated objects.
• • The caller is responsible to ensure that:
• • 1. @addr is a valid userspace address.
• • 2. @perms are valid permissions for a regular userspace capability.
• • If 1. does not hold, the resulting capability will be invalid.
• • If 2. does not hold, the returned capability will not have any of the invalid
• • permissions.
• */

+void * __capability +cheri_build_user_cap_inexact_bounds(ptraddr_t addr, size_t len,

• 		    cheri_perms_t perms);
  

+/**

• • cheri_check_cap() - Check whether a capability gives access to a range of

• •                 addresses.
    

• • @cap: Capability to check.
• • @len: Length of the access.
• • @perms: Required permissions.
• • Checks whether @cap gives access to a given range of addresses and has the
• • requested permissions. This means that:
• • • @cap is valid and unsealed.
• • • The range [@cap.address, @cap.address + @len[ is within the bounds
• • of @cap.
• • • The permissions of @cap include at least @perms.
• • Return: true if @cap passes the checks.
• */

+bool cheri_check_cap(void * __capability cap, size_t len, cheri_perms_t perms);

Minor but maybe void * __capability with const qualifier ?

Makes sense yes, capabilities are still pointers after all, and const correctness never hurts :)

...

...

+/*

• • Root capabilities. Should be set in arch code during the early init phase,
• • read-only after that.
• • cheri_user_root_cap is the standard root capability to derive new regular
• • (data/code) capabilities from. It does not include the special permissions
• • Seal/Unseal and CompartmentID; those are available separately via
• • cheri_user_root_{seal,cid}_cap. Finally cheri_user_root_all_cap includes all
• • permissions accessible to userspace and is ultimately the root of all user
• • capabilities; it should only be used in very specific situations.
• • The helpers above should be used instead where possible.
• */

+extern uintcap_t cheri_user_root_cap; /* Userspace (data/code) root */ +extern uintcap_t cheri_user_root_seal_cap; /* Userspace sealing root */ +extern uintcap_t cheri_user_root_cid_cap; /* Userspace compartment ID root */ +extern uintcap_t cheri_user_root_all_cap; /* Userspace root (all permissions) */

xxx_root_all_cap somehwat reads to me as 'all capabilities' instead of 'capability with all permissions' even the context guards the interpretation, but maybe xxx_root_fill_cap instead ?

Right, that's the issue with this naming scheme. I'm not sure what you're referring to with "fill" though? How about explicitly "allperms"?

My usual misspelling ... I meant 'full' as of : cheri_user_root_full_cap. Having 'allperms' seems adequate as well.

--- BR B.

Kevin

...

...

+#endif /* __CHERI__ */

+#endif /* _LINUX_CHERI_H */

On 18/01/2023 09:22, Amit Daniel Kachhap wrote:

...

@@ -307,17 +302,52 @@ static void __init check_root_cap(uintcap_t cap)     static int __init morello_cap_init(void)   { -#ifdef CONFIG_CHERI_PURECAP_UABI -    uintcap_t ctemp; -#endif +    uintcap_t root_cap, user_root_all_cap, ctemp;

+    root_cap = (uintcap_t)cheri_ddc_get(); +    check_root_cap(root_cap);

+    /* Initialise standard CHERI root capabilities. */ +    ctemp = cheri_address_set(root_cap, 0); +    /* Same upper limit as for access_ok() and __uaccess_mask_ptr() */ +    ctemp = cheri_bounds_set(ctemp, TASK_SIZE_MAX); +    ctemp = cheri_perms_and(ctemp, CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ | +                       CHERI_PERMS_WRITE | CHERI_PERMS_EXEC | +                       ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR | +                       CHERI_PERM_SEAL | CHERI_PERM_UNSEAL | +                       ARM_CAP_PERMISSION_COMPARTMENT_ID); +    user_root_all_cap = ctemp;

+    cheri_user_root_all_cap = user_root_all_cap;

Nit: This local variable user_root_all_cap seems to be extra. cheri_user_root_all_cap can be used to derive capabilities.

Right so I introduced this local variable as I thought it was better not to keep reading cheri_user_root_all_cap as it's a global. However a quick experiment on Compiler Explorer shows that I underestimated Clang and it is perfectly happy to assume that there is no need to reload the global every time, meaning that the generated code is exactly the same without using the local variable.

Since I don't really like the way the code looks with that additional variable either, very happy to remove it. Thanks for the nudge :)

...

+    ctemp = user_root_all_cap; +    ctemp = cheri_perms_and(ctemp, CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ | +                       CHERI_PERMS_WRITE | CHERI_PERMS_EXEC | +                       ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR); +    cheri_user_root_cap = ctemp;

+    ctemp = user_root_all_cap; +    /* +     * All object types, not a final decision - some of them may be later +     * reserved to the kernel. +     */ +    ctemp = cheri_bounds_set(ctemp, 1u << 15);

Nit: May a macro like MAX_OBJECT_TYPE for (1u << 15) will make it clear.

Sure, it's Morello-specific so I'll add it directly in this file. It's not actually the maximum object type (often creates confusion as that's 2^15 - 1), so I would introduce CAP_OTYPE_FIELD_BITS = 15 instead.

Kevin

Although a description for it is there.

...

+    ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | +                       CHERI_PERM_SEAL | CHERI_PERM_UNSEAL); +    cheri_user_root_seal_cap = ctemp;   -    morello_root_cap = (uintcap_t)cheri_ddc_get(); +    /* Maximum userspace bounds for the time being. */ +    ctemp = user_root_all_cap; +    ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | +                       ARM_CAP_PERMISSION_COMPARTMENT_ID); +    cheri_user_root_cid_cap = ctemp;   -    check_root_cap(morello_root_cap); +    /* Initialise Morello-specific root capabilities. */ +    morello_root_cap = root_cap;     #ifdef CONFIG_CHERI_PURECAP_UABI       /* Initialize a capability able to unseal sentry capabilities. */ -    ctemp = cheri_address_set(morello_root_cap, CHERI_OTYPE_SENTRY); +    ctemp = cheri_address_set(root_cap, CHERI_OTYPE_SENTRY);       ctemp = cheri_bounds_set(ctemp, 1);       ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | CHERI_PERM_UNSEAL);       morello_sentry_unsealcap = ctemp;

On 31/01/2023 12:25, Beata Michalska wrote:

...

diff --git a/arch/arm64/kernel/morello.c b/arch/arm64/kernel/morello.c index ccbf26e77919..0bb7b3dbedec 100644 --- a/arch/arm64/kernel/morello.c +++ b/arch/arm64/kernel/morello.c @@ -5,10 +5,9 @@ #define pr_fmt(fmt) "morello: " fmt -#include <cheriintrin.h>

#include <linux/cache.h> #include <linux/capability.h> +#include <linux/cheri.h> #include <linux/compat.h> #include <linux/mm.h> #include <linux/printk.h> @@ -21,10 +20,6 @@ #include <asm/morello.h> #include <asm/ptrace.h> -#ifdef CONFIG_CHERI_PURECAP_UABI -#include <cheriintrin.h> -#endif

/* Private functions implemented in morello.S */ void __morello_cap_lo_hi_tag(uintcap_t cap, u64 *lo_val, u64 *hi_val, u8 *tag); @@ -295,8 +290,8 @@ static void __init check_root_cap(uintcap_t cap) __morello_cap_lo_hi_tag(cap, &lo_val, &hi_val, &tag); /*

• * Check that DDC has the reset value, otherwise morello_root_cap and
  

• * all capabilities derived from it (especially those exposed to
  

• * Check that DDC has the reset value, otherwise root capabilities and
  

• * all capabilities derived from them (notably those exposed to
  

  • userspace) may not be reliable.
  */ if (!(tag == 1 &&

@@ -307,17 +302,52 @@ static void __init check_root_cap(uintcap_t cap) static int __init morello_cap_init(void) { -#ifdef CONFIG_CHERI_PURECAP_UABI

• uintcap_t ctemp;

-#endif

• uintcap_t root_cap, user_root_all_cap, ctemp;
• root_cap = (uintcap_t)cheri_ddc_get();
• check_root_cap(root_cap);
• /* Initialise standard CHERI root capabilities. */
• ctemp = cheri_address_set(root_cap, 0);
• /* Same upper limit as for access_ok() and __uaccess_mask_ptr() */
• ctemp = cheri_bounds_set(ctemp, TASK_SIZE_MAX);

Out of curiosity : why not *_set_exact ?

Because in principle, that would require checking that the range is representable. If somehow it wasn't we would have no choice but to expand it to make it representable, which is exactly the same as using the inexact variant. OTOH if we assume that the range is indeed representable, then using one or the other makes no difference.

...

• ctemp = cheri_perms_and(ctemp, CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ |

• 		       CHERI_PERMS_WRITE | CHERI_PERMS_EXEC |
  

• 		       ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR |
  

• 		       CHERI_PERM_SEAL | CHERI_PERM_UNSEAL |
  

• 		       ARM_CAP_PERMISSION_COMPARTMENT_ID);
  

• user_root_all_cap = ctemp;
• cheri_user_root_all_cap = user_root_all_cap;
• ctemp = user_root_all_cap;

I think this one is spurious (?): ctemp has not changed since the assignment two lines above.

See Amit's comment and my reply, I thought I'd introduce a local variable to avoid continuously reading a global, but in fact Clang is very happy to optimise that out too, so I've got rid of user_root_all_cap altogether.

...

• ctemp = cheri_perms_and(ctemp, CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ |

• 		       CHERI_PERMS_WRITE | CHERI_PERMS_EXEC |
  

• 		       ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR);
  

• cheri_user_root_cap = ctemp;

This will probably be optimized out but it could be combined with the cheri_perms_and above and you could drop the following two assignments. Similar optimization could also be done below.

This is certainly optimised out, such local variables are only a matter of style. I've thought about a number of options but in the end it feels like using a temporary for all operations is more consistent, though it does look a bit weird when there is only one operation (i.e. setting permissions). Given the length of the globals' names, I'm not sure doing it in one statement is clearer though.

Thinking some more, we could get a little fancy and introduce some helper to set permissions and bounds. Since we don't always need to set the bounds, that argument should be optional. Conveniently we've found a good macro trick to do that in LTP, so we could reuse it here, something like:

static uintcap_t __build_cap(uintcap_t root, cheri_perms_t perms, size_t length) {     uintcap_t c = root;

c = cheri_perms_and(c, perms);     if (length)         c = cheri_bounds_set(c, length);

return c; } #define build_cap(root, perms, ...) __build_cap(root, perms, ##__VA_ARGS__, 0)

Then to keep it readable, I would use a temporary for the permissions, something like this:

cheri_perms_t perms;     perms = CHERI_PERMS_ROOTCAP | CHERI_PERMS_READ |         CHERI_PERMS_WRITE | CHERI_PERMS_EXEC |         ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR;     cheri_user_root_cap = build_cap(cheri_user_root_all_cap, perms);

How does that sound?

Kevin

---

BR B.

...

• ctemp = user_root_all_cap;
• /*

• * All object types, not a final decision - some of them may be later
  

• * reserved to the kernel.
  

• */
  

• ctemp = cheri_bounds_set(ctemp, 1u << 15);
• ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL |

• 		       CHERI_PERM_SEAL | CHERI_PERM_UNSEAL);
  

• cheri_user_root_seal_cap = ctemp;

• morello_root_cap = (uintcap_t)cheri_ddc_get();

• /* Maximum userspace bounds for the time being. */
• ctemp = user_root_all_cap;
• ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL |

• 		       ARM_CAP_PERMISSION_COMPARTMENT_ID);
  

• cheri_user_root_cid_cap = ctemp;

• check_root_cap(morello_root_cap);

• /* Initialise Morello-specific root capabilities. */
• morello_root_cap = root_cap;

#ifdef CONFIG_CHERI_PURECAP_UABI /* Initialize a capability able to unseal sentry capabilities. */

• ctemp = cheri_address_set(morello_root_cap, CHERI_OTYPE_SENTRY);

• ctemp = cheri_address_set(root_cap, CHERI_OTYPE_SENTRY); ctemp = cheri_bounds_set(ctemp, 1); ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | CHERI_PERM_UNSEAL); morello_sentry_unsealcap = ctemp;

On Mon, Dec 12, 2022 at 10:35:46AM +0000, Kevin Brodsky wrote:

Now that we have introduced the generic cheri_user_root_* userspace root capabilities, we can make use of them to derive the initial user capabilities (process startup and signal delivery). Note that DDC will be taken care of separately, as it is not saved in struct pt_regs and is not initialised in morello_thread_start() either.

For purecap (PCuABI) processes, we derive the capabilities from the "regular" root capability; their bounds and permissions will later be reduced further as per the PCuABI specification.

For hybrid processes (i.e. plain AArch64 ABI + capability support), the capabilities are derived from the special root capability with all permissions, cheri_user_root_all_cap. That's because we are not attempting to constrain the capabilities provided to hybrid processes in any way, and there is no mechanism to provide special permissions (Seal/Unseal/CompartmentID) separately in hybrid.

Since the purecap/hybrid initialisation is now clearly separated, we also use that opportunity to leave CSP zero-initialised in hybrid; a valid CSP should only be provided in purecap.

To avoid some ungraceful #ifdef'ing in morello_setup_signal_return(), morello_sentry_unsealcap is now always defined, as the overhead is insignificant (a 16-byte global and a few instructions on startup).

Minor: You can use IS_ENABLED instead of #ifdef'ing, though I do not mind the change.

--- BR B.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com

arch/arm64/kernel/morello.c | 71 ++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 37 deletions(-)

diff --git a/arch/arm64/kernel/morello.c b/arch/arm64/kernel/morello.c index 0bb7b3dbedec..7a9113e2cf5f 100644 --- a/arch/arm64/kernel/morello.c +++ b/arch/arm64/kernel/morello.c @@ -28,9 +28,7 @@ bool __morello_cap_has_executive(uintcap_t cap); /* Not defined as static because morello.S refers to it */ uintcap_t morello_root_cap __ro_after_init; -#ifdef CONFIG_CHERI_PURECAP_UABI static uintcap_t morello_sentry_unsealcap __ro_after_init; -#endif /* DDC_ELx reset value (low/high 64 bits), as defined in the Morello spec */ #define DDC_RESET_VAL_LOW_64 0x0 @@ -41,14 +39,9 @@ uintcap_t morello_get_root_cap(void) return morello_root_cap; } -static void init_pcc(struct pt_regs *regs) +static bool is_pure_task(void) {

• /*

• * Set PCC to the root capability. There is no need to set its value to
  

• * pc, this will be taken care of when PC is merged into PCC during
  

• * ret_to_user.
  

• */
  

• regs->pcc = morello_root_cap;

• return IS_ENABLED(CONFIG_CHERI_PURECAP_UABI) && !is_compat_task();

} static void update_regs_c64(struct pt_regs *regs, unsigned long pc) @@ -64,21 +57,24 @@ static void update_regs_c64(struct pt_regs *regs, unsigned long pc) } } -static void init_csp(struct pt_regs *regs) -{

• /*

• * TODO [PCuABI] - Adjust the bounds/permissions properly
  

• * This should also be somehow hooked up for stack limit changes
  

• */
  

• /* The actual value for CSP will be set during ret_to_user */
• regs->csp = morello_root_cap;

-}

void morello_thread_start(struct pt_regs *regs, unsigned long pc) {

• init_pcc(regs); update_regs_c64(regs, pc);
• init_csp(regs);

• /*

• * Note: there is no need to explicitly set the address of PCC/CSP as
  

• * PC/SP are already set to the appropriate values in regs, and X/C
  

• * register merging automatically happens during ret_to_user.
  

• */
  

• if (is_pure_task()) {

• /* TODO [PCuABI] - Adjust the bounds/permissions properly */
  

• regs->pcc = cheri_user_root_cap;
  

• regs->csp = cheri_user_root_cap;
  

• } else /* Hybrid */ {

• regs->pcc = cheri_user_root_all_cap;
  

• /* CSP is null-derived in hybrid */
  

• }

} #ifdef CONFIG_CHERI_PURECAP_UABI @@ -97,22 +93,25 @@ void morello_setup_signal_return(struct pt_regs *regs) * point (this means in particular that the signal handler is invoked in * Executive). */ -#ifdef CONFIG_CHERI_PURECAP_UABI

• if (is_compat_task())

• init_pcc(regs);
  

• /* Unseal if the pcc has sentry object type */
• else if (cheri_is_sentry(regs->pcc))

• regs->pcc = cheri_unseal(regs->pcc, morello_sentry_unsealcap);
  

-#else

• init_pcc(regs);

-#endif update_regs_c64(regs, regs->pc);

• /*

• * Also set CLR to a valid capability, to allow a C64 handler to return
  

• * to the trampoline using `ret clr`.
  

• */
  

• regs->cregs[30] = morello_root_cap;

• if (is_pure_task()) {

• /* Unseal if the pcc has sentry object type */
  

• if (cheri_is_sentry(regs->pcc))
  

• 	regs->pcc = cheri_unseal(regs->pcc,
  

• 				 morello_sentry_unsealcap);
  

• /* TODO [PCuABI] - Adjust the bounds/permissions properly */
  

• regs->cregs[30] = cheri_user_root_cap;
  

• } else /* Hybrid */ {

• regs->pcc = cheri_user_root_all_cap;
  

• /*
  

•  * Also set CLR to a valid capability, to allow a C64 handler
  

•  * to return to the trampoline using `ret clr`.
  

•  */
  

• regs->cregs[30] = cheri_user_root_all_cap;
  

• }

} static char *format_cap(char *buf, size_t size, uintcap_t cap) @@ -345,13 +344,11 @@ static int __init morello_cap_init(void) /* Initialise Morello-specific root capabilities. */ morello_root_cap = root_cap; -#ifdef CONFIG_CHERI_PURECAP_UABI /* Initialize a capability able to unseal sentry capabilities. */ ctemp = cheri_address_set(root_cap, CHERI_OTYPE_SENTRY); ctemp = cheri_bounds_set(ctemp, 1); ctemp = cheri_perms_and(ctemp, CHERI_PERM_GLOBAL | CHERI_PERM_UNSEAL); morello_sentry_unsealcap = ctemp; -#endif return 0; } -- 2.38.1

---

linux-morello mailing list -- linux-morello@op-lists.linaro.org To unsubscribe send an email to linux-morello-leave@op-lists.linaro.org