- linux-morello - op-lists.linaro.org

[RFC PATCH 0/9] New CHERI API and rehauled user_ptr.h

by Kevin Brodsky

Hi, I am posting this series now to gather some opinions (notably in terms of naming) before I proceed further. The main focus is the introduction of two new user_ptr helpers: make_privileged_user_ptr() to create fine-grained user pointers (appropriate bounds and permissions), and check_user_ptr() to check user pointers. This does however require more involved CHERI operations than what we've used so far, and as a result it felt like the right time to introduce a new header with various CHERI-related definitions. This new cheri.h header should be included in new code instead of the compiler-provided cheriintrin.h, notably because it is safe to include it unconditionally. linux/cheri.h is also a great place to introduce appropriate (CHERI-generic) root capabilities, which is another focus of this series. This makes it possible to have generic implementations of uaddr_to_user_ptr*() and get rid of asm/user_ptr.h. The introduction of a root userspace capability with appropriate bounds and permissions is the only functional change from a userspace perspective: many capabilities given to userspace will now have bounds encompassing only the user address space and permissions corresponding to what is expected of an RWX capability in PCuABI. This work is to be continued by replacing most uses of morello_root_cap with cheri_root_cap_userspace (either in v2 or in a separate series). On a similar theme, compat_ptr() should be modified to derive capabilities from the current user DDC, and the new seal/CID root capabilities should be used in binfmt_elf.c. This would complete the transition to appropriate root capabilities. Back to the two new user_ptr helpers, make_privileged_user_ptr() is meant to replace uaddr_to_user_ptr_safe() and the latter should eventually disappear. This probably belongs to a different patch series, however the last patch provides an example of such a change. This work should probably wait until we start accessing user memory through capabilities in uaccess, as right now the capability metadata is not used anyway. Note that calls to uaddr_to_user_ptr() are workarounds in themselves and should all be eliminated eventually, so they are not considered here. Regarding check_user_ptr(), there is no immediate need for it - it will become relevant to implement explicit checking of user pointers (when get_user_pages() and friends are used). Finally the user_ptr.rst documentation needs to be updated to reflect the new helpers, this is to be done in v2. This series depends on Beata's handy printk patch for the warning messages. It was lightly tested and should be mostly fine, however note that compat_ptr() currently triggers warnings because it is implemented in terms of uaddr_to_user_ptr_safe() and compat_ptr() may be passed arbitrary integers. This will be fixed in v2 by appropriately deriving capabilities from DDC as mentioned above. Review branch: https://git.morello-project.org/kbrodsky-arm/linux/-/commits/cheri_ptr_api Thanks, Kevin Kevin Brodsky (9): linux/user_ptr.h: Remove kaddr_to_user_ptr() linux/user_ptr.h: Improve comment formatting arm64: uapi: Add asm/cheri.h linux/cheri.h: Introduce CHERI helpers arm64: morello: Implement cheri.h linux/user_ptr.h: Generic PCuABI impl for uaddr_to_user_ptr* arm64: Remove asm/user_ptr.h linux/user_ptr.h: Introduce fine-grained helpers mm/memory: Create fine-grained user pointer Documentation/core-api/user_ptr.rst | 8 -- arch/Kconfig | 2 +- arch/arm64/Kconfig | 2 +- arch/arm64/include/asm/cheri.h | 14 ++++ arch/arm64/include/asm/user_ptr.h | 43 ---------- arch/arm64/include/uapi/asm/cheri.h | 7 ++ arch/arm64/kernel/morello.c | 39 +++++++-- include/linux/cheri.h | 122 ++++++++++++++++++++++++++++ include/linux/user_ptr.h | 113 +++++++++++++++++++------- lib/Makefile | 3 + lib/cheri.c | 67 +++++++++++++++ lib/user_ptr.c | 62 ++++++++++++++ mm/memory.c | 3 +- 13 files changed, 392 insertions(+), 93 deletions(-) create mode 100644 arch/arm64/include/asm/cheri.h delete mode 100644 arch/arm64/include/asm/user_ptr.h create mode 100644 arch/arm64/include/uapi/asm/cheri.h create mode 100644 include/linux/cheri.h create mode 100644 lib/cheri.c create mode 100644 lib/user_ptr.c -- 2.34.1

2 years, 11 months

7
54
0 0

Introduction on the "Linux on Morello Project"

by Vincenzo Frascino

Hi Arnd, I spoke to Linus (in Cc) on Friday and I thought it was a good idea to give to you an update on what we are doing as part of the linux on Morello project. We originally started with the basic enablement of the feature almost two year ago and then proceeded enabling the userspace support as part of the research project. To do so we went through the exercise of defining a Pure Capability based user Application Binary Interface (PCuABI) [1]. This ABI is still in review and we are hoping to finalize it by the end of October 2022. To get started with our implementation we identified a more stable subset of the full PCuABI which we call transitional PCuABI [2] and made sure it can work with the most commonly used C libraries (musl, glibc). The full PCuABI can be seen as an extension of the Transitional PCuABI. Recently we opened our implementation of the transitional PCuABI for external contributions [3]. We setup a mailing list as well for reviews and general discussions around Morello [4] and have a public task tracker that details what we are planning to do next [5]. Last but not least we have a public CI that verifies our implementation (currently based on kselftest and ltp but we are planning to extend it to more test suites in future) [6]. In reading our code, please consider that to enable userspace "quickly" we had to take some shortcuts of which we are aware. Because of that we feel that this is the right moment to start discussing design choices with the wider linux community especially after Matt's (in Cc) presentation at LPC ("Zettalinux: It's Not Too Late To Start") which made us realize that in the near future we will have to solve similar kind of problems. We consider in fact problems like the distinction in between an address and a pointer foundational work for a pure capability kernel. Caveat: Morello is not a committed architecture and the arm64 maintainers are not keen on supporting it upstream before that happens. I hope this email provides an helpful introduction on where we are and what we are doing. Please feel free to ask any question and to subscribe to the list if you want to follow the work we are doing. Thanks, Vincenzo [1] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-M… [3] https://git.morello-project.org/morello/kernel/linux [4] https://op-lists.linaro.org/mailman3/lists/linux-morello.op-lists.linaro.or… [5] https://git.morello-project.org/groups/morello/kernel/-/epics?state=opened&… [6] https://git.morello-project.org/morello/kernel/linux/-/pipelines

2 years, 11 months

3
6
0 0

[PATCH v2] kernel: kcmp: Fix syscall ABI for purecap

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Fix the kcmp syscall (when CONFIG_CHECKPOINT_RESTORE is enabled) for the case that the idx arguments might be pointers (capabilites) passed in. One of the kcmp types uses idx2 to carry a capability pointer to extended structure information copied in from userspace. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- kernel/kcmp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/kcmp.c b/kernel/kcmp.c index 5353edfad8e1..d59f74c68c93 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c @@ -133,7 +133,7 @@ static int kcmp_epoll_target(struct task_struct *task1, #endif SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, - unsigned long, idx1, unsigned long, idx2) + unsigned long, idx1, user_uintptr_t, idx2) { struct task_struct *task1, *task2; int ret; @@ -204,7 +204,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, #endif break; case KCMP_EPOLL_TFD: - ret = kcmp_epoll_target(task1, task2, idx1, (void *)idx2); + ret = kcmp_epoll_target(task1, task2, idx1, + (struct kcmp_epoll_slot __user *)idx2); break; default: ret = -EINVAL; -- 2.25.1

2 years, 11 months

2
2
0 0

[PATCH v2] mm/mmap: disable brk in purecap

by Teo Couprie Diaz

brk is not implemented in purecap, return -ENOSYS when not in compat. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- Thanks Tudor for providing the code snippet, making it much more clear than my original ideas. v2: Fix style and format issues. mm/mmap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mm/mmap.c b/mm/mmap.c index ce282f9d9f8e..5de8e48b66b7 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -202,6 +202,11 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) bool downgraded = false; LIST_HEAD(uf); +#ifdef CONFIG_CHERI_PURECAP_UABI + if (!in_compat_syscall()) + return -ENOSYS; +#endif + if (mmap_write_lock_killable(mm)) return -EINTR; base-commit: 3deb26714719d5068f5ef5d0fa9bc457c3cef6c1 -- 2.25.1

2 years, 11 months

2
1
0 0

[PATCH] kernel: kcmp: Fix syscall ABI for morello purecap

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Fix the kcmp syscall (when CONFIG_CHECKPOINT_RESTORE is enabled) for the case that the idx arguments might be pointers (capabilites) passed in. One of the kcmp types uses idx2 to carry a capability pointer to extended structure information copied in from userspace. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- kernel/kcmp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/kcmp.c b/kernel/kcmp.c index 5353edfad8e1..da164266d647 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c @@ -133,7 +133,7 @@ static int kcmp_epoll_target(struct task_struct *task1, #endif SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, - unsigned long, idx1, unsigned long, idx2) + unsigned long, idx1, user_uintptr_t, idx2) { struct task_struct *task1, *task2; int ret; @@ -204,7 +204,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, #endif break; case KCMP_EPOLL_TFD: - ret = kcmp_epoll_target(task1, task2, idx1, (void *)idx2); + ret = kcmp_epoll_target(task1, task2, idx1, + (struct kcmp_epoll_slot __user *)idx2); break; default: ret = -EINVAL; -- 2.25.1

2 years, 11 months

3
2
0 0

[PATCH] kernel: kcmp: Fix syscall ABI for morello purecap

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Fix the kcmp syscall (when CONFIG_CHECKPOINT_RESTORE is enabled) for the case that the idx arguemnts might be pointers (capabilites) passed in. One of the kcmp types uses idx2 to carry a capability pointer to extended structure information copied in from userspace. This allows for idx2 and idx1 to potentially do this now. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- kernel/kcmp.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kernel/kcmp.c b/kernel/kcmp.c index 5353edfad8e1..6f29a94b07d4 100644 --- a/kernel/kcmp.c +++ b/kernel/kcmp.c @@ -133,13 +133,12 @@ static int kcmp_epoll_target(struct task_struct *task1, #endif SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, - unsigned long, idx1, unsigned long, idx2) + user_uintptr_t, idx1, user_uintptr_t, idx2) { struct task_struct *task1, *task2; int ret; rcu_read_lock(); - /* * Tasks are looked up in caller's PID namespace only. */ @@ -204,7 +203,7 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, #endif break; case KCMP_EPOLL_TFD: - ret = kcmp_epoll_target(task1, task2, idx1, (void *)idx2); + ret = kcmp_epoll_target(task1, task2, idx1, (struct kcmp_epoll_slot __user *)idx2); break; default: ret = -EINVAL; -- 2.25.1

2 years, 12 months

3
2
0 0

[PATCH] fs/timerfd: Modify last arg to timerfd_ioctl to be user_uintptr_t

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Block device ioctl's now take a user_uintptr_t as last argument for morello, so adapt to this to keep compiling if CONFIG_CHECKPOINT_RESTORE is enabled. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- fs/timerfd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/timerfd.c b/fs/timerfd.c index e9c96a0c79f1..5a362ef4eed1 100644 --- a/fs/timerfd.c +++ b/fs/timerfd.c @@ -347,7 +347,7 @@ static void timerfd_show(struct seq_file *m, struct file *file) #endif #ifdef CONFIG_CHECKPOINT_RESTORE -static long timerfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +static long timerfd_ioctl(struct file *file, unsigned int cmd, user_uintptr_t arg) { struct timerfd_ctx *ctx = file->private_data; int ret = 0; -- 2.25.1

2 years, 12 months

3
2
0 0

[PATCH] fs/timerfd: Modify last arg to timerfd_ioctl to be user_uintptr_t

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Block device ioctl's now take a user_uintptr_t as last argument, so adapt to this to keep compiling if CONFIG_CHECKPOINT_RESTORE is enabled. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- fs/timerfd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/timerfd.c b/fs/timerfd.c index e9c96a0c79f1..5a362ef4eed1 100644 --- a/fs/timerfd.c +++ b/fs/timerfd.c @@ -347,7 +347,7 @@ static void timerfd_show(struct seq_file *m, struct file *file) #endif #ifdef CONFIG_CHECKPOINT_RESTORE -static long timerfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +static long timerfd_ioctl(struct file *file, unsigned int cmd, user_uintptr_t arg) { struct timerfd_ctx *ctx = file->private_data; int ret = 0; -- 2.25.1

2 years, 12 months

1
0
0 0

Fw: Linux support for RISC-V CHERI

by Dmitry Kasatkin

Hi, I think this is a good mailing list to share Cheri linux for risc-v project. -Dmitry ---------------------------------------------------------------------------------------------------------------------------------------- From: Dmitry Kasatkin Sent: Wednesday, September 28, 2022 4:23 PM To: cl-cheribsd-discuss(a)lists.cam.ac.uk; cl-cheri-discuss(a)lists.cam.ac.uk; linux-riscv(a)lists.infradead.org Cc: Wang Kui; Jan Erik Ekberg; Horsch, Julian; Ahlrichs, Vincent; Auer, Lukas Subject: Linux support for RISC-V CHERI Hi, I would like to inform that our work on Linux support for RISC-V CHERI has been open sourced on GitHub: https://github.com/cheri-linux CHERI is an experimental ISA exention providing architectural capabilities for different ISAs including RISC-V and ARM. CHERI is not available in mainstream CPUs and available on certain experimental cores for FPGAs. Information about CHERI can be found here: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri This work dedicated to RISC-V and has been done by Huawei and Fraunhofer with the great support from Cambridge University. BR, Dmitry

2 years, 12 months

1
0
0 0

Fw: Linux support for RISC-V CHERI

by Dmitry Kasatkin

Hi, I think this is a good mailing list to share Cheri linux for risc-v project. -Dmitry ________________________________ From: Dmitry Kasatkin Sent: Wednesday, September 28, 2022 4:23 PM To: cl-cheribsd-discuss(a)lists.cam.ac.uk; cl-cheri-discuss(a)lists.cam.ac.uk; linux-riscv(a)lists.infradead.org Cc: Wang Kui; Jan Erik Ekberg; Horsch, Julian; Ahlrichs, Vincent; Auer, Lukas Subject: Linux support for RISC-V CHERI Hi, I would like to inform that our work on Linux support for RISC-V CHERI has been open sourced on GitHub: https://github.com/cheri-linux CHERI is an experimental ISA exention providing architectural capabilities for different ISAs including RISC-V and ARM. CHERI is not available in mainstream CPUs and available on certain experimental cores for FPGAs. Information about CHERI can be found here: https://www.cl.cam.ac.uk/research/security/ctsrd/cheri This work dedicated to RISC-V and has been done by Huawei and Fraunhofer with the great support from Cambridge University. BR, Dmitry

2 years, 12 months

1
0
0 0

2025

2024

2023

2022

linux-morello