- linux-morello - op-lists.linaro.org

[PATCH v2 2/4] arm64: compat: Fix structs for compat64

by Teo Couprie Diaz

struct compat_shmid64_ds: Don't split time attributes with two ulongs, use single longs. struct compat_ipc64_perm: In arm64 'mode' is an unsigned int instead of a short. No need for padding in that case. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- arch/arm64/include/asm/compat.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h index 962f954fd194..e4073c91ea73 100644 --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -127,8 +127,12 @@ struct compat_ipc64_perm { __compat_gid32_t gid; __compat_uid32_t cuid; __compat_gid32_t cgid; +#ifdef CONFIG_COMPAT64 + unsigned int mode; +#else unsigned short mode; unsigned short __pad1; +#endif unsigned short seq; unsigned short __pad2; compat_ulong_t unused1; @@ -166,12 +170,18 @@ struct compat_msqid64_ds { struct compat_shmid64_ds { struct compat_ipc64_perm shm_perm; compat_size_t shm_segsz; +#ifdef CONFIG_COMPAT64 + compat_long_t shm_atime; + compat_long_t shm_dtime; + compat_long_t shm_ctime; +#else compat_ulong_t shm_atime; compat_ulong_t shm_atime_high; compat_ulong_t shm_dtime; compat_ulong_t shm_dtime_high; compat_ulong_t shm_ctime; compat_ulong_t shm_ctime_high; +#endif compat_pid_t shm_cpid; compat_pid_t shm_lpid; compat_ulong_t shm_nattch; -- 2.25.1

1 year, 11 months

1
0
0 0

[PATCH] lib/vsprintf: Add support for architectural capabilities

by Beata Michalska

Introduce new printk's pointer format extension to support capabilities, with one being denoted by specifying the 'l' length modifier alongside the 'p' type character => "%lp". In addition to the raw capability format, adding '#' flag will generate the simplified one, being slightly more verbose. In both cases, the actual result is subject to pointer hashing (capability value) unless either 'x' qualifier or no_hash_pointers command line parameter is being provided. For more details see the docs, updated here as well. While at it, add some testcases to validate new format, alongside checkpatchpl new warning to raise the awareness of potential misuse. Signed-off-by: Beata Michalska <beata.michalska(a)arm.com> --- Documentation/core-api/printk-formats.rst | 59 ++++++ lib/test_printf.c | 128 ++++++++++++ lib/vsprintf.c | 225 +++++++++++++++++++++- scripts/checkpatch.pl | 13 +- 4 files changed, 421 insertions(+), 4 deletions(-) diff --git a/Documentation/core-api/printk-formats.rst b/Documentation/core-api/printk-formats.rst index 5e89497ba314..f1e26cf41776 100644 --- a/Documentation/core-api/printk-formats.rst +++ b/Documentation/core-api/printk-formats.rst @@ -202,6 +202,65 @@ Example:: printk("test: difference between pointers: %td\n", ptr2 - ptr1); +Capabilities +------------ + +:: + + %lp[x] 1:ffffc00000010005:0123456789abcdef + %#lp[x] 0123456789abcdef[rwxRWE,0000000000000000,ffffffffffffffff] + + +For printing CHERI model-based architectural capabilities (when supported, +otherwise the result of using it is undefined). +The ``l`` modifier distinguishes pointers as capabilities from C integer pointers +(when in hybrid mode, in which case capabilities and pointers are not +interchangeable). Provided argument will be subject to hashing (capability vale +only, with remaining bits being disregarded) before printing, unless ``x`` +modifier is being specified as well, which results in the following capability +format being printed: + + Capability tag:Hight bits:Low bits + ------------------------------------ + <tag>:<127:64>:<63:0> + +Same considerations apply here, as when printing unmodified addresses. + +Specifying ``#`` modifier results in printing capabilities in a simplified format: + + <address> [<permissions>,<base>-<top>] (<attr>) + +with:: + + - permissions - none or any combination of: + - 'r' : CHERI_PERM_LOAD + - 'w' : CHERI_PERM_STORE + - 'x' : CHERI_PERM_EXECUTE + - 'R' : CHERI_PERM_LOAD_CAP + - 'W' : CHERI_PERM_STORE_CAP + - 'E' : ARM_CAP_PERMISSION_EXECUTIVE + - base - lower bound + - top - upper bound + - attr - none or any combination of: + 'invalid' - capability's tag is clear + 'sentry' - capability is a sealed entry + 'sealed' - capability is sealed with a type other than + the sealed entry object type. + +(the above applies to formats with either `'no_hash_pointers'` parameter being +enabled or ``x`` modifier being provided - otherwise subject to hashing. + +Currently only Morello architecture is being supported. + +Note: +In hybrid mode, capabilities are being passed as a reference. An attempt to +use this format with a non-capability type is undefined behaviour. +There are no safety nests, so extra consciousness is advised! Handle with care. + +Same applies when capabilities are not supported, as the use of either the ``#`` +flag or the ``l`` length modifier is undefined behaviour when combined with +%p. + Struct Resources ---------------- diff --git a/lib/test_printf.c b/lib/test_printf.c index 07309c45f327..e3bbb83c439e 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -24,6 +24,10 @@ #include <linux/property.h> +#ifdef __CHERI__ +#include <cheriintrin.h> +#endif + #include "../tools/testing/selftests/kselftest_module.h" #define BUF_SIZE 256 @@ -755,6 +759,127 @@ errptr(void) #endif } +static void __init +capability_pointer(void) +{ +#ifdef CONFIG_ARM64_MORELLO + + enum action { + CAP_AXN_NONE, + CAP_TAG_CLEAR, + CAP_NULL_DERIVE + }; + + struct __setup { + const char * const plain_fmt; + const char * const fmt; + const char * const expected; + int action; + } const setup[] = { + { "%lp", "%lpx", "1:da00400059ab89ab:"PTR_STR, CAP_AXN_NONE }, + { "%#lp", "%#lpx", + PTR_STR" [rw-RW-,ffff0123456789ab,ffff0123456799ab]", + CAP_AXN_NONE + }, + { "%lp", "%lpx", "0:da00400059ab89ab:"PTR_STR, CAP_TAG_CLEAR }, + { "%#lp", "%#lpx", + PTR_STR" [rw-RW-,ffff0123456789ab,ffff0123456799ab] (invalid)", + CAP_TAG_CLEAR + }, + { "%lp", "%lpx", PTR_STR, CAP_NULL_DERIVE }, + { "%#lp", "%#lpx", PTR_STR, CAP_NULL_DERIVE } + }; + + char buf[PLAIN_BUF_SIZE]; + const char * const cap_fmt[] = {"%lp", "%#lp"}; + int nchars; + + void *__capability __cap = kaddr_to_user_ptr((ptraddr_t)PTR); + /* Expecting basic permissions to be set */ + size_t perms = CHERI_PERM_GLOBAL | CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP | + CHERI_PERM_STORE | CHERI_PERM_STORE_CAP | CHERI_PERM_SEAL; + size_t size = 4096; + + __cap = cheri_perms_and(__cap, perms); + /* + * Basic checks so that the actual output can be safely compared + * to the expected one + */ + if (!cheri_tag_get(__cap) || cheri_perms_get(__cap) != perms + || cheri_is_sealed(__cap)) { + pr_warn("Failed to create capability for testing - skipping"); + skipped_tests += no_hash_pointers ? 4 + ARRAY_SIZE(setup) : + 4 + ARRAY_SIZE(setup)/2; + return; + } + + __cap = cheri_bounds_set_exact(__cap, size); + + /* Verify hashing */ + if (no_hash_pointers) { + pr_warn("Skipping capability hashing tests\n"); + skipped_tests += 4; + goto non_hashed; + } + + for (int i = 0; i < ARRAY_SIZE(cap_fmt); ++i) { + + nchars = snprintf(buf, PLAIN_BUF_SIZE, cap_fmt[i], __cap); + + /* + * Should be ADDR_WIDTH in this case , but hey, let's not be picky + * about it, at least not here ... not yet ... + */ + if (nchars != PTR_WIDTH) { + /* This also covers the case when the value has not been + * actually hashed as otherwise nchars would be greater than + * PTR_WIDTH + */ + pr_warn("Something went wrong with hashing capability value\n"); + goto failed; + } + + if (strncmp(buf, PTR_VAL_NO_CRNG, PTR_WIDTH) == 0) { + pr_warn("crng possibly not yet initialized - capability value buffer contains \"%s\"", + PTR_VAL_NO_CRNG); + } else if (strncmp(buf, ZEROS, strlen(ZEROS)) != 0) { + pr_warn("Unexpected format for supposedly hashed capability value\n"); + goto failed; + } + } + +non_hashed: + for (int i = 0; i < ARRAY_SIZE(setup); ++i) { + void *__capability __c = __cap; + + switch (setup[i].action) { + case CAP_TAG_CLEAR: + __c = cheri_tag_clear(__c); + break; + case CAP_NULL_DERIVE: + /* Null-derived capability */ + __c = (void *__capability) + (__cheri_addr uintcap_t)((void *)cheri_base_get(__cap)); + break; + default: + break; + } + + if (no_hash_pointers) + test(setup[i].expected, setup[i].plain_fmt, __c); + else + ++skipped_tests; + + test(setup[i].expected, setup[i].fmt, __c); + } + + return; + +failed: + failed_tests++; +#endif /* CONFIG_ARM64_MORELLO */ +} + static void __init test_pointer(void) { @@ -781,6 +906,9 @@ test_pointer(void) errptr(); fwnode_pointer(); fourcc_pointer(); +#ifdef __CHERI__ + capability_pointer(); +#endif } static void __init selftest(void) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 40d26a07a133..9dcdb364c0ba 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -51,6 +51,10 @@ #include <asm/byteorder.h> /* cpu_to_le16 */ #include <asm/unaligned.h> +#ifdef __CHERI__ +#include <cheriintrin.h> +#endif + #include <linux/string_helpers.h> #include "kstrtox.h" @@ -426,6 +430,9 @@ enum format_type { FORMAT_TYPE_PERCENT_CHAR, FORMAT_TYPE_INVALID, FORMAT_TYPE_LONG_LONG, +#ifdef __CHERI__ + FORMAT_TYPE_CAPABILITY, +#endif FORMAT_TYPE_ULONG, FORMAT_TYPE_LONG, FORMAT_TYPE_UBYTE, @@ -2401,6 +2408,7 @@ static noinline_for_stack char *pointer(const char *fmt, char *buf, char *end, void *ptr, struct printf_spec spec) { + switch (*fmt) { case 'S': case 's': @@ -2488,6 +2496,203 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, } } +#ifdef __CHERI__ +/* + * Support for printing capabilities with %[#]lp[x] format. + * It stands slightly in contradiction to kernel extensions + * for pointer printk formats as it is using the 'l' modifier + * instead of relying on extended format specifiers. + * Currently supprted formats: + * + * lp[x] - Hex value of full capability bits preceeded with capability tag: + * <tag>:<127:64>:<63:0> + * (* outcome subject to kernel pointer hashing ) + * #lp[x] - Simplified format as: + * <address> [permissions=[rwxRWE],<base>-<top>] (attr=[invalid,sentry,sealed]) + * (* outcome subject to kernel pointer hashing ) + * + * Details at: + * Documentation/core-api/printk-formats.rst + * (keep both updated case making any changes) + * + * * - only the capability value (aka adress) undergoes hashing, + * remaining bits are being disregarded + * + */ +static noinline_for_stack +char *capability(const char *fmt, char *buf, char *end, void *__capability cap, + struct printf_spec spec) +{ +/* + * Write to the buffer only when there is a space for it, otherwise + * just advance the buffer marker to account for the space needed to + * store full value here + */ +#define update_buf_single(__b, __e, __c) \ + do { if ((__b) < (__e)) *(__b)++ = (__c); else ++__b; } while (0) + +#define show_tag(__cap) \ + do { \ + update_buf_single(buf, end, cheri_tag_get(__cap) ? '1' : '0'); \ + update_buf_single(buf, end, ':'); \ + } while (0) + + /* + * For null-derived capabilities switch to basic format + * (address only). + * Same applies when hashing is active. + */ + if ((!cheri_tag_get(cap) && +#if __has_builtin(__builtin_cheri_copy_from_high) + !__builtin_cheri_copy_from_high(cap)) +#else + !((*((ptraddr_t *)&cap + 1))) +#endif + || (likely(!no_hash_pointers) && *fmt != 'x')) { + + /* Avoid adding prefix */ + spec.flags &= ~SPECIAL; + return pointer(fmt, buf, end, (__cheri_fromcap void*)(cap), spec); + } + + if (spec.flags & SPECIAL) { /* Simplified format for capabilities */ + unsigned long long __data = cheri_perms_get(cap); + int field_width = spec.field_width; + const char* start = buf; + char * attr_start; + unsigned int i; + int attrib = 0; + int flags; + + /* Note: order matters to match the format required */ + struct { + unsigned long long cperm; const char id; + } static const __perms[] = { + { CHERI_PERM_LOAD, 'r' }, + { CHERI_PERM_STORE, 'w' }, + { CHERI_PERM_EXECUTE, 'x' }, + { CHERI_PERM_LOAD_CAP, 'R' }, + { CHERI_PERM_STORE_CAP, 'W' }, +#ifdef CONFIG_ARM64_MORELLO + { ARM_CAP_PERMISSION_EXECUTIVE, 'E' } +#endif + }; + /* + * Clear the 'SPECIAL' flag as that one results in adding '0x' + * prefix which should be skiped here to align with the + * way pointers are being handled. + */ + spec.flags &= ~SPECIAL; + + + /* + * Things get slightly confusing here when it comes to + * precision. The standard format specification claims that + * precision might cause truncation of the actual output, + * contrary to width. + * CHERI on the other hand suggests, that precision used + * with the 'p' specifier should determine the width of + * addresses though following current formating for pointer types, + * unless explicitely stated, the width will be enforced, leaving + * precision being ineffective. Furthermore, according to the guide, + * in theory recision should not affect the way the Raw and Simplified + * formats are being handled (the non-address related parts). + * Stick with that one. + * Note: Using precision with pointers/capabilities with + * active hashing might lead to slightly unexpected output. + * That's the result of applying the precision while + * respecting the field width. + * + * Width in this case refers to the width of final string generated for + * the simplified format + */ + spec.field_width = -1; + flags = spec.flags; + spec.flags &= ~(ZEROPAD | LEFT); + + buf = pointer(fmt, buf, end, (__cheri_fromcap void*)cap, spec); + + update_buf_single(buf, end, ' '); + update_buf_single(buf, end, '['); + for (i = 0; i < ARRAY_SIZE(__perms); ++i) { + update_buf_single(buf, end, + (__data & __perms[i].cperm ? __perms[i].id : '-')); + } + update_buf_single(buf, end, ','); + + __data = cheri_base_get(cap); + buf = pointer(fmt, buf, end, (void *)__data, spec); + update_buf_single(buf, end, ','); + + __data += cheri_length_get(cap); + buf = pointer(fmt, buf, end, (void *)__data, spec); + update_buf_single(buf, end, ']'); + + /* Attributes */ + /* Reset precision to output full attribute identifiers here */ + spec.precision = -1; + + /* Keep track of the attribute start section to format + * it properly in case there are attributes to be reported. + * Otherwise simply rolling on a buffer might lead to overflowing + * past the terminating character if the buffer is big enough. + */ + attr_start = buf; + buf +=2; + + if (!cheri_tag_get(cap)) { + buf = string_nocheck(buf, end, "invalid", spec); + ++attrib; + } + if (cheri_is_sentry(cap)) { + if (attrib++) + update_buf_single(buf, end, ','); + buf = string_nocheck(buf, end, "sentry", spec); + + } + if (cheri_is_sealed(cap)) { + if (attrib++) + update_buf_single(buf, end, ','); + buf = string_nocheck(buf, end, "sealed", spec); + } + + if (attrib) { + update_buf_single(attr_start, end, ' '); + update_buf_single(attr_start, end, '('); + update_buf_single(buf, end, ')'); + } else { + buf = attr_start; /* Rollback on space and opening bracket */ + } + + /* Restore the originally requested width */ + spec.field_width = field_width; + spec.flags |= flags; + + return widen_string(buf, buf - start, end, spec); + } + + /* + * Raw format: hex dump of full capability + */ + show_tag(cap); +#if __has_builtin(__builtin_cheri_copy_from_high) + buf = pointer_string(buf, end, + (void *) __builtin_cheri_copy_from_high(cap), + spec); +#else + buf = pointer_string(buf, end, + (void *)(*((ptraddr_t *)&cap + 1)), spec); +#endif + update_buf_single(buf, end, ':'); + return pointer_string(buf, end, (__cheri_fromcap void*)(cap), + spec); + + +#undef show_tag +#undef update_buf_single +} +#endif /* __CHERI__ */ + /* * Helper function to decode printf style format. * Each call decode a token from the format and return the @@ -2623,7 +2828,11 @@ int format_decode(const char *fmt, struct printf_spec *spec) return ++fmt - start; case 'p': - spec->type = FORMAT_TYPE_PTR; + spec->type = +#ifdef __CHERI__ + (qualifier == 'l') ? FORMAT_TYPE_CAPABILITY : +#endif + FORMAT_TYPE_PTR; return ++fmt - start; case '%': @@ -2717,6 +2926,7 @@ set_precision(struct printf_spec *spec, int prec) * * - ``%n`` is unsupported * - ``%p*`` is handled by pointer() + * - ``%lp[x]`` and ``%#lp[x]`` is handled by capability() * * See pointer() or Documentation/core-api/printk-formats.rst for more * extensive description. @@ -2818,7 +3028,18 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args) *str = '%'; ++str; break; - +#ifdef __CHERI__ + case FORMAT_TYPE_CAPABILITY: + if (IS_BUILTIN(CONFIG_ARM64_MORELLO)) { + str = capability(fmt, str, end, + va_arg(args, void *__capability), + spec); + while (isalnum(*fmt)) + fmt++; + break; + } + fallthrough; +#endif case FORMAT_TYPE_INVALID: /* * Presumably the arguments passed gcc's type diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index 577e02998701..0c5468f0894c 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -6760,7 +6760,7 @@ sub process { my $fmt = get_quoted_string($lines[$count - 1], raw_line($count, 0)); $fmt =~ s/%%//g; - while ($fmt =~ /(\%[\*\d\.]*p(\w)(\w*))/g) { + while ($fmt =~ /(\%[\*\d\.#l]*p(\w)(\w*))/g) { $specifier = $1; $extension = $2; $qualifier = $3; @@ -6768,7 +6768,8 @@ sub process { ($extension eq "f" && defined $qualifier && $qualifier !~ /^w/) || ($extension eq "4" && - defined $qualifier && $qualifier !~ /^cc/)) { + defined $qualifier && $qualifier !~ /^cc/) || + ($specifier =~ /lp/ && $extension ne "x")) { $bad_specifier = $specifier; last; } @@ -6780,6 +6781,14 @@ sub process { "Using vsprintf specifier '\%px' potentially exposes the kernel memory layout, if you don't really need the address please consider using '\%p'.\n" . "$here\n$stat_real\n"); } } + + if ($fmt =~ /\%[\*\d\.#]*l{1}p/) { + my $stat_real = get_stat_real($linenr, $lc); + + WARN("VSPRINTF_POINTER_EXTENSION", + "Using vsprintf specifier '\%[#]lp[x]' is undefined behaviour when used with non-capability types in hybrid-mode. Make sure you got it right.\n" . "$here\n$stat_real\n"); + } + if ($bad_specifier ne "") { my $stat_real = get_stat_real($linenr, $lc); my $ext_type = "Invalid"; -- 2.25.1

1 year, 12 months

2
6
0 0

[PATCH v3 0/6] ELF aux entries and initial reg values in Transitional PCuABI

by Sherwin da Cruz

v2..v3: patch 4: Added new compat_start_thread() for compat64 binaries. This change was made in a separate patch and inserted before the previous patch 4 that sets c0-c3. The branch at [1] has been updated with the new commits --- This patchset adds partial support for the new aux entries in the PCuABI, which mainly passes capabilites to the program. The registers c0-c3 are also set to argc/argv/envp/auxv which currently still resides on the stack for backwards compatability. The patches are available at [1]. The constants for the new aux entries can be found at [2]. For reference the transitional PCuABI can be found at [3]. The capabilities placed in the aux vector do not have restricted permissions or bounds but have the address set to the specified value, except for AT_CHERI_STACK_CAP and AT_CHERI_CID_CAP. The upper and lower bounds of the RX and RW regions as defined in the PCuABI spec for both the interpreter and program are also determined, though the upper bounds are left unused since the bounds are currently not set on the new aux entries. A morello kselftest ensures that the register values of c0-c3 in startup code matches the corresponding values on the stack. [1] https://git.morello-project.org/sherwin-dc/linux/-/commits/morello/next/ [2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [3] https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-M… Sherwin da Cruz (6): arm64: elf.h: Remove register init macro fs/binfmt_elf: Add additional Aux vector entries elf: Return result from START_THREAD macro arm64/elf: Use separate compat_start_thread() for compat64 arm64: Set c0-c3 to argc/argv/envp/auxv in start_thread() kselftests/arm64/morello: Test for new aux entries and init registers arch/arm64/include/asm/elf.h | 11 +- arch/arm64/include/asm/processor.h | 55 +++++++++- fs/binfmt_elf.c | 103 +++++++++++++++++- fs/compat_binfmt_elf.c | 24 ++-- fs/exec.c | 4 +- include/linux/auxvec.h | 2 +- include/linux/elf.h | 7 +- include/uapi/linux/auxvec.h | 13 +++ .../selftests/arm64/morello/bootstrap.c | 53 ++++++--- .../arm64/morello/freestanding_start.S | 12 +- 10 files changed, 239 insertions(+), 45 deletions(-) -- 2.25.1

2 years

2
7
0 0

[PATCH v3] security/keys: Fix ABI for userspace for keyctl to be large-ptr clean

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Move unsigned long to user_uintptr_t for userspace ABI for purecap to work since pointers are not necessarily the size of an unsigned long on all architectures (like morello). Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- security/keys/keyctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 96a92a645216..7b7e910d71f6 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1866,8 +1866,8 @@ long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) /* * The key control system call */ -SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, - unsigned long, arg4, unsigned long, arg5) +SYSCALL_DEFINE5(keyctl, int, option, user_uintptr_t, arg2, user_uintptr_t, arg3, + user_uintptr_t, arg4, user_uintptr_t, arg5) { switch (option) { case KEYCTL_GET_KEYRING_ID: -- 2.25.1

2 years

2
1
0 0

[PATCH v2 0/5] ELF aux entries and initial reg values in Transitional PCuABI

by Sherwin da Cruz

v2: patch 2: Fix logic error in code patch 2-5: Cosmetic changes and commit rewording The branch at [1] has been updated with the new commits --- This patchset adds partial support for the new aux entries in the PCuABI, which mainly passes capabilites to the program. The registers c0-c3 are also set to argc/argv/envp/auxv which currently still resides on the stack for backwards compatability. The patches are available at [1]. The constants for the new aux entries can be found at [2]. For reference the transitional PCuABI can be found at [3]. The capabilities placed in the aux vector do not have restricted permissions or bounds but have the address set to the specified value, except for AT_CHERI_STACK_CAP and AT_CHERI_CID_CAP. The upper and lower bounds of the RX and RW regions as defined in the PCuABI spec for both the interpreter and program are also determined, though the upper bounds are left unused since the bounds are currently not set on the new aux entries. A morello kselftest ensures that the register values of c0-c3 in startup code matches the corresponding values on the stack. [1] https://git.morello-project.org/sherwin-dc/linux/-/commits/morello/next/ [2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [3] https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-M… Sherwin da Cruz (5): arm64: elf.h: Remove register init macro fs/binfmt_elf: Add additional Aux vector entries elf: Return result from START_THREAD macro arm64: Set c0-c3 to argc/argv/envp/auxv in start_thread() kselftests/arm64/morello: Test for new aux entries and init registers arch/arm64/include/asm/elf.h | 8 +- arch/arm64/include/asm/processor.h | 35 +++++- fs/binfmt_elf.c | 103 +++++++++++++++++- fs/compat_binfmt_elf.c | 6 +- fs/exec.c | 4 +- include/linux/auxvec.h | 2 +- include/linux/elf.h | 7 +- include/uapi/linux/auxvec.h | 13 +++ .../selftests/arm64/morello/bootstrap.c | 53 ++++++--- .../arm64/morello/freestanding_start.S | 12 +- 10 files changed, 209 insertions(+), 34 deletions(-) -- 2.25.1

2 years

2
7
0 0

[PATCH v2] morello: keyctl - fix ABI for userspace for purecap

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Move unsigned long to user_uintptr_t for userspace ABI for purecap to work. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- security/keys/keyctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 96a92a645216..7b7e910d71f6 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1866,8 +1866,8 @@ long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) /* * The key control system call */ -SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, - unsigned long, arg4, unsigned long, arg5) +SYSCALL_DEFINE5(keyctl, int, option, user_uintptr_t, arg2, user_uintptr_t, arg3, + user_uintptr_t, arg4, user_uintptr_t, arg5) { switch (option) { case KEYCTL_GET_KEYRING_ID: -- 2.25.1

2 years

3
2
0 0

[PATCH v1] morello: keyctl - fix ABI for userspace for purecap

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> Move unsigned long to uintptr_t for userspace ABI for purecap to work. Dependent on patch series: Author: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Subject: [linux-morello] [PATCH v2 0/5] morello: Enable docker by default Signed-off-by: Carsten Haitzler <carsten.haitzler(a)foss.arm.com> --- security/keys/keyctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 96a92a645216..104fc313691d 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1866,8 +1866,8 @@ long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen) /* * The key control system call */ -SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, - unsigned long, arg4, unsigned long, arg5) +SYSCALL_DEFINE5(keyctl, int, option, uintptr_t, arg2, uintptr_t, arg3, + uintptr_t, arg4, uintptr_t, arg5) { switch (option) { case KEYCTL_GET_KEYRING_ID: -- 2.25.1

2 years

3
2
0 0

[Linux-morello] [PATCH 0/5] ELF aux entries and initial reg values in Transitional PCuABI

by Sherwin da Cruz

This patchset adds partial support for the new aux entries in the PCuABI, which mainly passes capabilites to the program. The registers c0-c3 are also set to argc/argv/envp/auxv which currently still resides on the stack for backwards compatability. The patches are available at [1]. The constants for the new aux entries can be found at [2]. For reference the transitional PCuABI can be found at [3]. The capabilities placed in the aux vector do not have restricted permissions or bounds but have the address set to the specified value, except for AT_CHERI_STACK_CAP and AT_CHERI_CID_CAP. The upper and lower bounds of the RX and RW regions as defined in the PCuABI spec for both the interpreter and program are also determined, though the upper bounds are left unused since the bounds are currently not set on the new aux entries. A morello kselftest ensures that the register values of c0-c3 in startup code matches the corresponding values on the stack. [1] https://git.morello-project.org/sherwin-dc/linux/-/commits/morello/next/ [2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [3] https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-M… Sherwin da Cruz (5): arm64: elf.h: Remove register init macro fs/binfmt_elf: Add additional Aux vector entries fs/binfmt_elf: Return result from START_THREAD macro fs/binfmt_elf: Set c0-c3 to argc/argv/envp/auxv kselftests/arm64/morello: Test for new aux entries and init registers arch/arm64/include/asm/elf.h | 8 +- arch/arm64/include/asm/processor.h | 30 +++++- fs/binfmt_elf.c | 102 ++++++++++++++++-- fs/compat_binfmt_elf.c | 6 +- fs/exec.c | 4 +- include/linux/auxvec.h | 2 +- include/linux/elf.h | 7 +- include/uapi/linux/auxvec.h | 13 +++ .../selftests/arm64/morello/bootstrap.c | 58 +++++++--- .../arm64/morello/freestanding_start.S | 12 ++- 10 files changed, 208 insertions(+), 34 deletions(-) -- 2.25.1

2 years

2
12
0 0

[PATCH v2 0/5] morello: Enable docker by default

by Vincenzo Frascino

Enable the required config options to run docker in the default defconfig for Morello Transitional PureCap User ABI (PCuABI) (morello_transitional_pcuabi_defconfig). The resulting .config was certified with [1]: ... info: reading kernel config from linux-out/.config ... Generally Necessary: - cgroup hierarchy: properly mounted [/sys/fs/cgroup] - apparmor: enabled and tools installed - CONFIG_NAMESPACES: enabled - CONFIG_NET_NS: enabled - CONFIG_PID_NS: enabled - CONFIG_IPC_NS: enabled - CONFIG_UTS_NS: enabled - CONFIG_CGROUPS: enabled - CONFIG_CGROUP_CPUACCT: enabled - CONFIG_CGROUP_DEVICE: enabled - CONFIG_CGROUP_FREEZER: enabled - CONFIG_CGROUP_SCHED: enabled - CONFIG_CPUSETS: enabled - CONFIG_MEMCG: enabled - CONFIG_KEYS: enabled - CONFIG_VETH: enabled - CONFIG_BRIDGE: enabled - CONFIG_BRIDGE_NETFILTER: enabled - CONFIG_IP_NF_FILTER: enabled - CONFIG_IP_NF_TARGET_MASQUERADE: enabled - CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled - CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled - CONFIG_NETFILTER_XT_MATCH_IPVS: enabled - CONFIG_NETFILTER_XT_MARK: enabled - CONFIG_IP_NF_NAT: enabled - CONFIG_NF_NAT: enabled - CONFIG_POSIX_MQUEUE: enabled - CONFIG_CGROUP_BPF: enabled ... [1] https://github.com/moby/moby/blob/master/contrib/check-config.sh A rebased version of the patches on morello/next, to be used for testing purposes, can be found at: https://git.morello-project.org/vincenzo/linux morello/docker/v2 Changes: -------- v2: - Address review comments - Regenerate defconfig file Signed-off-by: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Vincenzo Frascino (5): bpf: Use proper typecast for capability type net: Use proper typecast for capability type security/keys: Remove inconsistent __user annotation arm64: compat64: Make keyctl compatibility version generic morello: Enable docker in defconfig .../morello_transitional_pcuabi_defconfig | 18 ++++++++++++++++++ kernel/bpf/helpers.c | 3 ++- net/bridge/br_ioctl.c | 4 ++++ security/keys/compat.c | 8 ++++---- security/keys/keyring.c | 2 +- 5 files changed, 29 insertions(+), 6 deletions(-) -- 2.37.3

2 years

2
7
0 0

[PATCH v2] Documentation: Add a guide to porting drivers to PCuABI

by Kevin Brodsky

Add a small guide documenting the most common changes required to get drivers (and potentially other subsystems) compatible with the pure-capability user ABI (PCuABI). There is no obvious subdirectory for this type of document, and it is transient in nature, so add it at the top-level. Signed-off-by: Kevin Brodsky <kevin.brodsky(a)arm.com> --- Rendered version: https://git.morello-project.org/kbrodsky-arm/linux/-/blob/porting_guide_v2/… v1..v2: - Added more examples of changes we have already made. - Added a subsection regarding compat & PCuABI. - A few other minor improvements. Thanks Carsten and Zach for the review! Documentation/pcuabi-porting.rst | 366 +++++++++++++++++++++++++++++++ 1 file changed, 366 insertions(+) create mode 100644 Documentation/pcuabi-porting.rst diff --git a/Documentation/pcuabi-porting.rst b/Documentation/pcuabi-porting.rst new file mode 100644 index 000000000000..a3ff0c98e6b0 --- /dev/null +++ b/Documentation/pcuabi-porting.rst @@ -0,0 +1,366 @@ +================================= +Adding PCuABI support to drivers +================================= + +This document provides a non-exhaustive overview of the most common +changes required to support the pure-capability user ABI (PCuABI) in +arbitrary drivers. It may also be helpful for core subsystems, though +note that more extensive changes may be required compared to drivers +with straightforward interactions with userspace. + +.. _user pointer documentation: core-api/user_ptr.rst + +User pointer representation and conversions +=========================================== + +The appropriate API to represent and convert user pointers is described +in the `user pointer documentation`_. A few examples of modifications +required for PCuABI compliance: + ++--------------------------------+------------------------------------+ +| Invalid code | Potential replacement | ++================================+====================================+ +| ``(unsigned long)uptr`` | ``user_ptr_addr(uptr)`` | ++--------------------------------+------------------------------------+ +| ``(void __user *)u64`` | | ``uaddr_to_user_ptr(u64)`` | +| | | ``as_user_ptr(u64)`` | ++--------------------------------+------------------------------------+ +| ``get_user(uptr, &uarg->ptr)`` | ``get_user_ptr(uptr, &uarg->ptr)`` | ++--------------------------------+------------------------------------+ +| ``IS_ERR(ubuf)`` | ``USER_PTR_IS_ERR(ubuf)`` | ++--------------------------------+------------------------------------+ +| ... | ... | ++--------------------------------+------------------------------------+ + +``ioctl`` handlers' third argument +================================== + +Traditionally, the type of the third argument of ``ioctl`` handlers is +``unsigned long``. Unfortunately this is no longer appropriate in PCuABI +in many cases, as this argument may represent a pointer. A larger type, +able to hold a capability, is therefore necessary: this type is +``user_uintptr_t``. + +The prototype of most ``ioctl`` methods has been modified to take +``user_uintptr_t`` as third argument (``arg``), notably +``struct file_operations::unlocked_ioctl`` and +``struct block_device_operations::ioctl``. As a consequence, any driver +implementing such methods must change the prototype of the callback +accordingly, that is replace ``unsigned long`` with ``user_uintptr_t``, +as the prototypes must match exactly. + +Additionally, if the handler passes down ``arg`` to other functions, +such functions must also represent this argument as ``user_uintptr_t`` +**if they handle any request type where arg is a pointer** - in other +words, if they cast ``arg`` to a user pointer, e.g. ``void __user *``. +Otherwise, it is acceptable to leave these functions unchanged (i.e. +keep taking an ``unsigned long``). + +Example combining both types of changes (``sync_file_ioctl()`` is the +ioctl handler and passes down ``arg`` to the two other functions, which +interpret it as a user pointer):: + + diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c + index 514d213261df..f07bf89a49f6 100644 + --- a/drivers/dma-buf/sync_file.c + +++ b/drivers/dma-buf/sync_file.c + @@ -319,7 +319,7 @@ static __poll_t sync_file_poll(struct file *file, poll_table *wait) + } + + static long sync_file_ioctl_merge(struct sync_file *sync_file, + - unsigned long arg) + + user_uintptr_t arg) + { + int fd = get_unused_fd_flags(O_CLOEXEC); + int err; + @@ -394,7 +394,7 @@ static int sync_fill_fence_info(struct dma_fence *fence, + } + + static long sync_file_ioctl_fence_info(struct sync_file *sync_file, + - unsigned long arg) + + user_uintptr_t arg) + { + struct sync_fence_info *fence_info = NULL; + struct dma_fence_unwrap iter; + @@ -465,7 +465,7 @@ static long sync_file_ioctl_fence_info(struct sync_file *sync_file, + } + + static long sync_file_ioctl(struct file *file, unsigned int cmd, + - unsigned long arg) + + user_uintptr_t arg) + { + struct sync_file *sync_file = file->private_data; + +Compat ``ioctl`` handlers +========================= + +Generalities on compat and PCuABI +--------------------------------- + +The introduction of PCuABI for 64-bit architectures created a need for +a different nature of compat layer. Instead of using it to support a +32-bit mode (compat32), it is now possible to use compat to support the +standard 64-bit ABI (compat64), where pointers remain 64-bit. + +Part of the existing generic compat code is applicable to compat64 as +well as compat32. However, some code is specific to 32-bit handling and +needs to be modified or skipped for compat64. Two new options can be +used for that purpose: ``CONFIG_COMPAT32`` and ``CONFIG_COMPAT64``. They +are mutually exclusive and both imply ``CONFIG_COMPAT``. + +Regarding Morello (arm64) specifically, AArch32 is not supported on +Morello, so only compat64 may be enabled when PCuABI is selected. + +Third argument +-------------- + +Unlike native ``ioctl`` handlers, the type of the third argument of +compat ``ioctl`` handlers remains ``unsigned long``, as this remains an +appropriate type to represent compat pointers in both compat32 and +compat64. As a result, **a native handler can no longer be used as a +compat handler**, because their prototypes differ. An appropriate compat +handler must therefore always be chosen. + +Compat user pointers should always be converted to native user pointers +using ``compat_ptr()``. Unfortunately this is not always the case in +existing drivers, especially in compat ``ioctl`` handlers, which may +simply pass their arguments through to the native handler without using +the appropriate pointer conversion. This is complicated by the fact that +the actual type of the third argument (``arg``) may depend on the +request type, just like in native handlers. The subsections below cover +the various possible situations. + +``arg`` is always a pointer +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If ``arg`` always represents a pointer, it can be unconditionally +converted to a native pointer and passed to the native handler, for +instance:: + + static long my_compat_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) + { + return my_ioctl(file, cmd, (user_uintptr_t)compat_ptr(arg)); + } + +For such a trivial ``file_operations`` compat handler, there is in fact +no need to create a compat handler; the ``compat_ptr_ioctl`` helper can +be used instead:: + + static const struct file_operations my_fops = { + ... + .compat_ioctl = compat_ptr_ioctl, + ... + }; + +Example removing an unnecessary compat handler (which is not +PCuABI-compliant as it casts ``compat_ptr(u)`` to ``unsigned long``):: + + diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c + index 6f1547d9e02a..cfab4829b08b 100644 + --- a/fs/autofs/dev-ioctl.c + +++ b/fs/autofs/dev-ioctl.c + @@ -694,19 +694,9 @@ static long autofs_dev_ioctl(struct file *file, unsigned int command, + return (long) err; + } + + -#ifdef CONFIG_COMPAT + -static long autofs_dev_ioctl_compat(struct file *file, unsigned int command, + - unsigned long u) + -{ + - return autofs_dev_ioctl(file, command, (unsigned long) compat_ptr(u)); + -} + -#else + -#define autofs_dev_ioctl_compat NULL + -#endif + - + static const struct file_operations _dev_ioctl_fops = { + .unlocked_ioctl = autofs_dev_ioctl, + - .compat_ioctl = autofs_dev_ioctl_compat, + + .compat_ioctl = compat_ptr_ioctl, + .owner = THIS_MODULE, + .llseek = noop_llseek, + }; + +``arg`` is never a pointer +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If ``arg`` never represents a pointer, it can directly be passed to +the native handler, optionally cast to ``user_uintptr_t``. + +Similarly, in this situation, the ``compat_noptr_ioctl`` helper can be +used instead of writing a trivial ``file_operations`` compat handler:: + + static const struct file_operations my_fops = { + ... + .compat_ioctl = compat_noptr_ioctl, + ... + }; + +Example:: + + diff --git a/drivers/block/loop.c b/drivers/block/loop.c + index 607545853ce7..d0167bd21c9d 100644 + --- a/drivers/block/loop.c + +++ b/drivers/block/loop.c + @@ -2197,7 +2197,7 @@ static const struct file_operations loop_ctl_fops = { + .open = nonseekable_open, + .unlocked_ioctl = loop_control_ioctl, + #ifdef CONFIG_COMPAT + - .compat_ioctl = loop_control_ioctl, + + .compat_ioctl = compat_noptr_ioctl, + #endif + .owner = THIS_MODULE, + .llseek = noop_llseek, + +``arg`` is sometimes a pointer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If ``arg`` represents a pointer for certain request types but not +others, then the compat handler should ensure that the appropriate +conversion is made depending on the request type, i.e. ``compat_ptr()`` +is used **if and only if arg is a pointer for the specific request +type.** + +Example where ``arg`` is a pointer for only one request type +(``FIONREAD``):: + + diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c + index 9d3ebca0316f..b8c9ff2ea6c5 100644 + --- a/fs/notify/inotify/inotify_user.c + +++ b/fs/notify/inotify/inotify_user.c + @@ -340,6 +340,17 @@ static long inotify_ioctl(struct file *file, unsigned int cmd, + return ret; + } + + +#ifdef CONFIG_COMPAT + +static long compat_inotify_ioctl(struct file *file, unsigned int cmd, + + unsigned long arg) + +{ + + user_uintptr_t cmd_arg = (cmd == FIONREAD) ? + + (user_uintptr_t)compat_ptr(arg) : + + (user_uintptr_t)arg; + + return inotify_ioctl(file, cmd, cmd_arg); + +} + +#endif + + + static const struct file_operations inotify_fops = { + .show_fdinfo = inotify_show_fdinfo, + .poll = inotify_poll, + @@ -348,7 +359,7 @@ static const struct file_operations inotify_fops = { + .release = inotify_release, + .unlocked_ioctl = inotify_ioctl, + #ifdef CONFIG_COMPAT + - .compat_ioctl = inotify_ioctl, + + .compat_ioctl = compat_inotify_ioctl, + #endif + .llseek = noop_llseek, + }; + +Struct layout / 32-bit assumptions +---------------------------------- + +Aside from the conversion of ``arg``, existing compat ``ioctl`` handlers +should be examined carefully as they typically include two different +types of transformations: + +1. Struct layout transformation, which may include pointer conversions. +2. 32-bit-specific transformations, e.g. for 32-bit time representation. + +The difficulty with supporting compat64 is that the first transformation +may still required, while the second transformation is not relevant and +should not be carried out in compat64. For instance:: + + diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c + index 6e6b6e61227b..45551c113172 100644 + --- a/drivers/pps/pps.c + +++ b/drivers/pps/pps.c + @@ -249,12 +249,13 @@ static long pps_cdev_ioctl(struct file *file, + static long pps_cdev_compat_ioctl(struct file *file, + unsigned int cmd, unsigned long arg) + { + - struct pps_device *pps = file->private_data; + - void __user *uarg = (void __user *) arg; + + void __user *uarg = compat_ptr(arg); + + cmd = _IOC(_IOC_DIR(cmd), _IOC_TYPE(cmd), _IOC_NR(cmd), sizeof(void *)); + + +#ifdef CONFIG_COMPAT32 + if (cmd == PPS_FETCH) { + + struct pps_device *pps = file->private_data; + struct pps_fdata_compat compat; + struct pps_fdata fdata; + int err; + @@ -289,8 +290,9 @@ static long pps_cdev_compat_ioctl(struct file *file, + return copy_to_user(uarg, &compat, + sizeof(struct pps_fdata_compat)) ? -EFAULT : 0; + } + +#endif /* CONFIG_COMPAT32 */ + + - return pps_cdev_ioctl(file, cmd, arg); + + return pps_cdev_ioctl(file, cmd, (user_uintptr_t)uarg); + } + #else + #define pps_cdev_compat_ioctl NULL + +When a given request takes a pointer to a struct, and that struct +contains types that differ in compat, it is normally represented as +``struct compat_<name>`` in the compat handler. It may happen that some +of the types used in this struct are only appropriate for compat32. The +preferred approach in this case is to change these types to appropriate +``compat_*`` types, for instance ``compat_long`` instead of ``s32``. +This holds even if the entire transformation is unnecessary in compat64; +this is so that the compat handler is kept as generic as possible. For +example:: + + diff --git a/block/ioctl.c b/block/ioctl.c + index da5dd701aff6..a18279f29d35 100644 + --- a/block/ioctl.c + +++ b/block/ioctl.c + @@ -377,7 +377,7 @@ struct compat_hd_geometry { + unsigned char heads; + unsigned char sectors; + unsigned short cylinders; + - u32 start; + + compat_ulong_t start; + }; + +When the struct contains pointers, they must be represented as +``compat_uptr_t`` (preferred) or ``compat_caddr_t`` in its compat +counterpart, and conversions between compat user pointers and native +user pointers must always be made using ``compat_ptr()`` and +``ptr_to_compat()``. + +``__user`` annotation fixups +============================ + +Most complex types involving ``__user`` fail to build in PCuABI, notably +double user pointers (user pointer to a user pointer). This is because +using ``__capability`` as a prefix to ``*`` only has the intended +meaning in a limited number of situations. Otherwise, the compiler will +typically throw the following error:: + + error: use of __capability is ambiguous + +A fixup is then required, as described in section "PCuABI-specific +changes" of the `user pointer documentation`_. For instance:: + + diff --git a/net/socket.c b/net/socket.c + index 8597fbacb089..ab2a610825cc 100644 + --- a/net/socket.c + +++ b/net/socket.c + @@ -3156,7 +3169,11 @@ void socket_seq_show(struct seq_file *seq) + * the next page isn't readable/writable, we get a fault. To prevent + * that, copy back and forth to the full size. + */ + +#ifdef CONFIG_CHERI_PURECAP_UABI + +int get_user_ifreq(struct ifreq *ifr, void * __capability *ifrdata, void __user *arg) + +#else + int get_user_ifreq(struct ifreq *ifr, void __user **ifrdata, void __user *arg) + +#endif + { + if (in_compat_syscall()) { + struct compat_ifreq *ifr32 = (struct compat_ifreq *)ifr; + +Fortunately, ``__user`` is mostly used in simple types, and such fixups +are rarely needed in driver code. -- 2.34.1

2 years

2
2
0 0

2024

2023

2022

linux-morello