Hi,
We are now pretty close to having fully implemented the PCuABI specification. This series updates the documentation accordingly, and removes references to the transitional ABI, which is no longer relevant. The old defconfig name (morello_transitional_pcuabi_defconfig) is however kept as a symlink to avoid breaking existing build scripts.
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/commits/morello/abi_doc...
Rendered docs:
https://git.morello-project.org/kbrodsky-arm/linux/-/blob/morello/abi_doc_up...
https://git.morello-project.org/kbrodsky-arm/linux/-/blob/morello/abi_doc_up...
Thanks, Kevin
Kevin Brodsky (3):
  arm64: morello: Rename defconfig
  init: Update PCuABI notice
  Documentation: cheri: Update PCuABI status

 Documentation/arch/arm64/morello.rst        |  51 +++---
 Documentation/cheri/pcuabi.rst              |  49 +++--
 arch/arm64/configs/morello_pcuabi_defconfig | 171 +++++++++++++++++
 .../morello_transitional_pcuabi_defconfig   | 172 +-----------------
 init/main.c                                 |   2 +-
 5 files changed, 229 insertions(+), 216 deletions(-)
 create mode 100644 arch/arm64/configs/morello_pcuabi_defconfig
 mode change 100644 => 120000 arch/arm64/configs/morello_transitional_pcuabi_defconfig
Our implementation of PCuABI is now fairly close to the full specification, and the transitional PCuABI specification is no longer relevant.
Rename the Morello PCuABI defconfig accordingly. To avoid breaking existing flows that run make morello_transitional_pcuabi_defconfig, make the old file name a symlink.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
---
Git is providing a rather confusing diff here. What really happens is this:
* morello_transitional_pcuabi_defconfig => morello_pcuabi_defconfig (file renamed)
* morello_transitional_pcuabi_defconfig is made a symlink to morello_pcuabi_defconfig

 arch/arm64/configs/morello_pcuabi_defconfig | 171 +++++++++++++++++
 .../morello_transitional_pcuabi_defconfig   | 172 +-----------------
 2 files changed, 172 insertions(+), 171 deletions(-)
 create mode 100644 arch/arm64/configs/morello_pcuabi_defconfig
 mode change 100644 => 120000 arch/arm64/configs/morello_transitional_pcuabi_defconfig
diff --git a/arch/arm64/configs/morello_pcuabi_defconfig b/arch/arm64/configs/morello_pcuabi_defconfig new file mode 100644 index 000000000000..eb778c38abbe --- /dev/null +++ b/arch/arm64/configs/morello_pcuabi_defconfig 
@@ -0,0 +1,171 @@ +CONFIG_SYSVIPC=y +CONFIG_POSIX_MQUEUE=y +CONFIG_AUDIT=y +CONFIG_NO_HZ_IDLE=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_BPF_SYSCALL=y +CONFIG_PREEMPT=y +CONFIG_IRQ_TIME_ACCOUNTING=y +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BSD_PROCESS_ACCT_V3=y +CONFIG_TASKSTATS=y +CONFIG_TASK_DELAY_ACCT=y +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_UCLAMP_TASK=y +CONFIG_NUMA_BALANCING=y +CONFIG_MEMCG=y +CONFIG_BLK_CGROUP=y +CONFIG_UCLAMP_TASK_GROUP=y +CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_HUGETLB=y +CONFIG_CPUSETS=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y +CONFIG_USER_NS=y +CONFIG_SCHED_AUTOGROUP=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_KALLSYMS_ALL=y +CONFIG_PROFILING=y +CONFIG_KEXEC=y +CONFIG_CRASH_DUMP=y +CONFIG_ARCH_VEXPRESS=y +CONFIG_ARM64_VA_BITS_48=y +CONFIG_SCHED_MC=y +CONFIG_NUMA=y +CONFIG_COMPAT=y +CONFIG_RANDOMIZE_BASE=y +CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y +CONFIG_ENERGY_MODEL=y +CONFIG_ARM_PSCI_CPUIDLE=y +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_STAT=y +CONFIG_ACPI=y +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +CONFIG_ACPI_APEI_MEMORY_FAILURE=y +CONFIG_ACPI_APEI_EINJ=y +CONFIG_JUMP_LABEL=y +CONFIG_CHERI_PURECAP_UABI=y +CONFIG_MODULES=y +CONFIG_MODULE_UNLOAD=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_MISC=y +# CONFIG_COMPAT_BRK is not set +CONFIG_MEMORY_FAILURE=y +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_CMA=y +CONFIG_ANON_VMA_NAME=y +CONFIG_NET=y +CONFIG_PACKET=y +CONFIG_IP_PNP=y +CONFIG_IP_PNP_DHCP=y +CONFIG_NETFILTER=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_IP_VS=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_BRIDGE=y +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +CONFIG_PCI=y 
+CONFIG_PCI_HOST_GENERIC=y +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_ARM_SCMI_PROTOCOL=y +CONFIG_EFI_CAPSULE_LOADER=y +CONFIG_BLK_DEV_LOOP=y +CONFIG_VIRTIO_BLK=y +CONFIG_BLK_DEV_SD=y +CONFIG_ATA=y +CONFIG_SATA_AHCI=y +CONFIG_MD=y +CONFIG_BLK_DEV_DM=y +CONFIG_NETDEVICES=y +CONFIG_MACVLAN=y +CONFIG_MACVTAP=y +CONFIG_TUN=y +CONFIG_VETH=y +CONFIG_VIRTIO_NET=y +CONFIG_R8169=y +CONFIG_SMC91X=y +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_EVDEV=y +# CONFIG_SERIO_SERPORT is not set +CONFIG_LEGACY_PTY_COUNT=16 +CONFIG_SERIAL_AMBA_PL011=y +CONFIG_SERIAL_AMBA_PL011_CONSOLE=y +CONFIG_HW_RANDOM=y +CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_I2C_CADENCE=y +CONFIG_REGULATOR=y +CONFIG_REGULATOR_FIXED_VOLTAGE=y +CONFIG_DRM=y +CONFIG_DRM_LOAD_EDID_FIRMWARE=y +CONFIG_DRM_I2C_NXP_TDA998X=y +CONFIG_DRM_I2C_NXP_TDA9950=y +CONFIG_DRM_KOMEDA=y +CONFIG_DRM_PANFROST=y +CONFIG_FB=y +CONFIG_FB_EFI=y +CONFIG_USB_HIDDEV=y +CONFIG_I2C_HID_ACPI=y +CONFIG_USB=y +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_STORAGE=y +CONFIG_MMC=y +CONFIG_MMC_BLOCK_MINORS=32 +CONFIG_MMC_ARMMMCI=y +CONFIG_RTC_CLASS=y +CONFIG_RTC_DRV_EFI=y +CONFIG_VIRTIO_MMIO=y +CONFIG_COMMON_CLK_SCMI=y +CONFIG_MAILBOX=y +CONFIG_ARM_MHU=y +CONFIG_PLATFORM_MHU=y +CONFIG_ARM_SMMU_V3=y +CONFIG_MEMORY=y +CONFIG_ARM_SPE_PMU=y +CONFIG_ANDROID_BINDER_IPC=y +CONFIG_EXT4_FS=y +CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_FANOTIFY=y +CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y +CONFIG_QUOTA=y +CONFIG_AUTOFS_FS=y +CONFIG_VFAT_FS=y +CONFIG_PROC_KCORE=y +CONFIG_TMPFS=y +CONFIG_HUGETLBFS=y +CONFIG_EFIVAR_FS=y +CONFIG_NFS_FS=y +CONFIG_ROOT_NFS=y +CONFIG_9P_FS=y +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_ISO8859_1=y +CONFIG_KEYS=y +CONFIG_SECURITY=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_SELINUX=y +CONFIG_PRINTK_TIME=y +CONFIG_DEBUG_KERNEL=y +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +CONFIG_MAGIC_SYSRQ=y +CONFIG_DEBUG_FS=y +# CONFIG_SCHED_DEBUG is not set +CONFIG_FTRACE_SYSCALLS=y +CONFIG_CORESIGHT=y +CONFIG_MEMTEST=y 
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig deleted file mode 100644 index eb778c38abbe..000000000000 --- a/arch/arm64/configs/morello_transitional_pcuabi_defconfig +++ /dev/null 
@@ -1,171 +0,0 @@ -CONFIG_SYSVIPC=y -CONFIG_POSIX_MQUEUE=y -CONFIG_AUDIT=y -CONFIG_NO_HZ_IDLE=y -CONFIG_HIGH_RES_TIMERS=y -CONFIG_BPF_SYSCALL=y -CONFIG_PREEMPT=y -CONFIG_IRQ_TIME_ACCOUNTING=y -CONFIG_BSD_PROCESS_ACCT=y -CONFIG_BSD_PROCESS_ACCT_V3=y -CONFIG_TASKSTATS=y -CONFIG_TASK_DELAY_ACCT=y -CONFIG_TASK_XACCT=y -CONFIG_TASK_IO_ACCOUNTING=y -CONFIG_IKCONFIG=y -CONFIG_IKCONFIG_PROC=y -CONFIG_UCLAMP_TASK=y -CONFIG_NUMA_BALANCING=y -CONFIG_MEMCG=y -CONFIG_BLK_CGROUP=y -CONFIG_UCLAMP_TASK_GROUP=y -CONFIG_CGROUP_PIDS=y -CONFIG_CGROUP_FREEZER=y -CONFIG_CGROUP_HUGETLB=y -CONFIG_CPUSETS=y -CONFIG_CGROUP_DEVICE=y -CONFIG_CGROUP_CPUACCT=y -CONFIG_CGROUP_PERF=y -CONFIG_CGROUP_BPF=y -CONFIG_USER_NS=y -CONFIG_SCHED_AUTOGROUP=y -CONFIG_BLK_DEV_INITRD=y -CONFIG_KALLSYMS_ALL=y -CONFIG_PROFILING=y -CONFIG_KEXEC=y -CONFIG_CRASH_DUMP=y -CONFIG_ARCH_VEXPRESS=y -CONFIG_ARM64_VA_BITS_48=y -CONFIG_SCHED_MC=y -CONFIG_NUMA=y -CONFIG_COMPAT=y -CONFIG_RANDOMIZE_BASE=y -CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y -CONFIG_ENERGY_MODEL=y -CONFIG_ARM_PSCI_CPUIDLE=y -CONFIG_CPU_FREQ=y -CONFIG_CPU_FREQ_STAT=y -CONFIG_ACPI=y -CONFIG_ACPI_APEI=y -CONFIG_ACPI_APEI_GHES=y -CONFIG_ACPI_APEI_MEMORY_FAILURE=y -CONFIG_ACPI_APEI_EINJ=y -CONFIG_JUMP_LABEL=y -CONFIG_CHERI_PURECAP_UABI=y -CONFIG_MODULES=y -CONFIG_MODULE_UNLOAD=y -# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set -CONFIG_BINFMT_MISC=y -# CONFIG_COMPAT_BRK is not set -CONFIG_MEMORY_FAILURE=y -CONFIG_TRANSPARENT_HUGEPAGE=y -CONFIG_CMA=y -CONFIG_ANON_VMA_NAME=y -CONFIG_NET=y -CONFIG_PACKET=y -CONFIG_IP_PNP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_NETFILTER=y -CONFIG_BRIDGE_NETFILTER=y -CONFIG_NF_CONNTRACK=y -CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y -CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y -CONFIG_NETFILTER_XT_MATCH_IPVS=y -CONFIG_NETFILTER_XT_MATCH_MARK=y -CONFIG_IP_VS=y -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_NAT=y -CONFIG_IP_NF_TARGET_MASQUERADE=y -CONFIG_BRIDGE=y -CONFIG_NET_9P=y -CONFIG_NET_9P_VIRTIO=y -CONFIG_PCI=y 
-CONFIG_PCI_HOST_GENERIC=y -CONFIG_DEVTMPFS=y -CONFIG_DEVTMPFS_MOUNT=y -CONFIG_ARM_SCMI_PROTOCOL=y -CONFIG_EFI_CAPSULE_LOADER=y -CONFIG_BLK_DEV_LOOP=y -CONFIG_VIRTIO_BLK=y -CONFIG_BLK_DEV_SD=y -CONFIG_ATA=y -CONFIG_SATA_AHCI=y -CONFIG_MD=y -CONFIG_BLK_DEV_DM=y -CONFIG_NETDEVICES=y -CONFIG_MACVLAN=y -CONFIG_MACVTAP=y -CONFIG_TUN=y -CONFIG_VETH=y -CONFIG_VIRTIO_NET=y -CONFIG_R8169=y -CONFIG_SMC91X=y -CONFIG_INPUT_MOUSEDEV=y -CONFIG_INPUT_EVDEV=y -# CONFIG_SERIO_SERPORT is not set -CONFIG_LEGACY_PTY_COUNT=16 -CONFIG_SERIAL_AMBA_PL011=y -CONFIG_SERIAL_AMBA_PL011_CONSOLE=y -CONFIG_HW_RANDOM=y -CONFIG_HW_RANDOM_VIRTIO=y -CONFIG_I2C_CADENCE=y -CONFIG_REGULATOR=y -CONFIG_REGULATOR_FIXED_VOLTAGE=y -CONFIG_DRM=y -CONFIG_DRM_LOAD_EDID_FIRMWARE=y -CONFIG_DRM_I2C_NXP_TDA998X=y -CONFIG_DRM_I2C_NXP_TDA9950=y -CONFIG_DRM_KOMEDA=y -CONFIG_DRM_PANFROST=y -CONFIG_FB=y -CONFIG_FB_EFI=y -CONFIG_USB_HIDDEV=y -CONFIG_I2C_HID_ACPI=y -CONFIG_USB=y -CONFIG_USB_XHCI_HCD=y -CONFIG_USB_STORAGE=y -CONFIG_MMC=y -CONFIG_MMC_BLOCK_MINORS=32 -CONFIG_MMC_ARMMMCI=y -CONFIG_RTC_CLASS=y -CONFIG_RTC_DRV_EFI=y -CONFIG_VIRTIO_MMIO=y -CONFIG_COMMON_CLK_SCMI=y -CONFIG_MAILBOX=y -CONFIG_ARM_MHU=y -CONFIG_PLATFORM_MHU=y -CONFIG_ARM_SMMU_V3=y -CONFIG_MEMORY=y -CONFIG_ARM_SPE_PMU=y -CONFIG_ANDROID_BINDER_IPC=y -CONFIG_EXT4_FS=y -CONFIG_EXT4_FS_POSIX_ACL=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_FANOTIFY=y -CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y -CONFIG_QUOTA=y -CONFIG_AUTOFS_FS=y -CONFIG_VFAT_FS=y -CONFIG_PROC_KCORE=y -CONFIG_TMPFS=y -CONFIG_HUGETLBFS=y -CONFIG_EFIVAR_FS=y -CONFIG_NFS_FS=y -CONFIG_ROOT_NFS=y -CONFIG_9P_FS=y -CONFIG_NLS_CODEPAGE_437=y -CONFIG_NLS_ISO8859_1=y -CONFIG_KEYS=y -CONFIG_SECURITY=y -CONFIG_SECURITY_NETWORK=y -CONFIG_SECURITY_SELINUX=y -CONFIG_PRINTK_TIME=y -CONFIG_DEBUG_KERNEL=y -CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y -CONFIG_MAGIC_SYSRQ=y -CONFIG_DEBUG_FS=y -# CONFIG_SCHED_DEBUG is not set -CONFIG_FTRACE_SYSCALLS=y -CONFIG_CORESIGHT=y -CONFIG_MEMTEST=y 
diff --git a/arch/arm64/configs/morello_transitional_pcuabi_defconfig b/arch/arm64/configs/morello_transitional_pcuabi_defconfig new file mode 120000 index 000000000000..c57a922f2b15 --- /dev/null +++ b/arch/arm64/configs/morello_transitional_pcuabi_defconfig @@ -0,0 +1 @@ +morello_pcuabi_defconfig \ No newline at end of file
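Review bot: the new-file hunk for morello_pcuabi_defconfig (@@ -0,0 +1,171 @@) shows all 171 lines as additions rather than a rename because the old path is reused for the symlink within the same commit, even though the blob is identical on both sides (index eb778c38abbe in both the new-file and deleted-file headers). Splitting this into two commits, the rename first and the symlink second, would let git record it as a rename, keep blame and log history on the defconfig lines, and make the "rather confusing diff" explanation in the commit message unnecessary.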
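Review bot: the symlink hunk (mode 120000, content "morello_pcuabi_defconfig" with no trailing newline, which is the normal form for a git symlink blob) uses a relative target in the same directory, so `make morello_transitional_pcuabi_defconfig` resolves to the renamed file as intended. One caveat worth a sentence in the commit message: an in-tree symlink only works on checkouts and exports that preserve symlinks; where they are not supported the old name becomes a one-line regular file and `make` with it will not produce the intended configuration, so users of such flows should move to `make morello_pcuabi_defconfig` rather than rely on the compatibility name.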
Our implementation of PCuABI is now fairly close to the full specification, so we can drop the "transitional" qualifier.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
---
 init/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/main.c b/init/main.c index 7101bc5fab37..2839a947ec14 100644 --- a/init/main.c +++ b/init/main.c @@ -894,7 +894,7 @@ void start_kernel(void) page_address_init(); pr_notice("%s", linux_banner); #ifdef CONFIG_CHERI_PURECAP_UABI - pr_notice("Userspace ABI: pure-capability (PCuABI), transitional\n"); + pr_notice("Userspace ABI: pure-capability (PCuABI)\n"); #endif early_security_init(); setup_arch(&command_line);
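Review bot: the start_kernel() hunk only changes the text of a pr_notice() that is already inside the existing `#ifdef CONFIG_CHERI_PURECAP_UABI` guard, so there is no functional concern. Since the documentation patch in this series still lists several aspects of the spec that are not fully implemented, it would be worth checking whether any Morello boot or test scripts match the old "transitional" string in dmesg before this lands, and mentioning in the commit message that the banner no longer signals partial alignment with the spec.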
Our implementation of PCuABI is now fairly close to the full specification, and the transitional PCuABI specification is no longer relevant.
Update the documentation to remove references to the transitional ABI, and list the remaining limitations w.r.t. the full ABI.
The Morello-specific limitations are also updated to be more representative of the current status. Those related to mmap-like syscalls in hybrid, and ptrace in general, are removed as they are the result of design decisions that are not expected to change.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
---
 Documentation/arch/arm64/morello.rst | 51 ++++++++++++----------------
 Documentation/cheri/pcuabi.rst       | 49 ++++++++++++++++++--------
 2 files changed, 56 insertions(+), 44 deletions(-)
diff --git a/Documentation/arch/arm64/morello.rst b/Documentation/arch/arm64/morello.rst index 0a76bbf06290..b62900c119a6 100644 --- a/Documentation/arch/arm64/morello.rst +++ b/Documentation/arch/arm64/morello.rst @@ -5,7 +5,7 @@ Morello in AArch64 Linux Author: Kevin Brodsky kevin.brodsky@arm.com
| Original date: 2020-09-07 -| Last updated: 2022-12-07 +| Last updated: 2024-04-25 |
This document describes the provision of Morello functionalities to @@ -13,15 +13,9 @@ userspace by Linux.
**Disclaimer** Support for Morello in Linux is experimental, just like the - Morello architecture itself. Any aspect of the kernel-user ABI - introduced for Morello may be later modified or removed, without - guaranteeing backwards-compatibility. Additionally, no claim or + Morello architecture itself. Additionally, no claim or guarantee is made regarding the security properties of this - implementation; the kernel-user interface is currently entirely - unrestricted w.r.t. capabilities held by the user context. This means - notably that capability-based sandboxes in userspace are - straightforward to escape, for instance by issuing syscalls. More - details can be found in the Limitations_ section. + implementation. More details can be found in the Limitations_ section.
Architecture overview ===================== @@ -264,23 +258,23 @@ configuration is untested. Please note that the following caveats and limitations currently apply when ``CONFIG_CHERI_PURECAP_UABI`` is selected:
-* A **transitional** variation of PCuABI is provided by the kernel. - The transitional ABI is specified separately in [5]_. Only **a limited - set of syscalls** is supported in this ABI. - -* Only a **fixed configuration** is supported when - ``CONFIG_CHERI_PURECAP_UABI`` is selected: - ``morello_transitional_pcuabi_defconfig``. +* Only a **fixed configuration** is supported when ``CONFIG_CHERI_PURECAP_UABI`` + is selected: ``morello_pcuabi_defconfig``. In other words, configuring the kernel with PCuABI support should be - done by using ``make morello_transitional_pcuabi_defconfig``. + done by using ``make morello_pcuabi_defconfig``. Selecting additional options may cause build and/or runtime errors.
+* Several aspects of the PCuABI specification [5]_ are not fully + implemented. Please refer to the `PCuABI documentation`_ for more + information. + The rest of this document specifies **extensions to the standard AArch64 ABI**. These extensions are also available in PCuABI, with a number of -differences. The transitional PCuABI specification [5]_ takes precedence -where it differs from the present document. +differences. The PCuABI specification [5]_ takes precedence where it +differs from the present document.
.. _pure-capability kernel-user ABI: Documentation/cheri/pcuabi.rst +.. _PCuABI documentation: Documentation/cheri/pcuabi.rst
Register handling ----------------- @@ -685,24 +679,18 @@ Note Limitations ===========
-* **No capability-based restriction is enforced at the kernel-user - interface.** This means in particular that: +* In the **standard AArch64 ABI** with Morello extensions (also known as + "hybrid"), the kernel-user interface is generally unrestricted w.r.t. + capabilities. In particular:
- Accesses by the kernel to user memory (uaccess) are not checked against the user's active DDC, allowing syscalls such as ``read()`` or ``write()`` to access memory that the user thread may not otherwise be - able to access through the capabilities it has access to. This - limitation is to be investigated as part of the support for the - pure-capability ABI. - - Syscalls in the ``mmap()`` family allow to modify the entire address - space without restriction. + able to access through the capabilities it has access to. - A user context running in Restricted is able to register arbitrary signal handlers, which are always invoked in Executive. As a result, a Restricted context can easily cause arbitrary code to be run in Executive. - - Any user context (whether running in Executive or Restricted) is - able to access the entire address space of the process through the - ptrace interface (by forking a child process for that purpose).
* No particular support for the DDCBO and PCCBO bits of CCTLR_EL0 is provided. If either of these bits is set in CCTLR_EL0 and the base of @@ -722,6 +710,9 @@ Limitations available registers when entering / exiting the kernel. - Capability tags in memory are not included in core dumps.
+* perf samples of type ``PERF_SAMPLE_CALLCHAIN`` are not supported if + PCuABI is selected. + References ==========
@@ -729,4 +720,4 @@ References .. [2] https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ .. [3] https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf .. [4] https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-947.pdf -.. [5] https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-Mo... +.. [5] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-ca... diff --git a/Documentation/cheri/pcuabi.rst b/Documentation/cheri/pcuabi.rst index 90e8a4200826..a8a9a105c9e9 100644 --- a/Documentation/cheri/pcuabi.rst +++ b/Documentation/cheri/pcuabi.rst @@ -25,19 +25,41 @@ it is the only CHERI-enabled architecture supported in Linux. Adding support for other architectures would entail extending the specification accordingly.
-The present document deals with implementation aspects that are beyond -the scope of the specification. It aims to provide kernel developers -with an overview of the changes that have been made to various internal -kernel APIs in order to support PCuABI. - -Note: current limitations - Support for PCuABI in Linux is a work in progress, and at this stage - it is mostly of a functional nature, with only limited enforcement of - capability-related restrictions. The variant of the ABI that is - currently implemented in Linux is documented in the `transitional - PCuABI specification`_, which is forward-compatible with the full - specification. Only **a limited set of syscalls** is supported in this - ABI. +This Linux fork implements the essential aspects of PCuABI. However, +alignment with the specification is not complete. The following +limitations are currently present in this implementation: + +* Only a subset of drivers can be built when PCuABI is selected (see + section below). Those that can be built generally handle their own + ``ioctl`` commands correctly, but in certain cases the corresponding + uapi struct may represent pointers as ``__u64``, and as a result the + ``ioctl`` handler needs to create valid user pointers from the root + user capability to allow the operation to succeed. + +* Syscalls targeting another thread/process, including NUMA syscalls and + ``process_madvise()``, are not handled according to the spec. In + general, capabilities passed to them are not checked, and they are + preserved as if targeting the current process. + +* The initial kernel-provided data (``argv``, ``envp``, ``auxv``, + strings and data referred to from those arrays) is still stored on the + stack, instead of a separate memory mapping. The other aspects of the + "Kernel-provided data" section of the spec are implemented, which + means for instance that ``argv`` should be accessed through the ``C1`` + register instead of walking the stack. 
+ +* The initial strings that elements of ``argv`` and ``envp`` point to + are not padded to ensure capability bounds representability. This + means that the bounds of capabilities in the ``argv`` and/or ``envp`` + arrays may overlap. Similarly the ``argv`` and ``envp`` capabilities + themselves may overlap with each other. Note however that such a + situation is expected to be very rare (requiring an extremely large + number of arguments or extremely long strings). + +The rest of this document deals with implementation aspects that are +beyond the scope of the specification. It aims to provide kernel +developers with an overview of the changes that have been made to +various internal kernel APIs in order to support PCuABI.
Config option ============= @@ -173,5 +195,4 @@ For more information about user pointers and related conversions, please refer to the `user pointer documentation`_.
.. _PCuABI specification: https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-ca... -.. _Transitional PCuABI specification: https://git.morello-project.org/morello/kernel/linux/-/wikis/Transitional-Mo... .. _user pointer documentation: Documentation/core-api/user_ptr.rst
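Review bot: the morello.rst Limitations hunk (@@ -685,24 +679,18 @@) now scopes the unchecked-uaccess and signal-handler items to the hybrid ABI, which is consistent with the Disclaimer hunk dropping the sentence about capability sandboxes being straightforward to escape. Two follow-ups: the hybrid uaccess bullet still states that kernel accesses are not checked against the user's DDC, and a PCuABI reader cannot tell from this file whether the same applies under PCuABI, so one sentence either confirming that PCuABI uaccess is checked against the user capability (if that is the case) or pointing to the pcuabi.rst limitation list would remove the ambiguity; and the removed ptrace bullet was the only place documenting that any context, Executive or Restricted, can reach the whole address space via ptrace, so if that is a deliberate design decision it deserves a line stating so rather than silently disappearing.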
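Review bot: in the pcuabi.rst hunk (@@ -25,19 +25,41 @@), the new limitation list is accurate but understates the security relevance of two entries. The bullet on syscalls targeting another thread/process says capabilities passed to them "are not checked" and are "preserved as if targeting the current process"; stating plainly that these syscalls currently accept any valid capability for the target would tell readers evaluating isolation between processes not to rely on the spec's checks there. The ioctl bullet describes handlers creating user pointers "from the root user capability" for `__u64` fields; it is worth adding that such pointers are not bounded by anything the caller passed, so those ioctl paths are effectively unchecked until the uapi structs carry capabilities. Finally, "extremely large number of arguments or extremely long strings" in the argv/envp bullet could be made concrete by noting that overlap arises when a string or array length is beyond what compressed capability bounds can represent exactly for its alignment, with a pointer to the representability rule in the spec.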
On 25/04/2024 14:36, Kevin Brodsky wrote:
Hi,
We are now pretty close to having fully implemented the PCuABI specification. This series updates the documentation accordingly, and removes references to the transitional ABI, which is no longer relevant. The old defconfig name (morello_transitional_pcuabi_defconfig) is however kept as a symlink to avoid breaking existing build scripts.
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/commits/morello/abi_doc...
Rendered docs:
https://git.morello-project.org/kbrodsky-arm/linux/-/blob/morello/abi_doc_up...
https://git.morello-project.org/kbrodsky-arm/linux/-/blob/morello/abi_doc_up...
Thanks, Kevin
Kevin Brodsky (3):
  arm64: morello: Rename defconfig
  init: Update PCuABI notice
  Documentation: cheri: Update PCuABI status
Applied on next.
Kevin
 Documentation/arch/arm64/morello.rst        |  51 +++---
 Documentation/cheri/pcuabi.rst              |  49 +++--
 arch/arm64/configs/morello_pcuabi_defconfig | 171 +++++++++++++++++
 .../morello_transitional_pcuabi_defconfig   | 172 +-----------------
 init/main.c                                 |   2 +-
 5 files changed, 229 insertions(+), 216 deletions(-)
 create mode 100644 arch/arm64/configs/morello_pcuabi_defconfig
 mode change 100644 => 120000 arch/arm64/configs/morello_transitional_pcuabi_defconfig