- 02 Aug, 2022 2 commits
-
-
Drop the standard system directories from the include search path to avoid any potential ambiguities, relying almost solely on exported kernel headers. This, though, requires explicitly pulling in the compiler's headers. While at it, clean up [C|LD]FLAGS a bit to make a clean cut between the two and use them as required by the given stage.
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Make sure to use kernel uapi headers instead of pulling in standard system ones.
Co-developed-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
- 29 Jul, 2022 4 commits
-
-
Enable DEBUG_INFO. Not choosing an option for CONFIG_DEBUG_INFO defaults to CONFIG_DEBUG_INFO_NONE, which removes the debug symbols from vmlinux. Use the toolchain default option instead.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Kevin Brodsky authored
The implementation of PCuABI has required expanding the API around user pointers a lot. Add a document describing that API and some of the rationale behind it w.r.t. PCuABI.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
Now that we have introduced copy_{to,from}_user_with_ptr(), we can use them instead of the long "if PCuABI then ..._with_captags() else ...()" that we have had to use so far. No functional change.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
This patch introduces new *_with_ptr() routines that guarantee that (user) pointers contained within the transferred data are fully preserved. The main motivation for adding these new routines is to provide a generic interface that is compatible with the pure-capability uABI, where user pointers are tagged and are not preserved by ordinary uaccess routines.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
- 05 Jul, 2022 34 commits
-
-
A number of system calls use __u64 for pointers in UAPI structs (for example clone_args, epoll_event). In CHERI PCuABI those pointers need to be 129-bit capabilities, so the __u64 type is not large enough. Create a new type __kernel_uintptr_t for these cases, which maintains compatibility with old applications while also allowing capability pointers.

Create two definitions for __kernel_uintptr_t: one for applications compiled with purecap (__CHERI_PURE_CAPABILITY__ is defined) and one for all other applications. Old applications can keep using __u64 for pointers, while new purecap-enabled applications can use the uintptr_t type for pointers, which will match the __kernel_uintptr_t type (__uintcap_t when compiled with purecap, or __u64 when compiled without purecap).

Furthermore, split up the user and kernel definitions. This is needed because a PCuABI kernel needs to use __uintcap_t to handle capabilities but it is a hybrid binary (__CHERI_PURE_CAPABILITY__ is not defined).

Also add an aligned variant. Capabilities are guaranteed to be aligned to 16 bytes by the compiler on all architectures, so they don't need explicit alignment.

Note that __kernel_uintptr_t, despite the generic name, is always at least 64 bits wide (not 32 bits on 32-bit systems).
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
-
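As an added illustration (example code, not the Morello kernel's own uapi header), the following models the user-side selection of __kernel_uintptr_t described in the commit above and shows why a pointer stored in such a slot must go through uintptr_t rather than a plain 64-bit cast. The struct example_args and its helper functions are constructed for this example; on a non-CHERI host only the __u64 branch is compiled, so the purecap branch is visible but inactive.

```c
/*
 * Added example, not the kernel's own header: model of a
 * __kernel_uintptr_t-style pointer slot in a uapi struct.
 * struct example_args and the example_* helpers are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t __u64;

/* User-side selection: purecap compilers define __CHERI_PURE_CAPABILITY__. */
#ifdef __CHERI_PURE_CAPABILITY__
typedef __uintcap_t __kernel_uintptr_t;   /* 129-bit capability */
#else
typedef __u64 __kernel_uintptr_t;         /* plain 64-bit integer */
#endif

/* Regardless of the branch, the slot is always at least 64 bits wide. */
_Static_assert(sizeof(__kernel_uintptr_t) >= 8, "at least 64 bits wide");

/* Hypothetical clone_args-like struct as a new (purecap-aware) header defines it. */
struct example_args {
    __u64 flags;
    __kernel_uintptr_t stack;   /* user pointer slot */
    __u64 stack_size;
};

/* The same struct as an old, non-purecap application still sees it. */
struct example_args_old {
    __u64 flags;
    __u64 stack;
    __u64 stack_size;
};

/* Store a user pointer: casting via uintptr_t keeps a capability intact under
 * purecap, whereas casting via unsigned long would strip it to an address. */
static inline void example_set_stack(struct example_args *a, void *p)
{
    a->stack = (__kernel_uintptr_t)(uintptr_t)p;
}

static inline void *example_get_stack(const struct example_args *a)
{
    return (void *)(uintptr_t)a->stack;
}

/* Size of the pointer slot: 8 bytes without purecap (matching __u64). */
size_t example_stack_slot_size(void)
{
    return sizeof(((struct example_args *)0)->stack);
}

/* Layout compatibility with old applications holds in the non-purecap build. */
int example_layout_compatible(void)
{
    return sizeof(struct example_args) == sizeof(struct example_args_old) &&
           offsetof(struct example_args, stack) == offsetof(struct example_args_old, stack) &&
           offsetof(struct example_args, stack_size) == offsetof(struct example_args_old, stack_size);
}

/* Round-trip a pointer through the slot and check it comes back unchanged. */
int example_roundtrip(void)
{
    char buf[64];
    struct example_args a;

    memset(&a, 0, sizeof(a));
    example_set_stack(&a, buf);
    return example_get_stack(&a) == (void *)buf;
}
```

Under a purecap build the slot grows to a 16-byte capability and the old layout no longer matches, which is exactly why the commit keeps __u64 for existing applications and only purecap-enabled ones switch to uintptr_t.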
A bug was found in the getrusage syscall where the compat64 version used a different-sized struct to pass arguments. This resulted in some programs, such as time in bash, printing wrong values for process usage times. This is being fixed by using the native syscall, which has the same implementation since the struct members contain no pointers.
Signed-off-by: Sherwin da Cruz <sherwin.dacruz@arm.com>
-
For a compat ELF binary, /proc/pid/auxv will output an extra AT_NULL entry or garbage at the end. This is because it interprets the auxv elements using their native layout. The patch moves the auxv parsing to the binfmt handler, where the correct layout of the auxv elements is used. This patch is inspired by: https://lkml.org/lkml/2006/4/10/20
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
The return value of restart_syscall() is the return value of whatever syscall is being restarted. Conceptually, this can also be a capability, but there aren't any syscalls that have implemented a restart function and return a capability. So, add a comment explaining why it is left unmodified.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Kevin Brodsky authored
Introduce CONFIG_CHERI_PURECAP_UABI in the documentation with the relevant caveats, and update a few places accordingly.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
There is currently no straightforward way to determine if the kernel provides PCuABI, so printing some notice very early during the kernel boot should be helpful.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
arch_validate_sigaction() was introduced to enforce the additional constraints on sigaction in PCuABI; however, it is called by both the native and the compat handler. Since the compat ABI should be left unchanged, bail out if the caller is a compat task.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Structs ifconf and ifreq have user pointers as their members, so use the *_with_captags version of the interfaces for PCuABI. This will copy the capability tag bits associated with the user memory. When config CHERI_PURECAP_UABI is not present, simply perform copy_from_user/copy_to_user.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Without returning the creg register, sigreturn clears the metadata of C0 every time it's invoked. So enable returning a capability for sigreturn and choose the correct register set.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Add the macros that allow changing the return type for the COMP syscalls.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Before this change, only syscalls with parameters were allowed to return capabilities. This was previously done by modifying the __SYSCALL_DEFINEx macro, which doesn't handle SYSCALL_DEFINE0. The SYSCALL_DEFINE0 macro is tweaked to allow the change of the return type.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
In compat64, the syscall never returns a valid capability. Therefore setting C0 to the return of the syscall will always clear the metadata of the register. This is problematic in the case of the sigreturn syscall, which must restore all registers, including C0. The change aligns compat64 with the standard ABI (!PCuABI), where X0 is always merged into C0 without it being cleared, regardless of the syscall.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Kevin Brodsky authored
Enable support for the FAT filesystem to be able to mount the EFI partition (for instance). The CONFIG_NLS_* options are also required (already included in the standard defconfig). While at it, reorder CONFIG_HW_RANDOM* to match the output of make savedefconfig.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Enable options to use USB, SATA and network devices on the Morello board.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Use PCuABI-friendly functions to convert addresses to capability pointers or vice-versa. This is a minimal diff to get ATA to build. It may need to be revisited for functionality changes for PCuABI.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
-
Since commit "fs/ioctl: Modify 3rd argument of fops->unlocked_ioctl to user_uintptr_t", block_device_operations->ioctl() must take a user_uintptr_t as its third argument, in order to pass along CHERI capabilities. Update sd_ioctl() to match.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
-
Kevin Brodsky authored
In compat64, pointers are 64-bit, and cannot be represented as u32; the appropriate type to represent compat pointers is compat_uptr_t. Adjust processcompl_compat() accordingly. Since the definition of USBDEVFS_REAPURB{,NDELAY} is based on the size of void * from a userspace perspective, USBDEVFS_REAPURB{,NDELAY}32 also need to be adjusted.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
The USBDEVFS_*32 constants represent the corresponding ioctl requests in the compat ABI. Userspace should have no need for them since they are purely intended for internal kernel usage. Accordingly, move them out of the uapi header. This move will be required to modify USBDEVFS_REAPURB{,NDELAY}32 to support compat64, as compat_* types cannot be used in uapi headers.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
The definition of USBDEVFS_REAPURB{,NDELAY} is currently based on the size of void *, which is not appropriate in PCuABI where user pointers are of a different size. Annotate the pointers with __user to fix this.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Since commit "fs/ioctl: Modify 3rd argument of fops->unlocked_ioctl to user_uintptr_t", file_operations->unlocked_ioctl() must take a user_uintptr_t as its third argument, in order to pass along CHERI capabilities. Update usbdev_ioctl() to match.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Use PCuABI-friendly functions to convert addresses to capability pointers or vice-versa. Also use put_user_ptr to store user pointers. This is a minimal diff to get USB to build. It may need to be revisited for functionality changes for PCuABI.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
CHERI compilers mandatorily need __capability annotations after the pointer[*] in the case of double pointers. In order to minimise the need to disambiguate double user pointers, user pointers are now passed around as straightforward void __user * instead of double user pointers. This also allows us to get rid of a number of casts. Note that the actual type that processcompl() takes is a double user pointer (as per the cast when calling put_user()).
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
For some reason, compat_sys_ptrace() is only used in some arch-specific <asm/unistd.h>. Make use of it in <asm-generic/unistd.h> too, so that it is used on architectures where compat uses <asm-generic/unistd.h>, such as in the arm64 + compat64 case.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
compat_arch_ptrace() is currently entirely specific to AArch32. In order to support compat64, introduce an appropriate implementation of compat_arch_ptrace() that mirrors the native arch_ptrace().
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
compat_ptrace_request() does not currently handle all requests where the addr or data argument is a user pointer. Make it do so in order to support compat64, in which case compat_ptr() must always be used to obtain a valid user pointer from a compat user pointer.

To avoid duplication, the handling of PTRACE_{GET,SET}SIGMASK is moved to helpers that are now called from both ptrace_request() and compat_ptrace_request() (like most other requests).

Note that PTRACE_PEEKSIGINFO is a special case as it interprets both addr and data as user pointers, but ptrace_peek_siginfo() converts the data argument to a user pointer itself if currently in a compat syscall, so there is no need to do so in compat_ptrace_request().
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
Since commit "arm64: morello: Add support for TLS as capabilities", thread.uw.tp_value is a capability in PCuABI. A few places have not been updated accordingly, in particular morello_flush_cap_regs_to_64_regs(), which truncates CTPIDR to a 64-bit integer before storing it in tp_value. Cast it to user_uintptr_t instead to make it work as intended with and without PCuABI. This fixes ptrace(PTRACE_SETREGSET, NT_ARM_MORELLO).

Conversely, tls_get() still operates on 64-bit integers (to preserve the existing uapi), but the size it writes to user memory is currently inferred from the size of tp_value, which is a full capability in PCuABI. Cast it to unsigned long explicitly to avoid this. This fixes ptrace(PTRACE_GETREGSET, NT_ARM_TLS).

While at it, also add casts in tls_set() to make the conversions explicit. This change is only cosmetic.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
These are not particularly useful, and they cause problems when running some LTP tests. CONFIG_EXT4_FS was implicitly selected, we now need to select it explicitly. Note that the ext{2,3} filesystems remain available in userspace, as they can be handled by the ext4 driver itself.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
Most of what compat_blkdev_ioctl() does works regardless of the compat bitness, but a few parts are specific to 32-bit. Make these work for compat64 too by using the appropriate compat_* types to match native types, instead of hardcoding 32-bit integers.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Add very basic tests for address space management syscalls with the intent of validating their capabilities support.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Create a simple test to check our ability to modify and retrieve a process' scheduler policy.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Add very basic test cases for waitid ensuring correct behaviour and capability support for struct siginfo and struct rusage pointer args.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Provide a provisional (minimalistic) implementation of mmap that will perform very basic validation on the obtained capability (if any), along with a direct mmap syscall wrapper for quick memory allocations. Both are made available from within the main header file, exposing them for use by diverse unit tests.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Now most of the building blocks are in place, so let's enable compat64 signal handling support. In order to do so, add a new file, signal_compat64.c, which implements the compat frame setup functions by re-using the existing signal.c code. This new file redefines some of the structures and functions to point to the corresponding compat versions. As signal.c is re-used, a few global functions, native frame setup structures and PCuABI-specific changes cause warnings and errors, so add a compat64-specific definition, SIGNAL_COMPAT64, to filter out such code for the compat64 case.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
From a uapi perspective, siginfo_t has a fixed size of 128 bytes regardless of the ABI and architecture. This is achieved through a union that includes a padding array. In compat_siginfo_t, the union does not include the "header" of common members (si_signo / si_errno / si_code), as a result the padding array needs to account for them. The calculation is unfortunately invalid in compat64 as it assumes that the _sifields union has the same alignment as an int (4), which is no longer true as compat_uptr_t is 8 bytes, requiring the whole union to be aligned to 8 bytes. Fix this by accounting for the alignment requirement in the calculation.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
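The alignment problem in the compat_siginfo_t commit above can be checked on an ordinary 64-bit host, as the following added example does (example code, not the kernel's own definition). The struct names si32_naive, si64_naive and si64_fixed and the SI_PAD_SIZE_* macros are constructed for this example; uint32_t and uint64_t stand in for a 4-byte and an 8-byte compat_uptr_t. It shows that the original "128/sizeof(int) - 3" padding only gives 128 bytes while the union is 4-byte aligned, overshoots to 136 bytes once an 8-byte member forces the union to offset 16, and lands on 128 again once the header is rounded up to the union's alignment before the padding is derived.

```c
/*
 * Added example, not the kernel's own code: a model of the compat_siginfo_t
 * padding calculation. Struct and macro names are constructed for this
 * example; the 128-byte uapi size is the real constraint being modelled.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SI_MAX_SIZE 128

typedef uint32_t compat32_uptr_t;   /* 32-bit compat: 4-byte user pointers */
typedef uint64_t compat64_uptr_t;   /* compat64: 8-byte user pointers */

/* Original calculation: assumes _sifields starts right after the 3 ints. */
#define SI_PAD_SIZE_NAIVE (SI_MAX_SIZE / sizeof(int) - 3)

/* 32-bit compat layout: the union is only 4-byte aligned, so this works. */
struct si32_naive {
    int si_signo, si_errno, si_code;
    union {
        int _pad[SI_PAD_SIZE_NAIVE];
        struct { compat32_uptr_t _addr; } _sigfault;
    } _sifields;
};

/* compat64 with the same padding: the 8-byte member pushes the union to
 * offset 16 and rounds its size up, so the struct grows past 128 bytes. */
struct si64_naive {
    int si_signo, si_errno, si_code;
    union {
        int _pad[SI_PAD_SIZE_NAIVE];
        struct { compat64_uptr_t _addr; } _sigfault;
    } _sifields;
};

/* Fixed calculation: round the header up to the union's alignment first,
 * then derive the padding from what is left of the 128 bytes. */
#define SI_HEADER_SIZE(align) ((3 * sizeof(int) + (align) - 1) & ~((align) - 1))
#define SI_PAD_SIZE_FIXED(align) ((SI_MAX_SIZE - SI_HEADER_SIZE(align)) / sizeof(int))

struct si64_fixed {
    int si_signo, si_errno, si_code;
    union {
        int _pad[SI_PAD_SIZE_FIXED(_Alignof(compat64_uptr_t))];
        struct { compat64_uptr_t _addr; } _sigfault;
    } _sifields;
};

/* The uapi contract: the fixed compat64 layout is exactly 128 bytes. */
_Static_assert(sizeof(struct si64_fixed) == SI_MAX_SIZE, "compat64 siginfo size");

size_t si32_naive_size(void) { return sizeof(struct si32_naive); }   /* 128 */
size_t si64_naive_size(void) { return sizeof(struct si64_naive); }   /* 136 */
size_t si64_fixed_size(void) { return sizeof(struct si64_fixed); }   /* 128 */

/* Where _sifields lands in the fixed layout: 16, not 12. */
size_t si64_fixed_fields_offset(void)
{
    return offsetof(struct si64_fixed, _sifields);
}

int main(void)
{
    printf("si32 naive: %zu bytes\n", si32_naive_size());
    printf("si64 naive: %zu bytes (should be %d)\n", si64_naive_size(), SI_MAX_SIZE);
    printf("si64 fixed: %zu bytes, _sifields at offset %zu\n",
           si64_fixed_size(), si64_fixed_fields_offset());
    return si64_fixed_size() == SI_MAX_SIZE ? 0 : 1;
}
```

The practical consequence of the unfixed layout is that a struct copied to or from a compat64 task's signal frame would be 8 bytes larger than what userspace reserved for it, so the _Static_assert is the check worth keeping next to any such definition.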