1. 23 Jun, 2022 2 commits
  2. 20 Jun, 2022 2 commits
    • Switch to single JSON descriptor · bcce64e6
      Tamas Petz authored
      It is getting harder and harder to maintain several
      syscall descriptions. Use only one while maintaining
      the existing flexibility.
      
      The new, but backwards compatible descriptor format
      adds 'libc' and 'arch' fields. The former filters
      libc, the latter architectures. An empty list means
      no filtering.
      
      Note that only bionic, where wrappers are generated,
      uses the 'aliases' and 'symbol' fields.
      
      Change-Id: I3ab2d567377b7175a17ddd8bc91a70afd5eb011d
    • [Makefile] Do not generate shims twice · 1d354214
      Tamas Petz authored
      Multi-target rules are executed per target.
      Use target group (&:) to say that the rule is
      expected to create all the targets at once.
      
      The ordering rule was also behaving incorrectly
      in the new setup.
      
      Change-Id: I60dbdfee7a308d3af6f00bf40ac04e4ec63e471d
  3. 17 Jun, 2022 1 commit
    • Support cancellation points · 421084cc
      Tamas Petz authored
      The new configuration option LIBSHIM_CANCELLATION_POINTS
      enables or disables support for cancellation points.
      
      The new argument "cg" is an int*: if it is non-null and
      the pointed value is not zero the system call is cancelled.
      
      This is basically just some labels which can be used to
      check whether a PC is within a range. In addition, a test
      helper is also available: if __shim_pause_in_cp is implemented
      and it returns nonzero, the current system call will busy-wait
      forever. This can be used to test cancellation integration with
      libc: a thread can be stopped reliably within the cancellable
      region.
      
      Wrappers do not support cancellation points.
      
      Change-Id: I40bf2fcb3119fef7b60eda6c8079854eb7f442bd
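The cancellation-point interface this commit describes, as an added example that is not libshim's code: a raw syscall wrapper taking the `cg` flag, the weak `__shim_pause_in_cp` test hook, and two labels that delimit the cancellable region so a PC can be tested against it. Everything beyond what the commit states is an assumption of this example: the names `shim_svc_cancellable` and `shim_pc_in_cp`, returning `-ECANCELED` on cancellation, issuing the call through `syscall(2)` rather than libshim's own svc path, and a GCC/Clang toolchain on Linux (labels-as-values and weak symbols).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Test hook as described in the commit: if a test build defines this and it
 * returns nonzero, the wrapper busy-waits inside the cancellable region so
 * the thread can be stopped there reliably. Declared weak so that with no
 * definition the symbol resolves to NULL and the hook is skipped. */
int __shim_pause_in_cp(void) __attribute__((weak));

/* Start/end PCs of the cancellable region, taken from labels in the wrapper
 * (GCC/Clang labels-as-values extension). Zero until the wrapper first runs. */
static uintptr_t cp_begin_pc, cp_end_pc;

/* Returns 1 if pc lies within [cp_begin_pc, cp_end_pc), else 0. A libc's
 * cancellation code would call something like this (name is an assumption)
 * from a signal handler to decide whether the interrupted thread was inside
 * a cancellation point. */
int shim_pc_in_cp(uintptr_t pc)
{
    return cp_begin_pc != 0 && pc >= cp_begin_pc && pc < cp_end_pc;
}

/* Cancellable raw syscall with up to three arguments. cg is the cancellation
 * flag: if non-NULL and *cg != 0 the syscall is not issued and -ECANCELED is
 * returned (errno choice is an assumption). Otherwise the kernel result is
 * returned in raw form: >= 0 on success, -errno on failure. */
long shim_svc_cancellable(long nr, long a0, long a1, long a2, int *cg)
{
    cp_begin_pc = (uintptr_t)&&cp_begin;
    cp_end_pc = (uintptr_t)&&cp_end;

    if (cg != NULL && *cg != 0)
        return -ECANCELED;

cp_begin:
    __asm__ volatile("" ::: "memory");   /* compiler barrier: keep region ordered */
    if (__shim_pause_in_cp != NULL && __shim_pause_in_cp() != 0)
        for (;;) { }                     /* park the thread here for a test */
    long r = syscall(nr, a0, a1, a2);
    if (r == -1)
        r = -errno;                      /* libc -1/errno -> raw -errno */
    __asm__ volatile("" ::: "memory");
cp_end:
    return r;
}
```

With `cg` pointing at a nonzero int the kernel is never entered; with a zero flag or a NULL `cg` the call behaves like an ordinary raw syscall. Note that the check happens before the region starts: a flag set after the thread has passed it is only observed by whatever inspects `shim_pc_in_cp` on the interrupting side.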
  4. 16 Jun, 2022 1 commit
    • Move shim_svc_impl.h to svc.cpp · c2ad046a
      Tamas Petz authored
      With cancellation support there will be more logic,
      and we will need to export some symbols. Header
      inclusion prevents developing cancellation points.
      
      Change-Id: I792aa88a0944f630b5d892ce187238f0ad003902
  5. 15 Jun, 2022 2 commits
  6. 14 Jun, 2022 2 commits
  7. 13 Jun, 2022 1 commit
  8. 06 Jun, 2022 1 commit
  9. 26 May, 2022 1 commit
    • Add __shim_is_pure_capability() · 7920d813
      Tamas Petz authored
      This function returns true if libshim was compiled
      for pure-capability ABI, otherwise false.
      
      Change-Id: I91659f7901ac11ccdbddce4ae5636100686592d3
  10. 20 May, 2022 1 commit
    • Add generic arguments marshaling · 6818f7ec
      Tamas Petz authored
      This change adds a high-level implementation of arguments
      marshaling. It is meant to be a long-term replacement of
      the assembly implementation. The benefit is that this
      code uses cheriintrin.h and so it is architecture
      independent.
      
      Change-Id: Ia9889d7e23d434f931d64b365106fa2e59d423ac
  11. 17 May, 2022 4 commits
  12. 10 May, 2022 2 commits
  13. 03 May, 2022 1 commit
    • [CHERIseed] Implement 'svc' for the sanitizer · 7bb64b23
      Tamas Petz authored
      CHERIseed will transform parameters such that right before
      the actual system call all arguments should be "peeked" using
      '__builtin_cheri_address_get' builtin.
      
      This is due to the behaviour of the sanitizer: an int-to-ptr
      operation creates a new capability on stack and sets its value
      to the integer value.
      
      Change-Id: Ie1025ab580fd9d7bcfb82d4b540001d92a07390b
  14. 28 Apr, 2022 4 commits
    • [CHERIseed] Disable code path in clone() · d72268cc
      Tamas Petz authored
      CHERIseed targets capability-unaware architectures
      and so there is no such register as Morello's 'ctpidr_el0'.
      
      Change-Id: I8ff5e5ba8467006550b362a75c75560c37a45c2d
    • [CHERIseed] Automatically detect feature · f91daf47
      Tamas Petz authored
      __SANITIZE_CHERISEED__ is defined to '1', if libshim is
      compiled with '-fsanitize=cheriseed', otherwise it is
      undefined.
      
      Change-Id: I9ed8505ba5610b0376dc84a6573c625883bfcb0f
    • [CHERIseed] All assembly snippets are safe · 7aa38cad
      Tamas Petz authored
      Libshim has some assembly snippets but all of them
      have been reviewed for CHERIseed, therefore all of
      them are safe. There is no need to emit warnings
      during build.
      
      Change-Id: I0cdcec05193efc99b1b52df6acd4973ccc37ffd1
    • Implement marshalling of mcontext · 0d94ff7b
      Tamas Petz authored
      Marshalling this member of ucontext depends on the architecture,
      therefore it is now extracted into a separate file.
      
      Change-Id: I827f7128517096da5233551a9c09c45351298420
  15. 07 Apr, 2022 1 commit
  16. 14 Jan, 2022 1 commit
  17. 05 Jan, 2022 1 commit
  18. 15 Dec, 2021 1 commit
    • Set bounds and permissions for argv and envp elements · 27f236ed
      Yury Khrustalev authored
      Each element of argv and envp gets its bounds set based on
      the strlen result for it: the resulting capability length
      will cover the entire string plus null character at the end.
      
      This patch also sets permissions of argv and envp elements.
      
      Change-Id: I370d0bc016eb6adfd2d9d84e0958b04e2514f175
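The bounds computation this commit describes, as an added example that is not libshim's code: each argv/envp element is narrowed to `strlen + 1` bytes so the capability covers the string and its terminating NUL, and its permissions are reduced. The helper names (`shim_string_bound`, `shim_bound_string`, `shim_bound_vector`), the choice of keeping only the load permission, and the extra step of narrowing the vector itself to its `n + 1` slots go beyond the commit and are this example's assumptions. On a CHERI pure-capability build it uses `cheri_bounds_set`, `cheri_perms_and` and `CHERI_PERM_LOAD` from `cheriintrin.h`; on an ordinary toolchain those fall back to no-ops so the length logic can still be run. The sample argv is constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#ifdef __CHERI_PURE_CAPABILITY__
#include <cheriintrin.h>   /* cheri_bounds_set, cheri_perms_and, CHERI_PERM_LOAD */
#else
/* Fallbacks for capability-unaware builds (assumption: same names as the
 * cheriintrin.h helpers). Pointers are returned untouched. */
#define cheri_bounds_set(p, len) (p)
#define cheri_perms_and(p, perms) (p)
#define CHERI_PERM_LOAD 0
#endif

/* Length a string element's capability is narrowed to: the string plus its
 * terminating NUL, so an empty string still gets a 1-byte bound. */
size_t shim_string_bound(const char *s)
{
    return strlen(s) + 1;
}

/* Narrow one argv/envp element: bounds from strlen, then drop every
 * permission except load. The commit only says permissions are set; the
 * exact mask here is an assumption. */
char *shim_bound_string(char *s)
{
    s = cheri_bounds_set(s, shim_string_bound(s));
    return cheri_perms_and(s, CHERI_PERM_LOAD);
}

/* Apply shim_bound_string to every element of a NULL-terminated vector and,
 * going beyond the commit, narrow the vector itself to its n + 1 slots
 * (n elements plus the terminating NULL). Returns the element count. */
size_t shim_bound_vector(char ***vecp)
{
    char **vec = *vecp;
    size_t n = 0;
    for (; vec[n] != NULL; n++)
        vec[n] = shim_bound_string(vec[n]);
    *vecp = cheri_bounds_set(vec, (n + 1) * sizeof(char *));
    return n;
}

/* Constructed sample input (not from the page): a three-element argv. */
static char sample_a0[] = "prog", sample_a1[] = "--flag=1", sample_a2[] = "";
static char *sample_argv[] = { sample_a0, sample_a1, sample_a2, NULL };

char **shim_sample_argv(void)
{
    return sample_argv;
}
```

On a pure-capability build, `cheri_length_get(argv[i])` after `shim_bound_vector` reads back exactly `strlen(argv[i]) + 1`, and a store through the element faults; on a conventional build the pointers are unchanged and only the counts can be checked.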
  19. 10 Dec, 2021 1 commit
    • Remove 'shim_used' helper function · f9d48d7a
      Tamas Petz authored
      It is used in only one place and the same results can be
      achieved with no inline asm.
      
      Change-Id: Ic438ecb4786adfb66b31b66d3e1e08136837b088
  20. 07 Dec, 2021 1 commit
  21. 02 Dec, 2021 1 commit
    • Fix struct sigaction check in rt_sigaction · 3c1e343d
      Jack Bond-Preston authored
      Change argument check from pointer to struct sigaction to pointer to
      local_sigaction_t.
      The kernel ABI sigaction struct is not guaranteed to match the libc ABI
      sigaction struct. In Musl, these (struct k_sigaction and struct
      sigaction, respectively) are different sizes and previously the libshim
      check on rt_sigaction would fail.
      Signed-off-by: Jack Bond-Preston <jack.bond-preston@arm.com>
      Change-Id: Ifb91a54e4054477cf4633b5547a69c1aa56f7814
  22. 24 Nov, 2021 1 commit
    • Add AT_CHERI root capabilities to auxv · 6f6fef9d
      Werner Lewis authored
      A set of experimental auxv members are defined to provide root RX, RW
      and sealing capabilities. These are derived from DDC with appropriate
      permissions. Bounds are unchanged for RX/RW and set to max object type
      value for sealing. These bounds should ideally be narrower to include
      only the writable range for RW, only the executable range for RX, and
      the required range for sealing.
      
      Change-Id: If65eb32d7e4e4efca04c9cb85cc57ee72ef506c5
  23. 22 Nov, 2021 1 commit
    • Transform ucontext_t* signal handler argument · 8cae6fdc
      Kevin Brodsky authored
      Currently pure-cap signal handlers cannot directly access the
      ucontext pointer argument because libshim just passes it through.
      
      This change fixes this by transforming the ucontext argument like
      the info argument: the pointer itself is transformed as usual, and
      the struct it points to (ucontext_t) also needs to be transformed
      as it contains a few pointers. The layout of ucontext_t is highly
      architecture-dependent, so its transformation must be special-cased
      for each architecture (currently aarch64 and x86_64).
      
      Change-Id: Ied0f59845d2634b6428b5882fec7ac029d8e462e
  24. 19 Oct, 2021 1 commit
    • Introduce LIBSHIM_ZERO_DDC configuration option · 6ac7fd46
      Tamas Petz authored
      When LIBSHIM_ZERO_DDC is enabled and targeting pure capability ABI,
      do_raw_args_marshalling() saves the original value of DDC and then
      clears it. This is meant to prevent deriving tagged capabilities
      from that point onwards using the original DDC value outside
      libshim.
      
      This change also removes 'rootcap' usages from libshim.
      
      Built and tested on FVP.
      
      Change-Id: I4cae99095f96999f5052ba83e43469168f7495cb
  25. 18 Oct, 2021 1 commit
  26. 13 Oct, 2021 1 commit
    • Split static and dynamic libc support · e996a08a
      Tamas Petz authored
      Static libc should contain all the symbols necessary to run
      an application. Dynamic libc, however, should only contain
      symbols which are not "duplicated" in the dynamic linker.
      
      So far both the dynamic linker and the shared libc had all
      the libshim symbols. This proved to be working correctly,
      however, having a fully singleton libshim is desirable.
      
      From now on only symbols which are mandatory for libc are
      provided, all the other libshim-internal symbols are weak.
      Because the dynamic linker has the strong alternatives of
      these symbols, the linker will resolve these weak symbols so
      that they come from the linker. This allows implementation
      of a singleton pattern for libshim.
      
      Built and tested on FVP.
      
      Change-Id: I071ca7e23488293425990ead2c9261497c96786c
  27. 12 Oct, 2021 1 commit
  28. 01 Oct, 2021 1 commit
  29. 29 Sep, 2021 1 commit
    • [NFC] Clarify failed and best-effort calls · 5ee0ab05
      Tamas Petz authored
      To ease debugging, this change adds support for distinguishing
      between system calls that are made best-effort and calls which
      actually failed when the related message gets printed.
      
      Change-Id: I05fd769ed2fcc391e8ce2ce823b0bcdf86a21e9e