References:
[1] CHERI ISA v5 (2016), v6(2017), v7 (2019).
[2] CheriBSD, github, link.
2016 v5: Initial in-kernel privilege limitation
2017 v6: Mature kernel privilege limitation
[3] CHERI programmer’s guide, UCAM-CL-TR-877, 2015.
Kernel has no capability state during context switch: kernel state
How does CheriBSD do memory partition for physical memory tags?
Reference 1 ISAv7 ch3.8.3 Virtual Memory -> Authorizing MMU Control CHERI controls the use of privileged instructions and control registers that configure the MMU: Access_System_Registers permission must be present on PCC; for software managed-TLB, retrieving and inserting TLB entries also requires above permission on PCC/KCC/KDC; for hardware page-table walker, CHERI currently does not control memory acecesses performed by the walker via physical addresses. Page-Table Entry & TLB entry Permissions ISAv7 ch3.
References: [1] CHERI programmer’s guide, UCAM-CL-TR-877 Chapter 8.4, 2015. One trusted stack for each thread: pcb_cheristack. Initialized to empty when first thread in a process is created. Stack updates/inspections in the following situations: CCall exception CReturn exception CHERI_GET_STACK via sysarch system call CHERI_SET_STACK via sysarch system call cheri_stack_unwind: if a signal is delivered to a thread that is executing sandboxed code, and suitable signal-handling configuration has not been set up to safely receive the delivered signal, then for certian signals the kernel will automatically unwind the stack back to the caller of the sandbox.
Q & A where is the tagged memory being partitioned? The call path: boot2 -> ? -> locore.S: _locore/_start/unknown/btext -> platform_start() ? cheri_cpu_startup() in mips/cheri/cheri.c conf/ldscript.mips.mips64:34 ENTRY(_start) ? The BERIpad tablet: open-source construction, CPU, OS and applications: A small built-in ROM in BERI is able to relocate a FreeBSD kernel out of flash, or, if a DIP switch is set, make use of a kernel loaded directly into DRAM using JTAG.
e.g. PCC initialization Every userspace PCC get default bound as 2^39. hybridabi_capability_set_user_entry() creates the code capability with entry address. The PCC base is default as CHERI_CAP_USER_CODE_BASE, length is CHERI_CAP_USER_CODE_LENGTH, perm is CHERI_CAP_USER_CODE_PERMS. CHERI_CAP_USER_CODE_BASE (sys/mips/include/cherireg.h): 0x000000 CHERI_CAP_USER_CODE_LENGTH (sys/mips/include/cherireg.h): (VM_MAXUSER_ADDRESS - VM_MINUSER_ADDRESS) = 0x0000,0080,0000,0000 = 2^39 see tracking code below. CHERI_CAP_USER_CODE_PERMS (sys/mips/include/cherireg.h): CHERI_PERMS_USERSPACE | CHERI_PERM_EXECUTE #define CHERI_PERMS_USERSPACE \ (CHERI_PERM_GLOBAL | CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP | \ CHERI_PERM_CCALL | (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP))// file // sys/mips/include/vmparam.
Change List libprocstat(3) library and procstat(1) command: extended to inspect sandbox statistics. libcheri(3): a sandbox API, and a set of system-class objects that can be delegated to sandboxes. Currently (1), this consists of a singleton system object that provides the ability to print to stdout, and a file-descriptor class that allows delegation of individual kernel-provided file descriptors to sandboxes. libc_cheri(3): core C-language APIs and services within sandboxes.
If you could revise
the fundmental principles of
computer system design
to improve security...
... what would you change?