Kernel Change List


References:

[1] CHERI programmer’s guide, UCAM-CL-TR-877, 2015.


Overview

  • booting: enable capability coprocessor.
  • per-thread TCB:
    • a saved capability register file;
    • a per-thread trusted stack
  • context-switching: save/restore capability register file for userspace.
  • kernel debugger: print capability register file and other CHERI-related info.
  • virtual-memory subsystem:
    • anonymous (swap-backed) memory objects: memory tags preserved;
    • memory mappings are permitted to set the CHERI TLB bits enabling tagged loads and stores.
    • other memory objects do not yet preserve tags.
  • kernel memory copying:
    • new routines preserve tags;
    • selectively used: in copying register files and explicit tag-preserving copies;
    • majority of kernel memory copies are not tag-preserving.
  • system call permission:
    • rejects system calls from code whose $PCC register does not carry the CHERI_PERM_SYSCALL user-defined permission bit, preventing sandboxes from directly invoking system services;
    • a sandbox must instead invoke a system class that is authorized to make system calls;
    • there should also be new system calls that do not need interposition, similar to the behaviour of Capsicum.
  • ccall and creturn fast exception handlers:
    • unseal the invoked object;
    • push the caller state onto the trusted stack;
    • restore it on return;
    • return to the caller if a fault occurs.
  • ktrace facility: allow object invocation/return to be traced.

  • capability faults:
    • faults in userspace;
    • delivered as signals, extending the signal trap frame to include capability registers;
    • allows userspace software (in particular, language runtimes) to catch and handle software protection faults.
  • extended to allow processes to export class, method, and object statistics.

  • supports CheriABI: a new ABI and system call interface:
    • all pointers passed to and from the kernel are implemented as capabilities;
    • allows userspace processes to execute pure-capability-ABI binaries that have no dependence on conventional MIPS pointers.
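A constructed C model of two of the mechanisms listed above, the CHERI_PERM_SYSCALL check on the invoking $PCC and the trusted stack that ccall pushes and creturn (or a fault unwind) pops. This is added example code, not CheriBSD's own; the permission bit value, the stack depth, and all structure and function names are assumptions.

```c
/* Constructed model (not CheriBSD's code) of the CHERI_PERM_SYSCALL check on
 * $PCC and the per-thread trusted stack used by ccall/creturn. Capabilities
 * are reduced to a permission mask plus an id; all names here are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CHERI_PERM_SYSCALL (1u << 0)   /* bit position assumed, not from the notes */
#define TSTACK_DEPTH 8                 /* trusted-stack depth assumed */

struct cap { uint32_t perms; uint32_t id; };          /* toy capability */
struct tframe { struct cap pcc; struct cap idc; };    /* saved caller state */
struct thread {
    struct cap pcc, idc;                /* current code / data capability */
    size_t depth;
    struct tframe tstack[TSTACK_DEPTH]; /* per-thread trusted stack */
};

/* System call authorization: only code whose $PCC carries the user-defined
 * SYSCALL permission may enter the kernel directly; a sandbox without it has
 * to ccall into a system class that does carry it. */
bool syscall_permitted(const struct thread *t) {
    return (t->pcc.perms & CHERI_PERM_SYSCALL) != 0;
}

/* ccall: push the caller's state, then switch to the invoked object's
 * code and data capabilities. Fails when the trusted stack is full. */
bool ccall(struct thread *t, struct cap callee_pcc, struct cap callee_idc) {
    if (t->depth >= TSTACK_DEPTH) return false;
    t->tstack[t->depth++] = (struct tframe){t->pcc, t->idc};
    t->pcc = callee_pcc;
    t->idc = callee_idc;
    return true;
}

/* creturn: pop the most recent frame and restore the caller. Fails when
 * there is no matching ccall (empty trusted stack). */
bool creturn(struct thread *t) {
    if (t->depth == 0) return false;
    struct tframe *f = &t->tstack[--t->depth];
    t->pcc = f->pcc;
    t->idc = f->idc;
    return true;
}

/* Fault inside the callee: unwind one frame so control returns to the caller
 * with an error indication instead of the thread being killed. */
bool unwind_on_fault(struct thread *t, int *fault_code) {
    if (!creturn(t)) return false;   /* fault at the outermost frame: nothing to unwind to */
    *fault_code = -1;                /* constructed error value seen by the caller */
    return true;
}
```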

Source code

src/sys/mips/cheri/ and src/sys/mips/include contain the majority of the CHERI-specific code:

- coprocessor 2 initialization
- context management

headers

  • cheri.h: C-language definitions relating to capabilities
    • kernel-only context structures: cheri_kframe, cheri_signal;
    • kernel/user shared structures: cheri_frame, cheri_stack;
    • macro wrappers for inline assembly are provided for CHERI-aware software implemented via CHERI-unaware C, such as the kernel.
  • cheriasm.h: definitions for CHERI-aware assembly
    • kernel/userspace definitions: CHERI register names;
    • kernel-specific code used in exception handling.
  • cheric.h: compiler builtin wrappers for register access, such as cheri_getbase() and cheri_andperm(). Used only in userspace, because of its dependence on CHERI-aware Clang/LLVM.

  • cherireg.h: C macros suitable for use in both C and assembly that specify low-level CHERI constants, such as permission-mask values. For both kernel and userspace.

  • sys/sys/cheri_serial.h: provides a structure and definitions supporting serialization of capabilities independent of their size and micro-architectural details.

Source files

ccall.S: fast exception handlers for ccall and creturn. Errors go to the regular MipsUserGenException handler.

ccall_ktrace.S: slow-path exception handlers used to trace ccall and creturn invocations.

cheri.c: majority of CHERI-specific C code including:

  • debugging features;
  • sysctls;
  • initialization of the capability state of threads/processes;
  • handling of fork;
  • portion of signal handling;
  • exception logging;
  • system call authorization.

cheri_bcopy.S: CHERI version of memcpy and bcopy

  • suitable for use throughout the kernel
  • copyin and copyout do not use them? [ch 8.1, p49]

cheri_debug.c: CHERI commands for the in-kernel debugger.

cheri_exception.c: reporting CHERI exceptions and registers on the system console.

cheri_signal.c: CHERI signal handling infrastructure.

cheri_stack.c: CHERI trusted-stack initialization, copying, and unwinding, and sysarch system calls to get/set current trusted stack.

cheri_syscall.c: CHERI-related system-call infrastructure.

cheriabi_machdep.c: ISA dependent CheriABI support including

  • system call vector declaration;
  • argument parsing;
  • return handling;
  • signal handling;
  • process memory initialization.

sys/compat/cheriabi/*: ISA-independent CheriABI implementation. The implementation is modelled on the support for 32-bit binaries in sys/compat/freebsd32.


Questions

Todo list:

  • in cheri.h: “Macro wrappers for inline assembly are provided for CHERI-aware software implemented via CHERI-unaware C, such as the kernel”, what is this? How does the CHERI-aware and CHERI-unaware code interface each other here?
    • Lele: See CheriABI, which defines how userspace (full capability) interfaces with a kernel that has partial capability.
Created Jul 14, 2019 // Last Updated Oct 27, 2019
