One trusted stack for each thread: pcb_cheristack. Initialized to empty when the first thread in a process is created.

Stack updates/inspections happen in the following situations:
- CCall exception
- CReturn exception
- CHERI_GET_STACK via the sysarch system call
- CHERI_SET_STACK via the sysarch system call
- cheri_stack_unwind: if a signal is delivered to a thread that is executing sandboxed code, and suitable signal-handling configuration has not been set up to safely receive the delivered signal, then for certain signals the kernel will automatically unwind the stack back to the caller of the sandbox.
- show cheristack command in DDB.

The TLS stores the trusted stack pointer; see the trampolines of libcheri.
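The trusted-stack operations listed above, as an added model written for this page rather than CheriBSD's own pcb_cheristack code: CCall pushes a frame, CReturn pops one, and cheri_stack_unwind discards every frame above the sandbox's caller. The frame contents, the fixed capacity and the function names are assumptions made for the illustration.

```c
/* Added model of CheriBSD's per-thread trusted stack, not the kernel's own
 * pcb_cheristack code; frame layout and capacity are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define TSTACK_DEPTH 8                 /* assumed fixed capacity */

struct tframe {                        /* assumed frame contents */
    unsigned long caller_pcc;          /* caller's program counter capability */
    unsigned long caller_csp;          /* caller's stack capability */
};

struct trusted_stack {
    size_t depth;                      /* 0 when the first thread is created */
    struct tframe frames[TSTACK_DEPTH];
};

void tstack_init(struct trusted_stack *ts) { memset(ts, 0, sizeof *ts); }

/* CCall exception: save where to return before entering the sandbox. */
bool tstack_ccall(struct trusted_stack *ts, unsigned long pcc, unsigned long csp)
{
    if (ts->depth == TSTACK_DEPTH)
        return false;                  /* overflow: the call is refused */
    ts->frames[ts->depth].caller_pcc = pcc;
    ts->frames[ts->depth].caller_csp = csp;
    ts->depth++;
    return true;
}

/* CReturn exception: pop the most recent frame; returning with nothing
 * pushed is a fault, not a silent success. */
bool tstack_creturn(struct trusted_stack *ts, struct tframe *out)
{
    if (ts->depth == 0)
        return false;
    *out = ts->frames[--ts->depth];
    return true;
}

/* cheri_stack_unwind: an unhandled signal inside sandboxed code discards
 * every frame above the sandbox's caller; *out is where execution resumes. */
bool tstack_unwind(struct trusted_stack *ts, size_t caller_depth, struct tframe *out)
{
    if (caller_depth >= ts->depth)
        return false;                  /* nothing to unwind */
    *out = ts->frames[caller_depth];
    ts->depth = caller_depth;
    return true;
}
```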
The TLS pointer is derived from the stack pointer $29 when __CHERI_CAPABILITY_TLS__ is disabled. When __CHERI_CAPABILITY_TLS__ is enabled, the TLS pointer is derived from $chwr_userlocal instead of $29:
// file lib/libc/mips/static_tls.h
static __inline uintptr_t
_libc_get_static_tls_base(size_t offset)
{
#ifndef __CHERI_CAPABILITY_TLS__
	vaddr_t tlsbase;       /* plain integer address */
#else
	uintptr_t tlsbase;     /* capability-sized when TLS is capability-based */
#endif
#if defined(__mips_n64)
#ifndef __CHERI_CAPABILITY_TLS__
	/* Read the user-local hardware register $29 with rdhwr. */
	__asm__ __volatile__ (
	    ".set\tpush\n\t"
	    ".set\tmips64r2\n\t"
	    "rdhwr\t%0, $29\n\t"
	    ".set\tpop"
	    : "=r" (tlsbase));
#else
	/* Read the user-local capability register instead. */
	__asm__ __volatile__ (
	    "creadhwr\t%0, $chwr_userlocal"
	    : "=C" (tlsbase));
#endif
	/* Step back from the thread pointer over the TCB to the TLS base. */
	tlsbase -= TLS_TP_OFFSET + TLS_TCB_SIZE;
#else /* mips 32 */
	__asm__ __volatile__ (
	    ".set\tpush\n\t"
	    ".set\tmips32r2\n\t"
	    "rdhwr\t%0, $29\n\t"
	    ".set\tpop"
	    : "=r" (tlsbase));
	tlsbase -= TLS_TP_OFFSET + TLS_TCB_SIZE;
#endif /* ! __mips_n64 */
	tlsbase += offset;
	return (tlsbase);
}
If you could revise the fundamental principles of computer system design to improve security... what would you change?