c18n: Autumn 2023 release #1653
Conversation
There was a problem hiding this comment.
I'm not sure how best to integrate the libunwind changes. Perhaps @jrtc27, @arichardson, or @bsdjhb have opinions.
dpgao
force-pushed
the
c18n
branch
2 times, most recently
from
d1dcb82
to
18d13f8
Compare
dpgao
force-pushed
the
c18n
branch
2 times, most recently
from
40c238f
to
a24c2bf
Compare
dpgao
force-pushed
the
c18n
branch
14 times, most recently
from
e81efa3
to
25e6fa9
Compare
There was a problem hiding this comment.
Mostly fine, but there are a few later commits that fix things up in earlier commits that need squashing into the earlier commits or, in some cases, may need to be reordered (i.e. ideally the "don't use c30 to determine restricted" commit would come before the one that adds the rtld_die hack so that never gets introduced in the history)
lib/libthr/thread/thr_exit.c
Outdated
| @@ -322,7 +326,11 @@ exit_thread(void) | |||
| * Kernel will do wakeup at the address, so joiner thread | |||
| * will be resumed if it is sleeping at the address. | |||
| */ | |||
| #if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX) | |||
| _rtld_thr_exit(&curthread->tid); | |||
There was a problem hiding this comment.
This PR does things the old way in the initial commit and then later reworks things; please squash that rather than introducing code you later remove
| table_index_to_compart_id(unsigned index) | ||
| { | ||
| struct tramp_stk_table dummy; | ||
| return (sizeof(dummy.stacks->bottom) * index / sizeof(*dummy.stacks)); |
There was a problem hiding this comment.
Not resolved in the commit this was a comment on. Resolving it in a later commit leaves incorrectly-styled code in the history.
libexec/rtld-elf/rtld_c18n.c
Outdated
| size_t size = atomic_load_explicit(&pg->size, memory_order_relaxed); | ||
| do { |
There was a problem hiding this comment.
Still present in the first big commit
dpgao
force-pushed
the
c18n
branch
11 times, most recently
from
d63f0f1
to
b2d5fa6
Compare
There was a problem hiding this comment.
I cannot review the benchmark ABI commit. It's hundreds of lines of churn completely reworking implementations beyond just adding some #ifdefs. That is not how to do things, either fold the reworking into earlier commits so there's less "do A, wait no do B, wait no do C instead" or, if it's instead reworking code that this PR hasn't touched before that point then a separate commit is fine, but not as part of the benchmark ABI commit. That has to be "add benchmark ABI without messing with existing purecap implementation beyond adding some ifs/#ifdefs", not shuffling things around, rewriting assembly sequences, adding entirely new sets of functions used in both cases, etc.
| table_index_to_compart_id(unsigned index) | ||
| { | ||
| struct tramp_stk_table dummy; | ||
| return (sizeof(dummy.stacks->bottom) * index / sizeof(*dummy.stacks)); |
There was a problem hiding this comment.
Not resolved in the commit this was a comment on. Resolving it in a later commit leaves incorrectly-styled code in the history.
dpgao
force-pushed
the
c18n
branch
3 times, most recently
from
9ee9fbc
to
c207bc4
Compare
Stack unwinding does not work under c18n so we explicitly disable it.
AT_PHDR is not executable and it is not necessary to clear its Executive permission bit. See freebsd_copyout_auxargs in sys/kern/imgact_elf.c.
(1) Support new ABI for passing memory arguments This commit supports the new purecap ABI for passing memory arguments (enabled by -morello-bounded-memargs=caller-only). During a compartment transition, the trampolines copy memory arguments (if any) to the callee's stack. Trampolines now also save and clear callee-saved registers in the trusted stack. The implementation of setjmp and longjmp are updated to support the resulting enlarged trusted frames. The trampoline generation infrastructure has been improve to allow better extensibility. (2) Clear unused registers during compartment transition Implements unused argument/return value register clearing for dynamic functions resolved by name (i.e., not function pointers). This implementation relies on a custom ELF section recording the signature of each dynamic function. (3) Allow multiple libraries in one compartment Introduce a policy mechanism that allows (a) multiple libraries to be in the same compartment so that no trampolines are inserted for function calls between them, and (b) certain 'trusted' symbols to be resolved directly without being wrapped by a trampoline. Feature (b) is used to mark a number of libc str* and mem* functions as trusted, significantly reducing the number of domain transitions for typical applications. setjmp/longjmp are also mark as trusted, which results in significantly simpler implementations to make them work under c18n.
Put atomic variables on different cache lines and put the first two capability-sized words of a trampoline on the same cache line.
This PR contains changes pertaining to compartmentalisation that should be included in the autumn 2023 release.
Key changes:
Support for the benchmark ABI.Note: Support for the benchmark ABI has not been merged yet.