[libunwind] Support rtld-c18n as the runtime linker.

This commit adds support for backtrace and exception handling in
libunwind when the process is running with the compartmentalization
runtime linker. The unwinding process remains the same until a
trampoline is encountered as the return address. This means that we are
crossing compartment boundaries and we need to gather the unwind
information from the runtime linker. We do this by reading information
from the executive stack that the runtime linker populates for us in
unw_getcontext.

It also adds a new class, CompartmentInfo, which is responsible for
abstracting away the details of c18n compartments. Currently, it is only
used to define the constants relating to the trusted frame layout.

There are two ways to compile this code:
 - LIBUNWIND_SANDBOX_OTYPES only;
 - LIBUNWIND_SANDBOX_OTYPES and LIBUNWIND_SANDBOX_HARDENED.

When LIBUNWIND_SANDBOX_HARDENED is specified, every stack pointer, frame
pointer and callee-saved register will be sealed in the unwind register
context. This is to prevent leakage of capabilities through the register
context as much as possible. There are two exceptions to this:
 - When unw_set_reg() is called from a libunwind consumer, the caller
   might expect to be able to retrieve the capability it stored in the
   context, and sealing it will break the API semantics;
 - When the capability that is in the context is a sentry. These can't
   be sealed using an otype.

The otype allocated to libunwind is given to libunwind by the runtime
linker via the _rtld_unw_getsealer function.

This functionality only works on Morello right now.

libunwind/include/__libunwind_config.h

@@ -11,6 +11,14 @@
 
 #define _LIBUNWIND_VERSION 15000
 
+#if defined(_LIBUNWIND_SANDBOX_HARDENED) && !defined(_LIBUNWIND_SANDBOX_OTYPES)
+#error "_LIBUNWIND_SANDBOX_HARDENED is invalid without a sandboxing mechanism"
+#endif
+
+#if defined(_LIBUNWIND_SANDBOX_OTYPES) && defined(_LIBUNWIND_NO_HEAP)
+#error "_LIBUNWIND_NO_HEAP cannot be used with _LIBUNWIND_SANDBOX_OTYPES"
+#endif
+
 #if defined(__arm__) && !defined(__USING_SJLJ_EXCEPTIONS__) && \
     !defined(__ARM_DWARF_EH__) && !defined(__SEH__)
 #define _LIBUNWIND_ARM_EHABI
@@ -20,7 +28,7 @@
 #define _LIBUNWIND_HIGHEST_DWARF_REGISTER_X86_64    32
 #define _LIBUNWIND_HIGHEST_DWARF_REGISTER_PPC       112
 #define _LIBUNWIND_HIGHEST_DWARF_REGISTER_PPC64     116
-#define _LIBUNWIND_HIGHEST_DWARF_REGISTER_MORELLO   229
+#define _LIBUNWIND_HIGHEST_DWARF_REGISTER_MORELLO   230
 #define _LIBUNWIND_HIGHEST_DWARF_REGISTER_ARM64     95
 #define _LIBUNWIND_HIGHEST_DWARF_REGISTER_ARM       287
 #define _LIBUNWIND_HIGHEST_DWARF_REGISTER_OR1K      32
@@ -76,11 +84,11 @@
 # elif defined(__aarch64__)
 #  define _LIBUNWIND_TARGET_AARCH64 1
 #  if defined(__CHERI_PURE_CAPABILITY__)
-#    define _LIBUNWIND_CONTEXT_SIZE 100
+#    define _LIBUNWIND_CONTEXT_SIZE 102
 #    if defined(__SEH__)
 #      error "Pure-capability aarch64 SEH not supported"
 #    else
-#      define _LIBUNWIND_CURSOR_SIZE 124
+#      define _LIBUNWIND_CURSOR_SIZE 126
 #    endif
 #    define _LIBUNWIND_HIGHEST_DWARF_REGISTER _LIBUNWIND_HIGHEST_DWARF_REGISTER_MORELLO
 #  else

libunwind/include/libunwind.h

@@ -678,7 +678,8 @@ enum {
   UNW_ARM64_C30 = 228,
   UNW_ARM64_CLR = 228,
   UNW_ARM64_C31 = 229,
-  UNW_ARM64_CSP = 229
+  UNW_ARM64_CSP = 229,
+  UNW_ARM64_ECSP = 230,
 };
 
 // 32-bit ARM registers. Numbers match DWARF for ARM spec #3.1 Table 1.

libunwind/src/AddressSpace.hpp

@@ -22,6 +22,7 @@
 #include "dwarf2.h"
 #include "EHHeaderParser.hpp"
 #include "Registers.hpp"
+#include "unwind_cheri.h"
 
 // We can no longer include C++ headers so duplicate std::min() here
 template<typename T> T uw_min(T a, T b) { return a < b ? a : b; }
@@ -320,6 +321,12 @@ class _LIBUNWIND_HIDDEN LocalAddressSpace {
     return get<v128>(addr);
   }
   capability_t     getCapability(pint_t addr) { return get<capability_t>(addr); }
+#if defined(__CHERI_PURE_CAPABILITY__) && defined(_LIBUNWIND_SANDBOX_OTYPES)
+  static uintcap_t getUnwindSealer();
+  static bool isValidSealer(uintcap_t sealer) {
+    return __builtin_cheri_tag_get(sealer);
+  }
+#endif // __CHERI_PURE_CAPABILITY__ && _LIBUNWIND_SANDBOX_OTYPES
   __attribute__((always_inline))
   uintptr_t       getP(pint_t addr);
   uint64_t        getRegister(pint_t addr);
@@ -408,6 +415,25 @@ inline uint64_t LocalAddressSpace::getRegister(pint_t addr) {
 #endif
 }
 
+#if defined(__CHERI_PURE_CAPABILITY__) && defined(_LIBUNWIND_SANDBOX_OTYPES)
+extern "C" {
+/// Call into the RTLD to get a sealer capability. This sealer will be used to
+/// seal information in the unwinding context if _LIBUNWIND_SANDBOX_HARDENED is
+/// specified.
+uintptr_t _rtld_unw_getsealer(void);
+uintptr_t __rtld_unw_getsealer();
+_LIBUNWIND_HIDDEN uintptr_t __rtld_unw_getsealer() {
+  return (uintptr_t)0;
+}
+_LIBUNWIND_WEAK_ALIAS(__rtld_unw_getsealer, _rtld_unw_getsealer)
+}
+
+/// C++ wrapper for calling into RTLD.
+inline uintcap_t LocalAddressSpace::getUnwindSealer() {
+  return _rtld_unw_getsealer();
+}
+#endif // __CHERI_PURE_CAPABILITY__ && _LIBUNWIND_SANDBOX_OTYPES
+
 /// Read a ULEB128 into a 64-bit word.
 inline uint64_t LocalAddressSpace::getULEB128(pint_t &addr, pint_t end) {
   const uint8_t *p = (uint8_t *)addr;
@@ -932,7 +958,8 @@ inline bool LocalAddressSpace::findUnwindSections(pc_t targetAddr,
     return true;
 #elif defined(_LIBUNWIND_USE_DL_ITERATE_PHDR)
   dl_iterate_cb_data cb_data = {this, &info, targetAddr};
-  CHERI_DBG("Calling dl_iterate_phdr()\n");
+  CHERI_DBG("Calling dl_iterate_phdr(0x%jx)\n",
+            (uintmax_t)targetAddr.address());
   int found = dl_iterate_phdr(findUnwindSectionsByPhdr, &cb_data);
   return static_cast<bool>(found);
 #endif

libunwind/src/CMakeLists.txt

@@ -80,6 +80,7 @@ set(LIBUNWIND_HEADERS
     Registers.hpp
     RWMutex.hpp
     Unwind-EHABI.h
+    unwind_cheri.h
     UnwindCursor.hpp
     ../include/libunwind.h
     ../include/unwind.h

libunwind/src/CompartmentInfo.hpp

@@ -0,0 +1,39 @@
+//===----------------------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//
+// Abstracts unwind information when used with a compartmentalizing runtime
+// linker.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef __COMPARTMENT_INFO_HPP__
+#define __COMPARTMENT_INFO_HPP__
+
+namespace libunwind {
+class _LIBUNWIND_HIDDEN CompartmentInfo {
+public:
+  static CompartmentInfo sThisCompartmentInfo;
+#if defined(__CHERI_PURE_CAPABILITY__)
+  static const uintcap_t kInvalidRCSP = (uintcap_t)0;
+  // Per-architecture trusted stack frame layout.
+#if defined(_LIBUNWIND_TARGET_AARCH64)
+  static const uint32_t kNewSPOffset = 48;
+  static const uint32_t kNextOffset = 32;
+  static const uint32_t kFPOffset = 0;
+  static const uint32_t kCalleeSavedOffset = 80;
+  static const uint32_t kCalleeSavedCount = 10;
+  static const uint32_t kCalleeSavedSize = 16;
+  static const uint32_t kReturnAddressOffset = 40;
+  static const uint32_t kPCOffset = 16;
+  // kCalleeSavedCount - 1 because kCalleeSavedOffset is the first one.
+  static const uint32_t kTrustedFrameSize =
+      kCalleeSavedOffset + (kCalleeSavedCount - 1) * kCalleeSavedSize;
+#endif // _LIBUNWIND_TARGET_AARCH64
+#endif // __CHERI_PURE_CAPABILITY__
+};
+} // namespace libunwind
+#endif // __COMPARTMENT_INFO_HPP__