diff --git a/arch/cortex-m/src/syscall.rs b/arch/cortex-m/src/syscall.rs index 9e9e63eef6..773158ba70 100644 --- a/arch/cortex-m/src/syscall.rs +++ b/arch/cortex-m/src/syscall.rs @@ -240,9 +240,9 @@ impl kernel::syscall::UserspaceKernelBoundary for SysCall // - Stack offset 4 is R12, which the syscall interface ignores let stack_bottom = state.psp as *mut usize; ptr::write(stack_bottom.offset(7), state.psr); //......... -> APSR - ptr::write(stack_bottom.offset(6), callback.pc | 1); //... -> PC + ptr::write(stack_bottom.offset(6), usize::from(callback.pc) | 1); //... -> PC ptr::write(stack_bottom.offset(5), state.yield_pc | 1); // -> LR - ptr::write(stack_bottom.offset(3), callback.argument3); // -> R3 + ptr::write(stack_bottom.offset(3), callback.argument3.into()); // -> R3 ptr::write(stack_bottom.offset(2), callback.argument2); // -> R2 ptr::write(stack_bottom.offset(1), callback.argument1); // -> R1 ptr::write(stack_bottom.offset(0), callback.argument0); // -> R0 @@ -308,8 +308,13 @@ impl kernel::syscall::UserspaceKernelBoundary for SysCall // Use the helper function to convert these raw values into a Tock // `Syscall` type. - let syscall = - kernel::syscall::Syscall::from_register_arguments(svc_num, r0, r1, r2, r3); + let syscall = kernel::syscall::Syscall::from_register_arguments( + svc_num, + r0, + r1.into(), + r2.into(), + r3.into(), + ); match syscall { Some(s) => kernel::syscall::ContextSwitchReason::SyscallFired { syscall: s }, diff --git a/arch/rv32i/src/syscall.rs b/arch/rv32i/src/syscall.rs index d2db3b5c17..0ea6aa9507 100644 --- a/arch/rv32i/src/syscall.rs +++ b/arch/rv32i/src/syscall.rs @@ -198,7 +198,7 @@ impl kernel::syscall::UserspaceKernelBoundary for SysCall { state.regs[R_A0] = callback.argument0 as u32; state.regs[R_A1] = callback.argument1 as u32; state.regs[R_A2] = callback.argument2 as u32; - state.regs[R_A3] = callback.argument3 as u32; + state.regs[R_A3] = callback.argument3.as_ptr::<()>() as usize as u32; // We also need to set the return address (ra) register so that the new // function that the process is running returns to the correct location. @@ -209,7 +209,7 @@ impl kernel::syscall::UserspaceKernelBoundary for SysCall { state.regs[R_RA] = state.pc; // Save the PC we expect to execute. - state.pc = callback.pc as u32; + state.pc = usize::from(callback.pc) as u32; Ok(()) } @@ -634,9 +634,9 @@ impl kernel::syscall::UserspaceKernelBoundary for SysCall { let syscall = kernel::syscall::Syscall::from_register_arguments( state.regs[R_A4] as u8, state.regs[R_A0] as usize, - state.regs[R_A1] as usize, - state.regs[R_A2] as usize, - state.regs[R_A3] as usize, + (state.regs[R_A1] as usize).into(), + (state.regs[R_A2] as usize).into(), + (state.regs[R_A3] as usize).into(), ); match syscall { diff --git a/kernel/src/grant.rs b/kernel/src/grant.rs index 2788bbd7c9..d8522d9b5c 100644 --- a/kernel/src/grant.rs +++ b/kernel/src/grant.rs @@ -138,6 +138,7 @@ use crate::process::{Error, Process, ProcessCustomGrantIdentifier, ProcessId}; use crate::processbuffer::{ReadOnlyProcessBuffer, ReadWriteProcessBuffer}; use crate::processbuffer::{ReadOnlyProcessBufferRef, ReadWriteProcessBufferRef}; use crate::upcall::{Upcall, UpcallError, UpcallId}; +use crate::utilities::capability_ptr::CapabilityPtr; use crate::ErrorCode; /// Tracks how many upcalls a grant instance supports automatically. @@ -707,8 +708,8 @@ impl<'a> GrantKernelData<'a> { #[repr(C)] #[derive(Default)] struct SavedUpcall { - appdata: usize, - fn_ptr: Option>, + appdata: CapabilityPtr, + fn_ptr: CapabilityPtr, } /// A minimal representation of a read-only allow from app, used for storing a diff --git a/kernel/src/kernel.rs b/kernel/src/kernel.rs index b9a22625ef..9fe455d250 100644 --- a/kernel/src/kernel.rs +++ b/kernel/src/kernel.rs @@ -9,7 +9,6 @@ //! etc.) is defined in the `scheduler` subcrate and selected by a board. use core::cell::Cell; -use core::ptr::NonNull; use crate::capabilities; use crate::config; @@ -877,15 +876,31 @@ impl Kernel { subscribe_num: subdriver_number, }; - // First check if `upcall_ptr` is null. A null - // `upcall_ptr` will result in `None` here and - // represents the special "unsubscribe" operation. - let ptr = NonNull::new(upcall_ptr); + // TODO: when the compiler supports capability types + // bring this back as a NonNull + // type. https://github.com/tock/tock/issues/4134. + // + // Previously, we had a NonNull type (that had a niche) + // here, and could wrap that in Option to fill the niche + // and handle the Null case. CapabilityPtr is filling + // the gap left by * const(), which does not have the + // niche and allows NULL internally. Having a CHERI + // capability type with a niche is (maybe?) predicated + // on having better compiler support. + // Option> is preferable here, and it should + // go back to it just as soon as we can express "non + // null capability". For now, checking for the null case + // is handled internally in each `map_or` call. + // + //First check if `upcall_ptr` is null. A null + //`upcall_ptr` will result in `None` here and + //represents the special "unsubscribe" operation. + //let ptr = NonNull::new(upcall_ptr); // For convenience create an `Upcall` type now. This is // just a data structure and doesn't do any checking or // conversion. - let upcall = Upcall::new(process.processid(), upcall_id, appdata, ptr); + let upcall = Upcall::new(process.processid(), upcall_id, appdata, upcall_ptr); // If `ptr` is not null, we must first verify that the // upcall function pointer is within process accessible @@ -895,8 +910,8 @@ impl Kernel { // > process executable memory...), the kernel...MUST // > immediately return a failure with a error code of // > `INVALID`. - let rval1 = ptr.and_then(|upcall_ptr_nonnull| { - if !process.is_valid_upcall_function_pointer(upcall_ptr_nonnull) { + let rval1 = upcall_ptr.map_or(None, |upcall_ptr_nonnull| { + if !process.is_valid_upcall_function_pointer(upcall_ptr_nonnull.as_ptr()) { Some(ErrorCode::INVAL) } else { None @@ -1010,7 +1025,7 @@ impl Kernel { process.processid(), driver_number, subdriver_number, - upcall_ptr as usize, + upcall_ptr, appdata, rval ); diff --git a/kernel/src/memop.rs b/kernel/src/memop.rs index 35d4cf9177..b50333a165 100644 --- a/kernel/src/memop.rs +++ b/kernel/src/memop.rs @@ -6,6 +6,7 @@ use crate::process::Process; use crate::syscall::SyscallReturn; +use crate::utilities::capability_ptr::{CapabilityPtr, CapabilityPtrPermissions}; use crate::ErrorCode; /// Handle the `memop` syscall. @@ -52,35 +53,74 @@ pub(crate) fn memop(process: &dyn Process, op_type: usize, r1: usize) -> Syscall // Op Type 1: SBRK 1 => process .sbrk(r1 as isize) - .map(|addr| SyscallReturn::SuccessU32(addr as u32)) + .map(|addr| SyscallReturn::SuccessPtr(addr)) .unwrap_or(SyscallReturn::Failure(ErrorCode::NOMEM)), // Op Type 2: Process memory start - 2 => SyscallReturn::SuccessU32(process.get_addresses().sram_start as u32), + 2 => SyscallReturn::SuccessPtr(unsafe { + let addresses = process.get_addresses(); + CapabilityPtr::new_with_authority( + addresses.sram_start as *const _, + addresses.sram_start, + addresses.sram_app_brk - addresses.sram_start, + CapabilityPtrPermissions::ReadWrite, + ) + }), // Op Type 3: Process memory end - 3 => SyscallReturn::SuccessU32(process.get_addresses().sram_end as u32), + 3 => SyscallReturn::SuccessPtr(unsafe { + let addresses = process.get_addresses(); + CapabilityPtr::new_with_authority( + addresses.sram_end as *const _, + addresses.sram_start, + addresses.sram_end - addresses.sram_start, + CapabilityPtrPermissions::ReadWrite, + ) + }), // Op Type 4: Process flash start - 4 => SyscallReturn::SuccessU32(process.get_addresses().flash_start as u32), + 4 => SyscallReturn::SuccessPtr(unsafe { + let addresses = process.get_addresses(); + CapabilityPtr::new_with_authority( + addresses.flash_start as *const _, + addresses.flash_start, + addresses.flash_end - addresses.flash_start, + CapabilityPtrPermissions::Execute, + ) + }), // Op Type 5: Process flash end - 5 => SyscallReturn::SuccessU32(process.get_addresses().flash_end as u32), + 5 => SyscallReturn::SuccessPtr(unsafe { + let addresses = process.get_addresses(); + CapabilityPtr::new_with_authority( + addresses.flash_end as *const _, + addresses.flash_start, + addresses.flash_end - addresses.flash_start, + CapabilityPtrPermissions::Execute, + ) + }), // Op Type 6: Grant region begin - 6 => SyscallReturn::SuccessU32(process.get_addresses().sram_grant_start as u32), + 6 => SyscallReturn::SuccessAddr(process.get_addresses().sram_grant_start), // Op Type 7: Number of defined writeable regions in the TBF header. 7 => SyscallReturn::SuccessU32(process.number_writeable_flash_regions() as u32), // Op Type 8: The start address of the writeable region indexed by r1. 8 => { - let flash_start = process.get_addresses().flash_start as u32; + let flash_start = process.get_addresses().flash_start; let (offset, size) = process.get_writeable_flash_region(r1); if size == 0 { SyscallReturn::Failure(ErrorCode::FAIL) } else { - SyscallReturn::SuccessU32(flash_start + offset) + SyscallReturn::SuccessPtr(unsafe { + CapabilityPtr::new_with_authority( + (flash_start + offset) as *const _, + flash_start + offset, + size, + CapabilityPtrPermissions::ReadWrite, + ) + }) } } @@ -88,12 +128,19 @@ pub(crate) fn memop(process: &dyn Process, op_type: usize, r1: usize) -> Syscall // Returns (void*) -1 on failure, meaning the selected writeable region // does not exist. 9 => { - let flash_start = process.get_addresses().flash_start as u32; + let flash_start = process.get_addresses().flash_start; let (offset, size) = process.get_writeable_flash_region(r1); if size == 0 { SyscallReturn::Failure(ErrorCode::FAIL) } else { - SyscallReturn::SuccessU32(flash_start + offset + size) + SyscallReturn::SuccessPtr(unsafe { + CapabilityPtr::new_with_authority( + (flash_start + offset + size) as *const _, + flash_start + offset, + size, + CapabilityPtrPermissions::ReadWrite, + ) + }) } } diff --git a/kernel/src/process.rs b/kernel/src/process.rs index ae73535c16..1402297816 100644 --- a/kernel/src/process.rs +++ b/kernel/src/process.rs @@ -19,6 +19,7 @@ use crate::processbuffer::{ReadOnlyProcessBuffer, ReadWriteProcessBuffer}; use crate::storage_permissions; use crate::syscall::{self, Syscall, SyscallReturn}; use crate::upcall::UpcallId; +use crate::utilities::capability_ptr::CapabilityPtr; use tock_tbf::types::CommandPermissions; // Export all process related types via `kernel::process::`. @@ -528,7 +529,8 @@ pub trait Process { /// /// ## Returns /// - /// On success, return the previous break address. + /// On success, return the previous break address with authority that + /// has RW permissions from the start of process RAM to the new break. /// /// On error, return: /// - [`Error::InactiveApp`] if the process is not running and adjusting the @@ -540,7 +542,7 @@ pub trait Process { /// process's memory region. /// - [`Error::KernelError`] if there was an internal kernel error. This is /// a bug. - fn brk(&self, new_break: *const u8) -> Result<*const u8, Error>; + fn brk(&self, new_break: *const u8) -> Result; /// Change the location of the program break by `increment` bytes, /// reallocate the MPU region covering program memory, and return the @@ -548,7 +550,8 @@ pub trait Process { /// /// ## Returns /// - /// On success, return the previous break address. + /// On success, return the previous break address with authority that + /// has RW permissions from the start of process RAM to the new break. /// /// On error, return: /// - [`Error::InactiveApp`] if the process is not running and adjusting the @@ -560,7 +563,7 @@ pub trait Process { /// process's memory region. /// - [`Error::KernelError`] if there was an internal kernel error. This is /// a bug. - fn sbrk(&self, increment: isize) -> Result<*const u8, Error>; + fn sbrk(&self, increment: isize) -> Result; /// How many writeable flash regions defined in the TBF header for this /// process. @@ -575,10 +578,10 @@ pub trait Process { /// /// ## Returns /// - /// A tuple containing the a `u32` of the offset from the beginning of the - /// process's flash region where the writeable region starts and a `u32` of + /// A tuple containing the a `usize` of the offset from the beginning of the + /// process's flash region where the writeable region starts and a `usize` of /// the size of the region in bytes. - fn get_writeable_flash_region(&self, region_index: usize) -> (u32, u32); + fn get_writeable_flash_region(&self, region_index: usize) -> (usize, usize); /// Debug function to update the kernel on where the stack starts for this /// process. Processes are not required to call this through the memop @@ -791,7 +794,9 @@ pub trait Process { /// /// Returns `true` if the upcall function pointer is valid for this process, /// and `false` otherwise. - fn is_valid_upcall_function_pointer(&self, upcall_fn: NonNull<()>) -> bool; + // `upcall_fn` can eventually be a better type: + // + fn is_valid_upcall_function_pointer(&self, upcall_fn: *const ()) -> bool; // functions for processes that are architecture specific @@ -1078,10 +1083,10 @@ pub struct FunctionCall { pub argument1: usize, /// The third argument to the function. pub argument2: usize, - /// The fourth argument to the function. - pub argument3: usize, + /// The userdata provided by the process via `subscribe` + pub argument3: CapabilityPtr, /// The PC of the function to execute. - pub pc: usize, + pub pc: CapabilityPtr, } /// This is similar to `FunctionCall` but for the special case of the Null diff --git a/kernel/src/process_standard.rs b/kernel/src/process_standard.rs index 666016d954..f5c89fd751 100644 --- a/kernel/src/process_standard.rs +++ b/kernel/src/process_standard.rs @@ -36,6 +36,7 @@ use crate::processbuffer::{ReadOnlyProcessBuffer, ReadWriteProcessBuffer}; use crate::storage_permissions::StoragePermissions; use crate::syscall::{self, Syscall, SyscallReturn, UserspaceKernelBoundary}; use crate::upcall::UpcallId; +use crate::utilities::capability_ptr::{CapabilityPtr, CapabilityPtrPermissions}; use crate::utilities::cells::{MapCell, NumericCellExt, OptionalCell}; use tock_tbf::types::CommandPermissions; @@ -753,7 +754,7 @@ impl Process for ProcessStandard<'_, self.header.number_writeable_flash_regions() } - fn get_writeable_flash_region(&self, region_index: usize) -> (u32, u32) { + fn get_writeable_flash_region(&self, region_index: usize) -> (usize, usize) { self.header.get_writeable_flash_region(region_index) } @@ -827,7 +828,7 @@ impl Process for ProcessStandard<'_, }) } - fn sbrk(&self, increment: isize) -> Result<*const u8, Error> { + fn sbrk(&self, increment: isize) -> Result { // Do not modify an inactive process. if !self.is_running() { return Err(Error::InactiveApp); @@ -837,7 +838,7 @@ impl Process for ProcessStandard<'_, self.brk(new_break) } - fn brk(&self, new_break: *const u8) -> Result<*const u8, Error> { + fn brk(&self, new_break: *const u8) -> Result { // Do not modify an inactive process. if !self.is_running() { return Err(Error::InactiveApp); @@ -859,7 +860,18 @@ impl Process for ProcessStandard<'_, let old_break = self.app_break.get(); self.app_break.set(new_break); self.chip.mpu().configure_mpu(config); - Ok(old_break) + + let base = self.mem_start() as usize; + let break_result = unsafe { + CapabilityPtr::new_with_authority( + old_break as *const (), + base, + (new_break as usize) - base, + CapabilityPtrPermissions::ReadWrite, + ) + }; + + Ok(break_result) } }) } @@ -1229,8 +1241,8 @@ impl Process for ProcessStandard<'_, }) } - fn is_valid_upcall_function_pointer(&self, upcall_fn: NonNull<()>) -> bool { - let ptr = upcall_fn.as_ptr() as *const u8; + fn is_valid_upcall_function_pointer(&self, upcall_fn: *const ()) -> bool { + let ptr = upcall_fn as *const u8; let size = mem::size_of::<*const u8>(); // It is okay if this function is in memory or flash. @@ -1958,8 +1970,20 @@ impl ProcessStandard<'_, C let flash_start = process.flash.as_ptr(); let app_start = flash_start.wrapping_add(process.header.get_app_start_offset() as usize) as usize; - let init_fn = + let init_addr = flash_start.wrapping_add(process.header.get_init_function_offset() as usize) as usize; + let fn_base = flash_start as usize; + let fn_len = process.flash.len(); + + // We need to construct a capability with sufficient authority to cover all of a user's + // code, with permissions to execute it. The entirety of flash is sufficient. + + let init_fn = CapabilityPtr::new_with_authority( + init_addr as *const (), + fn_base, + fn_len, + CapabilityPtrPermissions::Execute, + ); process.tasks.map(|tasks| { tasks.enqueue(Task::FunctionCall(FunctionCall { @@ -1968,7 +1992,7 @@ impl ProcessStandard<'_, C argument0: app_start, argument1: process.memory_start as usize, argument2: process.memory_len, - argument3: process.app_break.get() as usize, + argument3: (process.app_break.get() as usize).into(), })); }); @@ -2119,16 +2143,28 @@ impl ProcessStandard<'_, C let flash_start = self.flash_start(); let app_start = flash_start.wrapping_add(self.header.get_app_start_offset() as usize) as usize; - let init_fn = + let init_addr = flash_start.wrapping_add(self.header.get_init_function_offset() as usize) as usize; + // We need to construct a capability with sufficient authority to cover all of a user's + // code, with permissions to execute it. The entirety of flash is sufficient. + + let init_fn = unsafe { + CapabilityPtr::new_with_authority( + init_addr as *const (), + flash_start as usize, + (self.flash_end() as usize) - (flash_start as usize), + CapabilityPtrPermissions::Execute, + ) + }; + self.enqueue_task(Task::FunctionCall(FunctionCall { source: FunctionCallSource::Kernel, pc: init_fn, argument0: app_start, argument1: self.memory_start as usize, argument2: self.memory_len, - argument3: self.app_break.get() as usize, + argument3: (self.app_break.get() as usize).into(), })) } @@ -2138,6 +2174,11 @@ impl ProcessStandard<'_, C /// to be accessible to the process and to not overlap with the grant /// region. fn in_app_owned_memory(&self, buf_start_addr: *const u8, size: usize) -> bool { + // TODO: On some platforms, CapabilityPtr has sufficient authority that we + // could skip this check. + // CapabilityPtr needs to make it slightly further, and we need to add + // interfaces that tell us how much assurance it gives on the current + // platform. let buf_end_addr = buf_start_addr.wrapping_add(size); buf_end_addr >= buf_start_addr @@ -2150,6 +2191,11 @@ impl ProcessStandard<'_, C /// this method returns true, the buffer is guaranteed to be readable to the /// process. fn in_app_flash_memory(&self, buf_start_addr: *const u8, size: usize) -> bool { + // TODO: On some platforms, CapabilityPtr has sufficient authority that we + // could skip this check. + // CapabilityPtr needs to make it slightly further, and we need to add + // interfaces that tell us how much assurance it gives on the current + // platform. let buf_end_addr = buf_start_addr.wrapping_add(size); buf_end_addr >= buf_start_addr diff --git a/kernel/src/syscall.rs b/kernel/src/syscall.rs index a6ba161b8a..8f8564fe3d 100644 --- a/kernel/src/syscall.rs +++ b/kernel/src/syscall.rs @@ -70,6 +70,7 @@ use core::fmt::Write; use crate::errorcode::ErrorCode; use crate::process; +use crate::utilities::capability_ptr::CapabilityPtr; pub use crate::syscall_driver::{CommandReturn, SyscallDriver}; @@ -155,9 +156,9 @@ pub enum Syscall { /// The subscribe identifier. subdriver_number: usize, /// Upcall pointer to the upcall function. - upcall_ptr: *mut (), + upcall_ptr: CapabilityPtr, /// Userspace application data. - appdata: usize, + appdata: CapabilityPtr, }, /// Structure representing an invocation of the Command system call class. @@ -240,53 +241,53 @@ impl Syscall { pub fn from_register_arguments( syscall_number: u8, r0: usize, - r1: usize, - r2: usize, - r3: usize, + r1: CapabilityPtr, + r2: CapabilityPtr, + r3: CapabilityPtr, ) -> Option { match SyscallClass::try_from(syscall_number) { Ok(SyscallClass::Yield) => Some(Syscall::Yield { which: r0, - param_a: r1, - param_b: r2, + param_a: r1.into(), + param_b: r2.into(), }), Ok(SyscallClass::Subscribe) => Some(Syscall::Subscribe { driver_number: r0, - subdriver_number: r1, - upcall_ptr: r2 as *mut (), + subdriver_number: r1.into(), + upcall_ptr: r2, appdata: r3, }), Ok(SyscallClass::Command) => Some(Syscall::Command { driver_number: r0, - subdriver_number: r1, - arg0: r2, - arg1: r3, + subdriver_number: r1.into(), + arg0: r2.into(), + arg1: r3.into(), }), Ok(SyscallClass::ReadWriteAllow) => Some(Syscall::ReadWriteAllow { driver_number: r0, - subdriver_number: r1, - allow_address: r2 as *mut u8, - allow_size: r3, + subdriver_number: r1.into(), + allow_address: r2.as_ptr::().cast_mut(), + allow_size: r3.into(), }), Ok(SyscallClass::UserspaceReadableAllow) => Some(Syscall::UserspaceReadableAllow { driver_number: r0, - subdriver_number: r1, - allow_address: r2 as *mut u8, - allow_size: r3, + subdriver_number: r1.into(), + allow_address: r2.as_ptr::().cast_mut(), + allow_size: r3.into(), }), Ok(SyscallClass::ReadOnlyAllow) => Some(Syscall::ReadOnlyAllow { driver_number: r0, - subdriver_number: r1, - allow_address: r2 as *const u8, - allow_size: r3, + subdriver_number: r1.into(), + allow_address: r2.as_ptr::().cast_mut(), + allow_size: r3.into(), }), Ok(SyscallClass::Memop) => Some(Syscall::Memop { operand: r0, - arg0: r1, + arg0: r1.into(), }), Ok(SyscallClass::Exit) => Some(Syscall::Exit { which: r0, - completion_code: r1, + completion_code: r1.into(), }), Err(_) => None, } @@ -374,8 +375,9 @@ impl Syscall { /// /// This struct operates over primitive types such as integers of fixed length /// and pointers. It is constructed by the scheduler and passed down to the -/// architecture to be encoded into registers, using the provided -/// [`encode_syscall_return`](SyscallReturn::encode_syscall_return) method. +/// architecture to be encoded into registers. Architectures may use the various +/// helper functions defined in +/// [`utilities::arch_helpers`](crate::utilities::arch_helpers). /// /// Capsules do not use this struct. Capsules use higher level Rust types (e.g. /// [`ReadWriteProcessBuffer`](crate::processbuffer::ReadWriteProcessBuffer) and @@ -405,6 +407,15 @@ pub enum SyscallReturn { /// Generic success case, with an additional 32-bit and 64-bit data field SuccessU32U64(u32, u64), + /// Generic success case with an additional address-sized value + /// that does not impute access permissions to the process. + SuccessAddr(usize), + + /// Generic success case, with an additional pointer. + /// This pointer is provenance bearing and implies access + /// permission to the process. + SuccessPtr(CapabilityPtr), + // These following types are used by the scheduler so that it can return // values to userspace in an architecture (pointer-width) independent way. // The kernel passes these types (rather than ProcessBuffer or Upcall) for @@ -414,6 +425,15 @@ pub enum SyscallReturn { // (pointers out of valid memory), the kernel cannot construct an // ProcessBuffer or Upcall type but needs to be able to return a failure. // -pal 11/24/20 + + // FIXME: We need to think about what these look like on CHERI + // Really, things that were capabilities should come back as capabilities. + // However, we discarded all capability information at the syscall boundary. + // We could always use our own DDC, with just the permissions and length implied by the + // specific syscall. This would certainly got give userspace _extra_ authority, + // but might rob them of some bounds / permissions. This is what is implemented currently. + // Preferable behavior is not to discard the capability so early (it should make it as far + // as grant is stored in grant allow slots) /// Read/Write allow success case, returns the previous allowed buffer and /// size to the process. AllowReadWriteSuccess(*mut u8, usize), @@ -471,6 +491,8 @@ impl SyscallReturn { SyscallReturn::SuccessU32U32U32(_, _, _) => true, SyscallReturn::SuccessU64(_) => true, SyscallReturn::SuccessU32U64(_, _) => true, + SyscallReturn::SuccessAddr(_) => true, + SyscallReturn::SuccessPtr(_) => true, SyscallReturn::AllowReadWriteSuccess(_, _) => true, SyscallReturn::UserspaceReadableAllowSuccess(_, _) => true, SyscallReturn::AllowReadOnlySuccess(_, _) => true, diff --git a/kernel/src/upcall.rs b/kernel/src/upcall.rs index a719f3d37d..213f06aa25 100644 --- a/kernel/src/upcall.rs +++ b/kernel/src/upcall.rs @@ -4,13 +4,12 @@ //! Data structure for storing an upcall from the kernel to a process. -use core::ptr::NonNull; - use crate::config; use crate::debug; use crate::process; use crate::process::ProcessId; use crate::syscall::SyscallReturn; +use crate::utilities::capability_ptr::CapabilityPtr; use crate::ErrorCode; /// Type to uniquely identify an upcall subscription across all drivers. @@ -83,23 +82,23 @@ pub(crate) struct Upcall { pub(crate) upcall_id: UpcallId, /// The application data passed by the app when `subscribe()` was called. - pub(crate) appdata: usize, + pub(crate) appdata: CapabilityPtr, /// A pointer to the first instruction of the function in the app that /// corresponds to this upcall. /// - /// If this value is `None`, this is a null upcall, which cannot actually be - /// scheduled. An `Upcall` can be null when it is first created, or after an - /// app unsubscribes from an upcall. - pub(crate) fn_ptr: Option>, + /// If this value is `null`, it should not actually be + /// scheduled. An `Upcall` can be null when it is first created, + /// or after an app unsubscribes from an upcall. + pub(crate) fn_ptr: CapabilityPtr, } impl Upcall { pub(crate) fn new( process_id: ProcessId, upcall_id: UpcallId, - appdata: usize, - fn_ptr: Option>, + appdata: CapabilityPtr, + fn_ptr: CapabilityPtr, ) -> Upcall { Upcall { process_id, @@ -147,7 +146,7 @@ impl Upcall { argument1: r1, argument2: r2, argument3: self.appdata, - pc: fp.as_ptr() as usize, + pc: *fp, })) }, ); @@ -177,8 +176,9 @@ impl Upcall { self.process_id, self.upcall_id.driver_num, self.upcall_id.subscribe_num, - self.fn_ptr - .map_or(core::ptr::null_mut::<()>(), |fp| fp.as_ptr()) as usize, + self.fn_ptr.map_or(core::ptr::null_mut::<()>(), |fp| fp + .as_ptr::<()>() + .cast_mut()) as usize, r0, r1, r2, @@ -198,10 +198,10 @@ impl Upcall { /// We provide this `.into` function because the return type needs to /// include the function pointer of the upcall. pub(crate) fn into_subscribe_success(self) -> SyscallReturn { - match self.fn_ptr { - Some(fp) => SyscallReturn::SubscribeSuccess(fp.as_ptr(), self.appdata), - None => SyscallReturn::SubscribeSuccess(core::ptr::null::<()>(), self.appdata), - } + self.fn_ptr.map_or( + SyscallReturn::SubscribeSuccess(core::ptr::null::<()>(), self.appdata.into()), + |fp| SyscallReturn::SubscribeSuccess(fp.as_ptr(), self.appdata.into()), + ) } /// Create a failure case syscall return type suitable for returning to @@ -214,9 +214,9 @@ impl Upcall { /// We provide this `.into` function because the return type needs to /// include the function pointer of the upcall. pub(crate) fn into_subscribe_failure(self, err: ErrorCode) -> SyscallReturn { - match self.fn_ptr { - Some(fp) => SyscallReturn::SubscribeFailure(err, fp.as_ptr(), self.appdata), - None => SyscallReturn::SubscribeFailure(err, core::ptr::null::<()>(), self.appdata), - } + self.fn_ptr.map_or( + SyscallReturn::SubscribeFailure(err, core::ptr::null::<()>(), self.appdata.into()), + |fp| SyscallReturn::SubscribeFailure(err, fp.as_ptr(), self.appdata.into()), + ) } } diff --git a/kernel/src/utilities/arch_helpers.rs b/kernel/src/utilities/arch_helpers.rs index 3b219dab5e..cdee406022 100644 --- a/kernel/src/utilities/arch_helpers.rs +++ b/kernel/src/utilities/arch_helpers.rs @@ -114,6 +114,12 @@ impl TRD104SyscallReturn { TRD104SyscallReturn::SubscribeFailure(a, b, c) } SyscallReturn::YieldWaitFor(a, b, c) => TRD104SyscallReturn::YieldWaitFor(a, b, c), + + // Compatibility mapping: + SyscallReturn::SuccessAddr(a) => TRD104SyscallReturn::SuccessU32(a as u32), + SyscallReturn::SuccessPtr(a) => { + TRD104SyscallReturn::SuccessU32(a.as_ptr::<()>() as u32) + } } } } diff --git a/kernel/src/utilities/capability_ptr.rs b/kernel/src/utilities/capability_ptr.rs new file mode 100644 index 0000000000..bf77ad4695 --- /dev/null +++ b/kernel/src/utilities/capability_ptr.rs @@ -0,0 +1,161 @@ +// Licensed under the Apache License, Version 2.0 or the MIT License. +// SPDX-License-Identifier: Apache-2.0 OR MIT +// Copyright Google LLC 2024. + +//! Defines the CapabilityPtr type + +use core::fmt::{Formatter, LowerHex, UpperHex}; +use core::ops::AddAssign; + +/// A pointer to userspace memory with implied authority. +/// +/// A [`CapabilityPtr`] points to memory a userspace process may be +/// permitted to read, write, or execute. It is sized exactly to a +/// CPU register that can pass values between userspace and the kernel. +/// Because it is register sized, [`CapabilityPtr`] is guaranteed to be +/// at least the size of a word ([usize]) [^note1]. Operations on the +/// pointer may affect permissions, e.g. offsetting the pointer beyond +/// the bounds of the memory object invalidates it. Like a `*const +/// ()`, a [`CapabilityPtr`] may also "hide" information by storing a +/// word of data with no memory access permissions. +/// +/// [`CapabilityPtr`] should be used to store or pass a value between the +/// kernel and userspace that may represent a valid userspace reference, +/// when one party intends the other to access it. +/// +/// [^note1]: Depending on the architecture, the size of a +/// [`CapabilityPtr`] may be a word size or larger, e.g., if registers +/// can store metadata such as access permissions. +#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Debug)] +#[repr(transparent)] +pub struct CapabilityPtr { + ptr: *const (), +} + +impl Default for CapabilityPtr { + fn default() -> Self { + Self { + ptr: core::ptr::null(), + } + } +} + +/// Permission sets a [`CapabilityPtr`] may grant. +/// These may not be enforced or exist on a given platform. +#[derive(Copy, Clone, PartialEq)] +pub enum CapabilityPtrPermissions { + None, + Read, + Write, + ReadWrite, + Execute, +} + +impl From for usize { + /// Returns the address of the [`CapabilityPtr`]. + /// Provenance note: may not expose provenance. + #[inline] + fn from(from: CapabilityPtr) -> Self { + from.ptr as usize + } +} + +impl From for CapabilityPtr { + /// Constructs a [`CapabilityPtr`] with a given address and no authority + /// + /// Provenance note: may have null provenance. + #[inline] + fn from(from: usize) -> Self { + Self { + ptr: from as *const (), + } + } +} + +impl UpperHex for CapabilityPtr { + /// Format the capability as an uppercase hex string. + /// Will print at least the address, and any platform specific metadata if it exists. + #[inline] + fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result { + UpperHex::fmt(&(self.ptr as usize), f) + } +} + +impl LowerHex for CapabilityPtr { + /// Format the capability as a lowercase hex string. + /// Will print at least the address, and any platform specific metadata if it exists. + #[inline] + fn fmt(&self, f: &mut Formatter<'_>) -> core::fmt::Result { + LowerHex::fmt(&(self.ptr as usize), f) + } +} + +impl AddAssign for CapabilityPtr { + /// Increments the address of a [`CapabilityPtr`] + #[inline] + fn add_assign(&mut self, rhs: usize) { + self.ptr = (self.ptr as *const u8).wrapping_add(rhs) as *const (); + } +} + +impl CapabilityPtr { + /// Returns the pointer component of a [`CapabilityPtr`] but without any of the authority. + pub fn as_ptr(&self) -> *const T { + self.ptr as *const T + } + + /// Construct a [`CapabilityPtr`] from a raw pointer, with authority ranging over + /// [`base`, `base + length`) and permissions `perms`. + /// + /// Provenance note: may derive from a pointer other than the input to provide something with + /// valid provenance to justify the other arguments. + /// + /// ## Safety + /// + /// Constructing a [`CapabilityPtr`] with metadata may convey authority to + /// dereference this pointer, such as in userspace. When these pointers + /// serve as the only memory isolation primitive in the system, this method + /// can thus break Tock's isolation model. As semi-trusted kernel code can + /// name this type and method, it is thus marked as `unsafe`. + /// + // TODO: Once Tock supports hardware that uses the [`CapabilityPtr`]'s + // metdata to convey authority, this comment should incorporate the exact + // safety conditions of this function. + #[inline] + pub unsafe fn new_with_authority( + ptr: *const (), + _base: usize, + _length: usize, + _perms: CapabilityPtrPermissions, + ) -> Self { + Self { ptr } + } + + /// If the [`CapabilityPtr`] is null returns `default`, otherwise applies `f` to `self`. + #[inline] + pub fn map_or(&self, default: U, f: F) -> U + where + F: FnOnce(&Self) -> U, + { + if self.ptr.is_null() { + default + } else { + f(self) + } + } + + /// If the [`CapabilityPtr`] is null returns `default`, otherwise applies `f` to `self`. + /// default is only evaluated if `self` is not null. + #[inline] + pub fn map_or_else(&self, default: D, f: F) -> U + where + D: FnOnce() -> U, + F: FnOnce(&Self) -> U, + { + if self.ptr.is_null() { + default() + } else { + f(self) + } + } +} diff --git a/kernel/src/utilities/mod.rs b/kernel/src/utilities/mod.rs index bc2f589824..8e146ac544 100644 --- a/kernel/src/utilities/mod.rs +++ b/kernel/src/utilities/mod.rs @@ -6,6 +6,7 @@ pub mod arch_helpers; pub mod binary_write; +pub mod capability_ptr; pub mod copy_slice; pub mod helpers; pub mod leasable_buffer; @@ -17,7 +18,6 @@ pub mod storage_volume; pub mod streaming_process_slice; mod static_ref; - pub use self::static_ref::StaticRef; /// The Tock Register Interface. diff --git a/libraries/tock-tbf/src/types.rs b/libraries/tock-tbf/src/types.rs index 282a2df25e..2b5cdc79a8 100644 --- a/libraries/tock-tbf/src/types.rs +++ b/libraries/tock-tbf/src/types.rs @@ -791,7 +791,7 @@ impl TbfHeader { } /// Get the offset and size of a given flash region. - pub fn get_writeable_flash_region(&self, index: usize) -> (u32, u32) { + pub fn get_writeable_flash_region(&self, index: usize) -> (usize, usize) { match *self { TbfHeader::TbfHeaderV2(hd) => hd.writeable_regions.map_or((0, 0), |wr_slice| { fn get_region( @@ -810,8 +810,8 @@ impl TbfHeader { match get_region(wr_slice, index) { Ok(wr) => ( - wr.writeable_flash_region_offset, - wr.writeable_flash_region_size, + wr.writeable_flash_region_offset as usize, + wr.writeable_flash_region_size as usize, ), Err(()) => (0, 0), }