switcher: change TrustedStack underflow to exit #328
Conversation
If we're handling this path, maybe we should initialise cra in new threads to the switcher's return entry point so that return from an entry point is a graceful thread exit?
Ah interesting, a use case for manually I'll whip something up.
CI failures (so far; there may be others lurking) look to be due to CHERIoT-SAFE's Ibex submodule not including microsoft/cheriot-ibex@439b27ce; Kunyan is looking at what I'd thought would be an easy PR, microsoft/cheriot-safe#18.
LGTM once CI is happy. I like that this cleans up the thread exit path and doesn't even introduce a new untrusted entry point into the switcher.
Rather than infinitely looping such a damaged thread, request that the scheduler stop running it (via .Lset_mcause_and_exit_thread). This should never happen, as .Lpop_trusted_stack_frame tries to exit any thread that runs out of trusted stack frames, but the scheduler could ask us to resume such a thing anyway.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wc99-designator"
constexpr SealingType Sentries[] = {
  [int(InterruptStatus::Enabled)] = ReturnSentryEnabling,
  [int(InterruptStatus::Disabled)] = ReturnSentryDisabling};
#pragma clang diagnostic pop
This makes me a bit nervous. I'd normally do this kind of compile-time map with a template so that we get a compile error if something is invalid.
I was just following seal_entry immediately above. I'd be happy to rework both however desired, tho'.
Yes, my code above is also bad. I think we want something like:
template<InterruptStatus T>
constexpr SealingType SealingTypeForInterruptStatus;
template<>
constexpr SealingType SealingTypeForInterruptStatus<InterruptStatus::Enabled> = ReturnSentryEnabling;
...
Assuming I got the syntax right.
Ah, no, this needs to be a dynamic thing. Never mind. Leave as is for now.
Add its offset to the image header and change the header magic number.
If a thread returns from its topmost compartment, it should now directly enter the thread exit path without first going through a trap on an untagged cra.
Now that the initial cra for threads is a sentry to a graceful exit and not nullptr, there's no need to detect and notch out exceptions arising from thread exits.
Co-authored-by: Robert Norton <robert.norton@microsoft.com>