CheriABI CheriBSD user mode for CHERI-RISC-V #163

Open
12 of 28 tasks
kwitaszczyk opened this issue Sep 1, 2021 · 1 comment
Labels
Engineering packages Issues related to package building user-mode

kwitaszczyk commented Sep 1, 2021

The initial implementation of the CHERI-RISC-V user-mode for CheriABI should pass all cheribsdtest-purecap-dynamic tests. As of today, the remaining changes are:

  • Make sure static binaries work;
  • Make sure dynamic binaries work;
  • Adapt existing and implement missing system calls to CheriABI:
    • flag_captured();
    • kbounce();
    • syscall() and __syscall();
    • sysctlbyname():
      • New system controls:
        • security.cheri.sealcap;
        • security.flags_captured.
  • Disable system calls unavailable in CHERI-RISC-V, e.g. brk(2), compat syscalls;
  • Make sure all tests run by cheribsdtest-purecap have the same results as if they were run in the system mode;
  • Make sure all tests run by cheribsdtest-purecap-dynamic have the same results as if they were run in the system mode;
  • Implement CheriABI tests for system calls supported by the user mode;
  • Add a flag -e glob to cheribsdtest to exclude tests;
  • Modify cheribsdtest to detect it's being run in the user mode and mark tests knowingly failing with xfail;
  • Add an argument to pass a path to a program interpreter (/libexec/ld-elf.so.1, /libexec/ld-cheri-elf.so.1 or /libexec/ld-cheri-elf-debug.so.1);
  • Revise pure-capability sigcode against sys/riscv/riscv/locore.S;
  • Update credits in files;
  • Write a write-up on what changes were required to support CheriABI in the user mode as an example of software adaptation to CheriABI.

Currently we won't support:

  • Features:
    • Tag controller;
    • Temporal safety.
  • Syscalls:
    • aio_read();
    • ptrace();
    • shm_open();
    • shmdt();
    • sysctlbyname() used for:
      • System controls that include pointers:
        • kern.proc.all.
  • Tests:
    • aio_read():
      • test_aio_sival: Could not register aio; errno=78
    • ptrace():
      • test_ptrace_basic: Child exited abnormally
    • Reservations:
      • cheribsdtest_vm_reservation_access_fault: Expected signal 11, got 0
      • cheribsdtest_vm_reservation_reuse: mmap over reservation succeeded
      • cheribsdtest_vm_reservation_mmap_after_free_fixed: mmap after free succeeded
      • cheribsdtest_vm_reservation_mmap_after_free: mmap after free succeeded
      • cheribsdtest_vm_reservation_mmap_invalid_cap: mmap with invalid capability succeeded
      • cheribsdtest_vm_reservation_mmap_fixed_unreserved: mmap fixed with NULL-derived hint failed with 2 instead of ENOMEM
      • cheribsdtest_vm_reservation_mmap_insert_null_derived: mmap fixed with NULL-derived hint failed with 2 instead of ENOMEM
      • cheribsdtest_vm_reservation_mmap_fixed_insert_noperm: mmap fixed with capability missing VM_MAP perms failed with 2 instead of EACCES
    • Tags:
      • memcpy(), memmove():
        • test_string_memcpy: dst has capability after unaligned write
        • test_string_memmove: dst has capability after unaligned write
        • test_unaligned_capability_copy_memcpy: '!cheri_gettag(src_buffer[0])' is FALSE!
        • test_unaligned_capability_copy_memmove: '!cheri_gettag(src_buffer[0])' is FALSE!
      • open():
        • test_cheriabi_open_sealed: open succeeded
        • test_cheriabi_open_bad_addr: EFAULT expected: No such file or directory
        • test_cheriabi_open_bad_len: open succeeded
        • test_cheriabi_open_bad_len_2: open succeeded
        • test_cheriabi_open_bad_tag: open succeeded
        • test_cheriabi_open_bad_perm: open succeeded
      • mmap():
        • cheribsdtest_vm_mmap_invalid_cap: mmap with invalid capability succeeded
        • cheribsdtest_vm_mmap_invalid_cap_fixed: mmap with invalid capability failed with 2 instead of EINVAL
        • cheribsdtest_vm_notag_tmpfile_shared: Expected signal 11, got 0
        • cheribsdtest_vm_tag_shm_open_anon_shared2x: tag exists on first read
      • minherit():
        • test_cheriabi_minherit_invalid_ptr: minherit(mappings.middle, mappings.maplen * 2, INHERIT_NONE) unexpectedly returned 0
      • mprotect():
        • test_cheriabi_mprotect_invalid_ptr: mprotect(mappings.middle, mappings.maplen * 2, PROT_NONE) unexpectedly returned 0
      • munmap():
        • test_cheriabi_munmap_invalid_ptr: munmap(mappings.middle, mappings.maplen * 2) unexpectedly returned 0
      • printf():
        • test_printf_cap: Wrong output for simple scalar
        • test_strfcap_C: Wrong output for simple scalar '0x4 [,0-0xffffffffffffffff] (invalid)'
      • shmdt():
        • test_cheriabi_shmdt_invalid_ptr: 'cheri_gettag(mappings->first)' is FALSE!

Optional improvements:

  • Fix strace and printing guest memory strings;
  • Port thread.td_retval from CheriBSD to TaskState in QEMU and modify the syscall interface to take a pointer to a TaskState object, e.g. for mmap(2);
  • SIGINFO (CTRL-T) should print argv of an emulated process and other useful debugging information, e.g. a system call;
  • Automatically run tests with cheribsdtest-purecap-dynamic using the user mode in Jenkins excluding tests failing due to the missing tag controller;
  • Add cheribuild targets run-riscv64-purecap-shell and run-riscv64-purecap-exec;
  • Tutorials:
    • How to use the user mode to run a single binary?
    • How to start a jail with the user mode?
    • How to analyse a core dump generated by the user mode?
    • How to start the user mode with a debugger?

The above list is incomplete and will be updated as more problems are identified.

@kwitaszczyk kwitaszczyk self-assigned this Sep 1, 2021
@kwitaszczyk kwitaszczyk changed the title Initial CHERI-RISC-V user-mode implementation for CheriABI. Initial CHERI-RISC-V user-mode implementation for CheriABI Oct 25, 2021
@kwitaszczyk kwitaszczyk added this to the 2022 Q2 Release milestone Oct 25, 2021
@kwitaszczyk kwitaszczyk changed the title Initial CHERI-RISC-V user-mode implementation for CheriABI CheriABI CheriBSD user mode for CHERI-RISC-V Oct 27, 2021
@kwitaszczyk kwitaszczyk added the packages Issues related to package building label Oct 27, 2021
@brooksdavis brooksdavis removed this from the 2022 Q2 Release milestone Sep 23, 2023
brooksdavis commented

This issue seems mostly overcome by events
