Age | Commit message (Collapse) | Author |
|
For each module keep an RX and an RW root capability. Use the existing
l_map_start for RX (covering all load segments) and add l_rw_start for
RW (covering all writable load segments).
For relocation processing, we also need individual RW ranges to decide
which objects need to be derived from RW and RX capabilities. In
practice most modules have exactly one RW segment and it's unlikely
that any module needs more than four distinct ranges to tightly cover
the RW mappings.
Only added on CHERI targets so always has to be used behind ifdef.
|
|
Use a capability for the load segment start that covers all load
segments so pointers can be derived from it.
It should have RX permission and a separate capability used for
writable pointers.
|
|
Use elfptr_t when ElfW(Addr) represents a runtime pointer (may be
dereferenced or pointers may be derived from it).
|
|
The linker created _end symbol does not have the right bounds, so
don't try to reuse leftover memory at the end of the .data section.
|
|
Store mmap result to intptr_t instead of long.
|
|
Pointer mangling cannot be supported on capability architectures.
And there are not enough bytes in dl_random for 128 bit pointers.
Stack guard is still loaded from dl_random: stack protection is
unlikely to be useful on a capability architecture, but it works.
|
|
Written in C so the self relocation code in crt1.o is easier to
maintain.
The purecap ELF entry is special: passes separate argc, argv, envp,
auxv in registers instead of on the stack.
For each module there will be separate RW and RX capabilities that
cover the writable and all load segments respectively. The relative
reloc processing code is prepared for such separate capabilities.
The static link detection (for self relocation) is not ideal, it
relies on relocations that don't work in PIC, so it is ifdefed out
for Scrt1.o. (Currently adrp of undefined weak symbol is not fixed
up by the linker to be 0 so we use movz to detect the presence of
__rela_dyn_start.)
|
|
The prototype of __libc_start_main is changed to
void
__libc_start_main (int main (int, char **, char **, void *),
int argc, char **argv, char **envp, void *auxv,
void rtld_fini (void), void *sp);
so envp is passed down separately and the unused init, fini args are
dropped.
|
|
Purecap ABI versions of crti.S and crtn.S.
|
|
New file containing the capability permission bits.
The capability permission bits are defined in the Arm Architecture
Reference Manual Supplement - Morello for A-Profile Architecture:
https://developer.arm.com/documentation/ddi0606/latest
|
|
The Elf64_auxv_t needs to be adjusted for the new capability size.
|
|
Follows the morello pure capability user ABI of linux.
|
|
This is a temporary workaround.
length is rounded up to pagesize and don't use exact bound (bounds
will be larger if exact value is not representable).
capability permissions are roughly emulated too.
TODO: kernel should do this
|
|
TODO: this is the value in the 5.18 kernel, will change later.
|
|
TODO: Remove this once morello has vdso gettimeofday.
|
|
TODO: drop this once linux brk always fails.
|
|
Current clone_args does not support 128 bit pointers.
TODO: the fix is incomplete (missing clone3 abi checks) and has to be
aligned with purecap clone3 struct layout.
|
|
Specifies the prot flags a mapping may gain via mprotect or MAP_FIXED.
On CHERI targets this is used to get capability with more permissions
than the original mmap protection would imply.
|
|
In fcntl va_arg is currently used even if the caller did not pass
any variadic arguments. This is undefined behaviour and does not
work with the Morello purecap ABI, so use a helper macro.
When the argument is missing, the result of the helper macro is
arbitrary as it will be ignored by the kernel, we just have to
ensure it does not cause a runtime crash.
|
|
prctl is a variadic function and on morello args that were not passed
cannot be accessed so the generic code does not work.
|
|
No need to set the child stack to sp, 0 means the parent stack is used.
This avoids purecap specific ifdefs in vfork.
|
|
Support the Morello Linux purecap syscall ABI. The macro definitions
are moved to a morello specific sysdep.h to avoid cluttering the
aarch64 one.
|
|
New syscall ABI requires different VDSO support code.
|
|
TODO: this affects API (syscall return type is long)
so breaks portability and requires doc updates.
|
|
from arm optimized-routines morello branch.
|
|
memset from arm optimized-routines morello branch.
|
|
Modified rawmemchr to support Arm Morello Capabilities.
|
|
avoids out of bounds access of the generic implementation.
|
|
avoids out of bounds access of the generic implementation.
|
|
Add macro definitions for purecap ABI in sysdep.h.
|
|
morello purecap gcc in some cases inlines 16byte memcpy as a capability
load, which is wrong if the source or dest may be unaligned.
stack guard only needs random for the address portion since only that
part is compared, so 8 byte is enough with 64 bit addresses, but the
current code is only right on little endian systems.
TODO: drop when gcc is fixed
|
|
There is no ideal ABI macro, so we assume __CHERI_PURE_CAPABILITY__
implies 64 bit long, 64 bit address and 128 bit pointer.
|
|
The CHERI pure capability programming model for C requires special
definition of {u}intptr_t.
Only the pure capability model is supported for hosted compilation,
but for freestanding compilation there is limited support for other
(hybrid capability) programming models too, which require new
{u}intcap_t type definitions.
|
|
The c++ mangling ABI for intptr_t and pthread_t are different on
morello.
|
|
There is no longer PLT reference to matherr in libm.
|
|
The base symbol version is 2.36.
|