Add a new PT_CHERI_PCC segment to define the bounds of code capabilities#792
Add a new PT_CHERI_PCC segment to define the bounds of code capabilities#792jrtc27 merged 5 commits intoCTSRD-CHERI:devfrom
Conversation
|
The clang format errors are all about excessive whitespace in existing tests that I had to update. |
| #--- text_rodata.s | ||
|
|
||
| .global foo | ||
| .type foo, @function | ||
| foo: | ||
| ret | ||
| .size foo, . - foo | ||
|
|
||
| .rodata | ||
| .global bar | ||
| .type bar, @object | ||
| bar: | ||
| .space 8192 | ||
| .size bar, . - bar | ||
|
|
||
| #--- rodata_only.s | ||
|
|
||
| .rodata | ||
| .global bar | ||
| .type bar, @object | ||
| bar: | ||
| .space 8196 | ||
| .size bar, . - bar |
There was a problem hiding this comment.
Why not have rodata.s and link with small-text for one of the tests?
There was a problem hiding this comment.
I've had to rework these anyway after the change to use relocations (instead of always placing rodata under PCC bounds) which might not permit sharing as easily.
There was a problem hiding this comment.
But aside from the .global (and 8196 vs 8192, which isn't obviously not a typo?) they're (still) all the same, so I don't see why they can't share a single rodata.o?
There was a problem hiding this comment.
Here the 8196 is intended to require padding if it were part of a PT_CHERI_PCC segment.
There was a problem hiding this comment.
Hmm, it might be that I can use 8196 for all the test cases
bsdjhb
force-pushed
the
pt_cheri_pcc
branch
3 times, most recently
from
9c2c2ed to
59882ae
Compare
|
I think I want to pull "llvm-readelf: Use base+offset to resolve target symbol names" into dev now, and perhaps make the format less obtuse at the same time, since none of that really needs to wait on polishing the PCC bounds implementation. |
jrtc27
force-pushed
the
pt_cheri_pcc
branch
2 times, most recently
from
c66bf0f to
bc6ed71
Compare
bsdjhb
left a comment
bsdjhb
left a comment
There was a problem hiding this comment.
We should perhaps document .data.cheri.* in the commit log? Do we need CheriBSD changes in locore and csu to move some variables into those sections?
lld/ELF/Writer.cpp
Outdated
| if (sec == in.pccPadding->getParent()) | ||
| return true; | ||
|
|
||
| // Like RELRO, sections with some spectial names are |
There was a problem hiding this comment.
Do we need this explicitly? Won't they already be marked by the PC-relative relocations?
There was a problem hiding this comment.
My thinking was that there may be cases where for whatever reason there aren't PC-relative relocations but you nevertheless want them in PCC bounds (somehow obfuscated from the linker). Maybe that's a waste of time. It just felt a bit odd to have .data.cheri.pcc not end up in PCC bounds if you didn't reference it PC-relatively.
Not really. The variables don't actually need to be covered by PT_CHERI_PCC, because we're running before that point (and for csu it's not accessing anything RW), so the warnings are harmless. Ideally we'd have a way to say "R_PC that doesn't need to be in PCC bounds", and then locore can use that. Which would be some kind of new relocation, presumably, that behaves like a PC-relative one in every other respect. |
So I guess I don't understand what this is doing right now? Today the variables locore, etc. need are still in .data and .bss, so we issue the warning but keep going with your change? Do we need .data.cheri.pcc and .bss.cheri.pcc at all? Right now I think the support for them is incomplete as they will get merged into .data/.bss and not exist as separate output sections, so maybe we should wait to add them until we have a use case for them? Also, I do think for locore type things we may end up using a separate relocation instead to avoid the warning instead of these custom sections? |
Yeah that's true, I had that thought today and just got to verifying it, and yes, .data.cheri.pcc ends up in .data by default, so I'd need to teach it to split it out like .data.rel.ro, and yes, for locore etc we wouldn't be using this, we'd just be using a different relocation. I can just drop it for now until we have an actual use case for it. |
Static linkers can emit this ELF program header to describe the ranges of address space that should share PCC bounds. Dynamic linkers should constrain code and function pointers that resolve to addresses in these ranges to the bounds of the segment.
This just uses cheri-compressed-cap.h directly. Probably the existing helper methods in llvm/lib/Target/RISCV/MCTargetDesc should be moved out to llvm/Support so they can be reused here.
Similar to CHERI-RISC-V, this uses cheri-compressed-cap.h directly for CHERI-128.
jrtc27
force-pushed
the
pt_cheri_pcc
branch
2 times, most recently
from
c45e81b to
372e424
Compare
…DSOs This segment bounds all of the executable sections as well as any GOTs and other sections such as read-only data directly accessed via PCC. The PT_CHERI_PCC segment is aligned and padded to ensure that the segment bounds are exactly representable. The first section in the segment is aligned based on the segment size, and a new .pad.cheri.pcc section is inserted at the end of the segment to provide any needed padding. To simplify capreloc processing, function caprelocs use the bounds of the containing PT_CHERI_PCC segment. Future relative capability relocations should also use these bounds for function and code capabilities. This segment is not output for CHERI-MIPS when using the PLT or function descriptor ABIs as those use a separate mechanism for setting bounds on PCC. Co-authored-by: Jessica Clarke <jrtc27@jrtc27.com>
2 participants
This extracts the PT_CHERI_PCC bits from the c18n branch. It includes changes to rewrite the bounds of code capability relocations to use the bounds of the containing PT_CHERI_PCC instead of the bounds of the function.
This is not enabled for CHERI-MIPS.