Example comparingcheri_cap_build & cheri_address_set
#92
Conversation
|
Since I'm the dummy here, I'll ask the obvious question: does |
|
Took a while to demonstrate this conclusively, but the answer is no. I've got a snippet now which removes permissions from the DDC and shows that you can't use I suspect what's happening is that the I'd been aiming to get this tidied into the example with responses to @0152la 's notes, but haven't quite finished up and needing to dash — so I'll push the code demonstrating this tomorrow. (Also: I have a suspicion it can be used to reconstruct a capability that's been serialised to a file, which shouldn't be possible, but I'm not going to investigate that right now — maybe a diversion for next week.) |
|
Thanks!
This shouldn't be possible -- but there was once a bug in CheriBSD that allowed it because of file caching! It was fixed, though. |
|
|
|
Thanks both -- I get it now! |
|
Thanks @djlowther — that's a very helpful note! We haven't found much documentation around I haven't played with this yet and can't budget time to investigating it right now, but perhaps you know already: does that mean that a capability written to disk by one process could be loaded by a hybrid process with a very permissive DDC, and so re-created as a valid capability by that second process? Shouldn't that be forbidden, as @ltratt mentioned? Or am I misunderstanding something? |
|
The answer to your question is yes, in theory it could. However,
So the
with (provided R3 is available as scratch) (N.B. - this may have a different result on failure than Moreover, being able to recreate a capability from data from an IO stream is not a problem as long as it's done explicitly and doesn't grant extra privileges to the receiving process (which the superset restriction guarantees). In fact, it's necessary to allow the kernel to swap pages (which may contain valid capabilities) to disk. |
|
Fascinating! Thank you for the detailled response! |
|
@0152la I think this is OK to squash? |
|
Needs rebasing against master first. |
|
@probablytom Please squash. [Note: this doesn't mean you have to squash down to 1 commit, though you can if that makes sense. "Squashing" also implies "rebase + force push".] |
Adds an example comparing `cheri_cap_build` and `cheri_address_set`. `cheri_cap_build` and `cheri_address_set` are very similar, but not quite the same. We were previously unsure of what the difference between the two was; this example uses both and explains the differences between the two. Briefly put, `cheri_address_set` takes two capabilities as arguments and returns a new capability with the metadata of the first arg and the address of the second. `cheri_cap_build` takes a capability and a `uintcap_t` — some bits to interpret as a capability, but not actually a capability — and returns a new capability constructed from the bits of the second (`uintcap_t`) argument, which is valid if and only if it is no more permissive than the first (cap) argument. There's a little more detail, but that's a summary. For more, there are a couple of useful comments on github: - capablevms#92 (comment) - capablevms#39 (comment)
probablytom
force-pushed
the
example_cheri_cap_build
branch
2 times, most recently
from
3741aac to
d7ce778
Compare
|
Squashed! |
|
On my end, still says it's out of date with master. |
|
Oh, and mine too. Apologies, thought I'd fixed — one sec |
Adds an example comparing `cheri_cap_build` and `cheri_address_set`. `cheri_cap_build` and `cheri_address_set` are very similar, but not quite the same. We were previously unsure of what the difference between the two was; this example uses both and explains the differences between the two. Briefly put, `cheri_address_set` takes two capabilities as arguments and returns a new capability with the metadata of the first arg and the address of the second. `cheri_cap_build` takes a capability and a `uintcap_t` — some bits to interpret as a capability, but not actually a capability — and returns a new capability constructed from the bits of the second (`uintcap_t`) argument, which is valid if and only if it is no more permissive than the first (cap) argument. There's a little more detail, but that's a summary. For more, there are a couple of useful comments on github: - capablevms#92 (comment) - capablevms#39 (comment)
probablytom
force-pushed
the
example_cheri_cap_build
branch
from
d7ce778 to
ae1be5c
Compare
|
I've removed it from the merge queue, since this now seems to have our whole repo history in it. |
probablytom
force-pushed
the
example_cheri_cap_build
branch
from
ae1be5c to
d7ce778
Compare
|
Yes, fortunately it looks like it was also still marked as out of sync with master so didn't auto-merge. Should be fixed now — looks correct on my end, at least — but will keep my mitts off the merge button… |
|
…should be good to go… 👍 |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Adds an example comparing `cheri_cap_build` and `cheri_address_set`. `cheri_cap_build` and `cheri_address_set` are very similar, but not quite the same. We were previously unsure of what the difference between the two was; this example uses both and explains the differences between the two. Briefly put, `cheri_address_set` takes two capabilities as arguments and returns a new capability with the metadata of the first arg and the address of the second. `cheri_cap_build` takes a capability and a `uintcap_t` — some bits to interpret as a capability, but not actually a capability — and returns a new capability constructed from the bits of the second (`uintcap_t`) argument, which is valid if and only if it is no more permissive than the first (cap) argument. There's a little more detail, but that's a summary. For more, there are a couple of useful comments on github: - capablevms#92 (comment) - capablevms#39 (comment)
probablytom
force-pushed
the
example_cheri_cap_build
branch
from
29fbcfc to
c18cdf7
Compare
|
Re-formatted. |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
@probablytom Is this ready for rereview? |
|
I'm confused about commit ba68b10. Looking at the code [1], this new example should only run on |
I agree that this might be worth investigating, but I'd prefer to get this PR in now, and investigate separately: we can always reenable on RISC-V later if it turns out there's a CI issue. @probablytom Just checking that this PR is finished from your perspective? |
|
Yes, I was confused as to why it was running too. I think it's because the CI runs Given other examples do this too, if the build passes CI now I don't think it's worth making changes in the short term to get this to run without the macros…but if you're keen, my suspicions sit with that makefile. So to answer the Q @ltratt, yes — happy with the state of this now — but also happy to make changes if there's anything else to tidy up! I'll squash when instructed. [1] https://github.com/capablevms/cheri-examples/blob/master/general_bounds.c |
|
You're right. It seems it assumes root examples mean I think that's the best resolution, but still the fact that we have some tests compiling in [1] https://github.com/capablevms/cheri-examples/blob/master/.buildbot.sh#L18 |
|
Yeah, let's get this in, and then refine/move things around in another PR. @probablytom Please squash. |
Adds an example comparing `cheri_cap_build` and `cheri_address_set`. `cheri_cap_build` and `cheri_address_set` are very similar, but not quite the same. We were previously unsure of what the difference between the two was; this example uses both and explains the differences between the two. Briefly put, `cheri_address_set` takes two capabilities as arguments and returns a new capability with the metadata of the first arg and the address of the second. `cheri_cap_build` takes a capability and a `uintcap_t` — some bits to interpret as a capability, but not actually a capability — and returns a new capability constructed from the bits of the second (`uintcap_t`) argument, which is valid if and only if it is no more permissive than the first (cap) argument. There's a little more detail, but that's a summary. For more, there are a couple of useful comments on github: - capablevms#92 (comment) - capablevms#39 (comment)
probablytom
force-pushed
the
example_cheri_cap_build
branch
from
ba68b10 to
63a8bbe
Compare
|
Squashed! |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
Please squash. |
Adds an example comparing `cheri_cap_build` and `cheri_address_set`. `cheri_cap_build` and `cheri_address_set` are very similar, but not quite the same. We were previously unsure of what the difference between the two was; this example uses both and explains the differences between the two. Briefly put, `cheri_address_set` takes two capabilities as arguments and returns a new capability with the metadata of the first arg and the address of the second. `cheri_cap_build` takes a capability and a `uintcap_t` — some bits to interpret as a capability, but not actually a capability — and returns a new capability constructed from the bits of the second (`uintcap_t`) argument, which is valid if and only if it is no more permissive than the first (cap) argument. There's a little more detail, but that's a summary. For more, there are a couple of useful comments on github: - capablevms#92 (comment) - capablevms#39 (comment)
probablytom
force-pushed
the
example_cheri_cap_build
branch
from
a3d1d11 to
e156027
Compare
|
Squashed. |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
cheri_cap_buildandcheri_address_setare similar, but not quite the same. We were previously unsure of what the difference between the two was; this example uses both and explains the differences between the two.It's pretty explicit about what's going on and prints detailled messages describing the capabilities it constructs & prints. I figured it'd be useful to have some detail in there so we didn't have to re-parse the code every time we wanted to remember what the difference between the functions is.
Put together mostly by @0152la; I just cut down the program we were using as a scratchpad when figuring this out and tidied it into an example.