Details

Reviewers

kib
markj
jhb
jrtc27

Group Reviewers

cheri

Summary

Add kernel-only provenance-discarding memcpy_data and
memmove_data APIs intended to copy raw data which does not contain
pointers (e.g., buffers on their way to or from network or storage
devices). On CHERI architectures, they will explicitly remove tags
from capabilities, removing any provenance. This reduces the risk of
accidental spread of pointers on CHERI system.

This includes a simple C implementation for CHERI targets.

Effort: CHERI upstreaming
Sponsored by: DARPA, AFRL, Innovate UK

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 74236
Build 71119: arc lint + arc unit

Event Timeline

brooks created this revision.Fri, Jun 19, 2:12 PM

Herald added subscribers: ziaee, imp. · View Herald TranscriptFri, Jun 19, 2:12 PM

brooks requested review of this revision.Fri, Jun 19, 2:12 PM

Harbormaster completed remote builds in B73997: Diff 180057.Fri, Jun 19, 2:12 PM

Herald added a reviewer: cheri. · View Herald TranscriptFri, Jun 19, 2:12 PM

Herald added a reviewer: cheri. · View Herald Transcript

brooks added a parent revision: D57661: Add kernel manpages for bcopy, memcpy, and memmove.Fri, Jun 19, 2:12 PM

brooks added a child revision: D57663: CHERI: declare copy{in,out}ptr{,_nofault}.

ziaee added inline comments.Fri, Jun 19, 3:35 PM

share/man/man9/memcpy.9
94	typo

Fix typo

Harbormaster completed remote builds in B74011: Diff 180075.Fri, Jun 19, 5:23 PM

brooks marked an inline comment as done.Fri, Jun 19, 5:23 PM

emaste added a subscriber: emaste.Fri, Jun 19, 5:24 PM

emaste added inline comments.

sys/sys/systm.h
295	How widely used is bcopy_data in CHERI? Is it reasonable to move those to memmove_data (possibly moving to memmove first in FreeBSD)? It seems slightly unfortunate to make a new version of a legacy/obsolete interface.

brooks added inline comments.Fri, Jun 19, 5:40 PM

sys/sys/systm.h
295	None of these are widely used. memmove_data is currently completely unused except to implement bcopy_data. I actually think most (or even all) could be memcpy_data (I don't think any of these overlap). The one slightly perverse argument for bcopy_data is that it's safely outside the reserved mem* namespace.

brooks added inline comments.Fri, Jun 19, 6:51 PM

sys/sys/systm.h
295	I'll make the s/bcopy/memcpy changes and do some consolidation along the way.

Rebase after removing references to strings in base manpages

Harbormaster completed remote builds in B74025: Diff 180095.Fri, Jun 19, 7:27 PM

Drop bcopy_data

Harbormaster completed remote builds in B74061: Diff 180170.Sat, Jun 20, 3:43 PM

brooks retitled this revision from CHERI: add mem{cpy,move}_data and bcopy_data to CHERI: add mem{cpy,move}_data.Sat, Jun 20, 5:07 PM

brooks edited the summary of this revision. (Show Details)

adrian added a subscriber: adrian.Mon, Jun 22, 5:08 PM

adrian added inline comments.

share/man/man9/memcpy.9
63	where is "pointer provenance" defined?

Link manpages to the description of pointer provenacne in arch(7)

Harbormaster completed remote builds in B74194: Diff 180517.Wed, Jun 24, 10:08 AM

brooks marked an inline comment as done.Wed, Jun 24, 10:09 AM

brooks added inline comments.

share/man/man9/memcpy.9
63	Now linked to a discussion in arch(7).

brooks added a parent revision: D57812: memory_model(7): create and document pointer provenance.Wed, Jun 24, 10:10 AM

markj added inline comments.Wed, Jun 24, 2:52 PM

share/man/man9/memmove.9
36–37
59
sys/libkern/bcopy.c
66	Do you not get a warning about `keeptags` being unused in non-CHERI kernels?
161
170

emaste added inline comments.Wed, Jun 24, 6:56 PM

share/man/man9/memcpy.9
53–55
63	Given our explicit decision of making this the non-default case, do we want to make this read a bit more in an active sense -- something along the lines of "discards" rather than "does not preserve"? "Discards pointer provenance" is not quite right though. In a CHERI sense we could maybe use "discards capability validity." Anyway, a suggestion if you can find a good way to express this, otherwise we can leave it until CHERI-specific content starts getting added.
share/man/man9/memmove.9
60	Same comment as above

Address feedback, switch references to memory_model.7

Harbormaster completed remote builds in B74236: Diff 180608.Thu, Jun 25, 10:22 AM

brooks added inline comments.Thu, Jun 25, 10:22 AM

share/man/man9/memcpy.9
63	I've added some more active CHERI-specific content. In the non-CHERI case it's probably best to be somewhat passive here since it's literally a no-op today.
sys/libkern/bcopy.c
66	I've added a __maybe_unused.

brooks marked an inline comment as done.Thu, Jun 25, 12:26 PM

emaste added inline comments.Thu, Jun 25, 12:34 PM

share/man/man9/memcpy.9
66

fix typo

Harbormaster completed remote builds in B74249: Diff 180622.Thu, Jun 25, 3:17 PM

brooks marked an inline comment as done.Thu, Jun 25, 3:17 PM

CHERI: add mem{cpy,move}_data
Needs ReviewPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 180608

share/man/man9/Makefile

share/man/man9/bcopy.9

share/man/man9/memcpy.9

share/man/man9/memmove.9

sys/libkern/bcopy.c

sys/sys/systm.h

CHERI: add mem{cpy,move}_dataNeeds ReviewPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 180608

share/man/man9/Makefile

share/man/man9/bcopy.9

share/man/man9/memcpy.9

share/man/man9/memmove.9

sys/libkern/bcopy.c

sys/sys/systm.h

CHERI: add mem{cpy,move}_data
Needs ReviewPublic
Actions

Revision Contents
Changeset List