Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes and improvements to secgate macros and upcalls #170

Merged
merged 19 commits into from
Mar 15, 2024
Merged

Fixes and improvements to secgate macros and upcalls #170

merged 19 commits into from
Mar 15, 2024

Conversation

dbittman
Copy link
Contributor

@dbittman dbittman commented Feb 9, 2024

This PR fixes a number of issues with upcalls and sec gates.

  • Fix resume-from-upcall in-kernel
  • Update upcall structs and configuration
  • Move thread-spawn functionality into monitor
  • Add support for basic compartmentalization in dynlink and monitor
  • Add support for per-compartment TLS management
  • Add support for gate call info to secure gates
  • Allow secure gates with no arguments
  • Add monitor-api crate for managing the connection between runtime and monitor (this is slightly complex, as it needs to break a circular dependency)

@dbittman dbittman added enhancement New feature or request kernel Internal kernel issues labels Feb 9, 2024
@dbittman dbittman self-assigned this Feb 9, 2024
@dbittman dbittman force-pushed the dbittman-secgate-cut1 branch from f6c3022 to aab885c Compare February 9, 2024 22:13
@dbittman dbittman marked this pull request as ready for review February 9, 2024 23:00
@dbittman dbittman requested a review from gvnn3 as a code owner February 9, 2024 23:00
@dbittman dbittman requested review from PandaZ3D and gvnn3 and removed request for gvnn3 February 9, 2024 23:00
PandaZ3D
PandaZ3D requested changes Feb 23, 2024
View reviewed changes
Copy link
Contributor

@PandaZ3D PandaZ3D left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I mostly have questions.

src/runtime/dynlink/src/compartment/tls.rs
@@ -44,18 +50,17 @@ impl<Backing: BackingData> Compartment<Backing> {
let alloc_layout = tls_info
.allocation_layout::<T>()
.map_err(DynlinkErrorKind::from)?;
let base = alloc(alloc_layout).ok_or_else(|| DynlinkErrorKind::FailedToAllocate {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know the RFC mentions this, but can we add a comment saying that the the idea here is that each compartment has its own copy of std so using alloc directly here is ok?

src/runtime/monitor/src/compartment.rs
object::{MAX_SIZE, NULLPAGE_SIZE},
syscall::{sys_object_create, BackingType, LifetimeType, ObjectCreate, ObjectCreateFlags},
};
use twizzler_object::ObjID;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where should ObjID come from? twizzler_object, twizzler_abi, or twizzler_runtime_api?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to merge these types in a future PR, I'll open an issue

src/runtime/monitor/src/compartment.rs
let temp = Box::new(TlsTemplateInfo::from(template_info));
let temp = Box::leak(temp);
let cc = comp
.monitor_new(SharedCompConfig::new(sctx_id, temp))
Copy link
Contributor

@PandaZ3D PandaZ3D Feb 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do the addresses in the TLS template info make sense for SharedCompConfig? Wouldn't they be different for the monitor and the compartment since the same alloc obj would be mapped to different slots?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, the box::new here is wrong, but the addresses in the tls template get rebased over to the compartment when it loads the template into a new tls region for a new thread. See TlsTemplateInfo::init_new_tls_region.

I have fixed the Box::new issue in a future upcoming patch, since it doesn't matter yet in this PR (none of it is secure anyway)

src/runtime/dynlink/src/library.rs
@@ -29,10 +29,6 @@ pub trait BackingData: Clone {
/// region is valid.
fn data(&self) -> (*mut u8, usize);

/// Make a new backing data for holding allocated data for the dynamic linker.
fn new_data() -> Result<Self, DynlinkError>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What was the reason for removing new data? Is this related to the use of alloc directly?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, different design for dealing with allocating objects within a compartment.

PandaZ3D
PandaZ3D approved these changes Feb 24, 2024
View reviewed changes
Copy link
Contributor

@PandaZ3D PandaZ3D left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dbittman dbittman merged commit 68aee81 into main Mar 15, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PandaZ3D PandaZ3D PandaZ3D approved these changes

@gvnn3 gvnn3 Awaiting requested review from gvnn3 gvnn3 is a code owner

Assignees

@dbittman dbittman

Labels
enhancement New feature or request kernel Internal kernel issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dbittman @PandaZ3D @blaster23