drew/acadia
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases Packages Wiki Activity Actions

[Zion] Add the ability to pass capabilities via endpoint call.

Browse source
This commit is contained in:
Drew Galbraith 2023-10-24 23:32:05 -07:00
parent 5b781bb394
commit b516087922
18 changed files with 218 additions and 131 deletions
Download patch file Download diff file Expand all files Collapse all files

1
zion/TODO.md
View file

@ -39,6 +39,7 @@
- Add syscalls for inspecting capabilities.
- Randomize/obfuscate capability numbers passed to user space.
- Remove ReplyPort capabilities once the response is sent.
## Scheduling

91
zion/include/zcall.h
View file

@ -2,90 +2,9 @@
#include <stdint.h>
#include "zcall_macros.h"
#include "ztypes.h"
#define SYS0(name) \
struct Z##name##Req {}; \
[[nodiscard]] inline z_err_t Z##name() { \
Z##name##Req req{}; \
return SysCall1(kZion##name, &req); \
}
#define SYS1(name, t1, a1) \
struct Z##name##Req { \
t1 a1; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1) { \
Z##name##Req req{ \
.a1 = a1, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS2(name, t1, a1, t2, a2) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS3(name, t1, a1, t2, a2, t3, a3) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS4(name, t1, a1, t2, a2, t3, a3, t4, a4) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
t4 a4; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3, t4 a4) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
.a4 = a4, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS5(name, t1, a1, t2, a2, t3, a3, t4, a4, t5, a5) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
t4 a4; \
t5 a5; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
.a4 = a4, \
.a5 = a5, \
}; \
return SysCall1(kZion##name, &req); \
}
z_err_t SysCall1(uint64_t code, const void* req);
SYS1(ProcessExit, uint64_t, code);
@ -127,10 +46,10 @@ SYS5(PortPoll, z_cap_t, port_cap, uint64_t*, num_bytes, void*, data, uint64_t*,
SYS2(IrqRegister, uint64_t, irq_num, z_cap_t*, port_cap);
SYS1(EndpointCreate, z_cap_t*, endpoint_cap);
SYS4(EndpointSend, z_cap_t, endpoint_cap, uint64_t, num_bytes, const void*,
data, z_cap_t*, reply_port_cap);
SYS4(EndpointRecv, z_cap_t, endpoint_cap, uint64_t*, num_bytes, void*, data,
z_cap_t*, reply_port_cap);
SYS6(EndpointSend, z_cap_t, endpoint_cap, uint64_t, num_bytes, const void*,
data, uint64_t, num_caps, const z_cap_t*, caps, z_cap_t*, reply_port_cap);
SYS6(EndpointRecv, z_cap_t, endpoint_cap, uint64_t*, num_bytes, void*, data,
uint64_t*, num_caps, z_cap_t*, caps, z_cap_t*, reply_port_cap);
SYS5(ReplyPortSend, z_cap_t, reply_port_cap, uint64_t, num_bytes, const void*,
data, uint64_t, num_caps, z_cap_t*, caps);
SYS5(ReplyPortRecv, z_cap_t, reply_port_cap, uint64_t*, num_bytes, void*, data,

104
zion/include/zcall_macros.h Normal file
View file

@ -0,0 +1,104 @@
#pragma once
#define SYS0(name) \
struct Z##name##Req {}; \
[[nodiscard]] inline z_err_t Z##name() { \
Z##name##Req req{}; \
return SysCall1(kZion##name, &req); \
}
#define SYS1(name, t1, a1) \
struct Z##name##Req { \
t1 a1; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1) { \
Z##name##Req req{ \
.a1 = a1, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS2(name, t1, a1, t2, a2) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS3(name, t1, a1, t2, a2, t3, a3) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS4(name, t1, a1, t2, a2, t3, a3, t4, a4) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
t4 a4; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3, t4 a4) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
.a4 = a4, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS5(name, t1, a1, t2, a2, t3, a3, t4, a4, t5, a5) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
t4 a4; \
t5 a5; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
.a4 = a4, \
.a5 = a5, \
}; \
return SysCall1(kZion##name, &req); \
}
#define SYS6(name, t1, a1, t2, a2, t3, a3, t4, a4, t5, a5, t6, a6) \
struct Z##name##Req { \
t1 a1; \
t2 a2; \
t3 a3; \
t4 a4; \
t5 a5; \
t6 a6; \
}; \
[[nodiscard]] inline z_err_t Z##name(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, \
t6 a6) { \
Z##name##Req req{ \
.a1 = a1, \
.a2 = a2, \
.a3 = a3, \
.a4 = a4, \
.a5 = a5, \
.a6 = a6, \
}; \
return SysCall1(kZion##name, &req); \
}

2
zion/include/ztypes.h
View file

@ -63,6 +63,8 @@ const uint64_t kZionDebug = 0x1'0000;
typedef uint64_t z_cap_t;
const uint64_t kZionInvalidCapability = 0x0;
// General Capability Permissions
const uint64_t kZionPerm_Write = 0x1;
const uint64_t kZionPerm_Read = 0x2;

40
zion/lib/message_queue.cpp
View file

@ -4,8 +4,8 @@
#include "scheduler/scheduler.h"
z_err_t UnboundedMessageQueue::PushBack(uint64_t num_bytes, const void* bytes,
uint64_t num_caps,
const z_cap_t* caps) {
uint64_t num_caps, const z_cap_t* caps,
z_cap_t reply_cap) {
if (num_bytes > 0x1000) {
dbgln("Large message size unimplemented: %x", num_bytes);
return glcr::UNIMPLEMENTED;
@ -18,6 +18,12 @@ z_err_t UnboundedMessageQueue::PushBack(uint64_t num_bytes, const void* bytes,
message->bytes[i] = static_cast<const uint8_t*>(bytes)[i];
}
if (reply_cap != kZionInvalidCapability) {
// FIXME: We're just trusting that capability has the correct permissions.
message->reply_cap =
gScheduler->CurrentProcess().ReleaseCapability(reply_cap);
}
for (uint64_t i = 0; i < num_caps; i++) {
// FIXME: This would feel safer closer to the relevant syscall.
// FIXME: Race conditions on get->check->release here. Would be better to
@ -46,7 +52,8 @@ z_err_t UnboundedMessageQueue::PushBack(uint64_t num_bytes, const void* bytes,
}
z_err_t UnboundedMessageQueue::PopFront(uint64_t* num_bytes, void* bytes,
uint64_t* num_caps, z_cap_t* caps) {
uint64_t* num_caps, z_cap_t* caps,
z_cap_t* reply_cap) {
mutex_.Lock();
while (pending_messages_.empty()) {
auto thread = gScheduler->CurrentThread();
@ -75,8 +82,16 @@ z_err_t UnboundedMessageQueue::PopFront(uint64_t* num_bytes, void* bytes,
static_cast<uint8_t*>(bytes)[i] = next_msg->bytes[i];
}
*num_caps = next_msg->caps.size();
auto& proc = gScheduler->CurrentProcess();
if (reply_cap != nullptr) {
if (!next_msg->reply_cap) {
dbgln("Tried to read reply capability off of a message without one");
return glcr::INTERNAL;
}
*reply_cap = proc.AddExistingCapability(next_msg->reply_cap);
}
*num_caps = next_msg->caps.size();
for (uint64_t i = 0; i < *num_caps; i++) {
caps[i] = proc.AddExistingCapability(next_msg->caps.PopFront());
}
@ -102,7 +117,8 @@ void UnboundedMessageQueue::WriteKernel(uint64_t init,
glcr::ErrorCode SingleMessageQueue::PushBack(uint64_t num_bytes,
const void* bytes,
uint64_t num_caps,
const z_cap_t* caps) {
const z_cap_t* caps,
z_cap_t reply_port) {
MutexHolder h(mutex_);
if (has_written_) {
return glcr::FAILED_PRECONDITION;
@ -114,6 +130,11 @@ glcr::ErrorCode SingleMessageQueue::PushBack(uint64_t num_bytes,
bytes_[i] = reinterpret_cast<const uint8_t*>(bytes)[i];
}
if (reply_port != kZionInvalidCapability) {
dbgln("Sent a reply port to a single message queue");
return glcr::INTERNAL;
}
for (uint64_t i = 0; i < num_caps; i++) {
// FIXME: This would feel safer closer to the relevant syscall.
auto cap = gScheduler->CurrentProcess().GetCapability(caps[i]);
@ -139,8 +160,8 @@ glcr::ErrorCode SingleMessageQueue::PushBack(uint64_t num_bytes,
}
glcr::ErrorCode SingleMessageQueue::PopFront(uint64_t* num_bytes, void* bytes,
uint64_t* num_caps,
z_cap_t* caps) {
uint64_t* num_caps, z_cap_t* caps,
z_cap_t* reply_port) {
mutex_.Lock();
while (!has_written_) {
auto thread = gScheduler->CurrentThread();
@ -169,6 +190,11 @@ glcr::ErrorCode SingleMessageQueue::PopFront(uint64_t* num_bytes, void* bytes,
reinterpret_cast<uint8_t*>(bytes)[i] = bytes_[i];
}
if (reply_port != nullptr) {
dbgln("Tried to read a reply port a single message queue");
return glcr::INTERNAL;
}
*num_caps = caps_.size();
auto& proc = gScheduler->CurrentProcess();
for (uint64_t i = 0; i < *num_caps; i++) {

17
zion/lib/message_queue.h
View file

@ -15,9 +15,11 @@ class MessageQueue {
virtual ~MessageQueue() {}
virtual glcr::ErrorCode PushBack(uint64_t num_bytes, const void* bytes,
uint64_t num_caps, const z_cap_t* caps) = 0;
uint64_t num_caps, const z_cap_t* caps,
z_cap_t reply_cap = 0) = 0;
virtual glcr::ErrorCode PopFront(uint64_t* num_bytes, void* bytes,
uint64_t* num_caps, z_cap_t* caps) = 0;
uint64_t* num_caps, z_cap_t* caps,
z_cap_t* reply_cap = nullptr) = 0;
virtual bool empty() = 0;
protected:
@ -35,9 +37,10 @@ class UnboundedMessageQueue : public MessageQueue {
virtual ~UnboundedMessageQueue() override {}
glcr::ErrorCode PushBack(uint64_t num_bytes, const void* bytes,
uint64_t num_caps, const z_cap_t* caps) override;
uint64_t num_caps, const z_cap_t* caps,
z_cap_t reply_cap) override;
glcr::ErrorCode PopFront(uint64_t* num_bytes, void* bytes, uint64_t* num_caps,
z_cap_t* caps) override;
z_cap_t* caps, z_cap_t* reply_cap) override;
void WriteKernel(uint64_t init, glcr::RefPtr<Capability> cap);
@ -52,6 +55,7 @@ class UnboundedMessageQueue : public MessageQueue {
uint8_t* bytes;
glcr::LinkedList<glcr::RefPtr<Capability>> caps;
glcr::RefPtr<Capability> reply_cap;
};
glcr::LinkedList<glcr::SharedPtr<Message>> pending_messages_;
@ -65,9 +69,10 @@ class SingleMessageQueue : public MessageQueue {
virtual ~SingleMessageQueue() override {}
glcr::ErrorCode PushBack(uint64_t num_bytes, const void* bytes,
uint64_t num_caps, const z_cap_t* caps) override;
uint64_t num_caps, const z_cap_t* caps,
z_cap_t reply_cap) override;
glcr::ErrorCode PopFront(uint64_t* num_bytes, void* bytes, uint64_t* num_caps,
z_cap_t* caps) override;
z_cap_t* caps, z_cap_t* reply_cap) override;
bool empty() override {
MutexHolder h(mutex_);

15
zion/object/endpoint.cpp
View file

@ -5,3 +5,18 @@
glcr::RefPtr<Endpoint> Endpoint::Create() {
return glcr::AdoptPtr(new Endpoint);
}
glcr::ErrorCode Endpoint::Send(uint64_t num_bytes, const void* data,
uint64_t num_caps, const z_cap_t* caps,
z_cap_t reply_port_cap) {
auto& message_queue = GetSendMessageQueue();
return message_queue.PushBack(num_bytes, data, num_caps, caps,
reply_port_cap);
}
glcr::ErrorCode Endpoint::Recv(uint64_t* num_bytes, void* data,
uint64_t* num_caps, z_cap_t* caps,
z_cap_t* reply_port_cap) {
auto& message_queue = GetRecvMessageQueue();
return message_queue.PopFront(num_bytes, data, num_caps, caps,
reply_port_cap);
}

7
zion/object/endpoint.h
View file

@ -27,8 +27,11 @@ class Endpoint : public IpcObject {
static glcr::RefPtr<Endpoint> Create();
glcr::ErrorCode Read(uint64_t* num_bytes, void* data,
z_cap_t* reply_port_cap);
// FIXME: These are hacky "almost" overrides that could lead to bugs.
glcr::ErrorCode Send(uint64_t num_bytes, const void* data, uint64_t num_caps,
const z_cap_t* caps, z_cap_t reply_port_cap);
glcr::ErrorCode Recv(uint64_t* num_bytes, void* data, uint64_t* num_caps,
z_cap_t* caps, z_cap_t* reply_port_cap);
virtual MessageQueue& GetSendMessageQueue() override {
return message_queue_;

5
zion/syscall/ipc.cpp
View file

@ -106,7 +106,8 @@ glcr::ErrorCode EndpointSend(ZEndpointSendReq* req) {
*req->reply_port_cap = proc.AddNewCapability(reply_port, kZionPerm_Read);
uint64_t reply_port_cap_to_send =
proc.AddNewCapability(reply_port, kZionPerm_Write | kZionPerm_Transmit);
return endpoint->Send(req->num_bytes, req->data, 1, &reply_port_cap_to_send);
return endpoint->Send(req->num_bytes, req->data, req->num_caps, req->caps,
reply_port_cap_to_send);
}
glcr::ErrorCode EndpointRecv(ZEndpointRecvReq* req) {
@ -117,7 +118,7 @@ glcr::ErrorCode EndpointRecv(ZEndpointRecvReq* req) {
auto endpoint = endpoint_cap->obj<Endpoint>();
uint64_t num_caps = 1;
RET_ERR(endpoint->Recv(req->num_bytes, req->data, &num_caps,
RET_ERR(endpoint->Recv(req->num_bytes, req->data, req->num_caps, req->caps,
req->reply_port_cap));
if (num_caps != 1) {
return glcr::INTERNAL;