c18n: Compartment switch tracing & counting for CHERI-RISC-V

dpgao · dpgao · commit def568997942 · 2025-02-02T20:42:26.000Z
diff --git a/libexec/rtld-elf/aarch64/rtld_c18n_asm.S b/libexec/rtld-elf/aarch64/rtld_c18n_asm.S
@@ -217,7 +217,6 @@ ENTRY(tramp_hook)
 
 	mov	c0, c10
 	mov	c1, c11
-	mrs	c2, TRUSTED_STACK
 	bl	tramp_hook_impl
 
 	restore_arguments
diff --git a/libexec/rtld-elf/riscv/rtld_c18n_asm.S b/libexec/rtld-elf/riscv/rtld_c18n_asm.S
@@ -166,6 +166,30 @@ ENTRY(create_untrusted_stk)
 	cjr		cs8
 END(create_untrusted_stk)
 
+/*
+ * The tramp_hook function has non-standard ABI and is only called by
+ * trampolines to trace compartment transitions.
+ */
+ENTRY(tramp_hook)
+	/*
+	 * NON-STANDARD CALLING CONVENTION
+	 *
+	 * ct0-ct1 hold the first two arguments of tramp_hook.
+	 *
+	 * All argument registers and callee-saved registers must be preserved.
+	 */
+
+	save_arguments
+
+	cmove		ca0, ct0
+	cmove		ca1, ct1
+	cjal		tramp_hook_impl
+
+	restore_arguments
+
+	cret
+END(tramp_hook)
+
 /*
  * The trampoline templates are assembly code sequences used to construct
  * trampolines by tramp_compile. They are code but reside in rodata. Hence a new
@@ -322,7 +346,25 @@ TRAMP(tramp_push_frame)
 	 * Save the the compartment ID of the caller.
 	 */
 	csw		t4, (-CLEN_BYTES * TRUSTED_FRAME_SIZE + TRUSTED_FRAME_CALLER)(TRUSTED_STACK_C)
+TRAMPEND(tramp_push_frame)
+
+PATCH_POINT(tramp_push_frame, pcc, 1b)
+PATCH_POINT(tramp_push_frame, unsealer, 2b)
+PATCH_POINT(tramp_push_frame, cid, 3b)
+PATCH_POINT(tramp_push_frame, target, 5b)
+
+TRAMP(tramp_count_entry)
+.option push
+.option norvc
+1:	clc		cs6, 0(ct0)		/* To be patched at runtime */
+.option pop
+	li		s7, 1
+	camoadd.d	x0, s7, (cs6)
+TRAMPEND(tramp_count_entry)
+
+PATCH_POINT(tramp_count_entry, counter, 1b)
 
+TRAMP(tramp_push_frame_2)
 	/*
 	 * Get the landing address.
 	 */
@@ -373,14 +415,27 @@ TRAMP(tramp_push_frame)
 	 * trusted frame would be inconsistent with the untrusted stack.
 	 */
 	set_untrusted_stk	cs5
-TRAMPEND(tramp_push_frame)
+TRAMPEND(tramp_push_frame_2)
 
-PATCH_POINT(tramp_push_frame, pcc, 1b)
-PATCH_POINT(tramp_push_frame, unsealer, 2b)
-PATCH_POINT(tramp_push_frame, cid, 3b)
-PATCH_POINT(tramp_push_frame, target, 5b)
-PATCH_POINT(tramp_push_frame, landing, 7b)
-PATCH_POINT(tramp_push_frame, n_rets, 10b)
+PATCH_POINT(tramp_push_frame_2, landing, 7b)
+PATCH_POINT(tramp_push_frame_2, n_rets, 10b)
+
+TRAMP(tramp_call_hook)
+1:	auipcc		ct1, 0
+.option push
+.option norvc
+2:	clc		cra, 0(ct1)		/* To be patched at runtime */
+
+3:	addi		t0, x0, 0		/* To be patched at runtime */
+4:	cincoffsetimm	ct1, ct1, 0		/* To be patched at runtime */
+.option pop
+	cjalr		cra, cra
+TRAMPEND(tramp_call_hook)
+
+PATCH_POINT(tramp_call_hook, pcc, 1b)
+PATCH_POINT(tramp_call_hook, function, 2b)
+PATCH_POINT(tramp_call_hook, event, 3b)
+PATCH_POINT(tramp_call_hook, header, 4b)
 
 /*
  * Save the address of the current frame to fp so that unwinders can locate it.
@@ -427,6 +482,10 @@ TRAMP(tramp_invoke)
 	cjalr		cra, cs4
 TRAMPEND(tramp_invoke)
 
+TRAMP(tramp_count_return)
+	camoadd.d	x0, s7, (cs6)
+TRAMPEND(tramp_count_return)
+
 TRAMP(tramp_pop_frame)
 1:	auipcc		ct4, 0
 	/*
diff --git a/libexec/rtld-elf/riscv/rtld_c18n_machdep.c b/libexec/rtld-elf/riscv/rtld_c18n_machdep.c
@@ -38,6 +38,7 @@
 #include "rtld.h"
 #include "rtld_c18n.h"
 #include "rtld_libc.h"
+#include "rtld_utrace.h"
 
 /*
  * Trampolines
@@ -50,15 +51,23 @@ tramp_compile(char **entry, const struct tramp_data *data)
 	extern const size_t size_tramp_##template
 
 	IMPORT(push_frame);
+	IMPORT(count_entry);
+	IMPORT(push_frame_2);
+	IMPORT(call_hook);
 	IMPORT(update_fp);
 	IMPORT(update_fp_untagged);
 	IMPORT(clear_args);
 	IMPORT(invoke);
+	IMPORT(count_return);
 	IMPORT(pop_frame);
 
 	size_t size = 0;
 	char *buf = *entry;
+	size_t count_off, hook_off, hook_pcc_off, header_off;
 	size_t sealer_off, target_off, pcc_off, landing_off, unused_regs;
+	bool count = ld_compartment_switch_count != NULL;
+	bool hook = ld_compartment_utrace != NULL ||
+	    ld_compartment_overhead != NULL;
 
 #define	COPY_VALUE(val)	({				\
 	size_t _old_size = size;			\
@@ -103,6 +112,12 @@ tramp_compile(char **entry, const struct tramp_data *data)
 		*PATCH_INS(PATCH_OFF(tramp, name)) |= _value;		\
 	} while (0)
 
+	if (count)
+		count_off = COPY_VALUE(&c18n_stats->rcs_switch);
+
+	if (hook)
+		hook_off = COPY_VALUE(&tramp_hook);
+
 	sealer_off = COPY_VALUE(sealer_tidc);
 
 	*(struct tramp_header *)(buf + size) = (struct tramp_header) {
@@ -112,6 +127,7 @@ tramp_compile(char **entry, const struct tramp_data *data)
 		    0 : data->def - data->defobj->symtab,
 		.sig = data->sig
 	};
+	header_off = size;
 	target_off = size + offsetof(struct tramp_header, target);
 	*entry = buf + size;
 	size += offsetof(struct tramp_header, entry);
@@ -122,17 +138,32 @@ tramp_compile(char **entry, const struct tramp_data *data)
 	PATCH_I_TYPE(push_frame, cid,
 	    cid_to_index(data->defobj->compart_id).val);
 	PATCH_I_TYPE(push_frame, target, target_off - pcc_off);
-	landing_off = PATCH_OFF(push_frame, landing);
+
+	if (count) {
+		COPY(count_entry);
+		PATCH_I_TYPE(count_entry, counter, count_off - pcc_off);
+	}
+
+	COPY(push_frame_2);
+	landing_off = PATCH_OFF(push_frame_2, landing);
 	/*
 	 * The number of return value registers is encoded as follows:
 	 * - TWO:	0b00
 	 * - ONE:	0b01
 	 * - NONE:	0b10
 	 * - INDIRECT:	0b11
 	 */
-	PATCH_I_TYPE(push_frame, n_rets,
+	PATCH_I_TYPE(push_frame_2, n_rets,
 	    data->sig.valid ? data->sig.ret_args : 0);
 
+	if (hook) {
+		COPY(call_hook);
+		hook_pcc_off = PATCH_OFF(call_hook, pcc);
+		PATCH_I_TYPE(call_hook, function, hook_off - hook_pcc_off);
+		PATCH_I_TYPE(call_hook, event, UTRACE_COMPARTMENT_ENTER);
+		PATCH_I_TYPE(call_hook, header, header_off - hook_pcc_off);
+	}
+
 	if (ld_compartment_unwind != NULL)
 		COPY(update_fp);
 	else
@@ -148,6 +179,17 @@ tramp_compile(char **entry, const struct tramp_data *data)
 	COPY(invoke);
 	PATCH_LANDING(landing_off, size - pcc_off);
 
+	if (count)
+		COPY(count_return);
+
+	if (hook) {
+		COPY(call_hook);
+		hook_pcc_off = PATCH_OFF(call_hook, pcc);
+		PATCH_I_TYPE(call_hook, function, hook_off - hook_pcc_off);
+		PATCH_I_TYPE(call_hook, event, UTRACE_COMPARTMENT_LEAVE);
+		PATCH_I_TYPE(call_hook, header, header_off - hook_pcc_off);
+	}
+
 	COPY(pop_frame);
 	pcc_off = PATCH_OFF(pop_frame, pcc);
 	PATCH_I_TYPE(pop_frame, unsealer, sealer_off - pcc_off);
diff --git a/libexec/rtld-elf/rtld_c18n.c b/libexec/rtld-elf/rtld_c18n.c
@@ -1348,16 +1348,16 @@ resize_table(int exp)
 }
 
 void
-tramp_hook_impl(int, const struct tramp_header *, const struct trusted_frame *);
+tramp_hook_impl(int, const struct tramp_header *);
 
 void
-tramp_hook_impl(int event, const struct tramp_header *hdr,
-    const struct trusted_frame *tf)
+tramp_hook_impl(int event, const struct tramp_header *hdr)
 {
 	const char *sym;
 	const char *callee;
 	const char *caller;
 	struct utrace_c18n ut;
+	const struct trusted_frame *tf = get_trusted_stk();
 
 	if (ld_compartment_utrace != NULL) {
 		if (hdr->symnum == 0)
