riscv-mit / riscv-isa-sim Goto Github PK

Need to:

• add new instructions for dealing with tags directly
• add support to operations which mov/add/manipulate data ensuring the tags are respected (eg add a, b has the appropriate conjunction of tags on the output register)

and handlers in the proxy kernel? / linux?

and presumably end tag enforce as well
"tag supporting executables" will have this instruction

Return address is stored once, but loaded twice. Second load does not have correct tag.

store-tag

• build linux appropriately
• boot built linux in spike
• document process on wiki

Hi,

I've been trying to add a new instruction to spike and to gcc. For now, I've added it to riscv-opcodes successfully, added the correct header file to spike, ran make install in riscv-opcodes and the headers get created and copied to the right place (for gcc, binutils and spike). However, after all this and rebuilding gcc, it still does not recognize the instruction in my code. I've been using inline assembler and it works with an existing instruction (I've used add), but somehow gcc does not recognize it although the masks are defined.

It's a bit difficult to provide a working example, but maybe you have an idea, anyway. What's the process of creating an instruction and getting gcc to recognize it?

Thanks!

linux/setup_disk.sh used to take a folder that would be copied as an argument...now, what are the arguments controlling? I get an error when running without any arguments.
perhaps a usage message would be in order here (one for linux/run_in_spike_linux.sh as well).

See mmu.{h,cc}

Ensure that if a user program executes the tagenforce instruction on startup, tag enforcement will occur, but otherwise will not. There is no way for the program to exit this mode. This may require blessing the existing return address depending on when it is executed (if executed near the beginning of main(), it may be needed).

A simpler way of controlling tag enforcement behavior could be to have it on for ALL user-level programs (on at start), and have scall/sret toggle its behavior, but this may be too extreme.

Implementing the first suggestion requires changes to the Linux kernel, and could take some time.

To generate

• the ISA extension instructions enforcing policy
• the "tag file" for an executable

It seems we're going to have to have gettag to complement settag. The kernel is going to need it for COW pages as well as suspending a process to disk / swapping out pages to a swap file. (Feel free to argue that we don't need it though...)

Maybe we want to not make a new instruction, but implement by having settag optionally reading from a register?

(this should really be In riscv-gnu-toolchain but this repo has all the issues at the moment it seems)

• get wrapper functions for malloc() and free() finished so that we can play around with temporal tags

See ROP defender paper: https://www.trust.cased.de/fileadmin/user_upload/Group_TRUST/PubsPDF/ropdefender.pdf

(Class 1) A called function does not return, i.e., the control is transferred out of the function before its return instruction has been reached

• cases: setjmp/longjmp

(Class 2) A function is invoked without explicitly using a call instruction.

• cases: unix signals, lazy binding

(Class 3) A different return address is computed while the function is running

• c++ exceptions

probably most difficult task so far

Selectively enabling our tags only for the userspace program, ensure that we can successfully run all of the programs here:
https://github.com/riscv-mit/riscv-isa-sim/tree/tags/rop-defender-tests

Some will work on the proxy kernel but others will need full Linux; we might as well go full Linux anyways as we need to make the changes to full libc not just the stripped-down newlib. Also, we can use the CHERI FreeBSD as a reference. For instance this is how they handle setjmp: https://github.com/CTSRD-CHERI/cheribsd/commits/master/include/setjmp.h