143 lines
7.0 KiB
C
143 lines
7.0 KiB
C
/*
|
|
* Copyright (C) 2015-2016, Intel Corporation. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the copyright holder nor the names of its
|
|
* contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef CPU_X86_MM_SYSCALLS_H_
|
|
#define CPU_X86_MM_SYSCALLS_H_
|
|
|
|
#include "helpers.h"
|
|
#include "prot-domains.h"
|
|
#include <stdbool.h>
|
|
|
|
typedef uint32_t dom_id_bitmap_t;
|
|
|
|
typedef struct syscalls_entrypoint {
|
|
uintptr_t entrypoint;
|
|
dom_id_bitmap_t doms;
|
|
} syscalls_entrypoint_t;
|
|
extern syscalls_entrypoint_t ATTR_KERN_ADDR_SPACE syscalls_entrypoints[];
|
|
extern syscalls_entrypoint_t ATTR_KERN_ADDR_SPACE syscalls_entrypoints_end[];
|
|
|
|
#define SYSCALLS_ACTUAL_CNT (syscalls_entrypoints_end - syscalls_entrypoints)
|
|
|
|
#if X86_CONF_PROT_DOMAINS != X86_CONF_PROT_DOMAINS__NONE
|
|
|
|
#define SYSCALLS_ALLOC_ENTRYPOINT(nm) \
|
|
syscalls_entrypoint_t __attribute__((section(".syscall_bss"))) \
|
|
ATTR_KERN_ADDR_SPACE _syscall_ent_##nm
|
|
|
|
#define SYSCALLS_INIT(nm) \
|
|
KERN_WRITEL(_syscall_ent_##nm.entrypoint, (uintptr_t)_syscall_##nm); \
|
|
KERN_WRITEL(_syscall_ent_##nm.doms, 0)
|
|
|
|
#define SYSCALLS_DEFINE(nm, ...) \
|
|
void _syscall_##nm(__VA_ARGS__); \
|
|
SYSCALLS_STUB(nm); \
|
|
void _syscall_##nm(__VA_ARGS__)
|
|
|
|
#define SYSCALLS_DEFINE_SINGLETON(nm, dcd, ...) \
|
|
void _syscall_##nm(__VA_ARGS__); \
|
|
SYSCALLS_STUB_SINGLETON(nm, dcd); \
|
|
void _syscall_##nm(__VA_ARGS__)
|
|
|
|
#define SYSCALLS_AUTHZ_UPD(nm, drv, set) \
|
|
{ \
|
|
dom_id_t _sc_tmp_id; \
|
|
dom_id_bitmap_t _sc_tmp_bm; \
|
|
KERN_READL(_sc_tmp_id, (drv).dom_id); \
|
|
KERN_READL(_sc_tmp_bm, _syscall_ent_##nm.doms); \
|
|
if(set) { \
|
|
_sc_tmp_bm |= BIT(_sc_tmp_id); \
|
|
} else { \
|
|
_sc_tmp_bm &= ~BIT(_sc_tmp_id); \
|
|
} \
|
|
KERN_WRITEL(_syscall_ent_##nm.doms, _sc_tmp_bm); \
|
|
}
|
|
|
|
/**
|
|
* Check that any untrusted pointer that could have been influenced by a caller
|
|
* (i.e. a stack parameter or global variable) refers to a location at or above
|
|
* a certain stack boundary and halt otherwise. This is used to prevent a
|
|
* protection domain from calling a different protection domain and passing a
|
|
* pointer that references a location in the callee's stack other than its
|
|
* parameters.
|
|
*
|
|
* This also checks that the pointer is either within the stack region or the
|
|
* shared data region, which is important for preventing redirection of data
|
|
* accesses to MMIO or metadata regions. This check is omitted for multi-
|
|
* segment protection domain implementations, since the segment settings
|
|
* already enforce this property for pointers dereferenced in DS. Pointers
|
|
* that can be influenced by a caller should not be dereferenced in any other
|
|
* segment.
|
|
*
|
|
* The pointer is both validated and copied to a new storage location, which
|
|
* must be within the callee's local stack region (excluding the parameter
|
|
* region). This is to mitigate scenarios such as two pointers being validated
|
|
* and an adversary later inducing a write through one of the pointers to the
|
|
* other pointer to corrupt the latter pointer before it is used.
|
|
*
|
|
* The frame address is adjusted to account for the first word pushed on the
|
|
* local frame and the return address, since neither of those should ever be
|
|
* referenced by an incoming pointer. In particular, if an incoming pointer
|
|
* references the return address, it could potentially redirect execution with
|
|
* the privileges of the callee protection domain.
|
|
*/
|
|
#if X86_CONF_PROT_DOMAINS_MULTI_SEG
|
|
#define PROT_DOMAINS_VALIDATE_PTR(validated, untrusted, sz) \
|
|
validated = untrusted; \
|
|
if(((uintptr_t)(validated)) < \
|
|
((2 * sizeof(uintptr_t)) + (uintptr_t)__builtin_frame_address(0))) { \
|
|
halt(); \
|
|
}
|
|
#else
|
|
#define PROT_DOMAINS_VALIDATE_PTR(validated, untrusted, sz) \
|
|
validated = untrusted; \
|
|
if((((uintptr_t)(validated)) < \
|
|
((2 * sizeof(uintptr_t)) + (uintptr_t)__builtin_frame_address(0))) || \
|
|
(((uintptr_t)&_edata_addr) <= (((uintptr_t)(validated)) + (sz)))) { \
|
|
halt(); \
|
|
}
|
|
#endif
|
|
|
|
#else
|
|
|
|
#define SYSCALLS_ALLOC_ENTRYPOINT(nm)
|
|
#define SYSCALLS_INIT(nm)
|
|
#define SYSCALLS_DEFINE(nm, ...) void nm(__VA_ARGS__)
|
|
#define SYSCALLS_DEFINE_SINGLETON(nm, dcd, ...) void nm(__VA_ARGS__)
|
|
#define SYSCALLS_AUTHZ_UPD(nm, drv, set)
|
|
#define PROT_DOMAINS_VALIDATE_PTR(validated, untrusted, sz) validated = untrusted
|
|
|
|
#endif
|
|
|
|
#define SYSCALLS_AUTHZ(nm, drv) SYSCALLS_AUTHZ_UPD(nm, drv, true)
|
|
#define SYSCALLS_DEAUTHZ(nm, drv) SYSCALLS_AUTHZ_UPD(nm, drv, false)
|
|
|
|
#endif /* CPU_X86_MM_SYSCALLS_H_ */
|