c18n: Expose unified unwinding APIs to setjmp/longjmp and libunwind

Previously, libunwind hard-codes knowledge about the layout of the
trusted frame and has read access to the trusted stack. This is fragile
and insecure.

Now, the task of extracting the relevant registers from the trusted
stack is delegated to RTLD, and libunwind no longer has access to the
trusted stack.

The unified unwinding APIs are declared as dl_c18n_* functions in
link.h. setjmp/longjmp have been updated to use them.

lib/libc/aarch64/gen/_setjmp.S

@@ -37,6 +37,13 @@ ENTRY(_setjmp)
 	ldr	x8, .Lmagic
 	mov	REG(9), REGN(sp)
 	stp	REG(8), REG(9), [REG(0)], #(REG_WIDTH * 2)
+#ifdef CHERI_LIB_C18N
+	/* Store the trusted stack pointer */
+	stp	c0, c30, [csp, #-0x20]!
+	bl	dl_c18n_get_trusted_stk
+	ldp	c0, c30, [csp], #0x20
+	add	c0, c0, #REG_WIDTH
+#endif
 
 	/* Store the general purpose registers and lr */
 	stp	REG(19), REG(20), [REG(0)], #(REG_WIDTH * 2)
@@ -55,18 +62,8 @@ ENTRY(_setjmp)
 #endif
 
 	/* Return value */
-#ifdef CHERI_LIB_C18N
-	mov	c1, c0
-#endif
 	mov	x0, #0
-#ifdef CHERI_LIB_C18N
-	/*
-	 * Tail-call to save Executive mode state
-	 */
-	b	_rtld_setjmp
-#else
 	RETURN
-#endif
 	.align	3
 .Lmagic:
 	.quad	_JB_MAGIC__SETJMP
@@ -79,12 +76,26 @@ ENTRY(_longjmp)
 	cmp	x8, x9
 	b.ne	botch
 
+#ifdef CHERI_LIB_C18N
+	/*
+	 * Preserve the arguments in callee-saved registers instead of pushing
+	 * them onto the stack because stack unwinding will switch the stack.
+	 */
+	mov	c19, c0
+	mov	c20, c1
+	/* Pass the target untrusted stack pointer and trusted stack pointer */
+	ldp	c0, c1, [c0]
+	bl	dl_c18n_unwind_trusted_stk
+	mov	c0, c19
+	mov	c1, c20
+#endif
+
 	/* Restore the stack pointer */
 	ldr	REG(8), [REG(0)], #(REG_WIDTH)
-#ifdef CHERI_LIB_C18N
-	mov	c2, c8
-#else
 	mov	REGN(sp), REG(8)
+#ifdef CHERI_LIB_C18N
+	/* Skip the trusted stack pointer */
+	add	c0, c0, #REG_WIDTH
 #endif
 
 	/* Restore the general purpose registers and lr */
@@ -104,19 +115,9 @@ ENTRY(_longjmp)
 #endif
 
 	/* Load the return value */
-#ifdef CHERI_LIB_C18N
-	mov	c3, c0
-#endif
 	cmp	x1, #0
 	csinc	x0, x1, xzr, ne
-#ifdef CHERI_LIB_C18N
-	/*
-	 * Tail-call to restore Executive mode state
-	 */
-	b	_rtld_longjmp
-#else
 	RETURN
-#endif
 
 botch:
 #ifdef _STANDALONE

lib/libc/aarch64/gen/setjmp.S

@@ -32,11 +32,6 @@
 #include <machine/setjmp.h>
 #include <sys/elf_common.h>
 
-#ifdef CHERI_LIB_C18N
-.weak _rtld_setjmp
-.weak _rtld_longjmp
-#endif
-
 ENTRY(setjmp)
 	sub	REGN(sp), REGN(sp), #(REG_WIDTH * 2)
 	stp	REG(0), REGN(lr), [REGN(sp)]
@@ -54,6 +49,13 @@ ENTRY(setjmp)
 	ldr	x8, .Lmagic
 	mov	REG(9), REGN(sp)
 	stp	REG(8), REG(9), [REG(0)], #(REG_WIDTH * 2)
+#ifdef CHERI_LIB_C18N
+	/* Store the trusted stack pointer */
+	stp	c0, c30, [csp, #-0x20]!
+	bl	dl_c18n_get_trusted_stk
+	ldp	c0, c30, [csp], #0x20
+	add	c0, c0, #REG_WIDTH
+#endif
 
 	/* Store the general purpose registers and lr */
 	stp	REG(19), REG(20), [REG(0)], #(REG_WIDTH * 2)
@@ -70,24 +72,28 @@ ENTRY(setjmp)
 	stp	d14, d15, [REG(0)], #16
 
 	/* Return value */
-#ifdef CHERI_LIB_C18N
-	mov	c1, c0
-#endif
 	mov	x0, #0
-#ifdef CHERI_LIB_C18N
-	/*
-	 * Tail-call to save Executive mode state
-	 */
-	b	_rtld_setjmp
-#else
 	RETURN
-#endif
 	.align	3
 .Lmagic:
 	.quad	_JB_MAGIC_SETJMP
 END(setjmp)
 
 ENTRY(longjmp)
+#ifdef CHERI_LIB_C18N
+	/*
+	 * Preserve the arguments in callee-saved registers instead of pushing
+	 * them onto the stack because stack unwinding will switch the stack.
+	 */
+	mov	c19, c0
+	mov	c20, c1
+	/* Pass the target untrusted stack pointer and trusted stack pointer */
+	ldp	c0, c1, [c0, #(REG_WIDTH * 1)]
+	bl	dl_c18n_unwind_trusted_stk
+	mov	c0, c19
+	mov	c1, c20
+#endif
+
 	sub	REGN(sp), REGN(sp), #(REG_WIDTH * 4)
 	stp	REG(0), REGN(lr), [REGN(sp)]
 	str	REG(1), [REGN(sp), #(REG_WIDTH * 2)]
@@ -110,10 +116,10 @@ ENTRY(longjmp)
 
 	/* Restore the stack pointer */
 	ldr	REG(8), [REG(0)], #(REG_WIDTH)
-#ifdef CHERI_LIB_C18N
-	mov	c2, c8
-#else
 	mov	REGN(sp), REG(8)
+#ifdef CHERI_LIB_C18N
+	/* Skip the trusted stack pointer */
+	add	c0, c0, #REG_WIDTH
 #endif
 
 	/* Restore the general purpose registers and lr */
@@ -131,19 +137,9 @@ ENTRY(longjmp)
 	ldp	d14, d15, [REG(0)], #16
 
 	/* Load the return value */
-#ifdef CHERI_LIB_C18N
-	mov	c3, c0
-#endif
 	cmp	x1, #0
 	csinc	x0, x1, xzr, ne
-#ifdef CHERI_LIB_C18N
-	/*
-	 * Tail-call to restore Executive mode state
-	 */
-	b	_rtld_longjmp
-#else
 	RETURN
-#endif
 
 botch:
 	bl	_C_LABEL(longjmperror)

lib/libgcc_s/Makefile

@@ -53,10 +53,9 @@ SRCS+=		s_logbl.c
 SRCS+=		s_scalbnl.c
 .endif
 
-# LIBUNWIND_SANDBOX_OTYPES is only supported on aarch64 (Morello).
+# c18n is only supported on Morello.
 .if ${MACHINE_ABI:Mpurecap} && ${MACHINE_CPUARCH} == "aarch64"
 SYMBOL_MAPS+=	${.CURDIR}/Symbol-c18n.map
-CFLAGS+=	-D_LIBUNWIND_CHERI_C18N_SUPPORT
 .endif
 
 .include <bsd.lib.mk>

lib/libgcc_s/Symbol-c18n.map

@@ -1,5 +1,6 @@
 FBSDprivate_1.0 {
-	_rtld_unw_getcontext;
-	_rtld_unw_setcontext;
-	_rtld_unw_getsealer;
+	dl_c18n_get_trusted_stk;
+	dl_c18n_unwind_trusted_stk;
+	dl_c18n_is_tramp;
+	dl_c18n_pop_trusted_stk;
 };

libexec/rtld-elf/Symbol-c18n.map

@@ -8,13 +8,8 @@ FBSDprivate_1.0 {
     _rtld_sighandler;
     _rtld_siginvoke;
     _rtld_sigaction;
-    _rtld_setjmp;
-    _rtld_longjmp;
-    _rtld_unw_getcontext;
-    _rtld_unw_getcontext_unsealed;
-    _rtld_unw_setcontext;
-    _rtld_unw_setcontext_unsealed;
-    _rtld_unw_getsealer;
-    _rtld_safebox_code;
-    _rtld_sandbox_code;
+    dl_c18n_get_trusted_stk;
+    dl_c18n_unwind_trusted_stk;
+    dl_c18n_is_tramp;
+    dl_c18n_pop_trusted_stk;
 };

libexec/rtld-elf/aarch64/rtld_c18n_asm.S

@@ -34,46 +34,6 @@
  * See rtld_c18n.h for an overview of the design.
  */
 
-/*
- * The _rtld_unw_{get,set}context_epilogue functions are stack unwinding
- * helpers. See the 'Stack unwinding' section in rtld_c18n.c.
- */
-ENTRY(_rtld_unw_getcontext_epilogue)
-	/*
-	 * FIXME: llvm-libunwind specific ABI. This should be better specified.
-	 */
-	mov	c2, csp
-	str	c2, [c1]
-	RETURN
-END(_rtld_unw_getcontext_epilogue)
-
-/*
- * XXX: If compartmentalisation is not enabled, _rtld_unw_setcontext_ptr is NULL
- * and we simply restore a few registers and return via retr (back to Restricted
- * mode). Otherwise, call _rtld_unw_setcontext_impl via a trampoline.
- */
-ENTRY(_rtld_unw_setcontext)
-	ldr	c16, _rtld_unw_setcontext_ptr
-	cbnz	w16, 1f
-	/*
-	 * FIXME: llvm-libunwind specific ABI. This should be better specified.
-	 */
-	mov	c16, c2
-	ldp	c2, c3, [c3, #(-0x210 + 0x20)]
-	mov	csp, c16
-#ifdef __ARM_MORELLO_PURECAP_BENCHMARK_ABI
-	RETURN
-#else
-	retr	c30
-#endif
-1:
-#ifdef __ARM_MORELLO_PURECAP_BENCHMARK_ABI
-	br	x16
-#else
-	br	c16
-#endif
-END(_rtld_unw_setcontext)
-
 /*
  * The _rtld_sighandler function is the actual signal handler passed to the
  * kernel when the user calls sigaction. It dispatches the signal to the

libexec/rtld-elf/aarch64/rtld_c18n_machdep.h

@@ -133,7 +133,7 @@ set_untrusted_stk(const void *sp)
 }
 #endif
 
-struct trusted_frame {
+struct dl_c18n_compart_state {
 	void *fp;
 	void *pc;
 	/*
@@ -145,38 +145,6 @@ struct trusted_frame {
 	 * caller made the call.
 	 */
 	void *sp;
-	/*
-	 * INVARIANT: This field contains the top of the caller's stack when the
-	 * caller was last entered.
-	 */
-	void *osp;
-	/*
-	 * Address of the previous trusted frame
-	 */
-	struct trusted_frame *previous;
-	/*
-	 * Compartment ID of the caller
-	 */
-	stk_table_index caller;
-	/*
-	 * Zeros
-	 */
-	uint16_t zeros;
-	/*
-	 * Compartment ID of the callee
-	 */
-	stk_table_index callee;
-	/*
-	 * Number of return value registers, encoded in enum tramp_ret_args
-	 */
-	uint8_t ret_args : 2;
-	uint16_t reserved : 14;
-	/*
-	 * This field contains the code address in the trampoline that the
-	 * callee should return to. This is used by trampolines to detect cross-
-	 * compartment tail-calls.
-	 */
-	ptraddr_t landing;
 };
 #endif
 #endif

libexec/rtld-elf/rtld.c

@@ -1066,7 +1066,7 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp)
 
 #ifdef CHERI_LIB_C18N
     if (C18N_ENABLED)
-	c18n_init2(&obj_rtld);
+	c18n_init2();
 #endif
 
     /*