Update: Sorry, I misunderstood a few things in the previous email. The change
was in fiasco and not sigma and therefore, in theory, no user space process
should have access to the protected region. This also implies that sigma0 will
not have access if I understand correctly which is rather nice.
So, I tried changing the handle_sigma0_page_fault function. This is located in
kernel/fiasco/src/kern/ia32/thread-ia32.cpp to prevent mapping of some range of
physical memory (NOT RAM) as follows:
IMPLEMENT inline
bool
Thread::handle_sigma0_page_fault(Address pfa)
{
size_t size;
// Check if mapping a superpage doesn't exceed the size of physical memory
if (Cpu::have_superpages()
// Some distributions do not allow to mmap below a certain threshold
// (like 64k on Ubuntu 8.04) so we cannot map a superpage at 0 if
// we're Fiasco-UX
&& (!Config::Is_ux || !(pfa < Config::SUPERPAGE_SIZE)))
{
pfa &= Config::SUPERPAGE_MASK;
size = Config::SUPERPAGE_SIZE;
}
else
{
pfa &= Config::PAGE_MASK;
size = Config::PAGE_SIZE;
}
----------------------------------------------------------------------------------------------------------------------------------
- My change start
if((pfa>=0xe0000000) && (pfa<=0xefffffff)){
printf("\nNot allowed...denying\n");
return Mem_space::Insert_err_nomem;
}
----------------------------------------------------------------------------------------------------------------------------------
- My change end
return mem_space()->v_insert(Mem_space::Phys_addr(pfa), Mem_space::Addr(pfa),
Mem_space::Size(size),
Mem_space::Page_writable
| Mem_space::Page_user_accessible)
!= Mem_space::Insert_err_nomem;
}
However, I realized that when I try to map this address space using
l4io_request_iomem, I see that it goes through and the call never reaches until
fiasco's sigma0_page_fault handler. A little more debugging revealed that it
goes as far as the following function in l4/pkg/sigma0/server/src/memmap.cc:
static
void map_mem(l4_fpage_t fp, Memory_type fn, l4_umword_t t, Answer *an)
{
an->clear();
Mem_man *m;
switch (fn)
{
case Ram:
m = Mem_man::ram();
break;
case Io_mem:
case Io_mem_cached:
m = &iomem;
break;
default:
return;
}
unsigned long addr = m->alloc(Region::bs(fp.raw & ~((1UL << 12) - 1),
1UL << l4_fpage_size(fp), t));
if (addr == ~0UL)
return;
/* the Fiasco kernel makes the page non-cachable if the frame
* address is greater than mem_high */
an->snd_base(addr);
an->snd_fpage(addr, l4_fpage_size(fp), false, fn != Io_mem);
an->tag = l4_msgtag(0, 0, 1, 0);
return;
}
>From here on, the generics make it a little hard to parse. So I am not sure
>where the control flow ends but it does not get to fiasco's sigma0 page fault
>handler. Given this,
a. does the handle_sigma0_page_fault only work on memory. The region I want to
protect is not RAM.
b. Given that the setup of sigma0's memory happens in
kernel/fiasco/src/kern/kernel_thread-std.cpp, is there more to be done here?
Thanks.
Ramya
________________________________________
From: Masti Ramya Jayaram
Sent: 10 September 2014 09:46
To: Adam Lackorzynski; [email protected]
Subject: RE: Physical memory allocation to L4linux
Hey Adam,
thanks a lot for the replies. I still have a few questions/clarifications
though. :-)
a. Is there a way to implement the "MODE=sigma" for linux? I could not find
anything that points to it.
b. Now if I were to tweak the page fault handler in sigma, then does that imply
that even a corrupt moe/ned/l4linux cannot get access to the protected part of
the address space?
c. Who are the clients of this page fault handler? Is it just what runs on top
of sigma like moe, ned, l4linux or even faisco?
d. If it is just moe, ned, l4linux, then can I use the same page fault trick to
ensure that (moe,ned,sigma) they always get memory from a certain dedicated
region?
Thanks a ton for your patience (to everyone on the list and particularly you
and Martin). I totally appreciate it.
Best,
Ramya
________________________________________
From: l4-hackers [[email protected]] on behalf of Adam
Lackorzynski [[email protected]]
Sent: 09 September 2014 23:16
To: [email protected]
Subject: Re: Physical memory allocation to L4linux
On Tue Sep 09, 2014 at 16:03:11 +0000, Masti Ramya Jayaram wrote:
> I would like to explain my situation better. Here is what I intend:
>
> a. What is the lowest module (bootstrap, fiasco, sigma, moe,
> ned,l4linux) that can be confined not access a portion of the address
> space?
Without changing anything and with this list of program, it's just
L4Linux. Reason is that ned typically has a cap to sigma0 because it
needs to give it to io.
When you would like to make a little change, in Fiasco there's a
function handle_sigma0_page_fault that covers page-fault by sigma0. So
if you add a check on pfa there and return false you should be able to
exclude a memory region from any user program.
> I know that bootstrap and fiasco run in privileged mode, so there is
> no way to stop them. What is the next module?
>
> b. Assuming that it is sigma, I would like to do the following:
> Have three regions in the physical address space (not necessarily memory):
>
> i) one for bootstrap, fiasco
> ii) moe, ned, sigma, l4linux
> iii). Special region accessible only from (i) - bootstrap and fiasco.
>
> If it is not possible to confine sigma, i.e., "hide a portion of the
> address space from it", then add sigma to lists (i,iii) and remove it
> from (ii) - and so on for the other modules.
>
> If it is moe, could my goal be reached by adding an IO device as a
> blocker but then not give moe the corresponding capability?
In the stack moe is below any notion of an IO device, so that would not
work.
Adam
--
Adam [email protected]
Lackorzynski http://os.inf.tu-dresden.de/~adam/
_______________________________________________
l4-hackers mailing list
[email protected]
http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers
_______________________________________________
l4-hackers mailing list
[email protected]
http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers
