Conversation
1. switch to purecap mode if needed
2. convert modulep to capability
3. convert pointers in metadata to capabilities
| * indicate that we have no DTB pointer. It is already included in the | ||
| * loader(8) metadata. | ||
| * | ||
| * The EFI loader is always Hybrid so convert metadata poiner to a |
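Review bot: typo on the comment line `* The EFI loader is always Hybrid so convert metadata poiner to a`: "poiner" should read "pointer", and "hybrid" is not a proper noun here, so lower-case matches the rest of the comment.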
| type __r; \ | ||
| ptraddr_t __res; \ | ||
| __res = MD_FETCH(mdp, info, ptraddr_t); \ | ||
| __r = (type)cheri_setaddress(kernel_root_cap, __res); \ |
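Review bot: `__r = (type)cheri_setaddress(kernel_root_cap, __res);` gives every fetched metadata value a capability with the root's full bounds and full permissions, so an address that only ever needs to be read (a symbol-table pointer, for instance) comes back as a writable, capability-bearing pointer to the whole kernel. Narrow at derivation time instead: at minimum `cheri_andperm(..., CHERI_PERMS_KERNEL_DATA)`, and `cheri_setbounds` wherever the length is known (for the SSYM/ESYM pair, end minus start). Since different records need different permissions, a single macro that applies one policy will not fit all of them; either take a permission mask as a macro argument or derive each capability inline at the call site.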
For Morello we also limit permissions to CHERI_PERMS_KERNEL_DATA (e.g. for MODINFOMD_DTBP).
Morello also fetches these as vm_offset_t and then inlines the purecap fixup for each one, which might be useful if we have different permissions. For example, ksym_start/end can probably be read-only, and you can also set bounds on ksym based on the addresses, using end-start as the length. Hmm, looks like ksym also uses more restrictive permissions (only data, no pointers), so a reason for inlining the capability derivation as we do in Morello.
| .option nocapmode | ||
|
|
||
| /* | ||
| * The boot loader may enter in non-capmode even though |
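Review bot: the `.option nocapmode` region and the comment `The boot loader may enter in non-capmode even though` bake a loader quirk into the kernel entry path: the kernel has to detect the mode it was entered in and switch itself on every boot. Prefer having the hybrid loader switch to capmode before it jumps to a purecap kernel, and state in this comment which loaders are expected to enter in which mode, so the non-capmode entry can be removed later instead of surviving as an unexplained fallback.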
We should just fix this. The only reason it's like this on Morello is because loader itself isn't even hybrid, it's plain AArch64, due to the firmware. But even there we could have made loader sensible and compile the post-ExitBootServices assembly that jumps to the kernel with Morello support, so it can switch mode as needed. Let's do this better on RISC-V.
Support booting from a hybrid EFI loader. Not sure of the size of the metadata that comes from the loader, which would be needed to limit bounds.
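The permission and bounds narrowing debated above (full-root `cheri_setaddress` versus a bounded, data-only capability for the symbol table) as an added example; this is not code from the PR or from CheriBSD. It is a host-side C model that runs on any machine: the `cap_t` struct and the `cap_setaddress`/`cap_setbounds`/`cap_andperm` helpers imitate the CHERI intrinsics of the same names, the permission bits are invented, the metadata TLV layout and the `MD_*` type values are modelled after FreeBSD's `sys/sys/linker.h` but should be treated as assumptions, and the sample blob is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t ptraddr_t;

/* Modelled permission bits (constructed; the real CHERI encoding differs). */
#define PERM_LOAD      0x1u
#define PERM_STORE     0x2u
#define PERM_LOAD_CAP  0x4u
#define PERM_STORE_CAP 0x8u
#define PERMS_KERNEL_DATA (PERM_LOAD | PERM_STORE | PERM_LOAD_CAP | PERM_STORE_CAP)
#define PERMS_DATA_ONLY   (PERM_LOAD | PERM_STORE)   /* no capability loads/stores */

typedef struct {
    bool tag;                        /* valid capability? */
    ptraddr_t base, length, addr;    /* bounds [base, base+length) and cursor */
    unsigned perms;
} cap_t;

/* Model of the kernel root capability: whole kernel range, all data perms. */
static const cap_t kernel_root_cap_model = { true, 0, (ptraddr_t)1 << 40, 0, PERMS_KERNEL_DATA };

/* cheri_setaddress model: move the cursor, keep bounds and permissions. */
static cap_t cap_setaddress(cap_t c, ptraddr_t a) { c.addr = a; return c; }

/* cheri_setbounds model: narrow to [addr, addr+len).  Hardware traps on a
 * request outside the parent's bounds; the model clears the tag instead.
 * The length test is written so that an end-start underflow cannot pass. */
static cap_t cap_setbounds(cap_t c, ptraddr_t len) {
    ptraddr_t top = c.base + c.length;
    if (!c.tag || c.addr < c.base || c.addr > top || len > top - c.addr) {
        c.tag = false;
        return c;
    }
    c.base = c.addr;
    c.length = len;
    return c;
}

/* cheri_andperm model: permissions can only be removed, never added. */
static cap_t cap_andperm(cap_t c, unsigned mask) { c.perms &= mask; return c; }

/* Would an n-byte access at a, needing permissions need, be allowed? */
static bool cap_allows(cap_t c, ptraddr_t a, size_t n, unsigned need) {
    ptraddr_t top = c.base + c.length;
    return c.tag && (c.perms & need) == need &&
           a >= c.base && a <= top && n <= top - a;
}

/* Loader metadata as a TLV list: 32-bit type, 32-bit length, data padded to
 * 8 bytes, terminated by a zero type.  Type values are assumptions. */
#define MD_END      0x0000u
#define MD_METADATA 0x8000u
#define MDMD_SSYM   0x0003u
#define MDMD_ESYM   0x0004u
#define MDMD_DTBP   0x0011u

/* Find a record; md_len bounds the walk so a malformed list cannot run off. */
static const uint8_t *md_search(const uint8_t *md, size_t md_len, uint32_t type, uint32_t *lenp) {
    size_t off = 0;
    while (off + 8 <= md_len) {
        uint32_t t, len;
        memcpy(&t, md + off, 4);
        memcpy(&len, md + off + 4, 4);
        if (t == MD_END || off + 8 + len > md_len)   /* end, or truncated record */
            return NULL;
        if (t == type) { *lenp = len; return md + off + 8; }
        off += 8 + ((len + 7) & ~(size_t)7);
    }
    return NULL;
}

/* MD_FETCH(mdp, info, ptraddr_t) equivalent that reports an absent record. */
static bool md_fetch_addr(const uint8_t *md, size_t md_len, uint32_t info, ptraddr_t *out) {
    uint32_t len;
    const uint8_t *p = md_search(md, md_len, MD_METADATA | info, &len);
    if (p == NULL || len < sizeof(*out))
        return false;
    memcpy(out, p, sizeof(*out));
    return true;
}

/* Naive derivation, as in the macro under review: root bounds and perms. */
static cap_t derive_naive(cap_t root, ptraddr_t a) { return cap_setaddress(root, a); }

/* Restricted derivation for ksym: bounded to [start, end), data only. */
static cap_t derive_ksym(cap_t root, ptraddr_t start, ptraddr_t end) {
    cap_t c = cap_setbounds(cap_setaddress(root, start), end - start);  /* untagged if end < start */
    return cap_andperm(c, PERMS_DATA_ONLY);
}

/* Constructed sample blob: ksym at 0x1000..0x1800 and no DTB pointer. */
static uint8_t sample_md[64];

static size_t md_put(uint8_t *md, size_t off, uint32_t type, ptraddr_t val) {
    uint32_t len = sizeof(val);
    memcpy(md + off, &type, 4);
    memcpy(md + off + 4, &len, 4);
    memcpy(md + off + 8, &val, 8);
    return off + 16;
}

static size_t build_sample_md(void) {
    size_t off = md_put(sample_md, 0, MD_METADATA | MDMD_SSYM, 0x1000);
    off = md_put(sample_md, off, MD_METADATA | MDMD_ESYM, 0x1800);
    memset(sample_md + off, 0, 8);           /* MD_END terminator */
    return off + 8;
}

int main(void) {
    size_t n = build_sample_md();
    ptraddr_t s = 0, e = 0, d = 0;
    if (!md_fetch_addr(sample_md, n, MDMD_SSYM, &s) || !md_fetch_addr(sample_md, n, MDMD_ESYM, &e))
        return 1;
    cap_t naive = derive_naive(kernel_root_cap_model, s);
    cap_t ksym = derive_ksym(kernel_root_cap_model, s, e);
    printf("DTBP record present: %d\n", md_fetch_addr(sample_md, n, MDMD_DTBP, &d));
    printf("naive ksym cap can store a capability at 0x9000: %d\n", cap_allows(naive, 0x9000, 16, PERM_STORE_CAP));
    printf("bounded ksym cap: load at 0x17f8 %d, load at 0x1800 %d, load cap at 0x1000 %d\n",
           cap_allows(ksym, 0x17f8, 8, PERM_LOAD), cap_allows(ksym, 0x1800, 1, PERM_LOAD),
           cap_allows(ksym, 0x1000, 16, PERM_LOAD_CAP));
    return 0;
}
```

The model makes the thread's point concrete: the naive path yields a symbol-table pointer that can store capabilities anywhere under the root, while the bounded, data-only derivation refuses both an out-of-bounds byte and a capability load inside its range, and a swapped start/end pair comes back untagged rather than as a capability covering nearly the whole address space.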