Make .text execute-only; add tests #450
Conversation
adamsteen
force-pushed
the
xnor
branch
2 times, most recently
from
f1f5462 to
11895ee
Compare
mato
added
enhancement
host/openbsd
There was a problem hiding this comment.
I'll have a look in a bit more detail in due course, but you're on the right track here. It's awesome that #447 and VMM_IOC_MPROTECT_EPT on OpenBSD enable execute-only page mappings in the guest!
When you say you can't test this due to old hardware, why is that? ISTR that anything with EPT can do execute-only, but I might be wrong...
bindings/hvt/solo5_hvt.lds
Outdated
| FLAGS values come from PF_x in elf.h */ | ||
| rodata PT_LOAD FLAGS(5); |
There was a problem hiding this comment.
I think you want 4 here (PF_R only).
There was a problem hiding this comment.
your right thank you.
tenders/hvt/hvt_freebsd.c
Outdated
| * | ||
| * Guest-side page protections: | ||
| * | ||
| * Manipulating guest-side (EPT) mappings is currently not supported by | ||
| * FreeBSD vmm, so there is nothing more we can do. | ||
| */ | ||
| prot &= ~(PROT_EXEC); | ||
| prot |= PROT_READ; |
There was a problem hiding this comment.
This (and the other host variants) are a bit hard to read now. I'd make it explicit that we're "squashing" PROT_EXEC into PROT_READ on the host side, and nothing else:
if (prot & PROT_EXEC) {
prot &= ~(PROT_EXEC);
prot |= PROT_READ;
}This makes the intent crystal clear, i.e.
- PROT_READ: (no change)
- PROT_WRITE: (no change)
- PROT_EXEC: -> PROT_READ
What do you think?
There was a problem hiding this comment.
At first just reading this, i was unsure, but i thought i would implement it and then reread the code, and its much more readable.
mato
changed the title
Bit 0 does not read 1 on the hardware i have access to, so i am unable to test execute only. |
adamsteen
force-pushed
the
xnor
branch
2 times, most recently
from
5c308b6 to
bfc9458
Compare
|
this PR is ready for review and merging. I have been able to run the tests and all tests expected to pass on OpenBSD do. probably want to merge #495 first. |
|
Please note this works perfectly for the latest release OpenBSD 6.9 |
|
OpenBSD 6.8 fails, it's expected? |
|
Yes it won’t work on OpenBSD 6.8 or 6.9 I had it working for 6.8 but someone broke the kernel side for 6.9 then I got it restored for 7.0. I only run current, so testing 7.0 is hard as I don’t have the hardware! It should work for 7.0 and definitely works for Current! |
|
OpenBSD 7.1 is out very soon, is there any chance of getting the ci image updated? It should just be a matter of running, sysupgrade and pkg_add -u after each reboot a couple of times! Or following the instructions in the solo5-ci package? the current OpenBSD image is over 2 years old! |
Unfortunately, I don't have (yet) the control on the CI so it will take a time to upgrade the CI with OpenBSD 7.1. But we should definitely upgrade the CI and it's in my TODO list. |
|
@dinosaure Thank you for the update, appreciate it. |
|
@dinosaure Hi, any updates on control of the CI? |
|
/cc @TheLortex recently upgraded the CI, can you test on OpenBSD 7.1? |
|
Will do!
…On Fri, Sep 9, 2022 at 17:08, Calascibetta Romain ***@***.***> wrote:
/cc ***@***.***(https://github.com/TheLortex) recently upgraded the CI, can you test on OpenBSD 7.1?
—
Reply to this email directly, [view it on GitHub](#450 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AB74QYBNQU4474INXG5S5YDV5L47DANCNFSM4MP3P4EQ).
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
It's not upgraded yet, still on old OpenBSDs, I have just moved and restarted the CI infrastructure. |
|
rebased onto masted, and tests pass on |
|
Let's merge this PR 👍 Thanks for your work. |
|
Thank you! |
Now for my next trick, execute only Solo5 unikernels?
I wish i could test this, but my hardware is just too old.
Thoughts on taking this forward?
Note: this is dependant on #447 add openbsd mprotect ept support, and would need to be rebased when that went in.