Shared objects might want LoadGlobal permission

nwf · nwf · commit c1be633ae371 · 2025-08-18T19:47:46.000Z
diff --git a/sdk/core/allocator/alloc.h b/sdk/core/allocator/alloc.h
@@ -1025,7 +1025,8 @@ class MState
 	 */
 	[[nodiscard]] __always_inline auto hazard_list_begin()
 	{
-		auto    *lockWord{SHARED_OBJECT(uint32_t, allocator_epoch)};
+		auto    *lockWord{SHARED_OBJECT_WITH_DATA_PERMISSIONS(
+          uint32_t, allocator_epoch, true, true)};
 		uint32_t epoch = *lockWord >> 16;
 		Debug::Invariant(
 		  (epoch & 1) == 0,
@@ -1275,9 +1276,14 @@ class MState
 	bool hazard_pointer_check(Capability<void> allocation)
 	{
 		// It is now safe to walk the hazard list.
-		Capability<void *> hazards =
-		  const_cast<void **>(SHARED_OBJECT_WITH_PERMISSIONS(
-		    void *, allocator_hazard_pointers, true, false, true, false));
+		Capability<void *> hazards = const_cast<void **>(
+		  SHARED_OBJECT_WITH_PERMISSIONS(void *,
+		                                 allocator_hazard_pointers,
+		                                 true,
+		                                 false,
+		                                 true,
+		                                 false,
+		                                 false));
 		size_t pointers = hazards.length() / sizeof(void *);
 		for (size_t i = 0; i < pointers; i++)
 		{
diff --git a/sdk/core/allocator/main.cc b/sdk/core/allocator/main.cc
@@ -99,9 +99,13 @@ namespace
 		Capability m{tbase.cast<MState>()};
 
 		size_t hazardQuarantineSize =
-		  Capability{
-		    SHARED_OBJECT_WITH_PERMISSIONS(
-		      void *, allocator_hazard_pointers, true, false, true, false)}
+		  Capability{SHARED_OBJECT_WITH_PERMISSIONS(void *,
+		                                            allocator_hazard_pointers,
+		                                            true,
+		                                            false,
+		                                            true,
+		                                            false,
+		                                            false)}
 		    .length();
 
 		m.bounds()            = sizeof(*m);
@@ -128,13 +132,15 @@ namespace
 	{
 		if (gm == nullptr)
 		{
+			// Access without LoadGlobal to help ensure we don't break isolation
 			Capability heap = const_cast<void *>(
 			  MMIO_CAPABILITY_WITH_PERMISSIONS(void,
 			                                   heap,
 			                                   /*load*/ true,
 			                                   /*store*/ true,
 			                                   /*capabilities*/ true,
-			                                   /*loadMutable*/ true));
+			                                   /*loadMutable*/ true,
+			                                   /*loadGlobal*/ false));
 
 			revoker.init();
 			gm = mstate_init(heap, heap.bounds());
diff --git a/sdk/core/loader/types.h b/sdk/core/loader/types.h
@@ -875,12 +875,18 @@ namespace loader
 		 */
 		static constexpr size_t PermitLoadMutable = (1UL << 28);
 
+		/**
+		 * Bit in `sizeAndPermissions` indicating that this import has
+		 * load-global permission.
+		 */
+		static constexpr size_t PermitLoadGlobal = (1UL << 27);
+
 		/**
 		 * Mask for the used permissions.
 		 */
-		static constexpr size_t PermissionsMask = PermitLoad | PermitStore |
-		                                          PermitLoadStoreCapabilities |
-		                                          PermitLoadMutable;
+		static constexpr size_t PermissionsMask =
+		  PermitLoad | PermitStore | PermitLoadStoreCapabilities |
+		  PermitLoadMutable | PermitLoadGlobal;
 
 		/**
 		 * Mask for the space reserved for permissions.
@@ -959,7 +965,8 @@ namespace loader
 			  Permission::Load,
 			  Permission::Store,
 			  Permission::LoadStoreCapability,
-			  Permission::LoadMutable};
+			  Permission::LoadMutable,
+			  Permission::LoadGlobal};
 			CHERI::PermissionSet p{DefaultPermissions};
 			if ((sizeAndPermissions & PermitLoad) == 0)
 			{
@@ -977,6 +984,10 @@ namespace loader
 			{
 				p = p.without(Permission::LoadMutable);
 			}
+			if ((sizeAndPermissions & PermitLoadGlobal) == 0)
+			{
+				p = p.without(Permission::LoadGlobal);
+			}
 			return p;
 		}
 	};
diff --git a/sdk/include/compartment-macros.h b/sdk/include/compartment-macros.h
@@ -17,7 +17,8 @@
                                                   permitLoad,                  \
                                                   permitStore,                 \
                                                   permitLoadStoreCapabilities, \
-                                                  permitLoadMutable)           \
+                                                  permitLoadMutable,           \
+                                                  permitLoadGlobal)            \
 	({                                                                         \
 		type *ret; /* NOLINT(bugprone-macro-parentheses) */                    \
 		__asm(".ifndef " mangledName "\n"                                      \
@@ -39,7 +40,8 @@
 		      : "i"(((permitLoad) ? (1 << 31) : 0) +                           \
 		            ((permitStore) ? (1 << 30) : 0) +                          \
 		            ((permitLoadStoreCapabilities) ? (1 << 29) : 0) +          \
-		            ((permitLoadMutable) ? (1 << 28) : 0)));                   \
+		            ((permitLoadMutable) ? (1 << 28) : 0) +                    \
+		            ((permitLoadGlobal) ? (1 << 27) : 0)));                    \
 		ret;                                                                   \
 	})
 
@@ -52,15 +54,17 @@
                                                 permitLoad,                    \
                                                 permitStore,                   \
                                                 permitLoadStoreCapabilities,   \
-                                                permitLoadMutable)             \
+                                                permitLoadMutable,             \
+                                                permitLoadGlobal)              \
 	IMPORT_CAPABILITY_WITH_PERMISSIONS_HELPER(type,                            \
 	                                          name,                            \
 	                                          __export_mem_,                   \
 	                                          mangledName,                     \
 	                                          permitLoad,                      \
 	                                          permitStore,                     \
 	                                          permitLoadStoreCapabilities,     \
-	                                          permitLoadMutable)
+	                                          permitLoadMutable,               \
+	                                          permitLoadGlobal)
 
 /**
  * Provide a capability of the type `volatile type *` referring to the MMIO
@@ -76,16 +80,19 @@
                                          permitLoad,                           \
                                          permitStore,                          \
                                          permitLoadStoreCapabilities,          \
-                                         permitLoadMutable)                    \
+                                         permitLoadMutable,                    \
+                                         permitLoadGlobal)                     \
 	MMIO_CAPABILITY_WITH_PERMISSIONS_HELPER(                                   \
 	  volatile type, /* NOLINT(bugprone-macro-parentheses) */                  \
 	  name,                                                                    \
 	  "__import_mem_" #name "_" #permitLoad "_" #permitStore                   \
-	  "_" #permitLoadStoreCapabilities "_" #permitLoadMutable,                 \
+	  "_" #permitLoadStoreCapabilities "_" #permitLoadMutable                  \
+	  "_" #permitLoadGlobal,                                                   \
 	  permitLoad,                                                              \
 	  permitStore,                                                             \
 	  permitLoadStoreCapabilities,                                             \
-	  permitLoadMutable)
+	  permitLoadMutable,                                                       \
+	  permitLoadGlobal)
 
 /**
  * Provide a capability of the type `volatile type *` referring to the MMIO
@@ -97,7 +104,8 @@
  * MMIO_CAPABILITY_WITH_PERMISSIONS.
  */
 #define MMIO_CAPABILITY(type, name)                                            \
-	MMIO_CAPABILITY_WITH_PERMISSIONS(type, name, true, true, false, false)
+	MMIO_CAPABILITY_WITH_PERMISSIONS(                                          \
+	  type, name, true, true, false, false, false)
 
 /**
  * Provide a capability of the type `type *` referring to the pre-shared object
@@ -113,29 +121,46 @@
                                        permitLoad,                             \
                                        permitStore,                            \
                                        permitLoadStoreCapabilities,            \
-                                       permitLoadMutable)                      \
+                                       permitLoadMutable,                      \
+                                       permitLoadGlobal)                       \
 	IMPORT_CAPABILITY_WITH_PERMISSIONS_HELPER(                                 \
 	  type, /* NOLINT(bugprone-macro-parentheses) */                           \
 	  name,                                                                    \
 	  __cheriot_shared_object_,                                                \
 	  "__import_cheriot_shared_object_" #name "_" #permitLoad "_" #permitStore \
-	  "_" #permitLoadStoreCapabilities "_" #permitLoadMutable,                 \
+	  "_" #permitLoadStoreCapabilities "_" #permitLoadMutable                  \
+	  "_" #permitLoadGlobal,                                                   \
 	  permitLoad,                                                              \
 	  permitStore,                                                             \
 	  permitLoadStoreCapabilities,                                             \
-	  permitLoadMutable)
+	  permitLoadMutable,                                                       \
+	  permitLoadGlobal)
 
 /**
  * Provide a capability of the type `type *` referring to the pre-shared object
  * with `name` as its name.  This macro can be used only in code (it cannot be
  * used to initialise a global).
  *
  * Pre-shared object capabilities produced by this macro have load, store,
- * load-mutable, and load/store-capability permissions.  To define a reduced
- * set of permissions use `SHARED_OBJECT_WITH_PERMISSIONS`.
+ * load-mutable, load-global, and load/store-capability permissions.  To define
+ * a reduced set of permissions use `SHARED_OBJECT_WITH_PERMISSIONS`.
  */
 #define SHARED_OBJECT(type, name)                                              \
-	SHARED_OBJECT_WITH_PERMISSIONS(type, name, true, true, true, true)
+	SHARED_OBJECT_WITH_PERMISSIONS(type, name, true, true, true, true, true)
+
+/**
+ * Provide a capability of the type `type *` referring to the pre-shared object
+ * with `name` as its name.  This macro can be used only in code (it cannot be
+ * used to initialise a global).
+ *
+ * Pre-shared object capabilities produced by this macro have the indicated load
+ * and store permission, but no load/store-capability permissions (and,
+ * therefore, no load-mutable or load-global permissions).
+ */
+#define SHARED_OBJECT_WITH_DATA_PERMISSIONS(                                   \
+  type, name, permitLoad, permitStore)                                         \
+	SHARED_OBJECT_WITH_PERMISSIONS(                                            \
+	  type, name, permitLoad, permitStore, false, false, false)
 
 /**
  * Macro to test whether a device with a specific name exists in the board
diff --git a/sdk/lib/compartment_helpers/claim_fast.cc b/sdk/lib/compartment_helpers/claim_fast.cc
@@ -10,9 +10,9 @@
 int heap_claim_ephemeral(Timeout *timeout, const void *ptr, const void *ptr2)
 {
 	void   **hazards = switcher_thread_hazard_slots();
-	auto    *epochCounter{const_cast<
-	     cheriot::atomic<uint32_t> *>(SHARED_OBJECT_WITH_PERMISSIONS(
-      cheriot::atomic<uint32_t>, allocator_epoch, true, false, false, false))};
+	auto    *epochCounter{const_cast<cheriot::atomic<uint32_t> *>(
+      SHARED_OBJECT_WITH_DATA_PERMISSIONS(
+        cheriot::atomic<uint32_t>, allocator_epoch, true, false))};
 	uint32_t epoch  = epochCounter->load();
 	int      values = 2;
 	// Skip processing pointers that don't refer to heap memory.
diff --git a/tests.extra/regress-double_ref_shared/top1.cc b/tests.extra/regress-double_ref_shared/top1.cc
@@ -2,8 +2,7 @@
 
 void top1()
 {
-	auto ref1 =
-	  SHARED_OBJECT_WITH_PERMISSIONS(struct Foo, foo, true, true, false, false);
+	auto ref1 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, true);
 
 	ref1->bar = 1;
 }
diff --git a/tests.extra/regress-double_ref_shared/top2.cc b/tests.extra/regress-double_ref_shared/top2.cc
@@ -6,8 +6,7 @@ using Debug = ConditionalDebug<true, "top2">;
 
 void top2()
 {
-	auto ref2 = SHARED_OBJECT_WITH_PERMISSIONS(
-	  struct Foo, foo, true, false, false, false);
+	auto ref2 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, false);
 
 	Debug::log("ref2: {}", ref2->bar);
 }
diff --git a/tests/misc-test.cc b/tests/misc-test.cc
@@ -381,22 +381,30 @@ int test_misc()
 	                     Permission::Load,
 	                     Permission::Store,
 	                     Permission::LoadStoreCapability,
-	                     Permission::LoadMutable});
+	                     Permission::LoadMutable,
+	                     Permission::LoadGlobal});
 	check_shared_object(
 	  "exampleK",
-	  SHARED_OBJECT_WITH_PERMISSIONS(void, exampleK, true, true, false, false),
+	  SHARED_OBJECT_WITH_PERMISSIONS(
+	    void, exampleK, true, true, false, false, false),
 	  1024,
 	  {Permission::Global, Permission::Load, Permission::Store});
 	check_shared_object(
 	  "test_word",
-	  SHARED_OBJECT_WITH_PERMISSIONS(void, test_word, true, false, true, false),
+	  SHARED_OBJECT_WITH_PERMISSIONS(
+	    void, test_word, true, false, true, false, false),
 	  4,
 	  {Permission::Global, Permission::Load, Permission::LoadStoreCapability});
 	check_shared_object("test_word",
 	                    SHARED_OBJECT_WITH_PERMISSIONS(
-	                      void, test_word, true, false, false, false),
+	                      void, test_word, true, false, false, false, false),
 	                    4,
 	                    {Permission::Global, Permission::Load});
+	check_shared_object(
+	  "test_word data",
+	  SHARED_OBJECT_WITH_DATA_PERMISSIONS(void, test_word, true, false),
+	  4,
+	  {Permission::Global, Permission::Load});
 	check_odd_memcmp();
 	TEST_EQUAL(strnlen(*volatileString, 3),
 	           3,
diff --git a/tests/mmio-test.cc b/tests/mmio-test.cc

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,7 @@`
`2`	`2`
`3`	`3`	`void top1()`
`4`	`4`	`{`
`5`		`- auto ref1 =`
`6`		`- SHARED_OBJECT_WITH_PERMISSIONS(struct Foo, foo, true, true, false, false);`
	`5`	`+ auto ref1 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, true);`
`7`	`6`
`8`	`7`	`ref1->bar = 1;`
`9`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,7 @@ using Debug = ConditionalDebug<true, "top2">;`
`6`	`6`
`7`	`7`	`void top2()`
`8`	`8`	`{`
`9`		`- auto ref2 = SHARED_OBJECT_WITH_PERMISSIONS(`
`10`		`- struct Foo, foo, true, false, false, false);`
	`9`	`+ auto ref2 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, false);`
`11`	`10`
`12`	`11`	`Debug::log("ref2: {}", ref2->bar);`
`13`	`12`	`}`