Shared objects might want LoadGlobal permission

nwf · nwf · commit d1ebe1ed8715 · 2025-08-28T23:23:55.000+01:00
diff --git a/sdk/core/allocator/alloc.h b/sdk/core/allocator/alloc.h
@@ -1026,7 +1026,8 @@ class MState
 	 */
 	[[nodiscard]] __always_inline auto hazard_list_begin()
 	{
-		auto    *lockWord{SHARED_OBJECT(uint32_t, allocator_epoch)};
+		auto    *lockWord{SHARED_OBJECT_WITH_DATA_PERMISSIONS(
+          uint32_t, allocator_epoch, true, true)};
 		uint32_t epoch = *lockWord >> 16;
 		Debug::Invariant(
 		  (epoch & 1) == 0,
@@ -1276,9 +1277,14 @@ class MState
 	bool hazard_pointer_check(Capability<void> allocation)
 	{
 		// It is now safe to walk the hazard list.
-		Capability<void *> hazards =
-		  const_cast<void **>(SHARED_OBJECT_WITH_PERMISSIONS(
-		    void *, allocator_hazard_pointers, true, false, true, false));
+		Capability<void *> hazards = const_cast<void **>(
+		  SHARED_OBJECT_WITH_PERMISSIONS(void *,
+		                                 allocator_hazard_pointers,
+		                                 true,
+		                                 false,
+		                                 true,
+		                                 false,
+		                                 false));
 		size_t pointers = hazards.length() / sizeof(void *);
 		for (size_t i = 0; i < pointers; i++)
 		{
diff --git a/sdk/core/allocator/main.cc b/sdk/core/allocator/main.cc
@@ -99,9 +99,13 @@ namespace
 		Capability m{tbase.cast<MState>()};
 
 		size_t hazardQuarantineSize =
-		  Capability{
-		    SHARED_OBJECT_WITH_PERMISSIONS(
-		      void *, allocator_hazard_pointers, true, false, true, false)}
+		  Capability{SHARED_OBJECT_WITH_PERMISSIONS(void *,
+		                                            allocator_hazard_pointers,
+		                                            true,
+		                                            false,
+		                                            true,
+		                                            false,
+		                                            false)}
 		    .length();
 
 		m.bounds()            = sizeof(*m);
@@ -128,13 +132,15 @@ namespace
 	{
 		if (gm == nullptr)
 		{
+			// Access without LoadGlobal to help ensure we don't break isolation
 			Capability heap = const_cast<void *>(
 			  MMIO_CAPABILITY_WITH_PERMISSIONS(void,
 			                                   heap,
 			                                   /*load*/ true,
 			                                   /*store*/ true,
 			                                   /*capabilities*/ true,
-			                                   /*loadMutable*/ true));
+			                                   /*loadMutable*/ true,
+			                                   /*loadGlobal*/ false));
 
 			revoker.init();
 			gm = mstate_init(heap, heap.bounds());
diff --git a/sdk/core/loader/types.h b/sdk/core/loader/types.h
@@ -875,12 +875,18 @@ namespace loader
 		 */
 		static constexpr size_t PermitLoadMutable = (1UL << 28);
 
+		/**
+		 * Bit in `sizeAndPermissions` indicating that this import has
+		 * load-global permission.
+		 */
+		static constexpr size_t PermitLoadGlobal = (1UL << 27);
+
 		/**
 		 * Mask for the used permissions.
 		 */
-		static constexpr size_t PermissionsMask = PermitLoad | PermitStore |
-		                                          PermitLoadStoreCapabilities |
-		                                          PermitLoadMutable;
+		static constexpr size_t PermissionsMask =
+		  PermitLoad | PermitStore | PermitLoadStoreCapabilities |
+		  PermitLoadMutable | PermitLoadGlobal;
 
 		/**
 		 * Mask for the space reserved for permissions.
@@ -959,7 +965,8 @@ namespace loader
 			  Permission::Load,
 			  Permission::Store,
 			  Permission::LoadStoreCapability,
-			  Permission::LoadMutable};
+			  Permission::LoadMutable,
+			  Permission::LoadGlobal};
 			CHERI::PermissionSet p{DefaultPermissions};
 			if ((sizeAndPermissions & PermitLoad) == 0)
 			{
@@ -977,6 +984,10 @@ namespace loader
 			{
 				p = p.without(Permission::LoadMutable);
 			}
+			if ((sizeAndPermissions & PermitLoadGlobal) == 0)
+			{
+				p = p.without(Permission::LoadGlobal);
+			}
 			return p;
 		}
 	};
diff --git a/sdk/include/compartment-macros.h b/sdk/include/compartment-macros.h
@@ -16,7 +16,7 @@
 		static const struct Perms                                              \
 		{                                                                      \
 			bool permitLoad, permitStore, permitLoadStoreCapabilities,         \
-			  permitLoadMutable;                                               \
+			  permitLoadMutable, permitLoadGlobal;                             \
 		} perms = {__VA_ARGS__};                                               \
 		type *ret; /* NOLINT(bugprone-macro-parentheses) */                    \
 		__asm(".ifndef " mangledName "\n"                                      \
@@ -38,7 +38,8 @@
 		      : "i"(((perms.permitLoad) ? (1 << 31) : 0) +                     \
 		            ((perms.permitStore) ? (1 << 30) : 0) +                    \
 		            ((perms.permitLoadStoreCapabilities) ? (1 << 29) : 0) +    \
-		            ((perms.permitLoadMutable) ? (1 << 28) : 0)));             \
+		            ((perms.permitLoadMutable) ? (1 << 28) : 0) +              \
+		            ((perms.permitLoadGlobal) ? (1 << 27) : 0)));              \
 		ret;                                                                   \
 	})
 
@@ -48,8 +49,8 @@
  * can be used only in code (it cannot be used to initialise a global).
  *
  * The last arguments specify the set of permissions that this capability
- * holds: Load Data (LD), Store Data (SD), Memory Capabilities (MC), and Load
- * Mutable (LM).
+ * holds: Load Data (LD), Store Data (SD), Memory Capabilities (MC), Load
+ * Mutable (LM), and Load Global (LG).
  *
  * MMIO capabilities are always global (GL) and without store local (SL).
  */
@@ -79,8 +80,8 @@
  * used to initialise a global).
  *
  * The last arguments specify the set of permissions that this capability
- * holds: Load Data (LD), Store Data (SD), Memory Capabilities (MC), and Load
- * Mutable (LM).
+ * holds: Load Data (LD), Store Data (SD), Memory Capabilities (MC), Load
+ * Mutable (LM), and Load Global (LG).
  *
  * Capabilities to pre-shared objects are always global (GL) and without store
  * local (SL).
@@ -103,7 +104,21 @@
  * To define a reduced set of permissions use `SHARED_OBJECT_WITH_PERMISSIONS`.
  */
 #define SHARED_OBJECT(type, name)                                              \
-	SHARED_OBJECT_WITH_PERMISSIONS(type, name, true, true, true, true)
+	SHARED_OBJECT_WITH_PERMISSIONS(type, name, true, true, true, true, true)
+
+/**
+ * Provide a capability of the type `type *` referring to the pre-shared object
+ * with `name` as its name.  This macro can be used only in code (it cannot be
+ * used to initialise a global).
+ *
+ * Pre-shared object capabilities produced by this macro have the indicated load
+ * and store permission, but no load/store-capability permissions (and,
+ * therefore, no load-mutable or load-global permissions).
+ */
+#define SHARED_OBJECT_WITH_DATA_PERMISSIONS(                                   \
+  type, name, permitLoad, permitStore)                                         \
+	SHARED_OBJECT_WITH_PERMISSIONS(                                            \
+	  type, name, permitLoad, permitStore, false, false, false)
 
 /**
  * Macro to test whether a device with a specific name exists in the board
diff --git a/sdk/lib/compartment_helpers/claim_fast.cc b/sdk/lib/compartment_helpers/claim_fast.cc
@@ -10,9 +10,9 @@
 int heap_claim_ephemeral(Timeout *timeout, const void *ptr, const void *ptr2)
 {
 	void   **hazards = switcher_thread_hazard_slots();
-	auto    *epochCounter{const_cast<
-	     cheriot::atomic<uint32_t> *>(SHARED_OBJECT_WITH_PERMISSIONS(
-      cheriot::atomic<uint32_t>, allocator_epoch, true, false, false, false))};
+	auto    *epochCounter{const_cast<cheriot::atomic<uint32_t> *>(
+      SHARED_OBJECT_WITH_DATA_PERMISSIONS(
+        cheriot::atomic<uint32_t>, allocator_epoch, true, false))};
 	uint32_t epoch  = epochCounter->load();
 	int      values = 2;
 	// Skip processing pointers that don't refer to heap memory.
diff --git a/tests.extra/regress-double_ref_shared/top1.cc b/tests.extra/regress-double_ref_shared/top1.cc
@@ -2,8 +2,7 @@
 
 void top1()
 {
-	auto ref1 =
-	  SHARED_OBJECT_WITH_PERMISSIONS(struct Foo, foo, true, true, false, false);
+	auto ref1 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, true);
 
 	ref1->bar = 1;
 }
diff --git a/tests.extra/regress-double_ref_shared/top2.cc b/tests.extra/regress-double_ref_shared/top2.cc
@@ -6,8 +6,7 @@ using Debug = ConditionalDebug<true, "top2">;
 
 void top2()
 {
-	auto ref2 = SHARED_OBJECT_WITH_PERMISSIONS(
-	  struct Foo, foo, true, false, false, false);
+	auto ref2 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, false);
 
 	Debug::log("ref2: {}", ref2->bar);
 }
diff --git a/tests/misc-test.cc b/tests/misc-test.cc
@@ -381,22 +381,30 @@ int test_misc()
 	                     Permission::Load,
 	                     Permission::Store,
 	                     Permission::LoadStoreCapability,
-	                     Permission::LoadMutable});
+	                     Permission::LoadMutable,
+	                     Permission::LoadGlobal});
 	check_shared_object(
 	  "exampleK",
-	  SHARED_OBJECT_WITH_PERMISSIONS(void, exampleK, true, true, false, false),
+	  SHARED_OBJECT_WITH_PERMISSIONS(
+	    void, exampleK, true, true, false, false, false),
 	  1024,
 	  {Permission::Global, Permission::Load, Permission::Store});
 	check_shared_object(
 	  "test_word",
-	  SHARED_OBJECT_WITH_PERMISSIONS(void, test_word, true, false, true, false),
+	  SHARED_OBJECT_WITH_PERMISSIONS(
+	    void, test_word, true, false, true, false, false),
 	  4,
 	  {Permission::Global, Permission::Load, Permission::LoadStoreCapability});
 	check_shared_object("test_word",
 	                    SHARED_OBJECT_WITH_PERMISSIONS(
-	                      void, test_word, true, false, false, false),
+	                      void, test_word, true, false, false, false, false),
 	                    4,
 	                    {Permission::Global, Permission::Load});
+	check_shared_object(
+	  "test_word data",
+	  SHARED_OBJECT_WITH_DATA_PERMISSIONS(void, test_word, true, false),
+	  4,
+	  {Permission::Global, Permission::Load});
 	check_odd_memcmp();
 	TEST_EQUAL(strnlen(*volatileString, 3),
 	           3,
diff --git a/tests/mmio-test.cc b/tests/mmio-test.cc
@@ -16,66 +16,86 @@ void check_permissions(Capability<volatile void> mmio, PermissionSet p)
 
 int test_mmio()
 {
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, false, false, false),
-	  {Permission::Global});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, false, true, false),
-	  {Permission::Global});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, false, false, true),
-	  {Permission::Global});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, false, true, true),
-	  {Permission::Global});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, true, false, false),
-	  {Permission::Global, Permission::Store});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, true, true, false),
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, false, false, false, false, false),
+	                  {Permission::Global});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, false, false, true, false, false),
+	                  {Permission::Global});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, false, false, false, true, false),
+	                  {Permission::Global});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, false, false, true, true, false),
+	                  {Permission::Global});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, false, true, false, false, false),
+	                  {Permission::Global, Permission::Store});
+	check_permissions(
+	  MMIO_CAPABILITY_WITH_PERMISSIONS(
+	    Uart, uart, false, true, true, false, false),
 	  {Permission::Global, Permission::Store, Permission::LoadStoreCapability});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, false, true, false, true, false),
+	                  {Permission::Global, Permission::Store});
 	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, true, false, true),
-	  {Permission::Global, Permission::Store});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, false, true, true, true),
+	  MMIO_CAPABILITY_WITH_PERMISSIONS(
+	    Uart, uart, false, true, true, true, false),
 	  {Permission::Global, Permission::Store, Permission::LoadStoreCapability});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, false, false, false, false),
+	                  {Permission::Global, Permission::Load});
 	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, false, false, false),
-	  {Permission::Global, Permission::Load});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, false, true, false),
+	  MMIO_CAPABILITY_WITH_PERMISSIONS(
+	    Uart, uart, true, false, true, false, false),
 	  {Permission::Global, Permission::Load, Permission::LoadStoreCapability});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, false, false, true),
-	  {Permission::Global, Permission::Load});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, false, true, true),
-	  {Permission::Global,
-	   Permission::Load,
-	   Permission::LoadStoreCapability,
-	   Permission::LoadMutable});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, true, false, false),
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, false, false, true, false),
+	                  {Permission::Global, Permission::Load});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, false, true, true, false),
+	                  {Permission::Global,
+	                   Permission::Load,
+	                   Permission::LoadStoreCapability,
+	                   Permission::LoadMutable});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, false, true, true, true),
+	                  {Permission::Global,
+	                   Permission::Load,
+	                   Permission::LoadStoreCapability,
+	                   Permission::LoadMutable,
+	                   Permission::LoadGlobal});
+	check_permissions(
+	  MMIO_CAPABILITY_WITH_PERMISSIONS(
+	    Uart, uart, true, true, false, false, false),
 	  {Permission::Global, Permission::Load, Permission::Store});
 	check_permissions(
 	  MMIO_CAPABILITY(Uart, uart) /* check default permissions */,
 	  {Permission::Global, Permission::Load, Permission::Store});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, true, true, false),
-	  {Permission::Global,
-	   Permission::Load,
-	   Permission::Store,
-	   Permission::LoadStoreCapability});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, true, false, true),
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, true, true, false, false),
+	                  {Permission::Global,
+	                   Permission::Load,
+	                   Permission::Store,
+	                   Permission::LoadStoreCapability});
+	check_permissions(
+	  MMIO_CAPABILITY_WITH_PERMISSIONS(
+	    Uart, uart, true, true, false, true, false),
 	  {Permission::Global, Permission::Load, Permission::Store});
-	check_permissions(
-	  MMIO_CAPABILITY_WITH_PERMISSIONS(Uart, uart, true, true, true, true),
-	  {Permission::Global,
-	   Permission::Load,
-	   Permission::Store,
-	   Permission::LoadStoreCapability,
-	   Permission::LoadMutable});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, true, true, true, false),
+	                  {Permission::Global,
+	                   Permission::Load,
+	                   Permission::Store,
+	                   Permission::LoadStoreCapability,
+	                   Permission::LoadMutable});
+	check_permissions(MMIO_CAPABILITY_WITH_PERMISSIONS(
+	                    Uart, uart, true, true, true, true, true),
+	                  {Permission::Global,
+	                   Permission::Load,
+	                   Permission::Store,
+	                   Permission::LoadStoreCapability,
+	                   Permission::LoadMutable,
+	                   Permission::LoadGlobal});
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,7 @@`
`2`	`2`
`3`	`3`	`void top1()`
`4`	`4`	`{`
`5`		`- auto ref1 =`
`6`		`- SHARED_OBJECT_WITH_PERMISSIONS(struct Foo, foo, true, true, false, false);`
	`5`	`+ auto ref1 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, true);`
`7`	`6`
`8`	`7`	`ref1->bar = 1;`
`9`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,7 @@ using Debug = ConditionalDebug<true, "top2">;`
`6`	`6`
`7`	`7`	`void top2()`
`8`	`8`	`{`
`9`		`- auto ref2 = SHARED_OBJECT_WITH_PERMISSIONS(`
`10`		`- struct Foo, foo, true, false, false, false);`
	`9`	`+ auto ref2 = SHARED_OBJECT_WITH_DATA_PERMISSIONS(Foo, foo, true, false);`
`11`	`10`
`12`	`11`	`Debug::log("ref2: {}", ref2->bar);`
`13`	`12`	`}`