Fix revoker scan regions.

Neither software or hardware revoker were scanning enough of memory, as revealed by the tests in the previous commit. In the case of the software revoker we need to add the trusted stacks in the region to scan so just move __stack_space_start up a bit in the linker script. The hardware revoker is currently only setup to scan a single region so also move the stacks themselves down and put them before compartment globals and add a new symbol, __revoker_scan_start to use instead of __compart_cgps (which doesn't cover the stacks).
CHERIoT-Platform · Jan 16, 2025 · b230456 · b230456
1 parent 1c86f8d
commit b230456
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/sdk/core/loader/boot.cc b/sdk/core/loader/boot.cc
@@ -1434,7 +1434,8 @@ extern "C" SchedulerEntryInfo loader_entry_point(const ImgHdr &imgHdr,
 	scaryCapabilities[1].address() = scaryCapabilities[1].base();
 	Debug::log("Wrote scary capability {}", scaryCapabilities[1]);
 	// Read-write capability to the entire stack.  This is scary because a bug
-	// in the revoker could violate thread isolation.
+	// in the revoker could violate thread isolation or compartment isolation
+	// (via trusted stacks).
 	scaryCapabilities[2] =
 	  build<void,
 	        Root::Type::RWStoreL,

diff --git a/sdk/firmware.ldscript.in b/sdk/firmware.ldscript.in
@@ -13,12 +13,6 @@ SECTIONS
 		*(.loader_start);
 	}
 
-	@thread_trusted_stacks@
-
-	__stack_space_start = .;
-	@thread_stacks@
-	__stack_space_end = .;
-
 	.compartment_export_tables : ALIGN(8)
 	{
 		# The scheduler and allocator's export tables are at the start.
@@ -85,6 +79,13 @@ SECTIONS
 	@pcc_ld@
 
 	__compart_pccs_end = .;
+	__revoker_scan_start = .;
+	__stack_space_start = .;
+
+	@thread_trusted_stacks@
+
+	@thread_stacks@
+	__stack_space_end = .;
 
 	__compart_cgps = ALIGN(64);
 

diff --git a/sdk/include/platform/ibex/platform-hardware_revoker.hh b/sdk/include/platform/ibex/platform-hardware_revoker.hh
@@ -87,9 +87,9 @@ namespace Ibex
 			 * revoke capabilities everywhere from the start of compartment
 			 * globals to the end of the heap.
 			 */
-			extern char __compart_cgps, __export_mem_heap_end;
+			extern char __revoker_scan_start, __export_mem_heap_end;
 
-			auto  base   = LA_ABS(__compart_cgps);
+			auto  base   = LA_ABS(__revoker_scan_start);
 			auto  top    = LA_ABS(__export_mem_heap_end);
 			auto &device = revoker_device();
 			device.base  = base;