Don't invoke error handlers when the callee errors.

I originally made a forced unwind out of a compartment invoke the
caller's error handler (if it existed) with a special error code.  The
idea was that you could use error handlers to jump to recovery paths,
rather than checking return values.

This seemed like a good idea at the time, but turned out to be a
mistake.  The only code that has ever used this behaviour was the test
suite.  Other error handlers have special-case logic to check if this is
the reason and ignore it if so.  It also added a lot of confusing
control flow in the switcher, which is bad because the switcher is the
core of the TCB.

Fixes #302
29 files changed
tree: a603dc3f1aca3f125172345d544b833a7b9e73cb
  1. .devcontainer/
  2. .github/
  3. benchmarks/
  4. docs/
  5. examples/
  6. exercises/
  7. scripts/
  8. sdk/
  9. tests/
  10. .clang-format
  11. .clang-tidy
  12. .gitignore
  13. .gitmodules
  14. azure-pipelines.yml
  15. cgmanifest.json
  16. CODE_OF_CONDUCT.md
  17. compile_flags.txt
  18. LICENSE
  19. README.md
  20. SECURITY.md
  21. SUPPORT.md
  22. THIRD_PARTY_NOTICES.txt
README.md

CHERIoT RTOS

This repository contains the core RTOS for the CHERIoT platform. This is currently a research project that has been open sourced to enable wider collaboration. It is not yet in a state where it should be used in production: in particular, security issues will currently be fixed in the main branch of the repo with no coordinated disclosure.

To use this, you will also need to install some dependencies. The getting started guide describes in detail how to build these:

These dependencies are pre-installed in the dev container that will be automatically downloaded if you open this repository in Visual Studio Code or by hitting . to open it in GitHub Code Spaces.

To clone this repository, make sure that you use git clone --recurse so that you get submodules. This repository contains symbolic links. IMPORTANT: If you wish to clone this repository on Windows, make sure that you have enabled Developer Mode and run git config --global core.symlinks true. You must do this before cloning the repository.

The getting started guide describes how to install these and how to build the test suite and examples in this repository.

The RTOS is privilege separated into a small number of core components as described in the architecture document. The C/C++ extensions used by the compartmentalisation model are described in the language extensions document.

If you have questions, please see the frequently asked questions document or raise an issue.

Building firmware images

This repo contains the infrastructure for building CHERIoT firmware images.

NOTE: The build system is currently based on xmake, but we have encountered a number of issues with our use of xmake and may switch to an alternative build system at some point.

Clone this repo into your project and create an xmake.lua referring to it. The file should start with this line:

includes("{path to this repo}/sdk")

This will enable debug and release configuration (specified with -m {release,debug}). Both are compiled with -Oz (optimise for size, even at the expense of performance).

Next you need to specify that you want to use the compiler provided by this SDK:

set_toolchains("cheriot-clang")

Now you can add targets. We provide helpers for creating library, compartment, and firmware targets. These work just like normal xmake targets:

library("lib")
    add_files("shared_c_file.c", "shared_cxx_file.cc")

compartment("example")
    add_files("example/example.c")

firmware("example-firmware")
    add_deps("lib", "example")
    on_load(function(target)
        target:values_set("threads", {
            {
                compartment = "example",
                priority = 1,
                entry_point = "entry_point",
                stack_size = 0x400,
                trusted_stack_frames = 2
            }
        })

The firmware description specifies the compartments and libraries that this system depends on and specifies the threads. Threads are listed as a Lua array of objects, each of which has the following keys:

  • compartment specifies the name of the compartment in which this thread starts.
  • entry_point specifies the name of the exported function from that compartment that the thread will start executing. This function must take no arguments and return void.
  • stack_size specifies the size, in bytes, of the stack for this thread.
  • trusted_stack_frames specifies the number of trusted stack frames (the maximum depth of cross-compartment calls possible on this thread). Note that any call that may yield is likely to require at least one additional trusted stack frame to call the scheduler so, for example, a blocking call to malloc requires three stack frames (the caller, the allocator, and the scheduler).
$ xmake config --sdk={path to CHERIoT LLVM tools}
$ xmake

This will create the output in build/cheriot/cheriot/{release,debug}/{name of firmware target}. It will also create a .dump file in the same location giving the objdump output of the same target.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.