-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5,265 changed files
with
86,263 additions
and
0 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| name: CI | ||
|
|
||
| on: [push] | ||
|
|
||
| env: | ||
| doc_name: cheri-architecture | ||
|
|
||
| jobs: | ||
| build: | ||
| # TODO: Run on Docker image that has latex pre-installed? | ||
| runs-on: [ubuntu-18.04] | ||
| steps: | ||
| - uses: actions/checkout@v1 | ||
| - name: Install latex | ||
| run: sudo apt-get install -y --no-install-recommends make texlive-plain-generic texlive-latex-base texlive-latex-recommended texlive-latex-extra texlive-science texlive-fonts-recommended texlive-fonts-extra texlive-bibtex-extra texlive-extra-utils biber latexmk | ||
| - name: Build document | ||
| run: make | ||
| - name: Upload artifact | ||
|
|
||
| uses: actions/upload-artifact@master | ||
| with: | ||
| name: ${{ env.doc_name }}.pdf | ||
| path: ${{ env.doc_name }}.pdf | ||
|
|
||
| - name: Get current date | ||
| id: date | ||
| run: echo "::set-output name=date::$(date +'%Y%m%d')" | ||
| - name: Create Release | ||
| id: create_release | ||
| uses: actions/create-release@v1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| with: | ||
| tag_name: draft-${{ steps.date.outputs.date }} | ||
| release_name: Draft release ${{ steps.date.outputs.date }} | ||
| body: Latest snapshot (${{ github.sha }}) | ||
| draft: true | ||
| prerelease: true | ||
| - name: Upload Release Asset | ||
| id: upload-release-asset | ||
| uses: actions/upload-release-asset@v1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| with: | ||
| upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | ||
| asset_path: ./${{ env.doc_name }}.pdf | ||
| asset_name: ${{ env.doc_name }}-snapshot-${{ github.sha }}.pdf | ||
| asset_content_type: application/pdf | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: Remove old artifacts | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| # Every day at 1am | ||
| - cron: '0 1 * * *' | ||
|
|
||
| jobs: | ||
| remove-old-artifacts: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
|
|
||
| steps: | ||
| - name: Remove old artifacts | ||
| uses: c-hive/gha-remove-artifacts@v1 | ||
| with: | ||
| age: '1 month' | ||
| skip-tags: true | ||
| skip-recent: 10 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| /build | ||
| /cheri-architecture.aux | ||
| /cheri-architecture.bbl | ||
| /cheri-architecture.bcf | ||
| /cheri-architecture.blg | ||
| /cheri-architecture.fdb_latexmk | ||
| /cheri-architecture.fls | ||
| /cheri-architecture.glg | ||
| /cheri-architecture.glo | ||
| /cheri-architecture.gls | ||
| /cheri-architecture.ist | ||
| /cheri-architecture.log | ||
| /cheri-architecture.out | ||
| /cheri-architecture.pdf | ||
| /cheri-architecture.run.xml | ||
| /cheri-architecture.toc | ||
| /fig-*.fls | ||
| /fig-*.pdf | ||
|
|
||
| /sail-cheri-riscv | ||
| /sail-cheri-mips |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,168 @@ | ||
| TARGET=cheri-architecture.pdf | ||
| PREVEOUS=../branches/20150624-cheri-architecture-1-13 | ||
|
|
||
| SAIL_LATEX_MIPS_DIR=sail_latex_mips | ||
| SAIL_LATEX_RISCV_DIR=sail_latex_riscv | ||
|
|
||
| SOURCES=$(wildcard *.tex insn-mips/*.tex insn-riscv/*.tex $(SAIL_LATEX_MIPS_DIR)/*.tex $(SAIL_LATEX_RISCV_DIR)/*.tex) cheri.bib | ||
| TEXSTYLES=$(wildcard *.sty) | ||
| DIFFDIR=diff | ||
| DIFFTEX=$(SOURCES:%=${DIFFDIR}/%) | ||
| DIFFPARAM=--type=UNDERLINE --packages=amsmath,hyperref --math-markup=1 | ||
|
|
||
| TIKZFIGURES=fig-representable-regions.pdf fig-sentry-plt.pdf fig-type-token.pdf | ||
| FIGSOURCES= \ | ||
| fig-cheri-high-level.pdf \ | ||
| fig-pointer-provenance.pdf \ | ||
| fig-cheri-high-level.pdf \ | ||
| $(TIKZFIGURES) | ||
|
|
||
| V?=0 | ||
| ifeq ($(V),0) | ||
| INTERACTION=batchmode | ||
| TEXLOGANALYSER_FLAGS=-w | ||
| else | ||
| INTERACTION=nonstopmode | ||
| # Also include page numbers to make it easier to find what caused the warning | ||
| TEXLOGANALYSER_FLAGS=-w -n | ||
| endif | ||
|
|
||
| LATEXMK_COMMON_FLAGS=-bibtex -pdf | ||
| PDFLATEX_FLAGS=-file-line-error -halt-on-error -interaction=$(INTERACTION) | ||
|
|
||
| .PHONY: all | ||
| all: ${TARGET} | ||
|
|
||
| # The texloganalyser tool can be used to find all warning messages in the latex | ||
| # logfile which is useful when using interaction=batchmode. There is also | ||
| # a python package pydflatex that does the same thing (but with colours). | ||
| # Howver, texloganalyser is included by default in some TeX distributions so | ||
| # prefer that one. | ||
| # TODO: fix the broken sail hyperrefs so we don't have to filter the out. | ||
| ${TARGET}: ${SOURCES} ${FIGSOURCES} | ||
| latexmk $(LATEXMK_COMMON_FLAGS) cheri-architecture.tex $(PDFLATEX_FLAGS); ret=$$?; \ | ||
| if command -v texloganalyser >/dev/null 2>/dev/null; then \ | ||
| texloganalyser $(TEXLOGANALYSER_FLAGS) build/cheri-architecture.log; \ | ||
| fi; exit $$ret | ||
|
|
||
| $(TIKZFIGURES): %.pdf: %.tex Makefile | ||
| latexmk $(LATEXMK_COMMON_FLAGS) $(PDFLATEX_FLAGS) $< | ||
|
|
||
| .PHONY: figures | ||
| figures: $(TIKZFIGURES) | ||
|
|
||
| .PHONY: quick | ||
| quick: | ||
| pdflatex cheri-architecture.tex $(PDFLATEX_FLAGS) | ||
| @(echo "pdflatex only run once so build may be incomplete") | ||
|
|
||
| .PHONY: diff | ||
| diff: ${PREVEOUS} diffdir ${DIFFDIR}/${TARGET} | ||
|
|
||
| ${PREVEOUS}: | ||
| @((echo "ERROR: the preveous version directory (" ${PREVEOUS} ") does not exist." ; echo "Set the PREVEOUS variable in the Makefile.") && false) | ||
|
|
||
| .PHONY: diffdir | ||
| diffdir: | ||
| @(test -d ${DIFFDIR} || mkdir ${DIFFDIR}) | ||
|
|
||
| ${DIFFDIR}/$(TARGET): $(DIFFTEX) | ||
| cp Makefile ${DIFFDIR}/ | ||
| cp ${FIGSOURCES} ${DIFFDIR}/ | ||
| cp ${TEXSTYLES} ${DIFFDIR}/ | ||
| make -C ${DIFFDIR} | ||
| @(echo "diff of between "${PREVEOUS}" and this version is now in "${DIFFDIR}"/"${TARGET}) | ||
|
|
||
| ${DIFFDIR}/preamble.tex: preamble.tex | ||
| cp preamble.tex ${DIFFDIR} | ||
|
|
||
| ${DIFFDIR}/%.tex: %.tex | ||
| @(echo '\DIFaddbegin' > ${DIFFDIR}/diffbegin) | ||
| @(echo '\DIFaddend' > ${DIFFDIR}/diffend) | ||
| (if [ -f ${PREVEOUS}/$*.tex ]; then latexdiff ${DIFFPARAM} ${PREVEOUS}/$*.tex $*.tex > ${DIFFDIR}/$*.tex; else cat ${DIFFDIR}/diffbegin $*.tex ${DIFFDIR}/diffend > ${DIFFDIR}/$*.tex; fi) | ||
|
|
||
| ${DIFFDIR}/%.bib: %.bib | ||
| cp $*.bib ${DIFFDIR}/ | ||
|
|
||
|
|
||
| # The sed commands require GNU sed | ||
| ifeq ($(shell uname -s),Linux) | ||
| SED?=sed | ||
| else | ||
| SED?=gsed | ||
| endif | ||
|
|
||
| # Work around `find: fts_read: Invalid argument` on macOS | ||
| ifeq ($(shell uname -s),Darwin) | ||
| FIND?=gfind | ||
| else | ||
| FIND?=find | ||
| endif | ||
|
|
||
| $(SAIL_LATEX_MIPS_DIR) $(SAIL_LATEX_RISCV_DIR): %: | ||
| mkdir -p $@ | ||
|
|
||
| sail-cheri-mips: | ||
| git clone https://github.com/CTSRD-CHERI/sail-cheri-mips | ||
|
|
||
| SAIL_CHERI_MIPS_DIR?=sail-cheri-mips | ||
| sail-cheri-mips-latex: $(SAIL_CHERI_MIPS_DIR) | $(SAIL_LATEX_MIPS_DIR) | ||
| rm -rf $(SAIL_CHERI_MIPS_DIR)/cheri/$(SAIL_LATEX_MIPS_DIR) | ||
| $(MAKE) -C $(SAIL_CHERI_MIPS_DIR)/cheri latex_128 | ||
| chmod -R +w $(SAIL_LATEX_MIPS_DIR) | ||
| rm -rf $(SAIL_LATEX_MIPS_DIR) | ||
| cp -r $(SAIL_CHERI_MIPS_DIR)/cheri/$(SAIL_LATEX_MIPS_DIR) . | ||
| $(FIND) $(SAIL_LATEX_MIPS_DIR) -type f -name 'fcl*zexecute*.tex' -exec $(SED) -i -e '1d; 2{/^{$$/d}; $$d; s/^ //;' {} + | ||
| touch $(SAIL_LATEX_MIPS_DIR)/0GENERATED_FILES_DO_NOT_EDIT | ||
| touch $(SAIL_LATEX_MIPS_DIR)/zGENERATED_FILES_DO_NOT_EDIT | ||
| $(FIND) $(SAIL_LATEX_MIPS_DIR) -type f -exec chmod -w {} + | ||
|
|
||
|
|
||
| sail-cheri-riscv: | ||
| git clone --recurse-submodules https://github.com/CTSRD-CHERI/sail-cheri-riscv | ||
|
|
||
| SAIL_CHERI_RISCV_DIR?=sail-cheri-riscv | ||
| sail-cheri-riscv-latex: $(SAIL_CHERI_RISCV_DIR) | $(SAIL_LATEX_RISCV_DIR) | ||
| rm -rf $(SAIL_CHERI_RISCV_DIR)/$(SAIL_LATEX_RISCV_DIR) | ||
| $(MAKE) -C $(SAIL_CHERI_RISCV_DIR) latex | ||
| chmod -R +w $(SAIL_LATEX_RISCV_DIR) | ||
| rm -rf $(SAIL_LATEX_RISCV_DIR) | ||
| cp -r $(SAIL_CHERI_RISCV_DIR)/$(SAIL_LATEX_RISCV_DIR) $(SAIL_LATEX_RISCV_DIR) | ||
| $(FIND) $(SAIL_LATEX_RISCV_DIR) -type f -name 'fcl*zexecute*.tex' -exec $(SED) -i -e '1d; 2{/^{$$/d}; $$d; s/^ //;' {} + | ||
| touch $(SAIL_LATEX_RISCV_DIR)/0GENERATED_FILES_DO_NOT_EDIT | ||
| touch $(SAIL_LATEX_RISCV_DIR)/zGENERATED_FILES_DO_NOT_EDIT | ||
| $(FIND) $(SAIL_LATEX_RISCV_DIR) -type f -exec chmod -w {} + | ||
|
|
||
|
|
||
| update-sail-defs-mips: $(SAIL_CHERI_MIPS_DIR) | ||
| git -C $(SAIL_CHERI_MIPS_DIR) pull --rebase | ||
| git -C $(SAIL_CHERI_MIPS_DIR) submodule update --init --recursive | ||
| $(MAKE) sail-cheri-mips-latex | ||
|
|
||
| update-sail-defs-riscv: $(SAIL_CHERI_RISCV_DIR) | ||
| git -C $(SAIL_CHERI_RISCV_DIR) pull --rebase | ||
| git -C $(SAIL_CHERI_RISCV_DIR) submodule update --init --recursive | ||
| $(MAKE) sail-cheri-riscv-latex | ||
|
|
||
| update-sail-defs: update-sail-defs-mips update-sail-defs-riscv | ||
|
|
||
| .PHONY: clean update-sail-defs sail-cheri-riscv-latex sail-cheri-mips-latex update-sail-defs-riscv update-sail-defs-mips | ||
| clean: | ||
| latexmk -C $(LATEXMK_COMMON_FLAGS) cheri-architecture.tex | ||
| latexmk -C $(LATEXMK_COMMON_FLAGS) fig-*.tex | ||
| rm -f $(TARGET) $(TIKZFIGURES) | ||
| rm -rf $(DIFFDIR) | ||
|
|
||
| cheri-sorted.bib: cheri.bib bib-sorting.conf | ||
| biber --tool $< --sortcase=false --strip-comments --sortdebug --isbn13 --isbn-normalise --fixinits \ | ||
| --output_indent=4 --output_fieldcase=lower --sortlocale=en_GB \ | ||
| --configfile=bib-sorting.conf --validate-config --output-file=$@ | ||
|
|
||
|
|
||
| .PHONY: check-bibliography check-bibliography-strict | ||
| check-bibliography: | ||
| # For more detailed output add --debug | ||
| biber --tool cheri.bib | ||
|
|
||
| check-bibliography-strict: | ||
| biber --tool --validate-datamodel cheri.bib | grep -v "Missing mandatory field 'editor'" | grep -v "is not an integer" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| \section*{Abstract} | ||
|
|
||
| This technical report describes CHERI ISAv8, the eighth version of the | ||
| CHERI architecture | ||
| being developed by SRI International and the University of Cambridge. | ||
| This design captures ten years of research, development, experimentation, | ||
| refinement, formal analysis, and validation through hardware and software | ||
| implementation. | ||
|
|
||
| CHERI introduces an architecture-neutral capability-based protection | ||
| model, which has been instantiated in various commodity base architectures | ||
| to give CHERI-MIPS, | ||
| CHERI-RISC-V, Arm's prototype Morello architecture, and (sketched) | ||
| CHERI-x86-64. | ||
| It enables software | ||
| to efficiently implement fine-grained memory protection and scalable software | ||
| compartmentalization, by providing strong, non-probabilistic, efficient | ||
| mechanisms to support the principles of least privilege and intentional use | ||
| in the execution of software at multiple levels of abstraction, preventing and | ||
| mitigating vulnerabilities. | ||
| Design goals include incremental adoptability from current ISAs and | ||
| software stacks, low performance overhead for memory protection, significant | ||
| performance improvements for software compartmentalization, formal grounding, | ||
| and programmer-friendly underpinnings. | ||
|
|
||
| CHERI blends traditional paged virtual memory with an | ||
| in-address-space capability model that includes capability values in registers, | ||
| capability instructions, and tagged memory to enforce capability integrity. | ||
| This hybrid approach, inspired by the Capsicum security model, addresses the performance and robustness issues that arise | ||
| when trying to express more secure programming models, minimising | ||
| privilege, above conventional architectures that provide only | ||
| MMU-based protection. | ||
| CHERI builds on the C-language fat-pointer literature: its capabilities can | ||
| describe fine-grained regions of memory, and can be substituted for data or | ||
| code pointers in generated code, protecting data and improving | ||
| control-flow robustness. | ||
| Strong capability integrity and monotonicity properties allow CHERI | ||
| to express a variety of protection idioms, from enforcing valid C-language | ||
| pointer provenance and bounds checking to implementing the isolation and | ||
| controlled communication structures required for software | ||
| compartmentalization. | ||
|
|
||
| CHERI's hybrid approach allows incremental adoption of capability-oriented design: | ||
| critical components can be ported and recompiled to use capabilities throughout, | ||
| providing fine-grain memory protection, or be largely unmodified but encapsulated in ways that permit | ||
| only controlled interaction. | ||
| Potential early deployment scenarios include low-level software Trusted Computing | ||
| Bases (TCBs) such as separation kernels, hypervisors, and operating-system | ||
| kernels, userspace TCBs such as language runtimes and web browsers, | ||
| and particularly high-risk | ||
| software libraries such as data compression, protocol parsing, and image | ||
| processing (which are concentrations of both complex and historically | ||
| vulnerability-prone code exposed to untrustworthy data sources). | ||
|
|
||
| CHERI ISAv8 is a substantial enhancement to prior ISA versions. | ||
| Capability compression is now part of the abstract model. | ||
| Both 32-bit and 64-bit architectural address sizes are supported. | ||
| Various previously experimental features, such as sentry capabilities and | ||
| CHERI-RISC-V, are now considered mature. | ||
| We have defined a number of new temporal memory-safety acceleration features | ||
| including MMU assistance for a load-side-barrier revocation model. | ||
| We have added a chapter on practical CHERI microarchitecture. | ||
| CHERI ISAv8 is synchronized with Arm Morello. |
Oops, something went wrong.