09 April 2025



## IMPLEMENTATION OF CHERI CAPABILITIES IN A SAFETY-CRITICAL REAL-TIME OPERATING SYSTEM FOR INTELLIGENT EDGE SYSTEMS

**Dmytro Yeliseyev** Software Architect, Wind River

### Agenda

- Approach
- Source of inspiration
- VxWorks
- Conclusion







### Approach



Due to the **complexity** of the overall system architecture and dependencies of system components, it was decided to take an incremental development approach involving **smaller steps** that would enable progress to be assessed and validated, which would reduce overall technical risk compared to attempting to integrate modifications of multiple system architecture components in a single step.

- Get the VxWorks RTOS running on Morello silicon, but without enabling support for CHERI capabilities.
- Get the VxWorks RTOS kernel running in hybrid mode.
- Enable pure capability mode support only in VxWorks user space.

While estimating the changes needed in a kernel running in hybrid mode to support pure capability mode in user space, it was found that this effort is comparable to the effort needed to run the entire kernel in pure capability mode. It was therefore decided to skip this step.

- Enable pure capability mode support in the VxWorks kernel.










### Source of inspiration





https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

- **cheribuild**: a script to build and run CHERI-related software, "one build tool to rule them all": https://github.com/CTSRD-CHERI/cheribuild. Supported operating systems include Ubuntu.

- **CheriBSD**: A complete memory- and pointer-safe FreeBSD C/C++ kernel + user space, which is very useful to get examples of how to use the CHERI software and tools existing so far.
- The Morello SoC is a prototype silicon implementation of a capability hardware CPU instruction set architecture (ISA): an experimental application of CHERI ISAv8 to ARMv8-A. The Morello SoC is based on the Arm Neoverse N1 core with tagged memory support.
- **ARM Development Studio (Morello Edition)** can be configured to use the embedded JTAG probe on the ARM Morello SDP.

- Adversarial CHERI exercises and missions: https://ctsrd-cheri.github.io/cheri-exercises







### VxWorks – build system

- wr-llvm-morello: an *LLVM* tool chain wrapped by the *wr-llvm* environment and containing changes from the *morello-llvm* project implementing the CHERI extension for the Armv8-A architecture.
- Compiler target and architecture flags:
  - `--target=arm64` -> `--target=aarch64`
  - `-march=morello+noa64c`
  - `-march=morello+a64c`
  - `-march=morello+c64 -mabi=purecap`
- Linker: `ldarm64` -> `ld.lld`
  - `.cpu_private (DSECT)` -> `.cpu_private (COPY)`
  - `__cap_reloc` split: `.text` vs `.rodata`
  - `.size` for asm symbols

The installer can incrementally add new layers (Wind River or customer) into the Wind River installation.






### VxWorks – RTOS components

#### HW support: Morello SDP + QEMU

- Architecture support Neoverse N1 CPU.
- BSP + PSL (FDT, boardLib, std drivers)
- MMU (> 512GB mem addr space, etc.)

#### Startup

- Vectors
- MMU enable RW of capabilities
- Enable CHERI instructions
- \_\_cap\_reloc runtime initialization

#### Scheduler

- Extend TCBs, 128bit regs + special regs etc.
- Align structures, system call APIs, etc.

#### Exceptions

- E.g. ERET requires CELR instead of ELR
- New exception types -> handlers

#### Other components

- Memory managers
- Kernel libraries API
  - Tasks, Signals, Utils, Shell, User Space...
- User space
  - RTP DLL: TLS descriptor reloc types support







### VxWorks: source code

#### Expected problems

**Alignment issues**: Capabilities are always naturally aligned. This is a requirement of the hardware (there is one tag bit per 128 bits / 16 bytes). The register-set structure therefore moves from 64-bit integer members to a capability-sized, capability-aligned register type.

Before:

```c
/* REG_SET - ARM register set */
typedef struct
    {
    Vx_ULONG r[_GREG_NUM];  /* general purpose registers */
    Vx_ULONG sp;            /* stack pointer */
    Vx_INSTR * pc;          /* program counter */
    /* ... */
```

After:

```c
#if __has_feature(capabilities)
typedef uintcap_t ARM_REG_TYPE;
#else
typedef uintptr_t ARM_REG_TYPE;
#endif

#define ARM_REG_ALIGN sizeof(ARM_REG_TYPE)
#define ARM_REG_M     _Alignas(ARM_REG_ALIGN) ARM_REG_TYPE

/* REG_SET - ARM register set */
typedef struct
    {
    ARM_REG_M r[_GREG_NUM]; /* general purpose registers */
    ARM_REG_M sp;           /* stack pointer */
    ARM_REG_M pc;           /* program counter */
    /* ... */
```

**bcopy**: To copy memory blocks that contain capabilities, you must use capability load and store instructions so that capability metadata and tags are propagated.

- The source address must be 16-byte aligned before whole 16-byte chunks are copied, so copy small chunks first until the address is aligned.
- Modify the copy instructions accordingly.
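The head-then-chunks copy described for bcopy, as an added example that is not Wind River's code: once the source is 16-byte aligned, whole chunks go through a capability-sized type, so a CHERI purecap compiler emits capability load/store pairs and the tag travels with the data. The conventional-build fallback (a plain 16-byte struct) only models the algorithm; the names `cap_bcopy`, `cap_chunk_t` and `addr_of` are assumptions, and the example also covers the case the slide does not mention, a destination that is not congruent with the source modulo 16.

```c
/* Added example, not from the slides: a bcopy-style routine that copies whole
 * 16-byte chunks through a capability-sized type once the source is aligned.
 * In a CHERI purecap build the chunk type is a capability, so the compiler emits
 * capability load/store pairs and the tag travels with the data. In a
 * conventional build the chunk is a plain 16-byte struct, which only models the
 * algorithm (assumption: the names cap_bcopy, cap_chunk_t, addr_of are ours). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif

#if __has_feature(capabilities)
typedef void *cap_chunk_t;                      /* capability: tagged 16-byte unit */
static inline size_t addr_of(const void *p) { return (size_t)__builtin_cheri_address_get(p); }
#else
typedef struct { uint64_t w[2]; } cap_chunk_t;  /* 16 bytes, no tag on this build */
static inline size_t addr_of(const void *p) { return (size_t)(uintptr_t)p; }
#endif

#define CAP_CHUNK 16u
_Static_assert(sizeof(cap_chunk_t) == CAP_CHUNK, "chunk must be capability-sized");

/* Copies n bytes from src to dst; returns how many whole chunks went through
 * the capability-sized load/store path (0 means tags could not be preserved). */
size_t cap_bcopy(const void *src, void *dst, size_t n)
{
    const unsigned char *s = src;
    unsigned char *d = dst;
    size_t chunks = 0;

    /* Head: copy bytes until the source address is 16-byte aligned. */
    while (n > 0 && addr_of(s) % CAP_CHUNK != 0) {
        *d++ = *s++;
        n--;
    }

    /* A capability store needs an aligned destination too. If src and dst are
     * not congruent modulo 16 the chunk path is impossible (an unaligned
     * capability store faults), so the remainder goes byte by byte and any
     * capabilities in it lose their tags, as they would with a plain memcpy. */
    if (addr_of(d) % CAP_CHUNK == 0) {
        while (n >= CAP_CHUNK) {
            *(cap_chunk_t *)d = *(const cap_chunk_t *)s;  /* tag-preserving on CHERI */
            s += CAP_CHUNK;
            d += CAP_CHUNK;
            n -= CAP_CHUNK;
            chunks++;
        }
    }

    /* Tail (or everything left in the incongruent case): byte copy. */
    while (n > 0) {
        *d++ = *s++;
        n--;
    }
    return chunks;
}

/* Self-check on a constructed buffer: an unaligned start that becomes aligned
 * after a 13-byte head, then two whole chunks, then a 5-byte tail. Returns 1 on success. */
int cap_bcopy_selfcheck(void)
{
    _Alignas(16) unsigned char src[64];
    _Alignas(16) unsigned char dst[64];
    for (unsigned i = 0; i < sizeof src; i++) src[i] = (unsigned char)i;
    memset(dst, 0xEE, sizeof dst);

    size_t chunks = cap_bcopy(src + 3, dst + 3, 50);
    return chunks == 2 && memcmp(src + 3, dst + 3, 50) == 0
        && dst[2] == 0xEE && dst[53] == 0xEE;   /* neighbours untouched */
}

/* Incongruent offsets (1 vs 2 modulo 16): data still copied, but no chunk path. */
int cap_bcopy_incongruent_check(void)
{
    _Alignas(16) unsigned char src[64];
    _Alignas(16) unsigned char dst[64];
    for (unsigned i = 0; i < sizeof src; i++) src[i] = (unsigned char)(i * 7);
    memset(dst, 0, sizeof dst);

    size_t chunks = cap_bcopy(src + 1, dst + 2, 40);
    return chunks == 0 && memcmp(src + 1, dst + 2, 40) == 0;
}
```

The return value is the useful diagnostic: a caller moving a structure that holds capabilities can treat zero chunks as "tags were dropped" and fall back to a capability-aware copy or fail loudly rather than silently producing untagged pointers.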



### VxWorks: source code

#### Unexpected problems

**Atomic operations.** Non-Morello: LDAXR/STLXR (disassembly of vxAtomic64Cas):

```
vxAtomic64Cas:
38B8  D10103FF  SUB    sp,sp,#0x40
38BC  F9001FE0  STR    x0,[sp,#0x38]
38C0  F9001BE1  STR    x1,[sp,#0x30]
38C4  F90017E2  STR    x2,[sp,#0x28]
38C8  F9401FEB  LDR    x11,[sp,#0x38]
38CC  F94017E8  LDR    x8,[sp,#0x28]
38D0  F9000FE8  STR    x8,[sp,#0x18]
38D4  F9401BE9  LDR    x9,[sp,#0x30]
38D8  F9400FEC  LDR    x12,[sp,#0x18]
38DC  C85FFD68  LDAXR  x8,[x11]
38E0  EB09011F  CMP    x8,x9
38E4  54000061  B.NE   vxAtomic64Cas+56 ; 0xFFFFFFF80
38E8  C80AFD6C  STLXR  w10,x12,[x11]
38EC  35FFFF1A  CBNZ   w10,vxAtomic64Cas+36 ; 0xFFFFFF
38F0  F90007E8  STR    x8,[sp,#8]
38F4  EB09010A  SUBS   x10,x8,x9
38F8  1A9F17EA  CSET   w10,EQ
38FC  B90013EA  STR    w10,[sp,#0x10]
3900  EB090108  SUBS   x8,x8,x9
3904  54000060  B.EQ   vxAtomic64Cas+88 ; 0xFFFFFFF80
3908  F94007E8  LDR    x8,[sp,#8]
```

#### Morello: CAS – crash without an ISB in front of it

```
vxAtomic64Cas:
01EC  D10103FF  SUB    sp,sp,#0x40
01F0  F9001FE0  STR    x0,[sp,#0x38]
01F4  F9001BE1  STR    x1,[sp,#0x30]
01F8  F90017E2  STR    x2,[sp,#0x28]
01FC  F9401FEB  LDR    x11,[sp,#0x38]
0200  F94017E8  LDR    x8,[sp,#0x28]
0204  F9000FE8  STR    x8,[sp,#0x18]
0208  F9401BE8  LDR    x8,[sp,#0x30]
020C  F9400FEA  LDR    x10,[sp,#0x18]
0210  AA0803E9  MOV    x9,x8
0214  C8A9FD6A  CAS    x9,x10,[x11]
0218  EB080128  SUBS   x8,x9,x8
021C  1A9F17E8  CSET   w8,EQ
0220  F90007E9  STR    x9,[sp,#8]
0224  2A0803E9  MOV    w9,w8
0228  B90013E9  STR    w9,[sp,#0x10]
022C  370000A8  TBNZ   w8,#0,vxAtomic64Cas+84
0230  14000001  B      vxAtomic64Cas+72 ; 0xFF
```
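The same compare-and-swap contract written against a capability-sized slot with C11 atomics, as an added example that is not Wind River's code. On a CHERI purecap build `void *` is a 128-bit capability, so the compiler lowers this to a capability CAS, with the tag compared and stored alongside the address, instead of the 64-bit LDAXR/STLXR or CAS sequences in the listings above; the ISB ordering problem on Morello is a hardware detail that portable C cannot express. The names `cap_ptr_cas`, `lfstack` and `node` are assumptions.

```c
/* Added example, not from the slides: compare-and-swap on a capability-sized
 * slot written with C11 atomics. On a CHERI purecap build 'void *' is a
 * 128-bit capability, so this becomes a capability CAS rather than a 64-bit
 * integer CAS that would drop the tag. Names are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Same contract as a CAS primitive: true if *slot held 'expected' and now holds
 * 'desired'. 'void *' keeps the slot naturally aligned, which a capability CAS requires. */
static inline bool cap_ptr_cas(void *_Atomic *slot, void *expected, void *desired)
{
    return atomic_compare_exchange_strong(slot, &expected, desired);
}

/* Lock-free intrusive stack whose head is a single capability-sized slot. */
struct node { struct node *next; int value; };
struct lfstack { void *_Atomic head; };

void lfstack_push(struct lfstack *st, struct node *n)
{
    void *old;
    do {
        old = atomic_load(&st->head);
        n->next = old;
    } while (!cap_ptr_cas(&st->head, old, n));
}

/* Pops the top node or returns NULL. A pointer-only CAS is still exposed to ABA
 * reuse between the load and the CAS; the self-check below is single-threaded. */
struct node *lfstack_pop(struct lfstack *st)
{
    void *old;
    do {
        old = atomic_load(&st->head);
        if (old == NULL)
            return NULL;
    } while (!cap_ptr_cas(&st->head, old, ((struct node *)old)->next));
    return old;
}

/* A failed CAS must leave the slot untouched; a matching one must replace it. */
int cap_ptr_cas_selfcheck(void)
{
    int a, b;
    void *_Atomic slot = &a;
    bool wrong = cap_ptr_cas(&slot, &b, &b);    /* expected does not match */
    bool right = cap_ptr_cas(&slot, &a, &b);    /* expected matches */
    return !wrong && right && atomic_load(&slot) == (void *)&b;
}

/* Push four constructed nodes, pop them back: LIFO order encoded as 4321. */
int lfstack_selfcheck(void)
{
    static struct node nodes[4];
    struct lfstack st = { NULL };
    for (int i = 0; i < 4; i++) {
        nodes[i].value = i + 1;
        lfstack_push(&st, &nodes[i]);
    }
    int order = 0;
    for (struct node *n; (n = lfstack_pop(&st)) != NULL; )
        order = order * 10 + n->value;
    return order;
}
```

Writing the primitive over `void *` rather than a 64-bit integer is the point: an integer CAS on a capability-holding slot would compare and store only the address and leave the slot untagged.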







#### VxWorks Source Build (VSB) in pure capability mode:

- ~115 warnings not related to capabilities
- ~2,345 warnings related to capabilities
- Breakdown by type of warning:
  - 2,160 (~92%): Cast from provenance-free integer type to pointer type will give pointer that cannot be dereferenced
  - 110 (~5%): Alignment problems of various types; for example, structure members
  - 67 (~3%): Implicit conversion loses capability metadata
  - 8 (0.3%): Binary expression on capability types, not clear which is source of provenance

The vast majority of warnings are indicators of **traditionally-written code**, especially when assumptions are made about arbitrarily-sized integers (that is, long) being able to store pointer values.







### VxWorks – problems detected at compile time

#### Resolution

- Apply VxWorks CHERI coding rules!
  - C/C++: Macros throughout to handle conversion between pointer and integer values
  - ASM: Macros for registers and common operations
- Modify kernel APIs using VIRT\_ADDR, where a pointer (capability) is really intended/required.
- Add support for atomic operations on capabilities (128-bit values).
- Rework structure alignment as needed to be sympathetic to capabilities.
- GOT: `__cap_reloc` runtime initialization:

```c
cheri_init_globals_3();
```

- Pointer/integer conversion applied to the boot line buffer. Before:

```c
#define SYS_BOOT_LINE_LEN 256
char bootLine[SYS_BOOT_LINE_LEN];
void* addr = (void*) &bootLine;      /* pointer taken from an object address */

void* addr = (void*) 0x1C090000;     /* pointer taken from a literal address */
```

After:

```c
size_t len = SYS_BOOT_LINE_LEN;
VIRT_ADDR const tmp = ADR_FROM_PTR (*addr);
*addr = DATA_PTR_FROM_ADR_WITH_LEN (tmp, len);
```
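The conversion-macro rule above, and the "cast from provenance-free integer type" warning class that dominates the VSB warning breakdown, as one added example that is not Wind River's code. The names `ADR_FROM_PTR`, `DATA_PTR_FROM_ADR_WITH_LEN`, `VIRT_ADDR` and `SYS_BOOT_LINE_LEN` come from the slides; their definitions here, the CHERI builtins chosen for the purecap branch, the root capability they derive from, and the helper functions are assumptions.

```c
/* Added example, not from the slides: pointer/integer conversion macros in the
 * spirit of the VxWorks CHERI coding rules. The macro and type names appear on
 * the slides; their definitions here, the CHERI builtins used and the root
 * capability they derive from are assumptions, not Wind River's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif

typedef uint64_t VIRT_ADDR;   /* provenance-free integer address (assumed definition) */

#if __has_feature(capabilities)
/* Purecap build: an address is stripped from a capability, and a pointer is
 * re-derived from a root data capability (assumed here to be the default data
 * capability) with explicit bounds, never by casting the bare integer. */
#  define CHERI_ROOT_DATA_CAP() __builtin_cheri_global_data_get()
#  define ADR_FROM_PTR(p) ((VIRT_ADDR)__builtin_cheri_address_get((const void *)(p)))
#  define DATA_PTR_FROM_ADR_WITH_LEN(adr, len) \
     ((void *)__builtin_cheri_bounds_set( \
         __builtin_cheri_address_set(CHERI_ROOT_DATA_CAP(), (adr)), (len)))
#else
/* Conventional build: a pointer is its address; the length is accepted but unused. */
#  define ADR_FROM_PTR(p) ((VIRT_ADDR)(uintptr_t)(p))
#  define DATA_PTR_FROM_ADR_WITH_LEN(adr, len) ((void)(len), (void *)(uintptr_t)(adr))
#endif

#define SYS_BOOT_LINE_LEN 256
static char bootLine[SYS_BOOT_LINE_LEN];

/* Traditionally written: the pointer survives a trip through an integer. On
 * purecap the cast back is the "cast from provenance-free integer type to
 * pointer type" warning, and the result cannot be dereferenced. */
void *boot_line_ptr_traditional(void)
{
    VIRT_ADDR raw = (VIRT_ADDR)(uintptr_t)bootLine;
    return (void *)(uintptr_t)raw;
}

/* Per the coding rule: the integer may travel, but the pointer is re-derived
 * with its length so the resulting capability covers exactly bootLine. */
void *boot_line_ptr_bounded(void)
{
    size_t len = SYS_BOOT_LINE_LEN;
    VIRT_ADDR const tmp = ADR_FROM_PTR(bootLine);
    return DATA_PTR_FROM_ADR_WITH_LEN(tmp, len);
}

/* Self-check: the re-derived pointer addresses bootLine and is usable through
 * its whole length. Returns 1 on success. */
int bootline_selfcheck(void)
{
    static const char sample[] = "morello-sdp";   /* constructed boot line */
    char *p = boot_line_ptr_bounded();
    if (ADR_FROM_PTR(p) != ADR_FROM_PTR(bootLine))
        return 0;
    memset(p, 0, SYS_BOOT_LINE_LEN);
    memcpy(p, sample, sizeof sample);
    return strcmp(bootLine, sample) == 0 && p[SYS_BOOT_LINE_LEN - 1] == 0;
}
```

Both functions return the same address on a conventional build, which is exactly why such code compiled cleanly for years; only the bounded form yields a dereferenceable capability on Morello, and its explicit length is what turns a buffer overrun into a hardware fault instead of a silent write.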








### Conclusion

- Team of four engineers—two years
- CHERI tool chain
- Morello hardware and QEMU support
- VxTest and CHERI tests
  - Regression test suite
  - OS integration tests
  - CHERI core functionality tests
- Hybrid capability mode
- Pure capability mode
  - Kernel: The final adjustments are in progress at the time of this material's creation.
  - User space is coming.

Boot banner of the pure capability build on the Morello board:

```
VxWorks Cert Edition SMP 64-bit
Release version: 23.06
Build date: Jan 16 2025 17:15:49
Copyright Wind River Systems, Inc. 1984-2025

Board: Arm Morello (FDT)
CPU Count: 1
OS Memory Size: 14208MB
ED&R Policy Mode: Deployed
Target Name: vxTarget

Adding 14983 symbols for standalone.

vxTestOptions: -em -v 4
->
-> vxTest
```