# CHERITech'25 CONFERENCE





cheri-alliance.org



# Industrializing CHERI for Safety-Critical Real-Time and Virtualized Systems

Capability Support in Hypervisor and VxWorks RTOS

**Dmytro Yeliseyev** Software Architect, Wind River Systems





## Approach

Due to the **complexity** of the overall system architecture and dependencies of system components, it was decided to take an incremental development approach involving **smaller steps** that would enable progress to be assessed and validated, which would reduce overall technical risk compared to attempting to integrate modifications of multiple system architecture components in a single step.

1. Get VxWorks RTOS running on Morello silicon, but without enabling support for CHERI capabilities.
2. Get the VxWorks RTOS kernel running in hybrid mode.
3. Enable pure capability mode support only in VxWorks user space.

   While estimating the changes needed in a kernel running in hybrid mode to support pure capability mode in user space, it was found that this effort is comparable to the effort needed to run the entire kernel in pure capability mode. It was therefore decided to skip this step.

4. Enable pure capability mode support in the VxWorks kernel.





### SOURCE OF INSPIRATION



https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

- **cheribuild**: a script to build and run CHERI-related software, one build tool to rule them all: <a href="https://github.com/CTSRD-CHERI/cheribuild">https://github.com/CTSRD-CHERI/cheribuild</a>
  - Supported operating systems include Ubuntu.
- **CheriBSD**: a complete memory- and pointer-safe FreeBSD C/C++ kernel + user space, which is very useful as a source of examples of how to use the CHERI software and tools that exist so far.
- The **Morello SoC** is a prototype silicon implementation of a capability hardware CPU instruction set architecture (ISA): an experimental application of CHERI ISAv8 to ARMv8-A. The Morello SoC is based on the Arm Neoverse N1 core with tagged memory support.
- **ARM Development Studio (Morello Edition)** can be configured to use the embedded JTAG probe on the ARM Morello SDP.

Adversarial CHERI exercises and missions: <a href="https://ctsrd-cheri.github.io/cheri-exercises">https://ctsrd-cheri.github.io/cheri-exercises</a>





# VxWorks – build system

- **wr-llvm-morello**: an LLVM tool chain wrapped by the wr-llvm environment and containing changes from the morello-llvm project implementing the CHERI extension for the ARMv8-A architecture.
- `--target=arm64` -> `--target=aarch64`
  - `-march=morello+noa64c`
  - `-march=morello+a64c`
  - `-march=morello+c64 -mabi=purecap`
- `ldarm64` -> `ld.lld`
  - `.cpu_private (DSECT)` -> `.cpu_private (COPY)`
  - `__cap_reloc` split between `.text` and `.rodata`
  - `.size` for asm symbols
  - ...

The installer can incrementally add new layers (Wind River or customer) into the Wind River installation.

## VxWorks Build System



# VxWorks – RTOS components

#### HW support: Morello SDP + QEMU

- Architecture support: Neoverse N1 CPU.
- BSP + PSL (FDT, boardLib, standard drivers)
- MMU (> 512 GB memory address space, etc.)

#### Startup

- Vectors
- MMU: enable read/write of capabilities
- Enable CHERI instructions
- cap reloc runtime initialization

#### Scheduler

- Extend TCBs: 128-bit registers + special registers, etc.
- Align structures, system call APIs, etc.

#### Exceptions

- E.g. ERET requires CELR instead of ELR
- New exception types -> handlers

#### Memory Managers

- Kernel libraries API
  - Tasks, Signals, Utils, Shell, User Space...

#### User Space

RTP DLL: support for TLS descriptor relocation types





## VxWorks: SOURCE CODE

#### Expected problems

**Alignment issues**: capabilities are always naturally aligned; this is a requirement of the hardware (there is one **tag** bit per 128 bits / 16 bytes), so every register-set slot that may hold a capability must be aligned to the capability size.

```
#if __has_feature(capabilities)
typedef uintcap_t ARM_REG_TYPE;     /* 128-bit capability-sized register slot */
#else
typedef uintptr_t ARM_REG_TYPE;     /* conventional 64-bit register slot */
#endif

#define ARM_REG_ALIGN (sizeof (ARM_REG_TYPE))
#define ARM_REG_M     _Alignas (ARM_REG_ALIGN) ARM_REG_TYPE

/* REG_SET - ARM register set */
typedef struct
    {
    ARM_REG_M r[GREG_NUM];          /* general purpose registers */
    ARM_REG_M sp;                   /* stack pointer */
    ARM_REG_M pc;                   /* program counter */
    } REG_SET;
```

**bcopy**: To be able to copy memory blocks with capabilities inside, you must use capability load and store instructions to propagate capability metadata and tags.

- The source address must be 16-byte aligned before whole 16-byte chunks are copied, so copy small chunks first until the address is aligned.
- Replace the integer pair load/store with capability load/store:

```
; integer pair copy: the tag bit of any capability in the block is cleared
ldp x1, x2, [x0], #16
stp x1, x2, [x0], #16
; capability copy: the 128-bit payload and its tag move together
ldr c1, [c0], #16
str c1, [c0], #16
```
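The two rules above (capabilities live only at 16-byte-aligned addresses, and only capability loads/stores carry the tag) are easy to model on an ordinary host. The following is an added example, not code from the talk or from VxWorks: a constructed tagged-memory model with one tag bit per 16-byte granule, a capability store that faults on misalignment, an integer store that clears the tags it touches, and a `bcopy` written in the shape the slide describes (byte copies until the source is aligned, then whole granules via capability load/store). The memory layout, granule helpers and sample capabilities are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_BYTES 16               /* capability size; one tag bit per 16-byte granule */
#define MEM_BYTES 512

/* Constructed host-side model of CHERI tagged memory: a byte array plus one
 * tag bit per 16-byte granule (assumption: a flat address space of MEM_BYTES). */
typedef struct {
    uint8_t bytes[MEM_BYTES];
    bool    tag[MEM_BYTES / CAP_BYTES];
} tagged_mem;

static bool cap_aligned(size_t addr) { return addr % CAP_BYTES == 0; }

static bool tag_at(const tagged_mem *m, size_t addr) { return m->tag[addr / CAP_BYTES]; }

/* Capability store (STR cN): must be naturally aligned or it faults; the
 * granule's tag becomes whatever tag the stored capability carried. */
static bool store_cap(tagged_mem *m, size_t addr, const uint8_t payload[CAP_BYTES], bool tag) {
    if (!cap_aligned(addr) || addr + CAP_BYTES > MEM_BYTES) return false; /* alignment/bounds fault */
    memcpy(&m->bytes[addr], payload, CAP_BYTES);
    m->tag[addr / CAP_BYTES] = tag;
    return true;
}

/* Integer store of n bytes (STR/STP xN): every granule it touches loses its tag. */
static void store_int(tagged_mem *m, size_t addr, const uint8_t *src, size_t n) {
    if (n == 0 || addr + n > MEM_BYTES) return;
    memmove(&m->bytes[addr], src, n);
    for (size_t g = addr / CAP_BYTES; g <= (addr + n - 1) / CAP_BYTES; g++) m->tag[g] = false;
}

/* Naive bcopy built only on integer loads/stores: bytes arrive, tags do not. */
static void bcopy_int(tagged_mem *m, size_t src, size_t dst, size_t n) {
    store_int(m, dst, &m->bytes[src], n);
}

/* Tag-preserving bcopy: copy bytes until the source is 16-byte aligned, then
 * move whole granules with capability load/store (tag travels with the data),
 * then the tail. A capability cannot exist at an unaligned address, so when
 * source and destination are not co-aligned the granule falls back to an
 * integer copy and its tag is (correctly) dropped. Forward copy only. */
static void bcopy_cap(tagged_mem *m, size_t src, size_t dst, size_t n) {
    size_t head = (CAP_BYTES - src % CAP_BYTES) % CAP_BYTES;
    if (head > n) head = n;
    store_int(m, dst, &m->bytes[src], head);
    src += head; dst += head; n -= head;
    while (n >= CAP_BYTES) {
        uint8_t tmp[CAP_BYTES];
        memcpy(tmp, &m->bytes[src], CAP_BYTES);        /* LDR cN: payload + tag */
        if (!store_cap(m, dst, tmp, tag_at(m, src)))   /* STR cN would fault on unaligned dst */
            store_int(m, dst, tmp, CAP_BYTES);
        src += CAP_BYTES; dst += CAP_BYTES; n -= CAP_BYTES;
    }
    store_int(m, dst, &m->bytes[src], n);
}

/* Count tagged, aligned granules fully inside [addr, addr + n). */
static size_t tags_in(const tagged_mem *m, size_t addr, size_t n) {
    size_t count = 0;
    for (size_t a = addr; a + CAP_BYTES <= addr + n; a += CAP_BYTES)
        if (cap_aligned(a) && tag_at(m, a)) count++;
    return count;
}

/* Constructed sample image: two tagged "capabilities" at offsets 32 and 48. */
static void init_sample(tagged_mem *m) {
    uint8_t cap[CAP_BYTES];
    memset(m, 0, sizeof *m);
    for (int i = 0; i < CAP_BYTES; i++) cap[i] = (uint8_t)(0xA0 + i);
    store_cap(m, 32, cap, true);
    store_cap(m, 48, cap, true);
}

int main(void) {
    tagged_mem m;
    init_sample(&m);
    bcopy_int(&m, 32, 128, 32);
    printf("integer copy:    %zu of 2 tags survived\n", tags_in(&m, 128, 32));
    bcopy_cap(&m, 32, 192, 32);
    printf("capability copy: %zu of 2 tags survived\n", tags_in(&m, 192, 32));
    return 0;
}
```

The interesting case is a source that starts unaligned but is co-aligned with the destination (e.g. 35 -> 131): the 13-byte prologue is copied as integers, after which both pointers are aligned and the capability at 48 lands tagged at 144, while a granule that was only partially overwritten loses its tag, exactly as it would on hardware.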



## VxWorks: SOURCE CODE

#### Unexpected problems

Atomic operations.

Non-Morello build: compare-and-swap implemented as an LDAXR/STLXR loop:

```
vxAtomic64Cas
38B8 D10103FF   SUB    sp, sp, #0x40
38BC F9001FE0   STR    x0, [sp, #0x38]
38C0 F9001BE1   STR    x1, [sp, #0x30]
38C4 F90017E2   STR    x2, [sp, #0x28]
38C8 F9401FEB   LDR    x11, [sp, #0x38]
38CC F94017E8   LDR    x8, [sp, #0x28]
38D0 F9000FE8   STR    x8, [sp, #0x18]
38D4 F9401BE9   LDR    x9, [sp, #0x30]
38D8 F9400FEC   LDR    x12, [sp, #0x18]
38DC C85FFD68   LDAXR  x8, [x11]
38E0 EB09011F   CMP    x8, x9
38E4 54000061   B.NE   vxAtomic64Cas+56 ; 0xFFFFFFFF80
38E8 C80AFD6C   STLXR  w10, x12, [x11]
38EC 35FFFF8A   CBNZ   w10, vxAtomic64Cas+36 ; 0xFFFFFF
38F0 F90007E8   STR    x8, [sp, #8]
38F4 EB09010A   SUBS   x10, x8, x9
38F8 1A9F17EA   CSET   w10, EQ
38FC B90013EA   STR    w10, [sp, #0x10]
3900 EB090108   SUBS   x8, x8, x9
3904 54000060   B.EQ   vxAtomic64Cas+88 ; 0xFFFFFFF80
3908 F94007E8   LDR    x8, [sp, #8]
```

Morello build: the compiler emits a CAS instruction, which crashes unless an ISB is placed in front of it:

```
vxAtomic64Cas
01EC D10103FF   SUB    sp, sp, #0x40
01F0 F9001FE0   STR    x0, [sp, #0x38]
01F4 F9001BE1   STR    x1, [sp, #0x30]
01F8 F90017E2   STR    x2, [sp, #0x28]
01FC F9401FEB   LDR    x11, [sp, #0x38]
0200 F94017E8   LDR    x8, [sp, #0x28]
0204 F9000FE8   STR    x8, [sp, #0x18]
0208 F9401BE8   LDR    x8, [sp, #0x30]
020C F9400FEA   LDR    x10, [sp, #0x18]
0210 AA0803E9   MOV    x9, x8
0214 C8A97D6A   CAS    x9, x10, [x11]
0218 EB080128   SUBS   x8, x9, x8
021C 1A9F17E8   CSET   w8, EQ
0220 F90007E9   STR    x9, [sp, #8]
0224 2A0803E9   MOV    w9, w8
0228 B90013E9   STR    w9, [sp, #0x10]
022C 370000A8   TBNZ   w8, #0, vxAtomic64Cas+84
0230 14000001   B      vxAtomic64Cas+72 ; 0xFF
```



## VxWorks – problems detected at compile time

### VxWorks Source Build (VSB) in pure capability mode:

- ~115 warnings not related to capabilities
- ~2,345 warnings related to capabilities
- Breakdown by type of warning:
  - 2,160 (~92%): Cast from provenance-free integer type to pointer type will give pointer that cannot be dereferenced
  - 110 (~5%): Alignment problems of various types; for example, structure members
  - 67 (~3%): Implicit conversion loses capability metadata
  - 8 (0.3%): Binary expression on capability types, not clear which is source of provenance

The vast majority of warnings are indicators of **traditionally-written code**, especially when assumptions are made about arbitrarily-sized integers (that is, long) being able to store pointer values.

The core **solution** is to enforce strict CHERI-aware **coding rules** through mandatory macros or templates.
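The three large warning classes above each correspond to a concrete coding pattern, and the "mandatory macros or templates" approach amounts to replacing each pattern with a CHERI-aware one. The following is an added example, not code from the talk or from VxWorks, showing the traditional form of each pattern beside its CHERI-aware replacement. The `__CHERI_PURE_CAPABILITY__` macro and the `__builtin_cheri_tag_get` / `__builtin_cheri_address_get` builtins are those of the CHERI LLVM toolchain; the non-CHERI fallbacks, the handle structs and `slot_index` are assumptions made for the example. On a conventional host both code paths behave identically (there are no tags to lose); the point is which pattern a CHERI compiler accepts without the warnings listed above, and which one still returns a dereferenceable pointer on Morello.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address/tag helpers. With a CHERI compiler they query the capability; on a
 * conventional host (no tags) they degrade to plain address handling.
 * The builtin names are CHERI LLVM's; the fallbacks are assumptions. */
#ifdef __CHERI_PURE_CAPABILITY__
static size_t ptr_address(const void *p)  { return __builtin_cheri_address_get(p); }
static bool   ptr_is_tagged(const void *p) { return __builtin_cheri_tag_get(p); }
#else
static size_t ptr_address(const void *p)  { return (size_t)(uintptr_t)p; }
static bool   ptr_is_tagged(const void *p) { return p != NULL; }
#endif

/* Warning class 1: cast from provenance-free integer to pointer.
 * Traditional code parks a pointer in `long`. In pure-capability mode `long`
 * is 64 bits, so the cast back yields an untagged, non-dereferenceable pointer. */
struct legacy_handle { long value; };
static void  legacy_store(struct legacy_handle *h, void *p) { h->value = (long)(uintptr_t)p; }
static void *legacy_load(const struct legacy_handle *h)    { return (void *)(uintptr_t)h->value; }

/* CHERI-aware rule: anything that must round-trip to a pointer is uintptr_t
 * (capability-sized on CHERI), so bounds, permissions and the tag survive. */
struct cheri_handle { uintptr_t value; };
static void  cheri_store(struct cheri_handle *h, void *p) { h->value = (uintptr_t)p; }
static void *cheri_load(const struct cheri_handle *h)     { return (void *)h->value; }

/* Warning class 2: binary expression with unclear provenance.
 * `uintptr_t + uintptr_t` gives the compiler no way to know whose bounds the
 * result carries. Rule: exactly one operand is the pointer, the other a plain
 * integer offset. */
static void *offset_ambiguous(uintptr_t base, uintptr_t off) { return (void *)(base + off); }
static void *offset_explicit(void *base, size_t off)        { return (char *)base + off; }

/* Warning class 3: implicit conversion loses capability metadata.
 * Values only ever compared, hashed or printed should be taken as addresses
 * deliberately (ptr_address), never by silently narrowing a capability. */
static size_t slot_index(const void *p, size_t nslots) { return (ptr_address(p) / 16) % nslots; }

/* Round-trip a buffer through one of the handle types and report whether the
 * result is still a usable (tagged) pointer. On Morello the legacy path yields
 * false; on a conventional host both paths yield true. */
static bool roundtrip_is_usable(bool cheri_aware) {
    static char buf[32];
    void *p;
    if (cheri_aware) { struct cheri_handle h;  cheri_store(&h, buf);  p = cheri_load(&h); }
    else             { struct legacy_handle h; legacy_store(&h, buf); p = legacy_load(&h); }
    return p == (void *)buf && ptr_is_tagged(p);
}

int main(void) {
    char arr[64];
    printf("legacy handle usable: %d\n", roundtrip_is_usable(false));
    printf("cheri handle usable:  %d\n", roundtrip_is_usable(true));
    printf("explicit offset ok:   %d\n", offset_explicit(arr, 7) == arr + 7);
    printf("ambiguous offset ok:  %d\n", offset_ambiguous((uintptr_t)arr, 7) == arr + 7);
    printf("slot index:           %zu\n", slot_index(arr, 8));
    return 0;
}
```

Turning these into mandatory macros (e.g. a single `PTR_TO_INT` / `INT_TO_PTR` pair defined over `uintptr_t`, and an address-only accessor for hashing and logging) is what makes the rule enforceable across a code base: a grep for bare `(long)` casts of pointers then finds the remaining violations.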





### CONCLUSION

- Team of four engineers, two years
- CHERI tool chain
- Morello hardware and QEMU support
- VxTest and CHERI tests
  - Regression test suite
  - OS integration tests
  - CHERI core functionality tests
- Hybrid capability mode
- Pure capability mode
  - Kernel.
  - User space.
  - VxWorks debugging facilities still in progress...
  - CHERI compartmentalization prototypes under construction
  - Bounds tightening for DDC-derived objects planned...
  - Vulnerability analysis...



