mbox series

[v2,0/7] Allow semihosting from user mode

Message ID 20220822141230.3658237-1-peter.maydell@linaro.org
Headers show
Series Allow semihosting from user mode | expand

Message

Peter Maydell Aug. 22, 2022, 2:12 p.m. UTC 
Currently our semihosting implementations usually prohibit use of
semihosting calls in system emulation from the guest userspace.  This
is a very long standing behaviour justified originally "to provide
some semblance of security" (since code with access to the semihosting
ABI can do things like read and write arbitrary files on the host
system).  However, it is sometimes useful to be able to run trusted
guest code which performs semihosting calls from guest userspace,
notably for test code.

This patchset adds a command line suboption to the existing
semihosting-config option group so that you can explicitly opt in to
semihosting from guest userspace with "-semihosting-config
userspace=on".

It also brings all our target architectures into line about
how they handle semihosting. Currently these fall into three
different groups:

 * semihosting permitted only in privileged mode and only
   if enabled on the command line:
   - arm
   - m68k
 * semihosting permitted in any mode, if enabled on the command line:
   - mips
   - nios2
   - xtensa
 * semihosting permitted only in privileged mode, but fails
   to honour the existing "enable semihosting" option, instead
   enabling it all the time:
   - riscv

The effect of the new option for group 1 is:
 * user can now optionally also allow semihosting in usermode

For group 2 it is:
 * usermode semihosting used to be permitted, but now changes
   to default-disabled, needing explicit enablement

For group 3 it is:
 * semihosting overall used to be default-enabled and is
   now default-disabled, needing explicit enablement.
   Semihosting in usermode can also be enabled.

That means this is a "things that used to work no longer do
unless you change your commandline" change for groups 2 and 3
(so, mips, nios2. xtensa, riscv). Consensus seems to be that
it's OK to call this "fixing a bug" and note it in the
changelog/releasenotes.

Changes v1->v2:
 * make riscv check for semihosting being disabled at
   translate time, not runtime

Only patch 7 needs review.

thanks
-- PMM

Peter Maydell (7):
  semihosting: Allow optional use of semihosting from userspace
  target/arm: Honour -semihosting-config userspace=on
  target/m68k: Honour -semihosting-config userspace=on
  target/mips: Honour -semihosting-config userspace=on
  target/nios2: Honour -semihosting-config userspace=on
  target/xtensa: Honour -semihosting-config userspace=on
  target/riscv: Honour -semihosting-config userspace=on and enable=on

 include/semihosting/semihost.h                 | 10 ++++++++--
 semihosting/config.c                           | 10 ++++++++--
 softmmu/vl.c                                   |  2 +-
 stubs/semihost.c                               |  2 +-
 target/arm/translate-a64.c                     | 12 +-----------
 target/arm/translate.c                         | 16 ++++------------
 target/m68k/op_helper.c                        |  3 +--
 target/mips/tcg/translate.c                    |  9 +++++----
 target/nios2/translate.c                       |  3 ++-
 target/riscv/cpu_helper.c                      |  9 +++------
 target/riscv/translate.c                       |  1 +
 target/xtensa/translate.c                      |  7 ++++---
 target/mips/tcg/micromips_translate.c.inc      |  6 +++---
 target/mips/tcg/mips16e_translate.c.inc        |  2 +-
 target/mips/tcg/nanomips_translate.c.inc       |  4 ++--
 target/riscv/insn_trans/trans_privileged.c.inc |  3 ++-
 qemu-options.hx                                | 11 +++++++++--
 17 files changed, 56 insertions(+), 54 deletions(-)

Comments

Richard Henderson Sept. 6, 2022, 7:50 a.m. UTC | #1 
On 8/22/22 15:12, Peter Maydell wrote:
> Currently our semihosting implementations usually prohibit use of
> semihosting calls in system emulation from the guest userspace.  This
> is a very long standing behaviour justified originally "to provide
> some semblance of security" (since code with access to the semihosting
> ABI can do things like read and write arbitrary files on the host
> system).  However, it is sometimes useful to be able to run trusted
> guest code which performs semihosting calls from guest userspace,
> notably for test code.
> 
> This patchset adds a command line suboption to the existing
> semihosting-config option group so that you can explicitly opt in to
> semihosting from guest userspace with "-semihosting-config
> userspace=on".
> 
> It also brings all our target architectures into line about
> how they handle semihosting. Currently these fall into three
> different groups:
> 
>   * semihosting permitted only in privileged mode and only
>     if enabled on the command line:
>     - arm
>     - m68k
>   * semihosting permitted in any mode, if enabled on the command line:
>     - mips
>     - nios2
>     - xtensa
>   * semihosting permitted only in privileged mode, but fails
>     to honour the existing "enable semihosting" option, instead
>     enabling it all the time:
>     - riscv
> 
> The effect of the new option for group 1 is:
>   * user can now optionally also allow semihosting in usermode
> 
> For group 2 it is:
>   * usermode semihosting used to be permitted, but now changes
>     to default-disabled, needing explicit enablement
> 
> For group 3 it is:
>   * semihosting overall used to be default-enabled and is
>     now default-disabled, needing explicit enablement.
>     Semihosting in usermode can also be enabled.
> 
> That means this is a "things that used to work no longer do
> unless you change your commandline" change for groups 2 and 3
> (so, mips, nios2. xtensa, riscv). Consensus seems to be that
> it's OK to call this "fixing a bug" and note it in the
> changelog/releasenotes.
> 
> Changes v1->v2:
>   * make riscv check for semihosting being disabled at
>     translate time, not runtime
> 
> Only patch 7 needs review.

Thanks, queued to semihosting-next.


r~