1*c54f35caSApple OSS Distributions /*
2*c54f35caSApple OSS Distributions * Copyright (c) 2022 Apple Computer, Inc. All rights reserved.
3*c54f35caSApple OSS Distributions *
4*c54f35caSApple OSS Distributions * @APPLE_LICENSE_HEADER_START@
5*c54f35caSApple OSS Distributions *
6*c54f35caSApple OSS Distributions * The contents of this file constitute Original Code as defined in and
7*c54f35caSApple OSS Distributions * are subject to the Apple Public Source License Version 1.1 (the
8*c54f35caSApple OSS Distributions * "License"). You may not use this file except in compliance with the
9*c54f35caSApple OSS Distributions * License. Please obtain a copy of the License at
10*c54f35caSApple OSS Distributions * http://www.apple.com/publicsource and read it before using this file.
11*c54f35caSApple OSS Distributions *
12*c54f35caSApple OSS Distributions * This Original Code and all software distributed under the License are
13*c54f35caSApple OSS Distributions * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14*c54f35caSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15*c54f35caSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16*c54f35caSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17*c54f35caSApple OSS Distributions * License for the specific language governing rights and limitations
18*c54f35caSApple OSS Distributions * under the License.
19*c54f35caSApple OSS Distributions *
20*c54f35caSApple OSS Distributions * @APPLE_LICENSE_HEADER_END@
21*c54f35caSApple OSS Distributions */
22*c54f35caSApple OSS Distributions
23*c54f35caSApple OSS Distributions #include <os/overflow.h>
24*c54f35caSApple OSS Distributions #include <machine/atomic.h>
25*c54f35caSApple OSS Distributions #include <mach/vm_param.h>
26*c54f35caSApple OSS Distributions #include <vm/vm_kern.h>
27*c54f35caSApple OSS Distributions #include <kern/zalloc.h>
28*c54f35caSApple OSS Distributions #include <kern/kalloc.h>
29*c54f35caSApple OSS Distributions #include <kern/assert.h>
30*c54f35caSApple OSS Distributions #include <kern/locks.h>
31*c54f35caSApple OSS Distributions #include <kern/lock_rw.h>
32*c54f35caSApple OSS Distributions #include <libkern/libkern.h>
33*c54f35caSApple OSS Distributions #include <libkern/section_keywords.h>
34*c54f35caSApple OSS Distributions #include <libkern/coretrust/coretrust.h>
35*c54f35caSApple OSS Distributions #include <pexpert/pexpert.h>
36*c54f35caSApple OSS Distributions #include <sys/vm.h>
37*c54f35caSApple OSS Distributions #include <sys/proc.h>
38*c54f35caSApple OSS Distributions #include <sys/codesign.h>
39*c54f35caSApple OSS Distributions #include <sys/code_signing.h>
40*c54f35caSApple OSS Distributions #include <uuid/uuid.h>
41*c54f35caSApple OSS Distributions #include <IOKit/IOBSD.h>
42*c54f35caSApple OSS Distributions
43*c54f35caSApple OSS Distributions #if PMAP_CS_PPL_MONITOR
44*c54f35caSApple OSS Distributions /*
45*c54f35caSApple OSS Distributions * The Page Protection Layer layer implements the PMAP_CS monitor environment which
46*c54f35caSApple OSS Distributions * provides code signing and memory isolation enforcements for data structures which
47*c54f35caSApple OSS Distributions * are critical to ensuring that all code executed on the system is authorized to do
48*c54f35caSApple OSS Distributions * so.
49*c54f35caSApple OSS Distributions *
50*c54f35caSApple OSS Distributions * Unless the data is managed by the PPL itself, XNU needs to page-align everything,
51*c54f35caSApple OSS Distributions * and then reference the memory as read-only.
52*c54f35caSApple OSS Distributions */
53*c54f35caSApple OSS Distributions
54*c54f35caSApple OSS Distributions typedef uint64_t pmap_paddr_t __kernel_ptr_semantics;
55*c54f35caSApple OSS Distributions extern vm_map_address_t phystokv(pmap_paddr_t pa);
56*c54f35caSApple OSS Distributions extern pmap_paddr_t kvtophys_nofail(vm_offset_t va);
57*c54f35caSApple OSS Distributions
58*c54f35caSApple OSS Distributions #pragma mark Initialization
59*c54f35caSApple OSS Distributions
60*c54f35caSApple OSS Distributions void
code_signing_init()61*c54f35caSApple OSS Distributions code_signing_init()
62*c54f35caSApple OSS Distributions {
63*c54f35caSApple OSS Distributions /* Does nothing */
64*c54f35caSApple OSS Distributions }
65*c54f35caSApple OSS Distributions
66*c54f35caSApple OSS Distributions #pragma mark Developer Mode
67*c54f35caSApple OSS Distributions
68*c54f35caSApple OSS Distributions SECURITY_READ_ONLY_LATE(bool*) developer_mode_enabled = &ppl_developer_mode_storage;
69*c54f35caSApple OSS Distributions
70*c54f35caSApple OSS Distributions void
ppl_toggle_developer_mode(bool state)71*c54f35caSApple OSS Distributions ppl_toggle_developer_mode(
72*c54f35caSApple OSS Distributions bool state)
73*c54f35caSApple OSS Distributions {
74*c54f35caSApple OSS Distributions pmap_toggle_developer_mode(state);
75*c54f35caSApple OSS Distributions }
76*c54f35caSApple OSS Distributions
77*c54f35caSApple OSS Distributions #pragma mark Code Signing and Provisioning Profiles
78*c54f35caSApple OSS Distributions
79*c54f35caSApple OSS Distributions bool
ppl_code_signing_enabled(void)80*c54f35caSApple OSS Distributions ppl_code_signing_enabled(void)
81*c54f35caSApple OSS Distributions {
82*c54f35caSApple OSS Distributions return pmap_cs_enabled();
83*c54f35caSApple OSS Distributions }
84*c54f35caSApple OSS Distributions
85*c54f35caSApple OSS Distributions kern_return_t
ppl_register_provisioning_profile(const void * profile_blob,const size_t profile_blob_size,void ** profile_obj)86*c54f35caSApple OSS Distributions ppl_register_provisioning_profile(
87*c54f35caSApple OSS Distributions const void *profile_blob,
88*c54f35caSApple OSS Distributions const size_t profile_blob_size,
89*c54f35caSApple OSS Distributions void **profile_obj)
90*c54f35caSApple OSS Distributions {
91*c54f35caSApple OSS Distributions pmap_profile_payload_t *pmap_payload = NULL;
92*c54f35caSApple OSS Distributions vm_address_t payload_addr = 0;
93*c54f35caSApple OSS Distributions vm_size_t payload_size = 0;
94*c54f35caSApple OSS Distributions vm_size_t payload_size_aligned = 0;
95*c54f35caSApple OSS Distributions kern_return_t ret = KERN_DENIED;
96*c54f35caSApple OSS Distributions
97*c54f35caSApple OSS Distributions if (os_add_overflow(sizeof(*pmap_payload), profile_blob_size, &payload_size)) {
98*c54f35caSApple OSS Distributions panic("attempted to load a too-large profile: %lu bytes", profile_blob_size);
99*c54f35caSApple OSS Distributions }
100*c54f35caSApple OSS Distributions payload_size_aligned = round_page(payload_size);
101*c54f35caSApple OSS Distributions
102*c54f35caSApple OSS Distributions ret = kmem_alloc(kernel_map, &payload_addr, payload_size_aligned,
103*c54f35caSApple OSS Distributions KMA_KOBJECT | KMA_DATA | KMA_ZERO, VM_KERN_MEMORY_SECURITY);
104*c54f35caSApple OSS Distributions if (ret != KERN_SUCCESS) {
105*c54f35caSApple OSS Distributions printf("unable to allocate memory for pmap profile payload: %d\n", ret);
106*c54f35caSApple OSS Distributions goto exit;
107*c54f35caSApple OSS Distributions }
108*c54f35caSApple OSS Distributions
109*c54f35caSApple OSS Distributions /* We need to setup the payload before we send it to the PPL */
110*c54f35caSApple OSS Distributions pmap_payload = (pmap_profile_payload_t*)payload_addr;
111*c54f35caSApple OSS Distributions
112*c54f35caSApple OSS Distributions pmap_payload->profile_blob_size = profile_blob_size;
113*c54f35caSApple OSS Distributions memcpy(pmap_payload->profile_blob, profile_blob, profile_blob_size);
114*c54f35caSApple OSS Distributions
115*c54f35caSApple OSS Distributions ret = pmap_register_provisioning_profile(payload_addr, payload_size_aligned);
116*c54f35caSApple OSS Distributions if (ret == KERN_SUCCESS) {
117*c54f35caSApple OSS Distributions *profile_obj = &pmap_payload->profile_obj_storage;
118*c54f35caSApple OSS Distributions *profile_obj = (pmap_cs_profile_t*)phystokv(kvtophys_nofail((vm_offset_t)*profile_obj));
119*c54f35caSApple OSS Distributions }
120*c54f35caSApple OSS Distributions
121*c54f35caSApple OSS Distributions exit:
122*c54f35caSApple OSS Distributions if ((ret != KERN_SUCCESS) && (payload_addr != 0)) {
123*c54f35caSApple OSS Distributions kmem_free(kernel_map, payload_addr, payload_size_aligned);
124*c54f35caSApple OSS Distributions payload_addr = 0;
125*c54f35caSApple OSS Distributions payload_size_aligned = 0;
126*c54f35caSApple OSS Distributions }
127*c54f35caSApple OSS Distributions
128*c54f35caSApple OSS Distributions return ret;
129*c54f35caSApple OSS Distributions }
130*c54f35caSApple OSS Distributions
131*c54f35caSApple OSS Distributions kern_return_t
ppl_unregister_provisioning_profile(void * profile_obj)132*c54f35caSApple OSS Distributions ppl_unregister_provisioning_profile(
133*c54f35caSApple OSS Distributions void *profile_obj)
134*c54f35caSApple OSS Distributions {
135*c54f35caSApple OSS Distributions pmap_cs_profile_t *ppl_profile_obj = profile_obj;
136*c54f35caSApple OSS Distributions kern_return_t ret = KERN_DENIED;
137*c54f35caSApple OSS Distributions
138*c54f35caSApple OSS Distributions ret = pmap_unregister_provisioning_profile(ppl_profile_obj);
139*c54f35caSApple OSS Distributions if (ret != KERN_SUCCESS) {
140*c54f35caSApple OSS Distributions return ret;
141*c54f35caSApple OSS Distributions }
142*c54f35caSApple OSS Distributions
143*c54f35caSApple OSS Distributions /* Get the original payload address */
144*c54f35caSApple OSS Distributions const pmap_profile_payload_t *pmap_payload = ppl_profile_obj->original_payload;
145*c54f35caSApple OSS Distributions const vm_address_t payload_addr = (const vm_address_t)pmap_payload;
146*c54f35caSApple OSS Distributions
147*c54f35caSApple OSS Distributions /* Get the original payload size */
148*c54f35caSApple OSS Distributions vm_size_t payload_size = pmap_payload->profile_blob_size + sizeof(*pmap_payload);
149*c54f35caSApple OSS Distributions payload_size = round_page(payload_size);
150*c54f35caSApple OSS Distributions
151*c54f35caSApple OSS Distributions /* Free the payload */
152*c54f35caSApple OSS Distributions kmem_free(kernel_map, payload_addr, payload_size);
153*c54f35caSApple OSS Distributions pmap_payload = NULL;
154*c54f35caSApple OSS Distributions
155*c54f35caSApple OSS Distributions return KERN_SUCCESS;
156*c54f35caSApple OSS Distributions }
157*c54f35caSApple OSS Distributions
158*c54f35caSApple OSS Distributions kern_return_t
ppl_associate_provisioning_profile(void * sig_obj,void * profile_obj)159*c54f35caSApple OSS Distributions ppl_associate_provisioning_profile(
160*c54f35caSApple OSS Distributions void *sig_obj,
161*c54f35caSApple OSS Distributions void *profile_obj)
162*c54f35caSApple OSS Distributions {
163*c54f35caSApple OSS Distributions return pmap_associate_provisioning_profile(sig_obj, profile_obj);
164*c54f35caSApple OSS Distributions }
165*c54f35caSApple OSS Distributions
166*c54f35caSApple OSS Distributions kern_return_t
ppl_disassociate_provisioning_profile(void * sig_obj)167*c54f35caSApple OSS Distributions ppl_disassociate_provisioning_profile(
168*c54f35caSApple OSS Distributions void *sig_obj)
169*c54f35caSApple OSS Distributions {
170*c54f35caSApple OSS Distributions return pmap_disassociate_provisioning_profile(sig_obj);
171*c54f35caSApple OSS Distributions }
172*c54f35caSApple OSS Distributions
173*c54f35caSApple OSS Distributions void
ppl_set_compilation_service_cdhash(const uint8_t cdhash[CS_CDHASH_LEN])174*c54f35caSApple OSS Distributions ppl_set_compilation_service_cdhash(
175*c54f35caSApple OSS Distributions const uint8_t cdhash[CS_CDHASH_LEN])
176*c54f35caSApple OSS Distributions {
177*c54f35caSApple OSS Distributions pmap_set_compilation_service_cdhash(cdhash);
178*c54f35caSApple OSS Distributions }
179*c54f35caSApple OSS Distributions
180*c54f35caSApple OSS Distributions bool
ppl_match_compilation_service_cdhash(const uint8_t cdhash[CS_CDHASH_LEN])181*c54f35caSApple OSS Distributions ppl_match_compilation_service_cdhash(
182*c54f35caSApple OSS Distributions const uint8_t cdhash[CS_CDHASH_LEN])
183*c54f35caSApple OSS Distributions {
184*c54f35caSApple OSS Distributions return pmap_match_compilation_service_cdhash(cdhash);
185*c54f35caSApple OSS Distributions }
186*c54f35caSApple OSS Distributions
187*c54f35caSApple OSS Distributions void
ppl_set_local_signing_public_key(const uint8_t public_key[XNU_LOCAL_SIGNING_KEY_SIZE])188*c54f35caSApple OSS Distributions ppl_set_local_signing_public_key(
189*c54f35caSApple OSS Distributions const uint8_t public_key[XNU_LOCAL_SIGNING_KEY_SIZE])
190*c54f35caSApple OSS Distributions {
191*c54f35caSApple OSS Distributions return pmap_set_local_signing_public_key(public_key);
192*c54f35caSApple OSS Distributions }
193*c54f35caSApple OSS Distributions
194*c54f35caSApple OSS Distributions uint8_t*
ppl_get_local_signing_public_key(void)195*c54f35caSApple OSS Distributions ppl_get_local_signing_public_key(void)
196*c54f35caSApple OSS Distributions {
197*c54f35caSApple OSS Distributions return pmap_get_local_signing_public_key();
198*c54f35caSApple OSS Distributions }
199*c54f35caSApple OSS Distributions
200*c54f35caSApple OSS Distributions void
ppl_unrestrict_local_signing_cdhash(const uint8_t cdhash[CS_CDHASH_LEN])201*c54f35caSApple OSS Distributions ppl_unrestrict_local_signing_cdhash(
202*c54f35caSApple OSS Distributions const uint8_t cdhash[CS_CDHASH_LEN])
203*c54f35caSApple OSS Distributions {
204*c54f35caSApple OSS Distributions pmap_unrestrict_local_signing(cdhash);
205*c54f35caSApple OSS Distributions }
206*c54f35caSApple OSS Distributions
207*c54f35caSApple OSS Distributions vm_size_t
ppl_managed_code_signature_size(void)208*c54f35caSApple OSS Distributions ppl_managed_code_signature_size(void)
209*c54f35caSApple OSS Distributions {
210*c54f35caSApple OSS Distributions return pmap_cs_blob_limit;
211*c54f35caSApple OSS Distributions }
212*c54f35caSApple OSS Distributions
213*c54f35caSApple OSS Distributions kern_return_t
ppl_register_code_signature(const vm_address_t signature_addr,const vm_size_t signature_size,const vm_offset_t code_directory_offset,const char * signature_path,void ** sig_obj,vm_address_t * ppl_signature_addr)214*c54f35caSApple OSS Distributions ppl_register_code_signature(
215*c54f35caSApple OSS Distributions const vm_address_t signature_addr,
216*c54f35caSApple OSS Distributions const vm_size_t signature_size,
217*c54f35caSApple OSS Distributions const vm_offset_t code_directory_offset,
218*c54f35caSApple OSS Distributions const char *signature_path,
219*c54f35caSApple OSS Distributions void **sig_obj,
220*c54f35caSApple OSS Distributions vm_address_t *ppl_signature_addr)
221*c54f35caSApple OSS Distributions {
222*c54f35caSApple OSS Distributions pmap_cs_code_directory_t *cd_entry = NULL;
223*c54f35caSApple OSS Distributions
224*c54f35caSApple OSS Distributions /* PPL doesn't care about the signature path */
225*c54f35caSApple OSS Distributions (void)signature_path;
226*c54f35caSApple OSS Distributions
227*c54f35caSApple OSS Distributions kern_return_t ret = pmap_cs_register_code_signature_blob(
228*c54f35caSApple OSS Distributions signature_addr,
229*c54f35caSApple OSS Distributions signature_size,
230*c54f35caSApple OSS Distributions code_directory_offset,
231*c54f35caSApple OSS Distributions (pmap_cs_code_directory_t**)sig_obj);
232*c54f35caSApple OSS Distributions
233*c54f35caSApple OSS Distributions if (ret != KERN_SUCCESS) {
234*c54f35caSApple OSS Distributions return ret;
235*c54f35caSApple OSS Distributions }
236*c54f35caSApple OSS Distributions cd_entry = *((pmap_cs_code_directory_t**)sig_obj);
237*c54f35caSApple OSS Distributions
238*c54f35caSApple OSS Distributions if (ppl_signature_addr) {
239*c54f35caSApple OSS Distributions *ppl_signature_addr = (vm_address_t)cd_entry->superblob;
240*c54f35caSApple OSS Distributions }
241*c54f35caSApple OSS Distributions
242*c54f35caSApple OSS Distributions return KERN_SUCCESS;
243*c54f35caSApple OSS Distributions }
244*c54f35caSApple OSS Distributions
245*c54f35caSApple OSS Distributions kern_return_t
ppl_unregister_code_signature(void * sig_obj)246*c54f35caSApple OSS Distributions ppl_unregister_code_signature(
247*c54f35caSApple OSS Distributions void *sig_obj)
248*c54f35caSApple OSS Distributions {
249*c54f35caSApple OSS Distributions return pmap_cs_unregister_code_signature_blob(sig_obj);
250*c54f35caSApple OSS Distributions }
251*c54f35caSApple OSS Distributions
252*c54f35caSApple OSS Distributions kern_return_t
ppl_verify_code_signature(void * sig_obj)253*c54f35caSApple OSS Distributions ppl_verify_code_signature(
254*c54f35caSApple OSS Distributions void *sig_obj)
255*c54f35caSApple OSS Distributions {
256*c54f35caSApple OSS Distributions return pmap_cs_verify_code_signature_blob(sig_obj);
257*c54f35caSApple OSS Distributions }
258*c54f35caSApple OSS Distributions
259*c54f35caSApple OSS Distributions kern_return_t
ppl_reconstitute_code_signature(void * sig_obj,vm_address_t * unneeded_addr,vm_size_t * unneeded_size)260*c54f35caSApple OSS Distributions ppl_reconstitute_code_signature(
261*c54f35caSApple OSS Distributions void *sig_obj,
262*c54f35caSApple OSS Distributions vm_address_t *unneeded_addr,
263*c54f35caSApple OSS Distributions vm_size_t *unneeded_size)
264*c54f35caSApple OSS Distributions {
265*c54f35caSApple OSS Distributions return pmap_cs_unlock_unneeded_code_signature(
266*c54f35caSApple OSS Distributions sig_obj,
267*c54f35caSApple OSS Distributions unneeded_addr,
268*c54f35caSApple OSS Distributions unneeded_size);
269*c54f35caSApple OSS Distributions }
270*c54f35caSApple OSS Distributions
271*c54f35caSApple OSS Distributions #pragma mark Address Spaces
272*c54f35caSApple OSS Distributions
273*c54f35caSApple OSS Distributions kern_return_t
ppl_associate_code_signature(pmap_t pmap,void * sig_obj,const vm_address_t region_addr,const vm_size_t region_size,const vm_offset_t region_offset)274*c54f35caSApple OSS Distributions ppl_associate_code_signature(
275*c54f35caSApple OSS Distributions pmap_t pmap,
276*c54f35caSApple OSS Distributions void *sig_obj,
277*c54f35caSApple OSS Distributions const vm_address_t region_addr,
278*c54f35caSApple OSS Distributions const vm_size_t region_size,
279*c54f35caSApple OSS Distributions const vm_offset_t region_offset)
280*c54f35caSApple OSS Distributions {
281*c54f35caSApple OSS Distributions return pmap_cs_associate(
282*c54f35caSApple OSS Distributions pmap,
283*c54f35caSApple OSS Distributions sig_obj,
284*c54f35caSApple OSS Distributions region_addr,
285*c54f35caSApple OSS Distributions region_size,
286*c54f35caSApple OSS Distributions region_offset);
287*c54f35caSApple OSS Distributions }
288*c54f35caSApple OSS Distributions
289*c54f35caSApple OSS Distributions kern_return_t
ppl_associate_jit_region(pmap_t pmap,const vm_address_t region_addr,const vm_size_t region_size)290*c54f35caSApple OSS Distributions ppl_associate_jit_region(
291*c54f35caSApple OSS Distributions pmap_t pmap,
292*c54f35caSApple OSS Distributions const vm_address_t region_addr,
293*c54f35caSApple OSS Distributions const vm_size_t region_size)
294*c54f35caSApple OSS Distributions {
295*c54f35caSApple OSS Distributions return pmap_cs_associate(
296*c54f35caSApple OSS Distributions pmap,
297*c54f35caSApple OSS Distributions PMAP_CS_ASSOCIATE_JIT,
298*c54f35caSApple OSS Distributions region_addr,
299*c54f35caSApple OSS Distributions region_size,
300*c54f35caSApple OSS Distributions 0);
301*c54f35caSApple OSS Distributions }
302*c54f35caSApple OSS Distributions
303*c54f35caSApple OSS Distributions kern_return_t
ppl_associate_debug_region(pmap_t pmap,const vm_address_t region_addr,const vm_size_t region_size)304*c54f35caSApple OSS Distributions ppl_associate_debug_region(
305*c54f35caSApple OSS Distributions pmap_t pmap,
306*c54f35caSApple OSS Distributions const vm_address_t region_addr,
307*c54f35caSApple OSS Distributions const vm_size_t region_size)
308*c54f35caSApple OSS Distributions {
309*c54f35caSApple OSS Distributions return pmap_cs_associate(
310*c54f35caSApple OSS Distributions pmap,
311*c54f35caSApple OSS Distributions PMAP_CS_ASSOCIATE_COW,
312*c54f35caSApple OSS Distributions region_addr,
313*c54f35caSApple OSS Distributions region_size,
314*c54f35caSApple OSS Distributions 0);
315*c54f35caSApple OSS Distributions }
316*c54f35caSApple OSS Distributions
317*c54f35caSApple OSS Distributions kern_return_t
ppl_allow_invalid_code(pmap_t pmap)318*c54f35caSApple OSS Distributions ppl_allow_invalid_code(
319*c54f35caSApple OSS Distributions pmap_t pmap)
320*c54f35caSApple OSS Distributions {
321*c54f35caSApple OSS Distributions return pmap_cs_allow_invalid(pmap);
322*c54f35caSApple OSS Distributions }
323*c54f35caSApple OSS Distributions
324*c54f35caSApple OSS Distributions kern_return_t
ppl_address_space_exempt(const pmap_t pmap)325*c54f35caSApple OSS Distributions ppl_address_space_exempt(
326*c54f35caSApple OSS Distributions const pmap_t pmap)
327*c54f35caSApple OSS Distributions {
328*c54f35caSApple OSS Distributions if (pmap_performs_stage2_translations(pmap) == true) {
329*c54f35caSApple OSS Distributions return KERN_SUCCESS;
330*c54f35caSApple OSS Distributions }
331*c54f35caSApple OSS Distributions
332*c54f35caSApple OSS Distributions return KERN_DENIED;
333*c54f35caSApple OSS Distributions }
334*c54f35caSApple OSS Distributions
335*c54f35caSApple OSS Distributions kern_return_t
ppl_fork_prepare(pmap_t old_pmap,pmap_t new_pmap)336*c54f35caSApple OSS Distributions ppl_fork_prepare(
337*c54f35caSApple OSS Distributions pmap_t old_pmap,
338*c54f35caSApple OSS Distributions pmap_t new_pmap)
339*c54f35caSApple OSS Distributions {
340*c54f35caSApple OSS Distributions return pmap_cs_fork_prepare(old_pmap, new_pmap);
341*c54f35caSApple OSS Distributions }
342*c54f35caSApple OSS Distributions
343*c54f35caSApple OSS Distributions kern_return_t
ppl_acquire_signing_identifier(const void * sig_obj,const char ** signing_id)344*c54f35caSApple OSS Distributions ppl_acquire_signing_identifier(
345*c54f35caSApple OSS Distributions const void *sig_obj,
346*c54f35caSApple OSS Distributions const char **signing_id)
347*c54f35caSApple OSS Distributions {
348*c54f35caSApple OSS Distributions const pmap_cs_code_directory_t *cd_entry = sig_obj;
349*c54f35caSApple OSS Distributions
350*c54f35caSApple OSS Distributions /* If we reach here, the identifier must have been setup */
351*c54f35caSApple OSS Distributions assert(cd_entry->identifier != NULL);
352*c54f35caSApple OSS Distributions
353*c54f35caSApple OSS Distributions if (signing_id) {
354*c54f35caSApple OSS Distributions *signing_id = cd_entry->identifier;
355*c54f35caSApple OSS Distributions }
356*c54f35caSApple OSS Distributions
357*c54f35caSApple OSS Distributions return KERN_SUCCESS;
358*c54f35caSApple OSS Distributions }
359*c54f35caSApple OSS Distributions
360*c54f35caSApple OSS Distributions #pragma mark Entitlements
361*c54f35caSApple OSS Distributions
362*c54f35caSApple OSS Distributions kern_return_t
ppl_associate_kernel_entitlements(void * sig_obj,const void * kernel_entitlements)363*c54f35caSApple OSS Distributions ppl_associate_kernel_entitlements(
364*c54f35caSApple OSS Distributions void *sig_obj,
365*c54f35caSApple OSS Distributions const void *kernel_entitlements)
366*c54f35caSApple OSS Distributions {
367*c54f35caSApple OSS Distributions pmap_cs_code_directory_t *cd_entry = sig_obj;
368*c54f35caSApple OSS Distributions return pmap_associate_kernel_entitlements(cd_entry, kernel_entitlements);
369*c54f35caSApple OSS Distributions }
370*c54f35caSApple OSS Distributions
371*c54f35caSApple OSS Distributions kern_return_t
ppl_resolve_kernel_entitlements(pmap_t pmap,const void ** kernel_entitlements)372*c54f35caSApple OSS Distributions ppl_resolve_kernel_entitlements(
373*c54f35caSApple OSS Distributions pmap_t pmap,
374*c54f35caSApple OSS Distributions const void **kernel_entitlements)
375*c54f35caSApple OSS Distributions {
376*c54f35caSApple OSS Distributions kern_return_t ret = KERN_DENIED;
377*c54f35caSApple OSS Distributions const void *entitlements = NULL;
378*c54f35caSApple OSS Distributions
379*c54f35caSApple OSS Distributions ret = pmap_resolve_kernel_entitlements(pmap, &entitlements);
380*c54f35caSApple OSS Distributions if ((ret == KERN_SUCCESS) && (kernel_entitlements != NULL)) {
381*c54f35caSApple OSS Distributions *kernel_entitlements = entitlements;
382*c54f35caSApple OSS Distributions }
383*c54f35caSApple OSS Distributions
384*c54f35caSApple OSS Distributions return ret;
385*c54f35caSApple OSS Distributions }
386*c54f35caSApple OSS Distributions
387*c54f35caSApple OSS Distributions kern_return_t
ppl_accelerate_entitlements(void * sig_obj,CEQueryContext_t * ce_ctx)388*c54f35caSApple OSS Distributions ppl_accelerate_entitlements(
389*c54f35caSApple OSS Distributions void *sig_obj,
390*c54f35caSApple OSS Distributions CEQueryContext_t *ce_ctx)
391*c54f35caSApple OSS Distributions {
392*c54f35caSApple OSS Distributions pmap_cs_code_directory_t *cd_entry = sig_obj;
393*c54f35caSApple OSS Distributions kern_return_t ret = KERN_DENIED;
394*c54f35caSApple OSS Distributions
395*c54f35caSApple OSS Distributions ret = pmap_accelerate_entitlements(cd_entry);
396*c54f35caSApple OSS Distributions
397*c54f35caSApple OSS Distributions /*
398*c54f35caSApple OSS Distributions * We only ever get KERN_ABORTED when we cannot accelerate the entitlements
399*c54f35caSApple OSS Distributions * because it would consume too much memory. In this case, we still want to
400*c54f35caSApple OSS Distributions * return the ce_ctx since we don't want the system to fall-back to non-PPL
401*c54f35caSApple OSS Distributions * locked down memory, so we switch this to a success case.
402*c54f35caSApple OSS Distributions */
403*c54f35caSApple OSS Distributions if (ret == KERN_ABORTED) {
404*c54f35caSApple OSS Distributions ret = KERN_SUCCESS;
405*c54f35caSApple OSS Distributions }
406*c54f35caSApple OSS Distributions
407*c54f35caSApple OSS Distributions /* Return the accelerated context to the caller */
408*c54f35caSApple OSS Distributions if ((ret == KERN_SUCCESS) && (ce_ctx != NULL)) {
409*c54f35caSApple OSS Distributions *ce_ctx = cd_entry->ce_ctx;
410*c54f35caSApple OSS Distributions }
411*c54f35caSApple OSS Distributions
412*c54f35caSApple OSS Distributions return ret;
413*c54f35caSApple OSS Distributions }
414*c54f35caSApple OSS Distributions
415*c54f35caSApple OSS Distributions #pragma mark Image4
416*c54f35caSApple OSS Distributions
417*c54f35caSApple OSS Distributions void*
ppl_image4_storage_data(size_t * allocated_size)418*c54f35caSApple OSS Distributions ppl_image4_storage_data(
419*c54f35caSApple OSS Distributions size_t *allocated_size)
420*c54f35caSApple OSS Distributions {
421*c54f35caSApple OSS Distributions return pmap_image4_pmap_data(allocated_size);
422*c54f35caSApple OSS Distributions }
423*c54f35caSApple OSS Distributions
424*c54f35caSApple OSS Distributions void
ppl_image4_set_nonce(const img4_nonce_domain_index_t ndi,const img4_nonce_t * nonce)425*c54f35caSApple OSS Distributions ppl_image4_set_nonce(
426*c54f35caSApple OSS Distributions const img4_nonce_domain_index_t ndi,
427*c54f35caSApple OSS Distributions const img4_nonce_t *nonce)
428*c54f35caSApple OSS Distributions {
429*c54f35caSApple OSS Distributions return pmap_image4_set_nonce(ndi, nonce);
430*c54f35caSApple OSS Distributions }
431*c54f35caSApple OSS Distributions
432*c54f35caSApple OSS Distributions void
ppl_image4_roll_nonce(const img4_nonce_domain_index_t ndi)433*c54f35caSApple OSS Distributions ppl_image4_roll_nonce(
434*c54f35caSApple OSS Distributions const img4_nonce_domain_index_t ndi)
435*c54f35caSApple OSS Distributions {
436*c54f35caSApple OSS Distributions return pmap_image4_roll_nonce(ndi);
437*c54f35caSApple OSS Distributions }
438*c54f35caSApple OSS Distributions
439*c54f35caSApple OSS Distributions errno_t
ppl_image4_copy_nonce(const img4_nonce_domain_index_t ndi,img4_nonce_t * nonce_out)440*c54f35caSApple OSS Distributions ppl_image4_copy_nonce(
441*c54f35caSApple OSS Distributions const img4_nonce_domain_index_t ndi,
442*c54f35caSApple OSS Distributions img4_nonce_t *nonce_out)
443*c54f35caSApple OSS Distributions {
444*c54f35caSApple OSS Distributions return pmap_image4_copy_nonce(ndi, nonce_out);
445*c54f35caSApple OSS Distributions }
446*c54f35caSApple OSS Distributions
447*c54f35caSApple OSS Distributions errno_t
ppl_image4_execute_object(img4_runtime_object_spec_index_t obj_spec_index,const img4_buff_t * payload,const img4_buff_t * manifest)448*c54f35caSApple OSS Distributions ppl_image4_execute_object(
449*c54f35caSApple OSS Distributions img4_runtime_object_spec_index_t obj_spec_index,
450*c54f35caSApple OSS Distributions const img4_buff_t *payload,
451*c54f35caSApple OSS Distributions const img4_buff_t *manifest)
452*c54f35caSApple OSS Distributions {
453*c54f35caSApple OSS Distributions errno_t err = EINVAL;
454*c54f35caSApple OSS Distributions kern_return_t kr = KERN_DENIED;
455*c54f35caSApple OSS Distributions img4_buff_t payload_aligned = IMG4_BUFF_INIT;
456*c54f35caSApple OSS Distributions img4_buff_t manifest_aligned = IMG4_BUFF_INIT;
457*c54f35caSApple OSS Distributions vm_address_t payload_addr = 0;
458*c54f35caSApple OSS Distributions vm_size_t payload_len_aligned = 0;
459*c54f35caSApple OSS Distributions vm_address_t manifest_addr = 0;
460*c54f35caSApple OSS Distributions vm_size_t manifest_len_aligned = 0;
461*c54f35caSApple OSS Distributions
462*c54f35caSApple OSS Distributions if (payload == NULL) {
463*c54f35caSApple OSS Distributions printf("invalid object execution request: no payload\n");
464*c54f35caSApple OSS Distributions goto out;
465*c54f35caSApple OSS Distributions }
466*c54f35caSApple OSS Distributions
467*c54f35caSApple OSS Distributions /*
468*c54f35caSApple OSS Distributions * The PPL will attempt to lockdown both the payload and the manifest before executing
469*c54f35caSApple OSS Distributions * the object. In order for that to happen, both the artifacts need to be page-aligned.
470*c54f35caSApple OSS Distributions */
471*c54f35caSApple OSS Distributions payload_len_aligned = round_page(payload->i4b_len);
472*c54f35caSApple OSS Distributions if (manifest != NULL) {
473*c54f35caSApple OSS Distributions manifest_len_aligned = round_page(manifest->i4b_len);
474*c54f35caSApple OSS Distributions }
475*c54f35caSApple OSS Distributions
476*c54f35caSApple OSS Distributions kr = kmem_alloc(
477*c54f35caSApple OSS Distributions kernel_map,
478*c54f35caSApple OSS Distributions &payload_addr,
479*c54f35caSApple OSS Distributions payload_len_aligned,
480*c54f35caSApple OSS Distributions KMA_KOBJECT,
481*c54f35caSApple OSS Distributions VM_KERN_MEMORY_SECURITY);
482*c54f35caSApple OSS Distributions
483*c54f35caSApple OSS Distributions if (kr != KERN_SUCCESS) {
484*c54f35caSApple OSS Distributions printf("unable to allocate memory for image4 payload: %d\n", kr);
485*c54f35caSApple OSS Distributions err = ENOMEM;
486*c54f35caSApple OSS Distributions goto out;
487*c54f35caSApple OSS Distributions }
488*c54f35caSApple OSS Distributions
489*c54f35caSApple OSS Distributions /* Copy in the payload */
490*c54f35caSApple OSS Distributions memcpy((uint8_t*)payload_addr, payload->i4b_bytes, payload->i4b_len);
491*c54f35caSApple OSS Distributions
492*c54f35caSApple OSS Distributions /* Construct the aligned payload buffer */
493*c54f35caSApple OSS Distributions payload_aligned.i4b_bytes = (uint8_t*)payload_addr;
494*c54f35caSApple OSS Distributions payload_aligned.i4b_len = payload->i4b_len;
495*c54f35caSApple OSS Distributions
496*c54f35caSApple OSS Distributions if (manifest != NULL) {
497*c54f35caSApple OSS Distributions kr = kmem_alloc(
498*c54f35caSApple OSS Distributions kernel_map,
499*c54f35caSApple OSS Distributions &manifest_addr,
500*c54f35caSApple OSS Distributions manifest_len_aligned,
501*c54f35caSApple OSS Distributions KMA_KOBJECT,
502*c54f35caSApple OSS Distributions VM_KERN_MEMORY_SECURITY);
503*c54f35caSApple OSS Distributions
504*c54f35caSApple OSS Distributions if (kr != KERN_SUCCESS) {
505*c54f35caSApple OSS Distributions printf("unable to allocate memory for image4 manifest: %d\n", kr);
506*c54f35caSApple OSS Distributions err = ENOMEM;
507*c54f35caSApple OSS Distributions goto out;
508*c54f35caSApple OSS Distributions }
509*c54f35caSApple OSS Distributions
510*c54f35caSApple OSS Distributions /* Construct the aligned manifest buffer */
511*c54f35caSApple OSS Distributions manifest_aligned.i4b_bytes = (uint8_t*)manifest_addr;
512*c54f35caSApple OSS Distributions manifest_aligned.i4b_len = manifest->i4b_len;
513*c54f35caSApple OSS Distributions
514*c54f35caSApple OSS Distributions /* Copy in the manifest */
515*c54f35caSApple OSS Distributions memcpy((uint8_t*)manifest_addr, manifest->i4b_bytes, manifest->i4b_len);
516*c54f35caSApple OSS Distributions }
517*c54f35caSApple OSS Distributions
518*c54f35caSApple OSS Distributions err = pmap_image4_execute_object(obj_spec_index, &payload_aligned, &manifest_aligned);
519*c54f35caSApple OSS Distributions if (err != 0) {
520*c54f35caSApple OSS Distributions printf("unable to execute image4 object: %d\n", err);
521*c54f35caSApple OSS Distributions goto out;
522*c54f35caSApple OSS Distributions }
523*c54f35caSApple OSS Distributions
524*c54f35caSApple OSS Distributions out:
525*c54f35caSApple OSS Distributions /* We always free the manifest as it isn't required anymore */
526*c54f35caSApple OSS Distributions if (manifest_addr != 0) {
527*c54f35caSApple OSS Distributions kmem_free(kernel_map, manifest_addr, manifest_len_aligned);
528*c54f35caSApple OSS Distributions manifest_addr = 0;
529*c54f35caSApple OSS Distributions manifest_len_aligned = 0;
530*c54f35caSApple OSS Distributions }
531*c54f35caSApple OSS Distributions
532*c54f35caSApple OSS Distributions /* If we encountered an error -- free the allocated payload */
533*c54f35caSApple OSS Distributions if ((err != 0) && (payload_addr != 0)) {
534*c54f35caSApple OSS Distributions kmem_free(kernel_map, payload_addr, payload_len_aligned);
535*c54f35caSApple OSS Distributions payload_addr = 0;
536*c54f35caSApple OSS Distributions payload_len_aligned = 0;
537*c54f35caSApple OSS Distributions }
538*c54f35caSApple OSS Distributions
539*c54f35caSApple OSS Distributions return err;
540*c54f35caSApple OSS Distributions }
541*c54f35caSApple OSS Distributions
542*c54f35caSApple OSS Distributions errno_t
ppl_image4_copy_object(img4_runtime_object_spec_index_t obj_spec_index,vm_address_t object_out,size_t * object_length)543*c54f35caSApple OSS Distributions ppl_image4_copy_object(
544*c54f35caSApple OSS Distributions img4_runtime_object_spec_index_t obj_spec_index,
545*c54f35caSApple OSS Distributions vm_address_t object_out,
546*c54f35caSApple OSS Distributions size_t *object_length)
547*c54f35caSApple OSS Distributions {
548*c54f35caSApple OSS Distributions errno_t err = EINVAL;
549*c54f35caSApple OSS Distributions kern_return_t kr = KERN_DENIED;
550*c54f35caSApple OSS Distributions vm_address_t object_addr = 0;
551*c54f35caSApple OSS Distributions vm_size_t object_len_aligned = 0;
552*c54f35caSApple OSS Distributions
553*c54f35caSApple OSS Distributions if (object_out == 0) {
554*c54f35caSApple OSS Distributions printf("invalid object copy request: no object input buffer\n");
555*c54f35caSApple OSS Distributions goto out;
556*c54f35caSApple OSS Distributions } else if (object_length == NULL) {
557*c54f35caSApple OSS Distributions printf("invalid object copy request: no object input length\n");
558*c54f35caSApple OSS Distributions goto out;
559*c54f35caSApple OSS Distributions }
560*c54f35caSApple OSS Distributions
561*c54f35caSApple OSS Distributions /*
562*c54f35caSApple OSS Distributions * The PPL will attempt to pin the input buffer in order to ensure that the kernel
563*c54f35caSApple OSS Distributions * didn't pass in PPL-owned buffers. The PPL cannot pin the same page more than once,
564*c54f35caSApple OSS Distributions * and attempting to do so will panic the system. Hence, we allocate fresh pages for
565*c54f35caSApple OSS Distributions * for the PPL to pin.
566*c54f35caSApple OSS Distributions *
567*c54f35caSApple OSS Distributions * We can send in the address for the length pointer since that is allocated on the
568*c54f35caSApple OSS Distributions * stack, so the PPL can pin our stack for the duration of the call as no other
569*c54f35caSApple OSS Distributions * thread can be using our stack, meaning the PPL will never attempt to double-pin
570*c54f35caSApple OSS Distributions * the page.
571*c54f35caSApple OSS Distributions */
572*c54f35caSApple OSS Distributions object_len_aligned = round_page(*object_length);
573*c54f35caSApple OSS Distributions
574*c54f35caSApple OSS Distributions kr = kmem_alloc(
575*c54f35caSApple OSS Distributions kernel_map,
576*c54f35caSApple OSS Distributions &object_addr,
577*c54f35caSApple OSS Distributions object_len_aligned,
578*c54f35caSApple OSS Distributions KMA_KOBJECT,
579*c54f35caSApple OSS Distributions VM_KERN_MEMORY_SECURITY);
580*c54f35caSApple OSS Distributions
581*c54f35caSApple OSS Distributions if (kr != KERN_SUCCESS) {
582*c54f35caSApple OSS Distributions printf("unable to allocate memory for image4 object: %d\n", kr);
583*c54f35caSApple OSS Distributions err = ENOMEM;
584*c54f35caSApple OSS Distributions goto out;
585*c54f35caSApple OSS Distributions }
586*c54f35caSApple OSS Distributions
587*c54f35caSApple OSS Distributions err = pmap_image4_copy_object(obj_spec_index, object_addr, object_length);
588*c54f35caSApple OSS Distributions if (err != 0) {
589*c54f35caSApple OSS Distributions printf("unable to copy image4 object: %d\n", err);
590*c54f35caSApple OSS Distributions goto out;
591*c54f35caSApple OSS Distributions }
592*c54f35caSApple OSS Distributions
593*c54f35caSApple OSS Distributions /* Copy the data back into the caller passed buffer */
594*c54f35caSApple OSS Distributions memcpy((void*)object_out, (void*)object_addr, *object_length);
595*c54f35caSApple OSS Distributions
596*c54f35caSApple OSS Distributions out:
597*c54f35caSApple OSS Distributions /* We don't ever need to keep around our page-aligned buffer */
598*c54f35caSApple OSS Distributions if (object_addr != 0) {
599*c54f35caSApple OSS Distributions kmem_free(kernel_map, object_addr, object_len_aligned);
600*c54f35caSApple OSS Distributions object_addr = 0;
601*c54f35caSApple OSS Distributions object_len_aligned = 0;
602*c54f35caSApple OSS Distributions }
603*c54f35caSApple OSS Distributions
604*c54f35caSApple OSS Distributions return err;
605*c54f35caSApple OSS Distributions }
606*c54f35caSApple OSS Distributions
607*c54f35caSApple OSS Distributions const void*
ppl_image4_get_monitor_exports(void)608*c54f35caSApple OSS Distributions ppl_image4_get_monitor_exports(void)
609*c54f35caSApple OSS Distributions {
610*c54f35caSApple OSS Distributions /*
611*c54f35caSApple OSS Distributions * AppleImage4 can query the PMAP_CS runtime on its own since the PMAP_CS
612*c54f35caSApple OSS Distributions * runtime is compiled within the kernel extension itself. As a result, we
613*c54f35caSApple OSS Distributions * never expect this KPI to be called when the system uses the PPL monitor.
614*c54f35caSApple OSS Distributions */
615*c54f35caSApple OSS Distributions
616*c54f35caSApple OSS Distributions printf("explicit monitor-exports-get not required for the PPL\n");
617*c54f35caSApple OSS Distributions return NULL;
618*c54f35caSApple OSS Distributions }
619*c54f35caSApple OSS Distributions
620*c54f35caSApple OSS Distributions errno_t
ppl_image4_set_release_type(__unused const char * release_type)621*c54f35caSApple OSS Distributions ppl_image4_set_release_type(
622*c54f35caSApple OSS Distributions __unused const char *release_type)
623*c54f35caSApple OSS Distributions {
624*c54f35caSApple OSS Distributions /*
625*c54f35caSApple OSS Distributions * AppleImage4 stores the release type in the CTRR protected memory region
626*c54f35caSApple OSS Distributions * of its kernel extension. This is accessible by the PMAP_CS runtime as the
627*c54f35caSApple OSS Distributions * runtime is compiled alongside the kernel extension. As a result, we never
628*c54f35caSApple OSS Distributions * expect this KPI to be called when the system uses the PPL monitor.
629*c54f35caSApple OSS Distributions */
630*c54f35caSApple OSS Distributions
631*c54f35caSApple OSS Distributions printf("explicit release-type-set set not required for the PPL\n");
632*c54f35caSApple OSS Distributions return ENOTSUP;
633*c54f35caSApple OSS Distributions }
634*c54f35caSApple OSS Distributions
635*c54f35caSApple OSS Distributions errno_t
ppl_image4_set_bnch_shadow(__unused const img4_nonce_domain_index_t ndi)636*c54f35caSApple OSS Distributions ppl_image4_set_bnch_shadow(
637*c54f35caSApple OSS Distributions __unused const img4_nonce_domain_index_t ndi)
638*c54f35caSApple OSS Distributions {
639*c54f35caSApple OSS Distributions /*
640*c54f35caSApple OSS Distributions * AppleImage4 stores the BNCH shadow in the CTRR protected memory region
641*c54f35caSApple OSS Distributions * of its kernel extension. This is accessible by the PMAP_CS runtime as the
642*c54f35caSApple OSS Distributions * runtime is compiled alongside the kernel extension. As a result, we never
643*c54f35caSApple OSS Distributions * expect this KPI to be called when the system uses the PPL monitor.
644*c54f35caSApple OSS Distributions */
645*c54f35caSApple OSS Distributions
646*c54f35caSApple OSS Distributions printf("explicit BNCH-shadow-set not required for the PPL\n");
647*c54f35caSApple OSS Distributions return ENOTSUP;
648*c54f35caSApple OSS Distributions }
649*c54f35caSApple OSS Distributions
650*c54f35caSApple OSS Distributions #endif /* PMAP_CS_PPL_MONITOR */
651