Line data    Source code

       1             : #ifndef HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h
       2             : #define HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h
       3             : 
       4             : /* fd_sbpf_loader prepares an sBPF program for execution.  This involves
       5             :    parsing and dynamic relocation.
       6             : 
       7             :    Due to historical reasons, this loader is neither a pure static
       8             :    linker nor a real dynamic loader.  For instance, it will ignore the
       9             :    program header table and instead load specific sections at predefined
      10             :    addresses.  However, it will perform dynamic relocation. */
      11             : 
      12             : #include "../../util/fd_util_base.h"
      13             : #include "../elf/fd_elf64.h"
      14             : 
      15             : /* Error types ********************************************************/
      16             : 
      17             : /* FIXME make error types more specific */
      18             : #define FD_SBPF_ERR_INVALID_ELF (1)
      19           6 : #define FD_SBPF_PROG_RODATA_ALIGN 8UL
      20             : 
      21             : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/elf_parser/mod.rs#L17 */
      22             : #define FD_SBPF_ELF_PARSER_SUCCESS                           ( 0)
      23           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_FILE_HEADER           (-1)
      24           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_PROGRAM_HEADER        (-2)
      25           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_SECTION_HEADER        (-3)
      26             : #define FD_SBPF_ELF_PARSER_ERR_INVALID_STRING                (-4)
      27           3 : #define FD_SBPF_ELF_PARSER_ERR_STRING_TOO_LONG               (-5)
      28           0 : #define FD_SBPF_ELF_PARSER_ERR_OUT_OF_BOUNDS                 (-6)
      29           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_SIZE                  (-7)
      30           0 : #define FD_SBPF_ELF_PARSER_ERR_OVERLAP                       (-8)
      31           0 : #define FD_SBPF_ELF_PARSER_ERR_SECTION_NOT_IN_ORDER          (-9)
      32           0 : #define FD_SBPF_ELF_PARSER_ERR_NO_SECTION_NAME_STRING_TABLE  (-10)
      33           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_DYNAMIC_SECTION_TABLE (-11)
      34             : #define FD_SBPF_ELF_PARSER_ERR_INVALID_RELOCATION_TABLE      (-12)
      35           0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_ALIGNMENT             (-13)
      36             : #define FD_SBPF_ELF_PARSER_ERR_NO_STRING_TABLE               (-14)
      37             : #define FD_SBPF_ELF_PARSER_ERR_NO_DYNAMIC_STRING_TABLE       (-15)
      38             : 
      39             : /* Map Rust ElfError (elf.rs v0.12.2) to C error codes */
      40             : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/elf.rs#L40-L66 */
      41       16833 : #define FD_SBPF_ELF_SUCCESS                                  (  0)
      42           3 : #define FD_SBPF_ELF_ERR_FAILED_TO_PARSE                      ( -1)
      43           0 : #define FD_SBPF_ELF_ERR_ENTRYPOINT_OUT_OF_BOUNDS             ( -2)
      44           0 : #define FD_SBPF_ELF_ERR_INVALID_ENTRYPOINT                   ( -3)
      45             : #define FD_SBPF_ELF_ERR_FAILED_TO_GET_SECTION                ( -4)
      46           0 : #define FD_SBPF_ELF_ERR_UNRESOLVED_SYMBOL                    ( -5)
      47             : #define FD_SBPF_ELF_ERR_SECTION_NOT_FOUND                    ( -6)
      48           0 : #define FD_SBPF_ELF_ERR_RELATIVE_JUMP_OUT_OF_BOUNDS          ( -7)
      49           0 : #define FD_SBPF_ELF_ERR_SYMBOL_HASH_COLLISION                ( -8)
      50           0 : #define FD_SBPF_ELF_ERR_WRONG_ENDIANNESS                     ( -9)
      51           0 : #define FD_SBPF_ELF_ERR_WRONG_ABI                            (-10)
      52           0 : #define FD_SBPF_ELF_ERR_WRONG_MACHINE                        (-11)
      53           0 : #define FD_SBPF_ELF_ERR_WRONG_CLASS                          (-12)
      54           0 : #define FD_SBPF_ELF_ERR_NOT_ONE_TEXT_SECTION                 (-13)
      55           3 : #define FD_SBPF_ELF_ERR_WRITABLE_SECTION_NOT_SUPPORTED       (-14)
      56             : #define FD_SBPF_ELF_ERR_ADDRESS_OUTSIDE_LOADABLE_SECTION     (-15)
      57           0 : #define FD_SBPF_ELF_ERR_INVALID_VIRTUAL_ADDRESS              (-16)
      58           0 : #define FD_SBPF_ELF_ERR_UNKNOWN_RELOCATION                   (-17)
      59             : #define FD_SBPF_ELF_ERR_FAILED_TO_READ_RELOCATION_INFO       (-18)
      60           0 : #define FD_SBPF_ELF_ERR_WRONG_TYPE                           (-19)
      61           0 : #define FD_SBPF_ELF_ERR_UNKNOWN_SYMBOL                       (-20)
      62           0 : #define FD_SBPF_ELF_ERR_VALUE_OUT_OF_BOUNDS                  (-21)
      63          42 : #define FD_SBPF_ELF_ERR_UNSUPPORTED_SBPF_VERSION             (-22)
      64           0 : #define FD_SBPF_ELF_ERR_INVALID_PROGRAM_HEADER               (-23)
      65             : 
      66             : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs */
      67         168 : #define FD_SBPF_VERSION_COUNT (5U)
      68         264 : #define FD_SBPF_V0            (0U)
      69       17805 : #define FD_SBPF_V1            (1U)
      70     2338953 : #define FD_SBPF_V2            (2U)
      71   805611294 : #define FD_SBPF_V3            (3U)
      72             : #define FD_SBPF_V4            (4U)
      73         168 : #define FD_SBPF_RESERVED      (FD_SBPF_VERSION_COUNT)
      74             : 
      75             : /* Hardcoded constant for the murmur3_32 hash of the entrypoint. */
      76        9408 : #define FD_SBPF_ENTRYPOINT_PC   (0xb00c380U)
      77          78 : #define FD_SBPF_ENTRYPOINT_HASH (0x71e3cf81U) /* fd_pchash( FD_SBPF_ENTRYPOINT_PC ) */
      78             : 
      79          12 : #define E_FLAGS_SBPF_V2         (0x20U)
      80             : 
      81             : /* Program struct *****************************************************/
      82             : 
      83             : /* fd_sbpf_calldests is a bit vector of valid call destinations.
      84             :    Should be configured to fit any possible program counter.  The max
      85             :    program counter is <size of ELF binary> divided by 8. */
      86             : 
      87             : #define SET_NAME fd_sbpf_calldests
      88             : #include "../../util/tmpl/fd_set_dynamic.c"
      89             : 
      90             : /* fd_sbpf_syscall_func_t is a callback implementing an sBPF syscall.
      91             :    vm is a handle to the running VM.  Returns 0 on suceess or an integer
      92             :    error code on failure.
      93             : 
      94             :    IMPORTANT SAFETY TIP!  See notes in
      95             :    flamenco/vm/syscall/fd_vm_syscall.h on what a syscall should expect
      96             :    to see and expect to return. */
      97             : 
      98             : /* FIXME: THIS BELONGS IN FLAMENCO/VM */
      99             : 
     100             : typedef int
     101             : (*fd_sbpf_syscall_func_t)( void *  vm,
     102             :                            ulong   arg0,
     103             :                            ulong   arg1,
     104             :                            ulong   arg2,
     105             :                            ulong   arg3,
     106             :                            ulong   arg4,
     107             :                            ulong * _ret );
     108             : 
     109             : /* fd_sbpf_syscalls_t maps syscall IDs => a name and a VM specific
     110             :    context.  FIXME: THIS ALSO PROBABLY BELONGS IN FLAMENCO/VM */
     111             : 
     112     1021047 : #define FD_SBPF_SYSCALLS_LG_SLOT_CNT (7)
     113             : #define FD_SBPF_SYSCALLS_SLOT_CNT    (1UL<<FD_SBPF_SYSCALLS_LG_SLOT_CNT)
     114             : 
     115             : /* The syscalls map keys should technically be of type uint since they are
     116             :    just murmur32 hashes. However, Agave's BTree allows the full range to be
     117             :    used as a key [0, UINT_MAX]. So we need to define a wider key type to
     118             :    allow for a NULL value that is outside this range. We use ulong here. */
     119             : 
     120             : struct fd_sbpf_syscalls {
     121             :   ulong                  key;  /* Murmur3-32 hash of function name */
     122             :   fd_sbpf_syscall_func_t func; /* Function pointer */
     123             :   char const *           name; /* Infinite lifetime pointer to function name */
     124             : };
     125             : 
     126             : typedef struct fd_sbpf_syscalls fd_sbpf_syscalls_t;
     127             : 
     128             : #define MAP_NAME              fd_sbpf_syscalls
     129       14847 : #define MAP_T                 fd_sbpf_syscalls_t
     130        7122 : #define MAP_HASH_T            ulong
     131      993033 : #define MAP_KEY_NULL          ULONG_MAX         /* Any number greater than UINT_MAX works */
     132       11355 : #define MAP_KEY_INVAL(k)      ( k > UINT_MAX )  /* Force keys to uint size */
     133        9051 : #define MAP_KEY_EQUAL(k0,k1)  (k0)==(k1)
     134             : #define MAP_KEY_EQUAL_IS_SLOW 0
     135        7122 : #define MAP_KEY_HASH(k)       (k)
     136             : #define MAP_MEMOIZE           0
     137     1021047 : #define MAP_LG_SLOT_CNT       FD_SBPF_SYSCALLS_LG_SLOT_CNT
     138             : #include "../../util/tmpl/fd_map.c"
     139             : 
     140             : #define FD_SBPF_SYSCALLS_FOOTPRINT (sizeof(fd_sbpf_syscalls_t) * (1UL<<FD_SBPF_SYSCALLS_LG_SLOT_CNT))
     141             : #define FD_SBPF_SYSCALLS_ALIGN     alignof(fd_sbpf_syscalls_t)
     142             : 
     143             : /* fd_sbpf_elf_info_t contains basic information extracted from an ELF
     144             :    binary. Indicates how much scratch memory and buffer size is required
     145             :    to fully load the program. */
     146             : 
     147             : struct fd_sbpf_elf_info {
     148             :   ulong bin_sz;   /* size of ELF binary */
     149             : 
     150             :   uint  text_off; /* File offset of .text section (overlaps rodata segment) */
     151             :   uint  text_cnt; /* Instruction count */
     152             :   ulong text_sz;  /* size of text segment. Guaranteed to be <= bin_sz. */
     153             : 
     154             :   /* Known section indices
     155             :      In [-1,USHORT_MAX) where -1 means "not found" */
     156             :   int shndx_text;
     157             :   int shndx_symtab;
     158             :   int shndx_strtab;
     159             :   int shndx_dyn;
     160             :   int shndx_dynstr;
     161             :   int shndx_dynsymtab; /* Section header index of the dynamic symbol table */
     162             : 
     163             :   /* Known program header indices (like shndx_*) */
     164             :   int phndx_dyn;
     165             : 
     166             :   /* Dynamic relocation table entries */
     167             :   uint dt_rel_off; /* File offset of dynamic relocation table */
     168             :   uint dt_rel_sz;  /* Number of dynamic relocation table entries */
     169             : 
     170             :   /* SBPF version, SIMD-0161 */
     171             :   ulong sbpf_version;
     172             : };
     173             : typedef struct fd_sbpf_elf_info fd_sbpf_elf_info_t;
     174             : 
     175             : /* fd_sbpf_program_t describes a loaded program in memory.
     176             : 
     177             :    [rodata,rodata+bin_sz) is an externally allocated buffer holding
     178             :    the read-only segment to be loaded into the VM.  WARNING: The rodata
     179             :    area required doing load (bin_sz) is larger than the area mapped into
     180             :    the VM (rodata_sz).
     181             : 
     182             :    [text,text+8*text_cnt) is a sub-region of the read-only segment
     183             :    containing executable code.
     184             : 
     185             :    We need to maintain a separate value tracking the entrypoint calldest
     186             :    because we lay out our calldests in a set instead of a map (like
     187             :    Agave does), which is more performant but comes with a few footguns.
     188             :    Since we only store the target PC and not a keypair of <hash, target
     189             :    PC>, we need to make sure we unregister the correct target PC from
     190             :    the map. For all other cases besides the b"entrypoint" string, we can
     191             :    simply check for membership within the calldests set because the
     192             :    32-bit murmur3 hash function is bijective, implying key collision iff
     193             :    value collision. However, the b"entrypoint" string is a special case
     194             :    because the key is the hardcoded hash of the b"entrypoint" string,
     195             :    but the value can correspond to any target PC. This means that
     196             :    someone could register several different target PCs with the same
     197             :    entrypoint PC, and we cannot figure out which target PC we must
     198             :    unregister. Additionally, we would not be able to check for
     199             :    collisions for multiple registered b"entrypoint" strings with
     200             :    different target PCs.
     201             : 
     202             :    Once entry_pc is set, any future calls to set the entry_pc within the
     203             :    loader will error out with FD_SBPF_ELF_ERR_SYMBOL_HASH_COLLISION. */
     204             : 
     205             : struct __attribute__((aligned(32UL))) fd_sbpf_program {
     206             :   fd_sbpf_elf_info_t info;
     207             : 
     208             :   /* rodata segment to be mapped into VM memory */
     209             :   void * rodata;     /* rodata segment data */
     210             :   ulong  rodata_sz;  /* size of read-only data */
     211             : 
     212             :   /* text section within rodata segment */
     213             :   ulong * text;
     214             :   ulong   entry_pc;  /* entrypoint PC (at text[ entry_pc ]). ULONG_MAX if not set. */
     215             : 
     216             :   /* Bit vector of valid call destinations (bit count is text_cnt). */
     217             :   void * calldests_shmem;
     218             :   /* Local join to bit vector of valid call destinations (target PCs) */
     219             :   fd_sbpf_calldests_t * calldests;
     220             : };
     221             : typedef struct fd_sbpf_program fd_sbpf_program_t;
     222             : 
     223             : struct fd_sbpf_loader_config {
     224             :   union {
     225             :    int elf_deploy_checks;
     226             :    int reject_broken_elfs;
     227             :   };
     228             :   uint sbpf_min_version;
     229             :   uint sbpf_max_version;
     230             : };
     231             : typedef struct fd_sbpf_loader_config fd_sbpf_loader_config_t;
     232             : 
     233             : /* Prototypes *********************************************************/
     234             : 
     235             : FD_PROTOTYPES_BEGIN
     236             : 
     237             : /* fd_sbpf_elf_peek partially parses the given ELF file in memory region
     238             :    [bin,bin+bin_sz)  Populates `info`.  Returns `info` on success.  On
     239             :    failure, returns NULL.
     240             : 
     241             :    elf_deploy_checks: The Agave ELF loader introduced additional checks
     242             :    that would fail on (certain) existing mainnet programs. Since it is
     243             :    impossible to retroactively enforce these checks on already deployed programs,
     244             :    a guard flag is used to enable these checks only when deploying programs.
     245             : 
     246             :    sbpf_min_version, sbpf_max_version: determine the min, max SBPF version
     247             :    allowed, version is retrieved from the ELF header. See SIMD-0161. */
     248             : 
     249             : int
     250             : fd_sbpf_elf_peek( fd_sbpf_elf_info_t *            info,
     251             :                   void const *                    bin,
     252             :                   ulong                           bin_sz,
     253             :                   fd_sbpf_loader_config_t const * config );
     254             : 
     255             : /* fd_sbpf_program_{align,footprint} return the alignment and size
     256             :    requirements of the memory region backing the fd_sbpf_program_t
     257             :    object. */
     258             : 
     259             : FD_FN_CONST ulong
     260             : fd_sbpf_program_align( void );
     261             : 
     262             : FD_FN_PURE ulong
     263             : fd_sbpf_program_footprint( fd_sbpf_elf_info_t const * info );
     264             : 
     265             : /* fd_sbpf_program_new formats prog_mem to hold an fd_sbpf_program_t.
     266             :    prog_mem must match footprint requirements of the given elf_info.
     267             :    elf_info may be deallocated on return.
     268             : 
     269             :    rodata is the read-only segment buffer that the program is configured
     270             :    against and must be valid for the lifetime of the program object. It
     271             :    should also meet the alignment requirements of the program object.
     272             :    */
     273             : 
     274             : fd_sbpf_program_t *
     275             : fd_sbpf_program_new( void *                     prog_mem,
     276             :                      fd_sbpf_elf_info_t const * elf_info,
     277             :                      void *                     rodata );
     278             : 
     279             : /* fd_sbpf_program_load loads an eBPF program for execution.
     280             : 
     281             :    prog is a program object allocated with fd_sbpf_program_new and must
     282             :    match the footprint requirements of this ELF file.
     283             : 
     284             :    Initializes and populates the program struct with information about
     285             :    the program and prepares the read-only segment provided in
     286             :    fd_sbpf_program_new. This includes performing relocations in the
     287             :    ELF file and zeroing gaps between rodata sections.
     288             : 
     289             :    Memory region [bin,bin+bin_sz) contains the ELF file to be loaded.
     290             : 
     291             :    syscalls should be a pointer to a map of registered syscalls and
     292             :    will be checked against when registering calldests for potential
     293             :    symbol collisions.
     294             : 
     295             :    scratch should be a pointer to a scratch area with size scratch_sz,
     296             :    used to allocate a temporary buffer for the parsed rodata sections
     297             :    before copying it back into the rodata.  recommended size is bin_sz.
     298             : 
     299             :    On success, returns 0.
     300             :    On error, returns FD_SBPF_ERR_*.
     301             : 
     302             :    ### Compliance
     303             : 
     304             :    As of writing, this loader is conformant with Solana SBPF v0.12.2,
     305             :    SBPF versions V0, V1, and V2.
     306             :    */
     307             : 
     308             : int
     309             : fd_sbpf_program_load( fd_sbpf_program_t *             prog,
     310             :                       void const *                    bin,
     311             :                       ulong                           bin_sz,
     312             :                       fd_sbpf_syscalls_t *            syscalls,
     313             :                       fd_sbpf_loader_config_t const * config,
     314             :                       void *                          scratch,
     315             :                       ulong                           scratch_sz );
     316             : 
     317             : /* fd_sbpf_program_delete destroys the program object and unformats the
     318             :    memory regions holding it. */
     319             : 
     320             : void *
     321             : fd_sbpf_program_delete( fd_sbpf_program_t * program );
     322             : 
     323             : /* SBPF versions and features. This should stay in sync with the macro
     324             :    definitions in fd_vm_private.h until they are removed (once Agave
     325             :    cleans up the jump table).
     326             :    https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs#L28 */
     327             : 
     328          12 : #define FD_VM_SBPF_DYNAMIC_STACK_FRAMES_ALIGN (64U)
     329             : 
     330             : /* SIMD-0166 */
     331         297 : static inline int fd_sbpf_dynamic_stack_frames_enabled       ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V1; }
     332             : 
     333             : /* SIMD-0173 */
     334          42 : static inline int fd_sbpf_callx_uses_src_reg_enabled         ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     335           0 : static inline int fd_sbpf_enable_lddw_enabled                ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; }
     336           0 : static inline int fd_sbpf_enable_le_enabled                  ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; }
     337           0 : static inline int fd_sbpf_move_memory_ix_classes_enabled     ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     338             : 
     339             : /* SIMD-0174 */
     340           0 : static inline int fd_sbpf_enable_neg_enabled                 ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; }
     341           0 : static inline int fd_sbpf_swap_sub_reg_imm_operands_enabled  ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     342           0 : static inline int fd_sbpf_explicit_sign_ext_enabled          ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     343           0 : static inline int fd_sbpf_enable_pqr_enabled                 ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; }
     344             : 
     345             : /* SIMD-0178 */
     346           0 : static inline int fd_sbpf_static_syscalls_enabled            ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; }
     347           0 : static inline int fd_sbpf_enable_elf_vaddr_enabled           ( ulong sbpf_version ) { return sbpf_version!=FD_SBPF_V0; }
     348           0 : static inline int fd_sbpf_reject_rodata_stack_overlap_enabled( ulong sbpf_version ) { return sbpf_version!=FD_SBPF_V0; }
     349             : 
     350             : /* SIMD-0189 */
     351   805455198 : static inline int fd_sbpf_enable_stricter_elf_headers_enabled( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; }
     352           0 : static inline int fd_sbpf_enable_lower_bytecode_vaddr_enabled( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; }
     353             : 
     354             : FD_PROTOTYPES_END
     355             : 
     356             : #endif /* HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h */