Line data Source code
1 : #ifndef HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h 2 : #define HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h 3 : 4 : /* fd_sbpf_loader prepares an sBPF program for execution. This involves 5 : parsing and dynamic relocation. 6 : 7 : Due to historical reasons, this loader is neither a pure static 8 : linker nor a real dynamic loader. For instance, it will ignore the 9 : program header table and instead load specific sections at predefined 10 : addresses. However, it will perform dynamic relocation. */ 11 : 12 : #include "../../util/fd_util_base.h" 13 : #include "../elf/fd_elf64.h" 14 : 15 : /* Error types ********************************************************/ 16 : 17 : /* FIXME make error types more specific */ 18 : #define FD_SBPF_ERR_INVALID_ELF (1) 19 6 : #define FD_SBPF_PROG_RODATA_ALIGN 8UL 20 : 21 : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/elf_parser/mod.rs#L17 */ 22 : #define FD_SBPF_ELF_PARSER_SUCCESS ( 0) 23 0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_FILE_HEADER (-1) 24 0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_PROGRAM_HEADER (-2) 25 0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_SECTION_HEADER (-3) 26 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_STRING (-4) 27 3 : #define FD_SBPF_ELF_PARSER_ERR_STRING_TOO_LONG (-5) 28 0 : #define FD_SBPF_ELF_PARSER_ERR_OUT_OF_BOUNDS (-6) 29 0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_SIZE (-7) 30 0 : #define FD_SBPF_ELF_PARSER_ERR_OVERLAP (-8) 31 0 : #define FD_SBPF_ELF_PARSER_ERR_SECTION_NOT_IN_ORDER (-9) 32 0 : #define FD_SBPF_ELF_PARSER_ERR_NO_SECTION_NAME_STRING_TABLE (-10) 33 0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_DYNAMIC_SECTION_TABLE (-11) 34 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_RELOCATION_TABLE (-12) 35 0 : #define FD_SBPF_ELF_PARSER_ERR_INVALID_ALIGNMENT (-13) 36 : #define FD_SBPF_ELF_PARSER_ERR_NO_STRING_TABLE (-14) 37 : #define FD_SBPF_ELF_PARSER_ERR_NO_DYNAMIC_STRING_TABLE (-15) 38 : 39 : /* Map Rust ElfError (elf.rs v0.12.2) to C error codes */ 40 : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/elf.rs#L40-L66 */ 41 17067 : #define FD_SBPF_ELF_SUCCESS ( 0) 42 3 : #define FD_SBPF_ELF_ERR_FAILED_TO_PARSE ( -1) 43 0 : #define FD_SBPF_ELF_ERR_ENTRYPOINT_OUT_OF_BOUNDS ( -2) 44 0 : #define FD_SBPF_ELF_ERR_INVALID_ENTRYPOINT ( -3) 45 : #define FD_SBPF_ELF_ERR_FAILED_TO_GET_SECTION ( -4) 46 0 : #define FD_SBPF_ELF_ERR_UNRESOLVED_SYMBOL ( -5) 47 : #define FD_SBPF_ELF_ERR_SECTION_NOT_FOUND ( -6) 48 0 : #define FD_SBPF_ELF_ERR_RELATIVE_JUMP_OUT_OF_BOUNDS ( -7) 49 0 : #define FD_SBPF_ELF_ERR_SYMBOL_HASH_COLLISION ( -8) 50 0 : #define FD_SBPF_ELF_ERR_WRONG_ENDIANNESS ( -9) 51 0 : #define FD_SBPF_ELF_ERR_WRONG_ABI (-10) 52 0 : #define FD_SBPF_ELF_ERR_WRONG_MACHINE (-11) 53 0 : #define FD_SBPF_ELF_ERR_WRONG_CLASS (-12) 54 0 : #define FD_SBPF_ELF_ERR_NOT_ONE_TEXT_SECTION (-13) 55 3 : #define FD_SBPF_ELF_ERR_WRITABLE_SECTION_NOT_SUPPORTED (-14) 56 : #define FD_SBPF_ELF_ERR_ADDRESS_OUTSIDE_LOADABLE_SECTION (-15) 57 0 : #define FD_SBPF_ELF_ERR_INVALID_VIRTUAL_ADDRESS (-16) 58 0 : #define FD_SBPF_ELF_ERR_UNKNOWN_RELOCATION (-17) 59 : #define FD_SBPF_ELF_ERR_FAILED_TO_READ_RELOCATION_INFO (-18) 60 0 : #define FD_SBPF_ELF_ERR_WRONG_TYPE (-19) 61 0 : #define FD_SBPF_ELF_ERR_UNKNOWN_SYMBOL (-20) 62 9 : #define FD_SBPF_ELF_ERR_VALUE_OUT_OF_BOUNDS (-21) 63 42 : #define FD_SBPF_ELF_ERR_UNSUPPORTED_SBPF_VERSION (-22) 64 0 : #define FD_SBPF_ELF_ERR_INVALID_PROGRAM_HEADER (-23) 65 : 66 : /* https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs */ 67 171 : #define FD_SBPF_VERSION_COUNT (5U) 68 276 : #define FD_SBPF_V0 (0U) 69 17778 : #define FD_SBPF_V1 (1U) 70 2339121 : #define FD_SBPF_V2 (2U) 71 805613397 : #define FD_SBPF_V3 (3U) 72 : #define FD_SBPF_V4 (4U) 73 171 : #define FD_SBPF_RESERVED (FD_SBPF_VERSION_COUNT) 74 : 75 : /* Hardcoded constant for the murmur3_32 hash of the entrypoint. */ 76 9405 : #define FD_SBPF_ENTRYPOINT_PC (0xb00c380U) 77 81 : #define FD_SBPF_ENTRYPOINT_HASH (0x71e3cf81U) /* fd_pchash( FD_SBPF_ENTRYPOINT_PC ) */ 78 : 79 12 : #define E_FLAGS_SBPF_V2 (0x20U) 80 : 81 : /* Program struct *****************************************************/ 82 : 83 : /* fd_sbpf_calldests is a bit vector of valid call destinations. 84 : Should be configured to fit any possible program counter. The max 85 : program counter is <size of ELF binary> divided by 8. */ 86 : 87 : #define SET_NAME fd_sbpf_calldests 88 : #include "../../util/tmpl/fd_set_dynamic.c" 89 : 90 : /* fd_sbpf_syscall_func_t is a callback implementing an sBPF syscall. 91 : vm is a handle to the running VM. Returns 0 on suceess or an integer 92 : error code on failure. 93 : 94 : IMPORTANT SAFETY TIP! See notes in 95 : flamenco/vm/syscall/fd_vm_syscall.h on what a syscall should expect 96 : to see and expect to return. */ 97 : 98 : /* FIXME: THIS BELONGS IN FLAMENCO/VM */ 99 : 100 : typedef int 101 : (*fd_sbpf_syscall_func_t)( void * vm, 102 : ulong arg0, 103 : ulong arg1, 104 : ulong arg2, 105 : ulong arg3, 106 : ulong arg4, 107 : ulong * _ret ); 108 : 109 : /* fd_sbpf_syscalls_t maps syscall IDs => a name and a VM specific 110 : context. FIXME: THIS ALSO PROBABLY BELONGS IN FLAMENCO/VM */ 111 : 112 1021953 : #define FD_SBPF_SYSCALLS_LG_SLOT_CNT (7) 113 : #define FD_SBPF_SYSCALLS_SLOT_CNT (1UL<<FD_SBPF_SYSCALLS_LG_SLOT_CNT) 114 : 115 : /* The syscalls map keys should technically be of type uint since they are 116 : just murmur32 hashes. However, Agave's BTree allows the full range to be 117 : used as a key [0, UINT_MAX]. So we need to define a wider key type to 118 : allow for a NULL value that is outside this range. We use ulong here. */ 119 : 120 : struct fd_sbpf_syscalls { 121 : ulong key; /* Murmur3-32 hash of function name */ 122 : fd_sbpf_syscall_func_t func; /* Function pointer */ 123 : char const * name; /* Infinite lifetime pointer to function name */ 124 : }; 125 : 126 : typedef struct fd_sbpf_syscalls fd_sbpf_syscalls_t; 127 : 128 : #define MAP_NAME fd_sbpf_syscalls 129 14961 : #define MAP_T fd_sbpf_syscalls_t 130 7233 : #define MAP_HASH_T ulong 131 993801 : #define MAP_KEY_NULL ULONG_MAX /* Any number greater than UINT_MAX works */ 132 11340 : #define MAP_KEY_INVAL(k) ( k > UINT_MAX ) /* Force keys to uint size */ 133 8925 : #define MAP_KEY_EQUAL(k0,k1) (k0)==(k1) 134 : #define MAP_KEY_EQUAL_IS_SLOW 0 135 7233 : #define MAP_KEY_HASH(k) (k) 136 : #define MAP_MEMOIZE 0 137 1021953 : #define MAP_LG_SLOT_CNT FD_SBPF_SYSCALLS_LG_SLOT_CNT 138 : #include "../../util/tmpl/fd_map.c" 139 : 140 : #define FD_SBPF_SYSCALLS_FOOTPRINT (sizeof(fd_sbpf_syscalls_t) * (1UL<<FD_SBPF_SYSCALLS_LG_SLOT_CNT)) 141 : #define FD_SBPF_SYSCALLS_ALIGN alignof(fd_sbpf_syscalls_t) 142 : 143 : /* fd_sbpf_elf_info_t contains basic information extracted from an ELF 144 : binary. Indicates how much scratch memory and buffer size is required 145 : to fully load the program. */ 146 : 147 : struct fd_sbpf_elf_info { 148 : ulong bin_sz; /* size of ELF binary */ 149 : 150 : uint text_off; /* File offset of .text section (overlaps rodata segment) */ 151 : uint text_cnt; /* Instruction count */ 152 : ulong text_sz; /* size of text segment. Guaranteed to be <= bin_sz. */ 153 : 154 : /* Known section indices 155 : In [-1,USHORT_MAX) where -1 means "not found" */ 156 : int shndx_text; 157 : int shndx_symtab; 158 : int shndx_strtab; 159 : int shndx_dyn; 160 : int shndx_dynstr; 161 : int shndx_dynsymtab; /* Section header index of the dynamic symbol table */ 162 : 163 : /* Known program header indices (like shndx_*) */ 164 : int phndx_dyn; 165 : 166 : /* Dynamic relocation table entries */ 167 : uint dt_rel_off; /* File offset of dynamic relocation table */ 168 : uint dt_rel_sz; /* Number of dynamic relocation table entries */ 169 : 170 : /* SBPF version, SIMD-0161 */ 171 : ulong sbpf_version; 172 : }; 173 : typedef struct fd_sbpf_elf_info fd_sbpf_elf_info_t; 174 : 175 : /* fd_sbpf_program_t describes a loaded program in memory. 176 : 177 : [rodata,rodata+bin_sz) is an externally allocated buffer holding 178 : the read-only segment to be loaded into the VM. WARNING: The rodata 179 : area required doing load (bin_sz) is larger than the area mapped into 180 : the VM (rodata_sz). 181 : 182 : [text,text+8*text_cnt) is a sub-region of the read-only segment 183 : containing executable code. 184 : 185 : We need to maintain a separate value tracking the entrypoint calldest 186 : because we lay out our calldests in a set instead of a map (like 187 : Agave does), which is more performant but comes with a few footguns. 188 : Since we only store the target PC and not a keypair of <hash, target 189 : PC>, we need to make sure we unregister the correct target PC from 190 : the map. For all other cases besides the b"entrypoint" string, we can 191 : simply check for membership within the calldests set because the 192 : 32-bit murmur3 hash function is bijective, implying key collision iff 193 : value collision. However, the b"entrypoint" string is a special case 194 : because the key is the hardcoded hash of the b"entrypoint" string, 195 : but the value can correspond to any target PC. This means that 196 : someone could register several different target PCs with the same 197 : entrypoint PC, and we cannot figure out which target PC we must 198 : unregister. Additionally, we would not be able to check for 199 : collisions for multiple registered b"entrypoint" strings with 200 : different target PCs. 201 : 202 : Once entry_pc is set, any future calls to set the entry_pc within the 203 : loader will error out with FD_SBPF_ELF_ERR_SYMBOL_HASH_COLLISION. */ 204 : 205 : struct __attribute__((aligned(32UL))) fd_sbpf_program { 206 : fd_sbpf_elf_info_t info; 207 : 208 : /* rodata segment to be mapped into VM memory */ 209 : void * rodata; /* rodata segment data */ 210 : ulong rodata_sz; /* size of read-only data */ 211 : 212 : /* text section within rodata segment */ 213 : ulong * text; 214 : ulong entry_pc; /* entrypoint PC (at text[ entry_pc ]). ULONG_MAX if not set. */ 215 : 216 : /* Bit vector of valid call destinations (bit count is text_cnt). */ 217 : void * calldests_shmem; 218 : /* Local join to bit vector of valid call destinations (target PCs) */ 219 : fd_sbpf_calldests_t * calldests; 220 : }; 221 : typedef struct fd_sbpf_program fd_sbpf_program_t; 222 : 223 : struct fd_sbpf_loader_config { 224 : union { 225 : int elf_deploy_checks; 226 : int reject_broken_elfs; 227 : }; 228 : uint sbpf_min_version; 229 : uint sbpf_max_version; 230 : }; 231 : typedef struct fd_sbpf_loader_config fd_sbpf_loader_config_t; 232 : 233 : /* Prototypes *********************************************************/ 234 : 235 : FD_PROTOTYPES_BEGIN 236 : 237 : /* fd_sbpf_elf_peek partially parses the given ELF file in memory region 238 : [bin,bin+bin_sz) Populates `info`. Returns `info` on success. On 239 : failure, returns NULL. 240 : 241 : elf_deploy_checks: The Agave ELF loader introduced additional checks 242 : that would fail on (certain) existing mainnet programs. Since it is 243 : impossible to retroactively enforce these checks on already deployed programs, 244 : a guard flag is used to enable these checks only when deploying programs. 245 : 246 : sbpf_min_version, sbpf_max_version: determine the min, max SBPF version 247 : allowed, version is retrieved from the ELF header. See SIMD-0161. */ 248 : 249 : int 250 : fd_sbpf_elf_peek( fd_sbpf_elf_info_t * info, 251 : void const * bin, 252 : ulong bin_sz, 253 : fd_sbpf_loader_config_t const * config ); 254 : 255 : /* fd_sbpf_program_{align,footprint} return the alignment and size 256 : requirements of the memory region backing the fd_sbpf_program_t 257 : object. */ 258 : 259 : FD_FN_CONST ulong 260 : fd_sbpf_program_align( void ); 261 : 262 : FD_FN_PURE ulong 263 : fd_sbpf_program_footprint( fd_sbpf_elf_info_t const * info ); 264 : 265 : /* fd_sbpf_program_new formats prog_mem to hold an fd_sbpf_program_t. 266 : prog_mem must match footprint requirements of the given elf_info. 267 : elf_info may be deallocated on return. 268 : 269 : rodata is the read-only segment buffer that the program is configured 270 : against and must be valid for the lifetime of the program object. It 271 : should also meet the alignment requirements of the program object. 272 : */ 273 : 274 : fd_sbpf_program_t * 275 : fd_sbpf_program_new( void * prog_mem, 276 : fd_sbpf_elf_info_t const * elf_info, 277 : void * rodata ); 278 : 279 : /* fd_sbpf_program_load loads an eBPF program for execution. 280 : 281 : prog is a program object allocated with fd_sbpf_program_new and must 282 : match the footprint requirements of this ELF file. 283 : 284 : Initializes and populates the program struct with information about 285 : the program and prepares the read-only segment provided in 286 : fd_sbpf_program_new. This includes performing relocations in the 287 : ELF file and zeroing gaps between rodata sections. 288 : 289 : Memory region [bin,bin+bin_sz) contains the ELF file to be loaded. 290 : 291 : syscalls should be a pointer to a map of registered syscalls and 292 : will be checked against when registering calldests for potential 293 : symbol collisions. 294 : 295 : On success, returns 0. 296 : On error, returns FD_SBPF_ERR_*. 297 : 298 : ### Compliance 299 : 300 : As of writing, this loader is conformant with Solana SBPF v0.12.2, 301 : SBPF versions V0, V1, and V2. 302 : */ 303 : 304 : int 305 : fd_sbpf_program_load( fd_sbpf_program_t * prog, 306 : void const * bin, 307 : ulong bin_sz, 308 : fd_sbpf_syscalls_t * syscalls, 309 : fd_sbpf_loader_config_t const * config ); 310 : 311 : /* fd_sbpf_program_delete destroys the program object and unformats the 312 : memory regions holding it. */ 313 : 314 : void * 315 : fd_sbpf_program_delete( fd_sbpf_program_t * program ); 316 : 317 : /* SBPF versions and features. This should stay in sync with the macro 318 : definitions in fd_vm_private.h until they are removed (once Agave 319 : cleans up the jump table). 320 : https://github.com/anza-xyz/sbpf/blob/v0.12.2/src/program.rs#L28 */ 321 : 322 12 : #define FD_VM_SBPF_DYNAMIC_STACK_FRAMES_ALIGN (64U) 323 : 324 : /* SIMD-0166 */ 325 225 : static inline int fd_sbpf_dynamic_stack_frames_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V1; } 326 : 327 : /* SIMD-0173 */ 328 42 : static inline int fd_sbpf_callx_uses_src_reg_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; } 329 0 : static inline int fd_sbpf_enable_lddw_enabled ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; } 330 0 : static inline int fd_sbpf_enable_le_enabled ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; } 331 0 : static inline int fd_sbpf_move_memory_ix_classes_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; } 332 : 333 : /* SIMD-0174 */ 334 0 : static inline int fd_sbpf_enable_neg_enabled ( ulong sbpf_version ) { return sbpf_version<FD_SBPF_V2; } 335 0 : static inline int fd_sbpf_swap_sub_reg_imm_operands_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; } 336 0 : static inline int fd_sbpf_explicit_sign_ext_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; } 337 0 : static inline int fd_sbpf_enable_pqr_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V2; } 338 : 339 : /* SIMD-0178 */ 340 0 : static inline int fd_sbpf_static_syscalls_enabled ( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; } 341 0 : static inline int fd_sbpf_enable_elf_vaddr_enabled ( ulong sbpf_version ) { return sbpf_version!=FD_SBPF_V0; } 342 0 : static inline int fd_sbpf_reject_rodata_stack_overlap_enabled( ulong sbpf_version ) { return sbpf_version!=FD_SBPF_V0; } 343 : 344 : /* SIMD-0189 */ 345 805457265 : static inline int fd_sbpf_enable_stricter_elf_headers_enabled( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; } 346 0 : static inline int fd_sbpf_enable_lower_bytecode_vaddr_enabled( ulong sbpf_version ) { return sbpf_version>=FD_SBPF_V3; } 347 : 348 : FD_PROTOTYPES_END 349 : 350 : #endif /* HEADER_fd_src_ballet_sbpf_fd_sbpf_loader_h */