libseccomp icon indicating copy to clipboard operation
libseccomp copied to clipboard

Published 20 hours ago verified publisher icon seccomp

RFE: add 64-bit LoongArch support

Open yetist opened this issue 3 years ago • 27 comments

LoongArch is a new instruction set of Loongson 3A5000 CPU, you can read the documents or visit the development community to get more infomation.

Now I porting the libseccomp to support loongarch64, please review, thanks.

The test results of make check: make-check-main.log

yetist avatar Nov 05 '21 07:11 yetist

I haven't had a chance to look through the patches yet; I'll likely get to them next week.

The DCO check is failing because the commits don't have a Signed-off-by: tag. See other commits to libseccomp for an example. Here's the thought process behind a signed-off tag if you haven't worked with them before: https://developercertificate.org/

drakenclimber avatar Nov 05 '21 17:11 drakenclimber

Coverage Status

Coverage: 89.724% (+0.01%) from 89.71% when pulling c01c4fdc0e8f7ee9b2e0e9dfa7f88b6c0c1b76b0 on loongarch64:dev-main into 73be05e88623ebc6fcad3e04109c4fc47b7fc474 on seccomp:main.

coveralls avatar Nov 05 '21 17:11 coveralls

Building upon what @drakenclimber already said, we have a CONTRIBUTING.md doc which describes the DCO and other important requirements for submitting patches to this project.

pcmoore avatar Nov 05 '21 19:11 pcmoore

The results of make check:

Regression Test Summary
 tests run: 4693
 tests skipped: 121
 tests passed: 4693
 tests failed: 0
 tests errored: 0

The results of (cd tests; ./regression -T live):

Regression Test Summary
 tests run: 11
 tests skipped: 0
 tests passed: 5
 tests failed: 6
 tests errored: 0

Failed tests:

Test 20-live-basic_die%%003-00001 result:   FAILURE 20-live-basic_die 1 ERRNO rc=38
Test 24-live-arg_allow%%001-00001 result:   FAILURE 24-live-arg_allow 1 ALLOW rc=161
Test 44-live-a2_order%%001-00001 result:   FAILURE 44-live-a2_order 1 ALLOW rc=1
Test 51-live-user_notification%%001-00001 result:   FAILURE 51-live-user_notification 5 ALLOW rc=14
Test 54-live-binary_tree%%001-00001 result:   FAILURE 54-live-binary_tree 1 ALLOW rc=161
Test 58-live-tsync_notify%%001-00001 result:   FAILURE 58-live-tsync_notify 6 ALLOW rc=14

yetist avatar Nov 06 '21 09:11 yetist

After updating the kernel, the tests passed:

Regression Test Summary
 tests run: 4693
 tests skipped: 121
 tests passed: 4693
 tests failed: 0
 tests errored: 0
============================================================
PASS: regression
=============
1 test passed
=============

Regression Test Summary
 tests run: 11
 tests skipped: 0
 tests passed: 11
 tests failed: 0
 tests errored: 0

The full logs are as follows:

check-syntax.log make-check.log regression.log

yetist avatar Dec 03 '21 02:12 yetist 

Regression Test Summary
 tests run: 4693
 tests skipped: 121
 tests passed: 4693
 tests failed: 0
 tests errored: 0
============================================================
PASS: regression
=============
1 test passed
=============

Regression Test Summary
 tests run: 11
 tests skipped: 0
 tests passed: 11
 tests failed: 0
 tests errored: 0

@yetist, just to be clear - are these results from running the tests on loongarch?

drakenclimber avatar Jan 05 '22 15:01 drakenclimber

Also, it doesn't appear that support for the LoongArch architecture has been accepted into Linus' tree yet, is this correct?

While we are always happy to add new processor architectures to libseccomp, the architecture must first be present in the mainline Linux Kernel.

pcmoore avatar Jan 05 '22 22:01 pcmoore

@yetist, just to be clear - are these results from running the tests on loongarch?

Yes.

yetist avatar Jan 06 '22 07:01 yetist

While we are always happy to add new processor architectures to libseccomp, the architecture must first be present in the mainline Linux Kernel.

Thank you for your reply, let's wait for the kernel.

yetist avatar Jan 06 '22 07:01 yetist

Thanks, @yetist. I briefly looked through these changes last week, and they looked good to me.

Ping us once the LoongArch changes are in the kernel, and we can work on getting this into libseccomp.

drakenclimber avatar Jan 10 '22 15:01 drakenclimber

Rebased on top of current main branch; tests passed locally, but @yetist please confirm they're still up to date as of 2.5.4.

xen0n avatar Apr 25 '22 05:04 xen0n

Just a note to myself, as of v5.18-rc4 LoongArch does not appear to be present in the upstream Linux Kernel.

pcmoore avatar Apr 25 '22 19:04 pcmoore

Hi @yetist, as the LoongArch system call interface is already merged for 5.19, could you update the syscall numbers here (resolving conflicts btw)?

xen0n avatar Jun 05 '22 07:06 xen0n

So there's a datestamp inside syscalls.csv, I think it would be better to wait until Linux v5.19-rc1 is tagged.

xen0n avatar Jun 05 '22 07:06 xen0n

As there seems to be another conflict caused by 72198d99dd6fda40c1e6d0524caa61d82eddcf45, I've rebased anyway so we can regenerate the syscalls.csv easily later.

xen0n avatar Jun 05 '22 07:06 xen0n

So there's a datestamp inside syscalls.csv, I think it would be better to wait until Linux v5.19-rc1 is tagged.

Yes, we need to wait for linux 5.19-rc1 to be tagged.

yetist avatar Jun 05 '22 09:06 yetist

Hmm, how do I write "on every arch except this" for tests? LoongArch is the first architecture supported by Linux that doesn't have fstat or newfstatat, and this certainly broke some tests :facepalm:

xen0n avatar Jun 07 '22 07:06 xen0n

Hmm, how do I write "on every arch except this" for tests? LoongArch is the first architecture supported by Linux that doesn't have fstat or newfstatat, and this certainly broke some tests facepalm

Looking quickly at the tests I don't see a lot of issues around fstat() and newfstatat(), I think in many of those cases they could be replaced with another roughly equivalent syscall. However, I do know that @drakenclimber chose the syscalls carefully in tests "53-sim-binary_tree" and "55-basic-pfc_binary_tree" to shape the binary tree in a specific way, what do you think @drakenclimber?

% grep "fstat" tests/*.{c,py}
tests/06-sim-actions.c: rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
tests/38-basic-pfc_coverage.c:  rc = seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(fstat), 0);
tests/53-sim-binary_tree.c:     { SCMP_SYS(fstat), 5, 0, { 0, 0 } },
tests/55-basic-pfc_binary_tree.c:       { SCMP_SYS(fstat), 5, 1, { 103, 0 } },
tests/06-sim-actions.py:    f.add_rule(KILL_PROCESS, "fstat")
tests/21-live-basic_allow.py:    f.add_rule(ALLOW, "fstat")
tests/32-live-tsync_allow.py:    f.add_rule(ALLOW, "fstat")
tests/53-sim-binary_tree.py:    {"syscall": "fstat", "error": 5, "arg_cnt": 0 },
tests/54-live-binary_tree.py:    f.add_rule(ALLOW, "fstat")

pcmoore avatar Jun 07 '22 19:06 pcmoore

In my test, the results of make check:

Regression Test Summary
 tests run: 5042
 tests skipped: 123
 tests passed: 5042
 tests failed: 0
 tests errored: 0
============================================================
PASS: regression
=============
1 test passed
=============
Making check in doc

The results of (cd tests; ./regression -T live):

Regression Test Summary
 tests run: 11
 tests skipped: 0
 tests passed: 11
 tests failed: 0
 tests errored: 0
============================================================

@drakenclimber Can you review it again? thanks.

@xen0n If you have time, please help to test it, thank you.

yetist avatar Jun 08 '22 01:06 yetist

Tests now pass on my box; @yetist thanks for fixing! Now we can just wait for @drakenclimber to have a look at the test changes.

xen0n avatar Jun 08 '22 07:06 xen0n

Looking quickly at the tests I don't see a lot of issues around fstat() and newfstatat(), I think in many of those cases they could be replaced with another roughly equivalent syscall. However, I do know that @drakenclimber chose the syscalls carefully in tests "53-sim-binary_tree" and "55-basic-pfc_binary_tree" to shape the binary tree in a specific way, what do you think @drakenclimber?

I tried to build a filter that had a good mix of PNR syscalls as well as a decent range of "real" syscall numbers. My goal was to ensure that the tree could balance the entire range of syscalls we support.

I briefly looked through the binary tree changes in patch 4 and at first glance they look correct. Thank you.

drakenclimber avatar Jun 08 '22 13:06 drakenclimber

In my test, the results of make check:

Regression Test Summary
 tests run: 5042
 tests skipped: 123
 tests passed: 5042
 tests failed: 0
 tests errored: 0
============================================================
PASS: regression
=============
1 test passed
=============
Making check in doc

The results of (cd tests; ./regression -T live):

Regression Test Summary
 tests run: 11
 tests skipped: 0
 tests passed: 11
 tests failed: 0
 tests errored: 0
============================================================

@drakenclimber Can you review it again? thanks.

@xen0n If you have time, please help to test it, thank you.

Are these results from an x86_64 or a loongarch machine? Our automated testing will obviously run against x86_64, but I don't have a way to test against loongarch.

drakenclimber avatar Jun 08 '22 13:06 drakenclimber

(snip)

Are these results from an x86_64 or a loongarch machine? Our automated testing will obviously run against x86_64, but I don't have a way to test against loongarch.

I can confirm these tests are run on LoongArch.

On my own box:

(snip)

Regression Test Summary
 tests run: 5042
 tests skipped: 123
 tests passed: 5042
 tests failed: 0
 tests errored: 0
============================================================
PASS: regression
=============
1 test passed
=============
Making check in doc
$ uname -a
Linux lily 5.17.0-00066-ga4e08c7a13ae #8 SMP PREEMPT Sun May 22 09:34:01 AM CST 2022 loongarch64 GNU/Linux

(My kernel is a bit old, with the LoongArch patchset applied and then some, but the UAPI including the syscall interface should be the same.)

xen0n avatar Jun 08 '22 13:06 xen0n

Are these results from an x86_64 or a loongarch machine? Our automated testing will obviously run against x86_64, but I don't have a way to test against loongarch.

These test results come from LoongArch machine.

yetist avatar Jun 09 '22 01:06 yetist

Hi, may I ask what's blocking this PR from merging? Do we want to wait until the official Linux 5.19 release, or does the code need some more thorough review?

xen0n avatar Jun 12 '22 06:06 xen0n

Hi, may I ask what's blocking this PR from merging? Do we want to wait until the official Linux 5.19 release, or does the code need some more thorough review?

Both @drakenclimber and I need to fully review the latest patches and yes, it would be nice to see a proper release tag, e.g. v5.19, with support included.

pcmoore avatar Jul 29 '22 01:07 pcmoore

Rebased, updated syscall numbers to v5.19 final (nothing changed since rc1), tests all passed:

amd64

Regression Test Summary
 tests run: 7891
 tests skipped: 46
 tests passed: 7891
 tests failed: 0
 tests errored: 0

Kernel version: 5.19.0

loongarch64

Regression Test Summary
 tests run: 5042
 tests skipped: 123
 tests passed: 5042
 tests failed: 0
 tests errored: 0

Kernel version: 5.19.0-rc8-00054-gdd42bdaf64f0

xen0n avatar Aug 15 '22 10:08 xen0n

Aside from the couple of very minor tweaks, this looks pretty good; thanks for you patience and work on this @yetist! Thoughts on this PR @drakenclimber?

@yetist if you don't mind, when you update this PR could you also update the syscall CSV table with the Linux v6.0 info (replacing/updating your v5.19-rc1 commit)?

Done, please review again. Thank you.

yetist avatar Oct 15 '22 13:10 yetist

@drakenclimber

Done.

yetist avatar Oct 28 '22 11:10 yetist

FYI - @yetist, there's still a small test failure in test 6:

Test 06-sim-actions%%005-00001 result:   FAILURE bpf_sim resulted in KILL

drakenclimber avatar Nov 01 '22 14:11 drakenclimber