Month: 2025-05 — CTSRD-CHERI/cheribsd: Security-focused refactor of the runtime linker compartment transition logic. Replaced manual compartment transitions with trampolines in the runtime linker (rtld), ensuring RTLD hooks (_rtld_bind_start) and TLS-related functions execute in Restricted mode consistently across ABIs. The change simplifies the transition path, improves consistency across compartments, and strengthens security context handling during transitions, with a focus on maintainability and future-proofing against ABI drift.

March 2025 monthly summary for CTSRD-CHERI/cheribsd: Delivered security-focused CHERI C18N enhancements, strengthened thread termination robustness, and performed codebase cleanup to reduce maintenance risk. These efforts improve security, reliability, and developer productivity, enabling safer deployments of CHERI-enabled binaries.

February 2025 monthly summary for CTSRD-CHERI/cheribsd focusing on security, stability, and observability improvements in CHERI-enabled workflows.

January 2025 monthly summary for CTSRD-CHERI/cheribsd: Delivered a new Compartment Information Exposure and Inspection Tools feature set that enhances security observability and process isolation management. Implemented kernel exposure of compartment metadata and user-space tooling to query compartment information, enabling operators and automated systems to inspect compartment associations per process. This was achieved by introducing the cheri_c18n_info structure with a generation counter exported to the kernel, enabling stable visibility of compartment metadata; extending kernel-side extraction of compartment names via sysctl; and enhancing libprocstat and the procstat utility to display compartment details for a given process. The changes improve incident response, governance, and isolation verification in CHERI-enabled environments.

December 2024 monthly summary for CTSRD-CHERI/cheribsd: Delivered key code-pointer relocation enhancements and cross-architecture support. Highlights include lazy trampoline creation with partial initialization, an optional world/kernel build path enabled by -cheri-codeptr-relocs, and the LD_COMPARTMENT_FPTR flag to wrap all function pointers with trampolines. Extended runtime linker and kernel support for R_AARCH64_FUNC_RELATIVE and R_MORELLO_FUNC_RELATIVE relocations to correctly resolve function-relative addresses on AArch64 and Morello. Strengthened validation via canonicity tests and related test updates (including signal_returncap adjustments). These changes improve correctness and security of function-relative addressing, enable more flexible builds, and lay groundwork for future CHERI relocation features.

Concise monthly summary for 2024-10: Delivered disk image library inclusion in CTSRD-CHERI/cheribuild, enhancing image readiness and cross-target compatibility. The change ensures lib64cb/c18n libraries are packaged with correct compatibility libraries and symlinks for minimal and mfs-root disk images, reducing runtime dependency issues and supporting smoother deployments. This work strengthens release artifact quality and deployment reliability across CHERI builds.