kata-os-camkes: wrap request ipc buffer capability handling

Add Camkes::set_request_cap to attach an seL4 capability to an outbound
ipc message. The return value is an RAII wrapper that cleans up state
and must be held until after the CAmkES rpc call completes

Change-Id: I0672c59e0b5e43e39c9ea3fb16809270a33f51ef
GitOrigin-RevId: 56be13a2c05fcc1b4a1aa5c8e0eab47bcd0f2345

apps/system/components/MemoryManager/kata-memory-interface/src/lib.rs

@@ -7,6 +7,7 @@ extern crate alloc;
 use alloc::vec;
 use alloc::vec::Vec;
 use core::fmt;
+use kata_os_common::camkes::Camkes;
 use kata_os_common::slot_allocator;
 use kata_os_common::sel4_sys;
 use log::trace;
@@ -19,7 +20,6 @@ use sel4_sys::seL4_ObjectType::*;
 use sel4_sys::seL4_ObjectType;
 use sel4_sys::seL4_PageBits;
 use sel4_sys::seL4_Result;
-use sel4_sys::seL4_SetCap;
 use sel4_sys::seL4_WordBits;
 
 use slot_allocator::KATA_CSPACE_SLOTS;
@@ -385,8 +385,9 @@ pub fn kata_object_alloc(
         // Attach our CNode for returning objects; the CAmkES template
         // forces extraCaps=1 when constructing the MessageInfo struct
         // used by the seL4_Call inside memory_alloc.
+        // NB: scrubbing the IPC buffer is done on drop of |cleanup|
         sel4_sys::debug_assert_slot_cnode!(request.cnode);
-        seL4_SetCap(0, request.cnode);
+        let _cleanup = Camkes::set_request_cap(request.cnode);
 
         memory_alloc(raw_data.len() as u32, raw_data.as_ptr()).into()
     }
@@ -418,7 +419,6 @@ pub fn kata_object_alloc_in_toplevel(
 // in a new CNode allocated with sufficient capacity.
 // Note the objects' cptr's are assumed to be consecutive and start at zero.
 // Note the returned |ObjDescBundle| has the new CNode marked as the container.
-// TODO(sleffler): not used any more, remove?
 #[inline]
 pub fn kata_object_alloc_in_cnode(
     objs: Vec<ObjDesc>,
@@ -622,8 +622,9 @@ pub fn kata_object_free(
         // Attach our CNode for returning objects; the CAmkES template
         // forces extraCaps=1 when constructing the MessageInfo struct
         // used in the seL4_Call.
+        // NB: scrubbing the IPC buffer is done on drop of |cleanup|
         sel4_sys::debug_assert_slot_cnode!(request.cnode);
-        seL4_SetCap(0, request.cnode);
+        let _cleanup = Camkes::set_request_cap(request.cnode);
 
         memory_free(raw_data.len() as u32, raw_data.as_ptr()).into()
     }
@@ -654,6 +655,8 @@ pub fn kata_object_free_toplevel(objs: &ObjDescBundle)
     -> Result<(), MemoryManagerError>
 {
     let mut objs_mut = objs.clone();
+    // Move ojbects to the pre-allocated container. Note this returns
+    // the toplevel slots to the slot allocator.
     objs_mut.move_objects_from_toplevel(
         unsafe { MEMORY_RECV_CNODE },
         unsafe { MEMORY_RECV_CNODE_DEPTH }

apps/system/components/ProcessManager/kata-proc-interface/src/lib.rs

@@ -10,12 +10,10 @@ use core::str;
 use cstr_core::CString;
 use kata_memory_interface::ObjDescBundle;
 use kata_memory_interface::RAW_OBJ_DESC_DATA_SIZE;
-use kata_os_common::sel4_sys;
+use kata_os_common::camkes::Camkes;
 use kata_security_interface::SecurityRequestError;
 use serde::{Deserialize, Serialize};
 
-use sel4_sys::seL4_SetCap;
-
 mod bundle_image;
 pub use bundle_image::*;
 
@@ -192,7 +190,7 @@ pub fn kata_pkg_mgmt_install(pkg_contents: &ObjDescBundle) -> Result<String, Pro
     let request = postcard::to_slice(&pkg_contents, raw_request)?;
     let raw_data = &mut [0u8; RAW_BUNDLE_ID_DATA_SIZE];
     match unsafe {
-        seL4_SetCap(0, pkg_contents.cnode);
+        let _cleanup = Camkes::set_request_cap(pkg_contents.cnode);
         pkg_mgmt_install(request.len() as u32, request.as_ptr(), raw_data as *mut _)
     } {
         ProcessManagerError::Success => {

apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs

@@ -6,6 +6,7 @@ extern crate alloc;
 use alloc::string::{String, ToString};
 use core::str;
 use kata_memory_interface::ObjDescBundle;
+use kata_os_common::camkes::Camkes;
 use kata_os_common::cspace_slot::CSpaceSlot;
 use kata_os_common::sel4_sys;
 use kata_storage_interface::KeyValueData;
@@ -14,7 +15,6 @@ use log::trace;
 use serde::{Deserialize, Serialize};
 
 use sel4_sys::seL4_CPtr;
-use sel4_sys::seL4_SetCap;
 
 // NB: serde helper for arrays w/ >32 elements
 //   c.f. https://github.com/serde-rs/serde/pull/1860
@@ -280,14 +280,21 @@ pub fn kata_security_request<T: Serialize + SecurityCapability>(
         .map_err(|_| SecurityRequestError::SreSerializeFailed)?;
     match unsafe {
         if let Some(cap) = request_args.get_container_cap() {
-            seL4_SetCap(0, cap);
+            let _cleanup = Camkes::set_request_cap(cap);
+            security_request(
+                request,
+                request_buffer.len() as u32,
+                request_buffer.as_ptr(),
+                reply_buffer as *mut _,
+            )
+        } else {
+            security_request(
+                request,
+                request_buffer.len() as u32,
+                request_buffer.as_ptr(),
+                reply_buffer as *mut _,
+            )
         }
-        security_request(
-            request,
-            request_buffer.len() as u32,
-            request_buffer.as_ptr(),
-            reply_buffer as *mut _,
-        )
     } {
         SecurityRequestError::SreSuccess => Ok(()),
         status => Err(status),

apps/system/components/kata-os-common/src/camkes/src/lib.rs

@@ -12,6 +12,7 @@ use sel4_sys;
 use sel4_sys::seL4_CNode_Delete;
 use sel4_sys::seL4_CPtr;
 use sel4_sys::seL4_GetCapReceivePath;
+use sel4_sys::seL4_SetCap;
 use sel4_sys::seL4_SetCapReceivePath;
 use sel4_sys::seL4_Word;
 use sel4_sys::seL4_WordBits;
@@ -28,6 +29,14 @@ extern "C" {
     static SELF_CNODE_LAST_SLOT: seL4_CPtr;
 }
 
+// RAII wrapper for handling request cap cleanup.
+pub struct RequestCapCleanup {}
+impl Drop for RequestCapCleanup {
+    fn drop(&mut self) {
+        unsafe { seL4_SetCap(0, 0); }
+    }
+}
+
 pub struct Camkes {
     name: &'static str, // Component name
     recv_path: seL4_CPath, // IPCBuffer receive path
@@ -115,6 +124,14 @@ impl Camkes {
                 self.get_current_recv_path(), self.recv_path);
     }
 
+    // Attaches a capability to a CAmkES RPC request msg. seL4 will copy
+    // the capabiltiy.
+    #[must_use]
+    pub fn set_request_cap(cptr: seL4_CPtr) -> RequestCapCleanup {
+        unsafe { seL4_SetCap(0, cptr); }
+        RequestCapCleanup{}
+    }
+
     // Wrappers for sel4_sys::debug_assert macros.
     pub fn debug_assert_slot_empty(tag: &str, path: &seL4_CPath) {
         sel4_sys::debug_assert_slot_empty!(path.1,