diff --git a/apps/system/components/SecurityCoordinator/kata-security-common/src/lib.rs b/apps/system/components/SecurityCoordinator/kata-security-common/src/lib.rs index 72c0ca5..431d325 100644 --- a/apps/system/components/SecurityCoordinator/kata-security-common/src/lib.rs +++ b/apps/system/components/SecurityCoordinator/kata-security-common/src/lib.rs @@ -125,8 +125,13 @@ pub enum SecurityRequestError { SreValueInvalid, SreKeyInvalid, // Generic errors, mostly used in unit tests + SreEchoFailed, SreInstallFailed, SreUninstallFailed, + SreSizeBufferFailed, + SreGetManifestFailed, + SreLoadApplicationFailed, + SreLoadModelFailed, SreReadFailed, SreWriteFailed, SreDeleteFailed, diff --git a/apps/system/components/SecurityCoordinator/kata-security-coordinator/Cargo.toml b/apps/system/components/SecurityCoordinator/kata-security-coordinator/Cargo.toml index a196f43..8fc175f 100644 --- a/apps/system/components/SecurityCoordinator/kata-security-coordinator/Cargo.toml +++ b/apps/system/components/SecurityCoordinator/kata-security-coordinator/Cargo.toml @@ -3,6 +3,11 @@ name = "kata-security-coordinator" version = "0.1.0" edition = "2018" +[features] +default = ["fake"] # TODO(sleffler): sel4 once it exists +fake = [] +sel4 = [] + [dependencies] kata-security-common = { path = "../kata-security-common" } log = "0.4" diff --git a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/fakeimpl/mod.rs b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/fakeimpl/mod.rs new file mode 100644 index 0000000..7856e0c --- /dev/null +++ b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/fakeimpl/mod.rs @@ -0,0 +1,152 @@ +//! Kata OS security coordinator fake support + +extern crate alloc; +use alloc::string::ToString; +use kata_security_common::*; +use log::trace; +use postcard; + +pub struct FakeSecurityCoordinatorInterface { + // TODO(sleffler): mailbox ipc state +} +impl FakeSecurityCoordinatorInterface { + pub fn new() -> Self { + FakeSecurityCoordinatorInterface {} + } +} +pub type KataSecurityCoordinatorInterface = FakeSecurityCoordinatorInterface; + +impl SecurityCoordinatorInterface for FakeSecurityCoordinatorInterface { + fn request( + &mut self, + request_id: SecurityRequest, + request_buffer: &[u8], + reply_buffer: &mut [u8], + ) -> Result<(), SecurityRequestError> { + use SecurityRequestError::*; + + fn serialize_failure(e: postcard::Error) -> SecurityRequestError { + trace!("serialize failed: {:?}", e); + SreBundleDataInvalid + } + fn deserialize_failure(e: postcard::Error) -> SecurityRequestError { + trace!("deserialize failed: {:?}", e); + SreBundleDataInvalid + } + + // TODO(sleffler): mailbox ipc + match request_id { + SecurityRequest::SrEcho => { + trace!("ECHO {:?}", request_buffer); + reply_buffer[0..request_buffer.len()].copy_from_slice(&request_buffer[..]); + Ok(()) + } + SecurityRequest::SrInstall => { + trace!( + "INSTALL addr {:p} len {}", + request_buffer.as_ptr(), + request_buffer.len() + ); + let _ = postcard::to_slice( + &(request_buffer.as_ptr() as usize).to_string(), + reply_buffer, + ) + .map_err(serialize_failure)?; + Ok(()) + } + SecurityRequest::SrUninstall => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!("UNINSTALL {}", request.bundle_id); + Ok(()) + } + SecurityRequest::SrSizeBuffer => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!("SIZE BUFFER bundle_id {}", request.bundle_id); + let _ = postcard::to_slice( + &0u32, // TODO(sleffler): fill-in + reply_buffer, + ) + .map_err(serialize_failure)?; + Ok(()) + } + SecurityRequest::SrGetManifest => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!("GET MANIFEST bundle_id {}", request.bundle_id); + let _ = postcard::to_slice( + "# Comments like this + [Manifest] + BundleId=com.google.cerebra.hw.HelloWorld + + [Binaries] + App=HelloWorldBin + Model=NeuralNetworkName + + [Storage] + Required=1 + ", // TODO(sleffler): fill-in + reply_buffer, + ) + .map_err(serialize_failure)?; + Ok(()) + } + SecurityRequest::SrLoadApplication => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "LOAD APPLICATION bundle_id {} addr {:p}", + request.bundle_id, + request.app_binary + ); + Ok(()) + } + SecurityRequest::SrLoadModel => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "LOAD MODEL bundle_id {} model_id {} addr {:p}", + request.bundle_id, + request.model_id, + request.model_binary + ); + Ok(()) + } + SecurityRequest::SrReadKey => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "READ KEY bundle_id {} key {}", + request.bundle_id, + request.key, + ); + // TODO(sleffler): fill-in + Err(SreReadFailed) + } + SecurityRequest::SrWriteKey => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "WRITE KEY bundle_id {} key {} value {:?}", + request.bundle_id, + request.key, + request.value, + ); + // TODO(sleffler): fill-in + Err(SreWriteFailed) + } + SecurityRequest::SrDeleteKey => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "DELETE KEY bundle_id {} key {}", + request.bundle_id, + request.key, + ); + // TODO(sleffler): fill-in + Err(SreDeleteFailed) + } + } + } +} diff --git a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/impl.rs b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/impl.rs new file mode 100644 index 0000000..8bc157e --- /dev/null +++ b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/impl.rs @@ -0,0 +1,132 @@ +//! Kata OS security coordinator seL4 support + +extern crate alloc; +use kata_security_common::*; +use log::trace; +use postcard; + +pub struct SeL4SecurityCoordinatorInterface { + // TODO(sleffler): mailbox ipc state +} +impl SeL4SecurityCoordinatorInterface { + pub fn new() -> Self { + SeL4SecurityCoordinatorInterface {} + } +} +pub type KataSecurityCoordinatorInterface = SeL4SecurityCoordinatorInterface; + +impl SecurityCoordinatorInterface for SeL4SecurityCoordinatorInterface { + fn request( + &mut self, + request_id: SecurityRequest, + request_buffer: &[u8], + _reply_buffer: &mut [u8], + ) -> Result<(), SecurityRequestError> { + use SecurityRequestError::*; + + fn _serialize_failure(e: postcard::Error) -> SecurityRequestError { + trace!("serialize failed: {:?}", e); + SreBundleDataInvalid + } + fn deserialize_failure(e: postcard::Error) -> SecurityRequestError { + trace!("deserialize failed: {:?}", e); + SreBundleDataInvalid + } + + // TODO(sleffler): mailbox ipc + match request_id { + SecurityRequest::SrEcho => { + trace!("ECHO {:?}", request_buffer); + // TODO(sleffler): fill-in + Err(SreEchoFailed) + } + SecurityRequest::SrInstall => { + trace!( + "INSTALL addr {:p} len {}", + request_buffer.as_ptr(), + request_buffer.len() + ); + // TODO(sleffler): fill-in + Err(SreInstallFailed) + } + SecurityRequest::SrUninstall => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!("UNINSTALL {}", request.bundle_id); + // TODO(sleffler): fill-in + Err(SreUninstallFailed) + } + SecurityRequest::SrSizeBuffer => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!("SIZE BUFFER bundle_id {}", request.bundle_id); + // TODO(sleffler): fill-in + Err(SreSizeBufferFailed) + } + SecurityRequest::SrGetManifest => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!("GET MANIFEST bundle_id {}", request.bundle_id); + // TODO(sleffler): fill-in + Err(SreGetManifestFailed) + } + SecurityRequest::SrLoadApplication => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "LOAD APPLICATION bundle_id {} addr {:p}", + request.bundle_id, + request.app_binary + ); + // TODO(sleffler): fill-in + Err(SreLoadApplicationFailed) + } + SecurityRequest::SrLoadModel => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "LOAD MODEL bundle_id {} model_id {} addr {:p}", + request.bundle_id, + request.model_id, + request.model_binary + ); + // TODO(sleffler): fill-in + Err(SreLoadModelFailed) + } + SecurityRequest::SrReadKey => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "READ KEY bundle_id {} key {}", + request.bundle_id, + request.key, + ); + // TODO(sleffler): fill-in + Err(SreReadFailed) + } + SecurityRequest::SrWriteKey => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "WRITE KEY bundle_id {} key {} value {:?}", + request.bundle_id, + request.key, + request.value, + ); + // TODO(sleffler): fill-in + Err(SreWriteFailed) + } + SecurityRequest::SrDeleteKey => { + let request = postcard::from_bytes::(&request_buffer[..]) + .map_err(deserialize_failure)?; + trace!( + "DELETE KEY bundle_id {} key {}", + request.bundle_id, + request.key, + ); + // TODO(sleffler): fill-in + Err(SreDeleteFailed) + } + } + } +} diff --git a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs index 47575c3..4a9c2f3 100644 --- a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs +++ b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs @@ -6,10 +6,15 @@ extern crate alloc; use alloc::boxed::Box; -use alloc::string::ToString; use kata_security_common::*; -use log::trace; -use postcard; + +#[cfg(all(feature = "fake", feature = "sel4"))] +compile_error!("features \"fake\" and \"sel4\" are mutually exclusive"); + +#[cfg_attr(feature = "sel4", path = "impl.rs")] +#[cfg_attr(feature = "fake", path = "fakeimpl/mod.rs")] +mod platform; +pub use platform::KataSecurityCoordinatorInterface; #[cfg(not(test))] pub static mut KATA_SECURITY: KataSecurityCoordinator = KataSecurityCoordinator::empty(); @@ -20,7 +25,6 @@ pub static mut KATA_SECURITY: KataSecurityCoordinator = KataSecurityCoordinator: // NB: no locking is done; we assume the caller/user is single-threaded pub struct KataSecurityCoordinator { manager: Option>, - // TODO(sleffler): mailbox ipc state } impl KataSecurityCoordinator { // Constructs a partially-initialized instance; to complete call init(). @@ -30,7 +34,7 @@ impl KataSecurityCoordinator { } pub fn init(&mut self) { - self.manager = Some(Box::new(KataSecurityCoordinatorInterface)); + self.manager = Some(Box::new(KataSecurityCoordinatorInterface::new())); } } impl SecurityCoordinatorInterface for KataSecurityCoordinator { @@ -46,105 +50,3 @@ impl SecurityCoordinatorInterface for KataSecurityCoordinator { .request(request_id, request_buffer, reply_buffer) } } - -struct KataSecurityCoordinatorInterface; -// TODO(sleffler): move this to a feature-controlled fake -impl SecurityCoordinatorInterface for KataSecurityCoordinatorInterface { - fn request( - &mut self, - request_id: SecurityRequest, - request_buffer: &[u8], - reply_buffer: &mut [u8], - ) -> Result<(), SecurityRequestError> { - fn serialize_failure(e: postcard::Error) -> SecurityRequestError { - trace!("serialize failed: {:?}", e); - SecurityRequestError::SreBundleDataInvalid - } - fn deserialize_failure(e: postcard::Error) -> SecurityRequestError { - trace!("deserialize failed: {:?}", e); - SecurityRequestError::SreBundleDataInvalid - } - - // TODO(sleffler): mailbox ipc - match request_id { - SecurityRequest::SrEcho => { - trace!("ECHO {:?}", request_buffer); - reply_buffer[0..request_buffer.len()].copy_from_slice(&request_buffer[..]); - Ok(()) - } - SecurityRequest::SrInstall => { - trace!( - "INSTALL addr {:p} len {}", - request_buffer.as_ptr(), - request_buffer.len() - ); - let _ = postcard::to_slice( - &(request_buffer.as_ptr() as usize).to_string(), - reply_buffer, - ) - .map_err(serialize_failure)?; - Ok(()) - } - SecurityRequest::SrUninstall => { - let request = postcard::from_bytes::(&request_buffer[..]) - .map_err(deserialize_failure)?; - trace!("UNINSTALL {}", request.bundle_id); - Ok(()) - } - SecurityRequest::SrSizeBuffer => { - let request = postcard::from_bytes::(&request_buffer[..]) - .map_err(deserialize_failure)?; - trace!("SIZE BUFFER bundle_id {}", request.bundle_id); - let _ = postcard::to_slice( - &0u32, // TODO(sleffler): fill-in - reply_buffer - ).map_err(serialize_failure)?; - Ok(()) - } - SecurityRequest::SrGetManifest => { - let request = postcard::from_bytes::(&request_buffer[..]) - .map_err(deserialize_failure)?; - trace!("GET MANIFEST bundle_id {}", request.bundle_id); - let _ = postcard::to_slice( - "# Comments like this - [Manifest] - BundleId=com.google.cerebra.hw.HelloWorld - - [Binaries] - App=HelloWorldBin - Model=NeuralNetworkName - - [Storage] - Required=1 - ", // TODO(sleffler): fill-in - reply_buffer - ).map_err(serialize_failure)?; - Ok(()) - } - SecurityRequest::SrLoadApplication => { - let request = postcard::from_bytes::(&request_buffer[..]) - .map_err(deserialize_failure)?; - trace!( - "LOAD APPLICATION bundle_id {} addr {:p}", - request.bundle_id, - request.app_binary - ); - Ok(()) - } - SecurityRequest::SrLoadModel => { - let request = postcard::from_bytes::(&request_buffer[..]) - .map_err(deserialize_failure)?; - trace!( - "LOAD MODEL bundle_id {} model_id {} addr {:p}", - request.bundle_id, - request.model_id, - request.model_binary - ); - Ok(()) - } - SecurityRequest::SrReadKey => Err(SecurityRequestError::SreReadFailed), - SecurityRequest::SrWriteKey => Err(SecurityRequestError::SreWriteFailed), - SecurityRequest::SrDeleteKey => Err(SecurityRequestError::SreDeleteFailed), - } - } -}