Merge "kata-security-coordinator: split impl into fake & sel4"

GitOrigin-RevId: 397cf136e3375588082b8508fd2060116b3101cd
This commit is contained in:
Sam Leffler 2021-09-21 16:00:51 +00:00
parent 0633ce6761
commit c0a44de935
5 changed files with 303 additions and 107 deletions

View File

@ -125,8 +125,13 @@ pub enum SecurityRequestError {
SreValueInvalid, SreValueInvalid,
SreKeyInvalid, SreKeyInvalid,
// Generic errors, mostly used in unit tests // Generic errors, mostly used in unit tests
SreEchoFailed,
SreInstallFailed, SreInstallFailed,
SreUninstallFailed, SreUninstallFailed,
SreSizeBufferFailed,
SreGetManifestFailed,
SreLoadApplicationFailed,
SreLoadModelFailed,
SreReadFailed, SreReadFailed,
SreWriteFailed, SreWriteFailed,
SreDeleteFailed, SreDeleteFailed,

View File

@ -3,6 +3,11 @@ name = "kata-security-coordinator"
version = "0.1.0" version = "0.1.0"
edition = "2018" edition = "2018"
[features]
default = ["fake"] # TODO(sleffler): sel4 once it exists
fake = []
sel4 = []
[dependencies] [dependencies]
kata-security-common = { path = "../kata-security-common" } kata-security-common = { path = "../kata-security-common" }
log = "0.4" log = "0.4"

View File

@ -0,0 +1,152 @@
//! Kata OS security coordinator fake support
extern crate alloc;
use alloc::string::ToString;
use kata_security_common::*;
use log::trace;
use postcard;
pub struct FakeSecurityCoordinatorInterface {
// TODO(sleffler): mailbox ipc state
}
impl FakeSecurityCoordinatorInterface {
pub fn new() -> Self {
FakeSecurityCoordinatorInterface {}
}
}
pub type KataSecurityCoordinatorInterface = FakeSecurityCoordinatorInterface;
impl SecurityCoordinatorInterface for FakeSecurityCoordinatorInterface {
fn request(
&mut self,
request_id: SecurityRequest,
request_buffer: &[u8],
reply_buffer: &mut [u8],
) -> Result<(), SecurityRequestError> {
use SecurityRequestError::*;
fn serialize_failure(e: postcard::Error) -> SecurityRequestError {
trace!("serialize failed: {:?}", e);
SreBundleDataInvalid
}
fn deserialize_failure(e: postcard::Error) -> SecurityRequestError {
trace!("deserialize failed: {:?}", e);
SreBundleDataInvalid
}
// TODO(sleffler): mailbox ipc
match request_id {
SecurityRequest::SrEcho => {
trace!("ECHO {:?}", request_buffer);
reply_buffer[0..request_buffer.len()].copy_from_slice(&request_buffer[..]);
Ok(())
}
SecurityRequest::SrInstall => {
trace!(
"INSTALL addr {:p} len {}",
request_buffer.as_ptr(),
request_buffer.len()
);
let _ = postcard::to_slice(
&(request_buffer.as_ptr() as usize).to_string(),
reply_buffer,
)
.map_err(serialize_failure)?;
Ok(())
}
SecurityRequest::SrUninstall => {
let request = postcard::from_bytes::<UninstallRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("UNINSTALL {}", request.bundle_id);
Ok(())
}
SecurityRequest::SrSizeBuffer => {
let request = postcard::from_bytes::<SizeBufferRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("SIZE BUFFER bundle_id {}", request.bundle_id);
let _ = postcard::to_slice(
&0u32, // TODO(sleffler): fill-in
reply_buffer,
)
.map_err(serialize_failure)?;
Ok(())
}
SecurityRequest::SrGetManifest => {
let request = postcard::from_bytes::<SizeBufferRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("GET MANIFEST bundle_id {}", request.bundle_id);
let _ = postcard::to_slice(
"# Comments like this
[Manifest]
BundleId=com.google.cerebra.hw.HelloWorld
[Binaries]
App=HelloWorldBin
Model=NeuralNetworkName
[Storage]
Required=1
", // TODO(sleffler): fill-in
reply_buffer,
)
.map_err(serialize_failure)?;
Ok(())
}
SecurityRequest::SrLoadApplication => {
let request = postcard::from_bytes::<LoadApplicationRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"LOAD APPLICATION bundle_id {} addr {:p}",
request.bundle_id,
request.app_binary
);
Ok(())
}
SecurityRequest::SrLoadModel => {
let request = postcard::from_bytes::<LoadModelRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"LOAD MODEL bundle_id {} model_id {} addr {:p}",
request.bundle_id,
request.model_id,
request.model_binary
);
Ok(())
}
SecurityRequest::SrReadKey => {
let request = postcard::from_bytes::<ReadKeyRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"READ KEY bundle_id {} key {}",
request.bundle_id,
request.key,
);
// TODO(sleffler): fill-in
Err(SreReadFailed)
}
SecurityRequest::SrWriteKey => {
let request = postcard::from_bytes::<WriteKeyRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"WRITE KEY bundle_id {} key {} value {:?}",
request.bundle_id,
request.key,
request.value,
);
// TODO(sleffler): fill-in
Err(SreWriteFailed)
}
SecurityRequest::SrDeleteKey => {
let request = postcard::from_bytes::<DeleteKeyRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"DELETE KEY bundle_id {} key {}",
request.bundle_id,
request.key,
);
// TODO(sleffler): fill-in
Err(SreDeleteFailed)
}
}
}
}

View File

@ -0,0 +1,132 @@
//! Kata OS security coordinator seL4 support
extern crate alloc;
use kata_security_common::*;
use log::trace;
use postcard;
pub struct SeL4SecurityCoordinatorInterface {
// TODO(sleffler): mailbox ipc state
}
impl SeL4SecurityCoordinatorInterface {
pub fn new() -> Self {
SeL4SecurityCoordinatorInterface {}
}
}
pub type KataSecurityCoordinatorInterface = SeL4SecurityCoordinatorInterface;
impl SecurityCoordinatorInterface for SeL4SecurityCoordinatorInterface {
fn request(
&mut self,
request_id: SecurityRequest,
request_buffer: &[u8],
_reply_buffer: &mut [u8],
) -> Result<(), SecurityRequestError> {
use SecurityRequestError::*;
fn _serialize_failure(e: postcard::Error) -> SecurityRequestError {
trace!("serialize failed: {:?}", e);
SreBundleDataInvalid
}
fn deserialize_failure(e: postcard::Error) -> SecurityRequestError {
trace!("deserialize failed: {:?}", e);
SreBundleDataInvalid
}
// TODO(sleffler): mailbox ipc
match request_id {
SecurityRequest::SrEcho => {
trace!("ECHO {:?}", request_buffer);
// TODO(sleffler): fill-in
Err(SreEchoFailed)
}
SecurityRequest::SrInstall => {
trace!(
"INSTALL addr {:p} len {}",
request_buffer.as_ptr(),
request_buffer.len()
);
// TODO(sleffler): fill-in
Err(SreInstallFailed)
}
SecurityRequest::SrUninstall => {
let request = postcard::from_bytes::<UninstallRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("UNINSTALL {}", request.bundle_id);
// TODO(sleffler): fill-in
Err(SreUninstallFailed)
}
SecurityRequest::SrSizeBuffer => {
let request = postcard::from_bytes::<SizeBufferRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("SIZE BUFFER bundle_id {}", request.bundle_id);
// TODO(sleffler): fill-in
Err(SreSizeBufferFailed)
}
SecurityRequest::SrGetManifest => {
let request = postcard::from_bytes::<SizeBufferRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("GET MANIFEST bundle_id {}", request.bundle_id);
// TODO(sleffler): fill-in
Err(SreGetManifestFailed)
}
SecurityRequest::SrLoadApplication => {
let request = postcard::from_bytes::<LoadApplicationRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"LOAD APPLICATION bundle_id {} addr {:p}",
request.bundle_id,
request.app_binary
);
// TODO(sleffler): fill-in
Err(SreLoadApplicationFailed)
}
SecurityRequest::SrLoadModel => {
let request = postcard::from_bytes::<LoadModelRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"LOAD MODEL bundle_id {} model_id {} addr {:p}",
request.bundle_id,
request.model_id,
request.model_binary
);
// TODO(sleffler): fill-in
Err(SreLoadModelFailed)
}
SecurityRequest::SrReadKey => {
let request = postcard::from_bytes::<ReadKeyRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"READ KEY bundle_id {} key {}",
request.bundle_id,
request.key,
);
// TODO(sleffler): fill-in
Err(SreReadFailed)
}
SecurityRequest::SrWriteKey => {
let request = postcard::from_bytes::<WriteKeyRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"WRITE KEY bundle_id {} key {} value {:?}",
request.bundle_id,
request.key,
request.value,
);
// TODO(sleffler): fill-in
Err(SreWriteFailed)
}
SecurityRequest::SrDeleteKey => {
let request = postcard::from_bytes::<DeleteKeyRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"DELETE KEY bundle_id {} key {}",
request.bundle_id,
request.key,
);
// TODO(sleffler): fill-in
Err(SreDeleteFailed)
}
}
}
}

View File

@ -6,10 +6,15 @@
extern crate alloc; extern crate alloc;
use alloc::boxed::Box; use alloc::boxed::Box;
use alloc::string::ToString;
use kata_security_common::*; use kata_security_common::*;
use log::trace;
use postcard; #[cfg(all(feature = "fake", feature = "sel4"))]
compile_error!("features \"fake\" and \"sel4\" are mutually exclusive");
#[cfg_attr(feature = "sel4", path = "impl.rs")]
#[cfg_attr(feature = "fake", path = "fakeimpl/mod.rs")]
mod platform;
pub use platform::KataSecurityCoordinatorInterface;
#[cfg(not(test))] #[cfg(not(test))]
pub static mut KATA_SECURITY: KataSecurityCoordinator = KataSecurityCoordinator::empty(); pub static mut KATA_SECURITY: KataSecurityCoordinator = KataSecurityCoordinator::empty();
@ -20,7 +25,6 @@ pub static mut KATA_SECURITY: KataSecurityCoordinator = KataSecurityCoordinator:
// NB: no locking is done; we assume the caller/user is single-threaded // NB: no locking is done; we assume the caller/user is single-threaded
pub struct KataSecurityCoordinator { pub struct KataSecurityCoordinator {
manager: Option<Box<dyn SecurityCoordinatorInterface + Sync>>, manager: Option<Box<dyn SecurityCoordinatorInterface + Sync>>,
// TODO(sleffler): mailbox ipc state
} }
impl KataSecurityCoordinator { impl KataSecurityCoordinator {
// Constructs a partially-initialized instance; to complete call init(). // Constructs a partially-initialized instance; to complete call init().
@ -30,7 +34,7 @@ impl KataSecurityCoordinator {
} }
pub fn init(&mut self) { pub fn init(&mut self) {
self.manager = Some(Box::new(KataSecurityCoordinatorInterface)); self.manager = Some(Box::new(KataSecurityCoordinatorInterface::new()));
} }
} }
impl SecurityCoordinatorInterface for KataSecurityCoordinator { impl SecurityCoordinatorInterface for KataSecurityCoordinator {
@ -46,105 +50,3 @@ impl SecurityCoordinatorInterface for KataSecurityCoordinator {
.request(request_id, request_buffer, reply_buffer) .request(request_id, request_buffer, reply_buffer)
} }
} }
struct KataSecurityCoordinatorInterface;
// TODO(sleffler): move this to a feature-controlled fake
impl SecurityCoordinatorInterface for KataSecurityCoordinatorInterface {
fn request(
&mut self,
request_id: SecurityRequest,
request_buffer: &[u8],
reply_buffer: &mut [u8],
) -> Result<(), SecurityRequestError> {
fn serialize_failure(e: postcard::Error) -> SecurityRequestError {
trace!("serialize failed: {:?}", e);
SecurityRequestError::SreBundleDataInvalid
}
fn deserialize_failure(e: postcard::Error) -> SecurityRequestError {
trace!("deserialize failed: {:?}", e);
SecurityRequestError::SreBundleDataInvalid
}
// TODO(sleffler): mailbox ipc
match request_id {
SecurityRequest::SrEcho => {
trace!("ECHO {:?}", request_buffer);
reply_buffer[0..request_buffer.len()].copy_from_slice(&request_buffer[..]);
Ok(())
}
SecurityRequest::SrInstall => {
trace!(
"INSTALL addr {:p} len {}",
request_buffer.as_ptr(),
request_buffer.len()
);
let _ = postcard::to_slice(
&(request_buffer.as_ptr() as usize).to_string(),
reply_buffer,
)
.map_err(serialize_failure)?;
Ok(())
}
SecurityRequest::SrUninstall => {
let request = postcard::from_bytes::<UninstallRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("UNINSTALL {}", request.bundle_id);
Ok(())
}
SecurityRequest::SrSizeBuffer => {
let request = postcard::from_bytes::<SizeBufferRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("SIZE BUFFER bundle_id {}", request.bundle_id);
let _ = postcard::to_slice(
&0u32, // TODO(sleffler): fill-in
reply_buffer
).map_err(serialize_failure)?;
Ok(())
}
SecurityRequest::SrGetManifest => {
let request = postcard::from_bytes::<SizeBufferRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!("GET MANIFEST bundle_id {}", request.bundle_id);
let _ = postcard::to_slice(
"# Comments like this
[Manifest]
BundleId=com.google.cerebra.hw.HelloWorld
[Binaries]
App=HelloWorldBin
Model=NeuralNetworkName
[Storage]
Required=1
", // TODO(sleffler): fill-in
reply_buffer
).map_err(serialize_failure)?;
Ok(())
}
SecurityRequest::SrLoadApplication => {
let request = postcard::from_bytes::<LoadApplicationRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"LOAD APPLICATION bundle_id {} addr {:p}",
request.bundle_id,
request.app_binary
);
Ok(())
}
SecurityRequest::SrLoadModel => {
let request = postcard::from_bytes::<LoadModelRequest>(&request_buffer[..])
.map_err(deserialize_failure)?;
trace!(
"LOAD MODEL bundle_id {} model_id {} addr {:p}",
request.bundle_id,
request.model_id,
request.model_binary
);
Ok(())
}
SecurityRequest::SrReadKey => Err(SecurityRequestError::SreReadFailed),
SecurityRequest::SrWriteKey => Err(SecurityRequestError::SreWriteFailed),
SecurityRequest::SrDeleteKey => Err(SecurityRequestError::SreDeleteFailed),
}
}
}