kata-security-interface: guard against sending a random cap

- assert kata_security_install is really sending a CNode - have kata_security_request clear any unexpected capability associated with the ipcbuffer; this mostly guards against a received badge being treated as a cap if the ipcbuffer is turned around from recv to send Change-Id: I8ac6634809aa11f0f249a7be296b43807d56dff8 GitOrigin-RevId: 21930c5f7a5e809460348da0d0b617004e77e065
2025-05-06 22:46:44 +00:00 · 2022-09-22 00:39:07 +00:00 · 2022-09-22 00:39:07 +00:00 · d25dffb3dd
commit d25dffb3dd
parent a36368cf63
2 changed files with 10 additions and 1 deletions
--- a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs
+++ b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs
@ -22,9 +22,9 @@ extern crate alloc;
 use alloc::boxed::Box;
 use alloc::string::String;
 use kata_memory_interface::ObjDescBundle;
+use kata_security_interface::KeyValueData;
 use kata_security_interface::SecurityCoordinatorInterface;
 use kata_security_interface::SecurityRequestError;
-use kata_security_interface::KeyValueData;

 #[cfg(all(feature = "fake", feature = "sel4"))]
 compile_error!("features \"fake\" and \"sel4\" are mutually exclusive");
--- a/apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs
+++ b/apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs
@ -305,6 +305,11 @@ pub fn kata_security_request<T: Serialize + SecurityCapability>(
                reply_buffer as *mut _,
            )
        } else {
+            // NB: guard against a received badge being treated as an
+            // outbound capability. This is needed because the code CAmkES
+            // generates for security_request always enables possible xmit
+            // of 1 capability.
+            Camkes::clear_request_cap();
            security_request(
                request,
                request_buffer.len() as u32,
@ -335,6 +340,10 @@ pub fn kata_security_echo(request: &str) -> Result<String, SecurityRequestError>
 #[inline]
 #[allow(dead_code)]
 pub fn kata_security_install(pkg_contents: &ObjDescBundle) -> Result<String, SecurityRequestError> {
+    Camkes::debug_assert_slot_cnode(
+        "kata_security_install",
+        &Camkes::top_level_path(pkg_contents.cnode),
+    );
    let reply = &mut [0u8; SECURITY_REPLY_DATA_SIZE];
    kata_security_request(
        SecurityRequest::SrInstall,