From d25dffb3dd671ece98edaa3eed5d8eeec0af1a7f Mon Sep 17 00:00:00 2001
From: Sam Leffler
Date: Thu, 22 Sep 2022 00:39:07 +0000
Subject: [PATCH] kata-security-interface: guard against sending a random cap
- assert kata_security_install is really sending a CNode
- have kata_security_request clear any unexpected capability associated with the ipcbuffer; this mostly guards against a received badge being treated as a cap if the ipcbuffer is turned around from recv to send
Change-Id: I8ac6634809aa11f0f249a7be296b43807d56dff8
GitOrigin-RevId: 21930c5f7a5e809460348da0d0b617004e77e065
---
 .../kata-security-coordinator/src/lib.rs | 2 +-
 .../kata-security-interface/src/lib.rs | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs
index ce2dc87..95c2cb4 100644
--- a/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs
+++ b/apps/system/components/SecurityCoordinator/kata-security-coordinator/src/lib.rs
@@ -22,9 +22,9 @@ extern crate alloc;
 use alloc::boxed::Box;
 use alloc::string::String;
 use kata_memory_interface::ObjDescBundle;
+use kata_security_interface::KeyValueData;
 use kata_security_interface::SecurityCoordinatorInterface;
 use kata_security_interface::SecurityRequestError;
-use kata_security_interface::KeyValueData;
 #[cfg(all(feature = "fake", feature = "sel4"))]
 compile_error!("features \"fake\" and \"sel4\" are mutually exclusive");
diff --git a/apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs b/apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs
index ae620a6..75856f6 100644
--- a/apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs
+++ b/apps/system/components/SecurityCoordinator/kata-security-interface/src/lib.rs
@@ -305,6 +305,11 @@ pub fn kata_security_request(
 reply_buffer as *mut _,
 )
 } else {
+ // NB: guard against a received badge being treated as an
+ // outbound capability. This is needed because the code CAmkES
+ // generates for security_request always enables possible xmit
+ // of 1 capability.
+ Camkes::clear_request_cap();
 security_request(
 request,
 request_buffer.len() as u32,
@@ -335,6 +340,10 @@ pub fn kata_security_echo(request: &str) -> Result
 #[inline]
 #[allow(dead_code)]
 pub fn kata_security_install(pkg_contents: &ObjDescBundle) -> Result {
+ Camkes::debug_assert_slot_cnode(
+ "kata_security_install",
+ &Camkes::top_level_path(pkg_contents.cnode),
+ );
 let reply = &mut [0u8; SECURITY_REPLY_DATA_SIZE];
 kata_security_request(
 SecurityRequest::SrInstall,
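Review bot: The new `Camkes::clear_request_cap()` call before `security_request(` only neutralises a stale badge if the value it writes into the IPC buffer's cap slot is one the kernel treats as "no capability", and nothing in the hunk says what that value is. As far as I recall seL4, with the generated stub's extraCaps field set to 1 a CPtr that resolves to an empty slot is simply not transferred, whereas a CPtr whose lookup fails raises a capability fault on the calling thread, so the helper's contract matters here. I would extend the NB comment with `// clear_request_cap() must leave a CPtr that resolves to an empty slot; a failed lookup would fault this thread rather than send nothing.` The clear is added on the `else` path only; presumably the `if` branch above writes the cap slot explicitly before sending, which deserves a one-line comment of its own. kata_security_request starts and ends outside this hunk.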
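Review bot: `Camkes::debug_assert_slot_cnode` in kata_security_install is compiled out of release builds, so the check the commit message describes ("assert ... is really sending a CNode") exists only in debug builds; in a release image a caller whose bundle's `cnode` field names some other capability still gets it sent along with the SrInstall request. If this is a trust boundary rather than a developer aid, the slot type should be checked at runtime and the function should return an error through its `Result` instead of proceeding, keeping the debug assertion as the fast-path sanity check. At minimum the function's doc comment should state the limitation, e.g. `/// NB: the CNode check on pkg_contents.cnode is a debug assertion only; release builds send the slot unchecked.` kata_security_install continues past the end of this hunk.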