many less trusted/ignored
enjhnsn2 committed Jul 31, 2024
1 parent 0daa1a2 commit ed37589
Showing 6 changed files with 27 additions and 13 deletions.
3 changes: 3 additions & 0 deletions kernel/src/deferred_call.rs
Expand Up @@ -95,6 +95,7 @@ impl<'a> DynDefCallRef<'a> {
// are identical, making this zero-cost, but saving us from having to trust
// that `fn(*const ())` and `fn handle_deferred_call(&self)` will always have the same calling
// convention for any type.
#[flux::trusted]
fn new<T: DeferredCallClient>(x: &'a T) -> Self {
Self {
data: x as *const _ as *const (),
Expand All @@ -106,6 +107,7 @@ impl<'a> DynDefCallRef<'a> {

impl DynDefCallRef<'_> {
// more efficient pass by `self` if we don't have to implement `DeferredCallClient` directly
#[flux::trusted]
fn handle_deferred_call(self) {
(self.callback)(self.data)
}
Expand Down Expand Up @@ -139,6 +141,7 @@ pub struct DeferredCall {
idx: usize,
}

#[flux::trusted]
impl DeferredCall {
/// Creates a new deferred call with a unique ID.
pub fn new() -> Self {
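Review bot: The `#[flux::trusted]` on the whole `impl DeferredCall` block in the third hunk (`@@ -139,6 +141,7`) removes every method of that impl from Flux verification at once, whereas the first two hunks trust only `new` and `handle_deferred_call`, the two functions that actually perform the `*const ()` cast and the indirect callback call. Nothing on the page says which method in `impl DeferredCall` the verifier could not handle, so a reader cannot tell a deliberate trust boundary from a leftover; a one-line justification such as `#[flux::trusted] // VTOCK-note: <reason the block cannot be verified>` (the same convention process_printer.rs uses) would make the widening of the trusted base reviewable. The body of `impl DeferredCall` continues outside the hunk, so the set of methods this attribute covers is not visible here.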
18 changes: 18 additions & 0 deletions kernel/src/grant.rs
Expand Up @@ -272,6 +272,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> {
/// `EnteredGrantKernelManagedLayout` for the given `base_ptr` at the same
/// time, otherwise multiple mutable references to the same upcall/allow
/// slices could be created.
#[flux::trusted]
unsafe fn read_from_base(
base_ptr: NonNull<u8>,
process: &'a dyn Process,
Expand Down Expand Up @@ -309,6 +310,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> {
/// not be any other `EnteredGrantKernelManagedLayout` for
/// the given `base_ptr` at the same time, otherwise multiple mutable
/// references to the same upcall/allow slices could be created.
#[flux::trusted]
unsafe fn initialize_from_counts(
base_ptr: NonNull<u8>,
upcalls_num_val: UpcallItems,
Expand Down Expand Up @@ -347,6 +349,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> {
/// Returns the entire grant size including the kernel owned memory,
/// padding, and data for T. Requires that grant_t_align be a power of 2,
/// which is guaranteed from align_of rust calls.
#[flux::trusted]
fn grant_size(
upcalls_num: UpcallItems,
allow_ro_num: AllowRoItems,
Expand Down Expand Up @@ -394,6 +397,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> {
// grant region. Caller must verify that memory is accessible and well
// aligned to T.
let grant_t_size_usize: usize = grant_t_size.0;
assume(grant_size > grant_t_size_usize);
NonNull::new_unchecked(base_ptr.as_ptr().add(grant_size - grant_t_size_usize))
}

Expand Down Expand Up @@ -571,6 +575,7 @@ pub struct GrantKernelData<'a> {
impl<'a> GrantKernelData<'a> {
/// Create a `GrantKernelData` object to provide a handle for capsules to
/// call Upcalls.
#[flux::trusted]
fn new(
upcalls: &'a [SavedUpcall],
allow_ro: &'a [SavedAllowRo],
Expand Down Expand Up @@ -634,6 +639,7 @@ impl<'a> GrantKernelData<'a> {
/// be returned. This returns a process::Error to allow for easy chaining of
/// this function with the ReadOnlyProcessBuffer::enter function with
/// `and_then`.
#[flux::trusted]
pub fn get_readonly_processbuffer(
&self,
allow_ro_num: usize,
Expand Down Expand Up @@ -673,6 +679,7 @@ impl<'a> GrantKernelData<'a> {
/// be return. This returns a process::Error to allow for easy chaining of
/// this function with the `ReadWriteProcessBuffer::enter()` function with
/// `and_then`.
#[flux::trusted]
pub fn get_readwrite_processbuffer(
&self,
allow_rw_num: usize,
Expand Down Expand Up @@ -1199,6 +1206,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow
/// Note, a grant can only be entered once at a time. Attempting to call
/// `.enter()` on a grant while it is already entered will result in a
/// panic!()`. See the comment in `access_grant()` for more information.
#[flux::trusted]
pub fn enter<F, R>(self, fun: F) -> R
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData) -> R,
Expand Down Expand Up @@ -1264,6 +1272,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow
///
/// Returns `None` if the grant is already entered. Otherwise returns
/// `Some(fun())`.
#[flux::trusted]
pub fn try_enter<F, R>(self, fun: F) -> Option<R>
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData) -> R,
Expand All @@ -1282,6 +1291,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow
/// Note, a grant can only be entered once at a time. Attempting to call
/// `.enter()` on a grant while it is already entered will result in a
/// panic!()`. See the comment in `access_grant()` for more information.
#[flux::trusted]
pub fn enter_with_allocator<F, R>(self, fun: F) -> R
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData, &mut GrantRegionAllocator) -> R,
Expand All @@ -1300,6 +1310,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow
/// If `panic_on_reenter` is `true`, this will panic if the grant region is
/// already currently entered. If `panic_on_reenter` is `false`, this will
/// return `None` if the grant region is entered and do nothing.
#[flux::trusted]
fn access_grant<F, R>(self, fun: F, panic_on_reenter: bool) -> Option<R>
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData) -> R,
Expand All @@ -1316,6 +1327,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow
/// If `panic_on_reenter` is `true`, this will panic if the grant region is
/// already currently entered. If `panic_on_reenter` is `false`, this will
/// return `None` if the grant region is entered and do nothing.
#[flux::trusted]
fn access_grant_with_allocator<F, R>(self, fun: F, panic_on_reenter: bool) -> Option<R>
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData, &mut GrantRegionAllocator) -> R,
Expand Down Expand Up @@ -1498,6 +1510,7 @@ impl<T> CustomGrant<T> {
/// Because this function requires `&mut self`, it should be impossible to
/// access the inner data of a given `CustomGrant` reentrantly. Thus the
/// reentrance detection we use for non-custom grants is not needed here.
#[flux::trusted]
pub fn enter<F, R>(&mut self, fun: F) -> Result<R, Error>
where
F: FnOnce(GrantData<'_, T>) -> R,
Expand Down Expand Up @@ -1550,6 +1563,7 @@ impl GrantRegionAllocator {
/// # Panic Safety
///
/// If `init` panics, the freshly allocated memory may leak.
#[flux::trusted]
pub fn alloc_with<T, F>(&mut self, init: F) -> Result<CustomGrant<T>, Error>
where
F: FnOnce() -> T,
Expand Down Expand Up @@ -1579,6 +1593,7 @@ impl GrantRegionAllocator {
///
/// If `val_func` panics, the freshly allocated memory and any values
/// already written will be leaked.
#[flux::trusted]
pub fn alloc_n_with<T, F, const NUM_ITEMS: usize>(
&mut self,
mut init: F,
Expand Down Expand Up @@ -1698,6 +1713,7 @@ impl<T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSi
/// This creates a `ProcessGrant` which is a handle for a grant allocated
/// for a specific process. Then, that `ProcessGrant` is entered and the
/// provided closure is run with access to the memory in the grant region.
#[flux::trusted]
pub fn enter<F, R>(&self, processid: ProcessId, fun: F) -> Result<R, Error>
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData) -> R,
Expand All @@ -1719,6 +1735,7 @@ impl<T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSi
///
/// The allocator allows the caller to dynamically allocate additional
/// memory in the process's grant region.
#[flux::trusted]
pub fn enter_with_allocator<F, R>(&self, processid: ProcessId, fun: F) -> Result<R, Error>
where
F: FnOnce(&mut GrantData<T>, &GrantKernelData, &mut GrantRegionAllocator) -> R,
Expand All @@ -1744,6 +1761,7 @@ impl<T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSi
///
/// Calling this function when an `ProcessGrant` for a process is currently
/// entered will result in a panic.
#[flux::trusted]
pub fn each<F>(&self, mut fun: F)
where
F: FnMut(ProcessId, &mut GrantData<T>, &GrantKernelData),
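Review bot: `assume(grant_size > grant_t_size_usize);` in the hunk at `@@ -394,6 +397,7` injects an unverified axiom directly in front of `NonNull::new_unchecked(base_ptr.as_ptr().add(grant_size - grant_t_size_usize))`; if the assumption were ever false the subtraction would wrap and the pointer arithmetic would leave the grant region, so a clean Flux result for this function would be only as good as that one line. The fact presumably follows from how `grant_size` is computed before the hunk (the enclosing function starts outside it), so the preferable fix is to express it as a refinement on the argument the verifier can discharge, and at minimum to record where it is established and add `debug_assert!(grant_size > grant_t_size_usize);` next to the `assume` so debug builds check it; note the subtraction itself only needs `>=`, so the stricter `>` may be harder to prove than the real precondition. The same review applies to the `#[flux::trusted]` added on `get_readonly_processbuffer`, `get_readwrite_processbuffer`, `enter`, `try_enter` and `access_grant*`: these are the paths where a capsule's `allow_ro_num`/`allow_rw_num` index is checked against the grant's slices, and trusting them is exactly where a bounds proof would have been most valuable, so each deserves a comment naming the obstacle.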
13 changes: 4 additions & 9 deletions kernel/src/ipc.rs
Expand Up @@ -42,18 +42,11 @@ pub enum IPCUpcallType {
struct IPCData;

/// The IPC mechanism struct.
#[flux::ignore]
pub struct IPC<const NUM_PROCS: u8> {
/// The grant regions for each process that holds the per-process IPC data.
data: Grant<
IPCData,
UpcallCount<NUM_PROCS>,
AllowRoCount<{ ro_allow::COUNT }>,
AllowRwCount<NUM_PROCS>,
>,
data: Grant<IPCData, UpcallCount<NUM_PROCS>, AllowRoCount<1>, AllowRwCount<NUM_PROCS>>,
}

#[flux::ignore]
impl<const NUM_PROCS: u8> IPC<NUM_PROCS> {
pub fn new(
kernel: &'static Kernel,
Expand All @@ -67,6 +60,7 @@ impl<const NUM_PROCS: u8> IPC<NUM_PROCS> {

/// Schedule an IPC upcall for a process. This is called by the main
/// scheduler loop if an IPC task was queued for the process.
#[flux::trusted]
pub(crate) unsafe fn schedule_upcall(
&self,
schedule_on: ProcessId,
Expand Down Expand Up @@ -104,7 +98,7 @@ impl<const NUM_PROCS: u8> IPC<NUM_PROCS> {
}
}

#[flux::ignore]
// #[flux::ignore]
impl<const NUM_PROCS: u8> SyscallDriver for IPC<NUM_PROCS> {
/// command is how notify() is implemented.
/// Notifying an IPC service is done by setting client_or_svc to 0,
Expand All @@ -127,6 +121,7 @@ impl<const NUM_PROCS: u8> SyscallDriver for IPC<NUM_PROCS> {
/// - `3`: Notify a client with descriptor `target_id`, typically in response to a previous
/// notify from the client. Returns an error if `target_id` refers to an invalid client
/// or the notify fails to enqueue.
#[flux::trusted]
fn command(
&self,
command_number: usize,
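Review bot: In the first hunk the `IPC` struct's grant type changes from `AllowRoCount<{ ro_allow::COUNT }>` to `AllowRoCount<1>`, which hardcodes a value that was previously derived from the `ro_allow` module; if `ro_allow::COUNT` is later changed, the grant's read-only allow count and the driver's allow numbering will drift apart silently, and the commit message gives no reason for the literal. If the literal is needed only to keep Flux from evaluating the const expression, a compile-time tie such as `const _: () = assert!(ro_allow::COUNT == 1);` beside the struct, plus a comment saying the literal must match `ro_allow::COUNT`, keeps the two in step without bringing the expression back. Separately, `// #[flux::ignore]` above the `SyscallDriver` impl is a commented-out attribute; either delete it or say why it is kept, since the adjacent struct and inherent impl simply drop theirs.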
3 changes: 0 additions & 3 deletions kernel/src/lib.rs
Expand Up @@ -108,14 +108,11 @@ pub mod capabilities;
pub mod collections;
pub mod component;
pub mod debug;
#[flux::trusted]
pub mod deferred_call;
pub mod errorcode;
#[flux::trusted]
pub mod grant;
pub mod hil;
pub mod introspection;
#[flux::trusted]
pub mod ipc;
pub mod platform;
pub mod process;
2 changes: 1 addition & 1 deletion kernel/src/process_printer.rs
Expand Up @@ -98,7 +98,7 @@ impl ProcessPrinter for ProcessPrinterText {
// being duplicated. However, it does not make sense that the kernel
// would want to run the process while it is displaying debugging
// information about it, so this should be a safe assumption.
#[flux::trusted]
#[flux::trusted] // VTOCK-note: times out
fn print_overview(
&self,
process: &dyn Process,
1 change: 1 addition & 0 deletions kernel/src/utilities/binary_write.rs
Expand Up @@ -109,6 +109,7 @@ impl<'a> core::fmt::Write for WriteToBinaryOffsetWrapper<'a> {
0
} else {
// We want to start in the middle.
// assume(self.offset > self.index);
self.offset - self.index
};

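Review bot: The added `// assume(self.offset > self.index);` is a commented-out precondition for the `self.offset - self.index` on the next line, so it neither verifies nor checks anything, and a reader cannot tell whether it was disabled because Flux already proves the bound or because it does not. The `if` whose `else` branch this is lies above the hunk (the enclosing `write_str` body starts and ends outside it), so whether that condition already establishes `index < offset` cannot be confirmed here; either remove the dead line or make it live as `debug_assert!(self.offset >= self.index);`, which is the bound the subtraction actually needs (equality gives a zero offset and is fine). If the intent is to leave a marker for later verification work, a `// VTOCK-note:` comment explaining why the assumption is currently unprovable, as done in process_printer.rs, would be clearer than commented-out code.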
