From 278cdb567abf491e17b909daf81fa218bd9d42f2 Mon Sep 17 00:00:00 2001
From: Robin Krahl <robin@nitrokey.com>
Date: Tue, 12 Dec 2023 21:06:56 +0100
Subject: [PATCH] Put unused syscalls behind features

CounterClient and CryptoClient::attest are not currently used by the
solo2 or nk3 firmwares, but due to the indirect dispatch of Trussed
requests, they cannot be optimized out by the linker.  This patch
introduces feature flags for these syscalls that are enabled by default.
---
 CHANGELOG.md     |  2 ++
 Cargo.toml       |  8 ++++++--
 src/client.rs    |  3 +++
 src/service.rs   | 13 +++++++++++++
 tests/counter.rs |  1 +
 5 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dabc23c5aeb..8401642fa9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Made `postcard_deserialize`, `postcard_serialize` and
   `postcard_serialize_bytes` private.
 - Changed `&PathBuf` to `&Path` where possible.
+- Put `CounterClient` and `CryptoClient::attest` behind feature flags (enabled
+  by default).
 
 ### Fixed
 
diff --git a/Cargo.toml b/Cargo.toml
index 6084de22824..db144704176 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -60,7 +60,7 @@ serde_cbor = { feature = "0.11.2", features = ["std"] }
 # rand_core = { version = "0.5", features = ["getrandom"] }
 
 [features]
-default = ["default-mechanisms", "clients-5"]
+default = ["default-mechanisms", "default-syscalls", "clients-5"]
 serde-extensions = []
 std = []
 verbose-tests = ["littlefs2/ll-assertions"]
@@ -75,7 +75,6 @@ log-warn = []
 log-error = []
 
 # mechanisms
-# default-mechanisms = ["aes256-cbc", "chacha8-poly1305", "ed255", "hmac-sha256", "p256", "sha256", "trng"]
 default-mechanisms = [
     "aes256-cbc",
     "chacha8-poly1305",
@@ -107,6 +106,11 @@ tdes = ["des"]
 totp = ["sha-1"]
 trng = ["sha-1"]
 
+# syscalls
+default-syscalls = ["counter-client", "crypto-client-attest"]
+counter-client = []
+crypto-client-attest = []
+
 clients-1 = []
 clients-2 = []
 clients-3 = []
diff --git a/src/client.rs b/src/client.rs
index b3456dfd13b..1c9cf1d9c02 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -305,6 +305,7 @@ pub trait CryptoClient: PollClient {
         })
     }
 
+    #[cfg(feature = "crypto-client-attest")]
     fn attest(
         &mut self,
         signing_mechanism: Mechanism,
@@ -568,6 +569,7 @@ pub trait CryptoClient: PollClient {
 
 /// Create counters, increment existing counters.
 pub trait CounterClient: PollClient {
+    #[cfg(feature = "counter-client")]
     fn create_counter(
         &mut self,
         location: Location,
@@ -575,6 +577,7 @@ pub trait CounterClient: PollClient {
         self.request(request::CreateCounter { location })
     }
 
+    #[cfg(feature = "counter-client")]
     fn increment_counter(
         &mut self,
         id: CounterId,
diff --git a/src/service.rs b/src/service.rs
index 03b88ca97c8..3e8bc3e1f36 100644
--- a/src/service.rs
+++ b/src/service.rs
@@ -150,6 +150,7 @@ impl<P: Platform> ServiceResources<P> {
 
         let keystore = once(|this, ctx| this.keystore(ctx.path.clone()));
         let certstore = once(|this, ctx| this.certstore(ctx));
+        #[cfg(feature = "counter-client")]
         let counterstore = once(|this, ctx| this.counterstore(ctx));
 
         let filestore = &mut self.filestore(ctx.path.clone());
@@ -170,6 +171,7 @@ impl<P: Platform> ServiceResources<P> {
                 }.map(Reply::Agree)
             },
 
+            #[cfg(feature = "crypto-client-attest")]
             Request::Attest(request) => {
                 let mut attn_keystore: ClientKeystore<P::S> = ClientKeystore::new(
                     PathBuf::from("attn"),
@@ -179,6 +181,9 @@ impl<P: Platform> ServiceResources<P> {
                 attest::try_attest(&mut attn_keystore, &mut certstore(self, ctx)?, &mut keystore(self, ctx)?, request).map(Reply::Attest)
             }
 
+            #[cfg(not(feature = "crypto-client-attest"))]
+            Request::Attest(_) => Err(Error::RequestNotAvailable),
+
             Request::Decrypt(request) => {
                 match request.mechanism {
 
@@ -609,16 +614,24 @@ impl<P: Platform> ServiceResources<P> {
                 Ok(Reply::SetCustomStatus(reply::SetCustomStatus {}))
             }
 
+            #[cfg(feature = "counter-client")]
             Request::CreateCounter(request) => {
                 counterstore(self, ctx)?.create(request.location)
                     .map(|id| Reply::CreateCounter(reply::CreateCounter { id } ))
             }
 
+            #[cfg(not(feature = "counter-client"))]
+            Request::CreateCounter(_) => Err(Error::RequestNotAvailable),
+
+            #[cfg(feature = "counter-client")]
             Request::IncrementCounter(request) => {
                 counterstore(self, ctx)?.increment(request.id)
                     .map(|counter| Reply::IncrementCounter(reply::IncrementCounter { counter } ))
             }
 
+            #[cfg(not(feature = "counter-client"))]
+            Request::IncrementCounter(_) => Err(Error::RequestNotAvailable),
+
             Request::DeleteCertificate(request) => {
                  certstore(self, ctx)?.delete_certificate(request.id)
                     .map(|_| Reply::DeleteCertificate(reply::DeleteCertificate {} ))
diff --git a/tests/counter.rs b/tests/counter.rs
index 8c94fc0038f..0e177d2eb1f 100644
--- a/tests/counter.rs
+++ b/tests/counter.rs
@@ -1,4 +1,5 @@
 #![cfg(feature = "virt")]
+#![cfg(feature = "counter-client")]
 
 mod client;
 mod store;