Interruptions of user presence check

[sosthene-nitrokey]

As described in trussed-dev/ctaphid-dispatch#2, there is currently no way to cancel the user presence request. This is useful when a command expects a user presence check but is cancelled, which renders the device unresponsive for

Currently the looping and the timeout is implemented in trussed: https://github.com/trussed-dev/trussed/blob/main/src/service.rs#L528.
The service implementation could simply check in each iteration if the interchange from which the request comes has been cancelled. This would allow the apps to cancel the requests. However apps can't actually use this since they run in a lower-priority task than trussed.

The solution I see would be to have instead the usbd-{ctaphid/ccid} drivers trigger the cancellation of the ongoing request. I would:

• Check in the loop that the request has not been cancelled
• When polling, check that channels are not cancelled and if they are acknowledge the cancellation.
• Add a method on an interchange Channel that can cancel an ongoing request from a simple reference.
• Add an AtomicPtr<Channel> shared between the dispatch and usbd structs. When a request is in flight, the -dispatch crates would set it to point to the trussed interchange of the client of the app that is responding. When the usbd crate triggers a cancellation, it would load this pointer to cancel the running app. Null means nothing to cancel. This is safe because all interchanges are 'static.

Other options I see would be to add explicit AtomicBool or AtomicU8 that would convey cancellation information, but this would be more intrusive, duplicate cancellation logic with interchanges.

I generally feel like it's shouldn't really be the usbd-* crates job to cancel requests at the trussed level but I don't see how to do it better. Ideally it should be the dispatch crates but they can't actually do because they're in the same task as the apps.

[sosthene-nitrokey]

Progress:

• Interchange interrupts from a channel ref: Add support for interrupt interchange#13
• Trussed cancellation of requests: Support cancellation of requests #125

[sosthene-nitrokey]

Fully implemented cancellation for FIDO:
Nitrokey/nitrokey-3-firmware#272

[sosthene-nitrokey]

In the end the Interchange cannot be used for cancellation. Being able to cancel any request means that any request can fail. With the current poll implementation, this would lead to an infinite loop when the interchange is Idle, since ready is always returned.
Making it return an error instead would make syscall! panic for any request, which would make it useless, and force using try_syscall instead.

As such, I changed the approach to use an InterruptFlag.
Before being called, this flag is set to Working, and after the call it is set to Idle again. Interrupts can only happen while it is Working.
Syscalls (and backends) that can support cancellation need to check this flag (in the CoreContext) to see if they can cancel early.

This flag can be interrupted by anything with a reference to it.
In practice, it is triggered by the usbd-ctaphid crate, since the ctaphid-dispatch is blocked by the application that is running.
To communicate the correct flag to interrupt, ctaphid-dispatch writes an AtomicPtr (safely wrapped by ref-swap and usbd-ctaphid  loads it.

[sosthene-nitrokey]

Here is a detailed list of the PRs that are involved in making this work.

Trussed must accept and check an interrupt flag

• Support cancellation of requests #125

Dispatcher and usb drivers needs to exchange the InterruptFlag of the running application

Similar work will be needed for the CCID stack too, but is not as urgent, so to simplify we just do CTAPHID

• Add request interrupt mechanism  ctaphid-dispatch#4
• Support request interrupt mechanism usbd-ctaphid#5

Backends need adaptation

There is a breaking change. Since the CoreContext holds a reference to the interrupt flag, it can't be created as easily as before, and therefore the Fliestore need to take a ClientId rather than a CoreContext to be created.

• Adapt to trussed support for interrupts trussed-auth#35
• https://github.com/Nitrokey/trussed-staging/pull/7

All apps must be updated to make their interrupt flag accessible to the dispatch

• Adapt to interrupt mechanism Nitrokey/admin-app#4
• Adapt to interrupt mechanism Nitrokey/fido-authenticator#15
• Adapt to interrupt trussed changes Nitrokey/trussed-secrets-app#72

Other needed adaptations

• Support cancellations pc-usbip-runner#26

RefSwap

Safe wrapper around AtomicPtr for exchanging interrupt flags between the driver and the dispatch.

In the runner:

Apps need to all have a static InterruptFlag. The dispatch crates need to share an OptionRefSwap to exchange the InterruptFlag.

This PR contains implements it for the NK3: Nitrokey/nitrokey-3-firmware#272