Enable robustness against malicious drivers

Cargo.toml

@@ -55,7 +55,6 @@ members = [
     "crates/sel4-async/network",
     "crates/sel4-async/network/mbedtls",
     "crates/sel4-async/network/mbedtls/mozilla-ca-list",
-    "crates/sel4-async/request-statuses",
     "crates/sel4-async/single-threaded-executor",
     "crates/sel4-async/time",
     "crates/sel4-async/unsync",
@@ -108,6 +107,7 @@ members = [
     "crates/sel4-shared-ring-buffer",
     "crates/sel4-shared-ring-buffer/block-io",
     "crates/sel4-shared-ring-buffer/block-io/types",
+    "crates/sel4-shared-ring-buffer/bookkeeping",
     "crates/sel4-shared-ring-buffer/smoltcp",
     "crates/sel4-sync",
     "crates/sel4/bitfield-ops",

crates/examples/microkit/http-server/http-server.system

@@ -23,7 +23,6 @@
 
         <map mr="virtio_net_client_dma" vaddr="0x1_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_net_client_dma_vaddr" />
         <setvar symbol="virtio_net_client_dma_size" vaddr="0x200_000" />
-        <setvar symbol="virtio_net_client_dma_paddr" region_paddr="virtio_net_client_dma" />
 
         <map mr="virtio_net_rx_free" vaddr="0x2_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_net_rx_free" />
         <map mr="virtio_net_rx_used" vaddr="0x2_001_000_000" perms="rw" cached="true" setvar_vaddr="virtio_net_rx_used" />
@@ -32,7 +31,6 @@
 
         <map mr="virtio_blk_client_dma" vaddr="0x3_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_blk_client_dma_vaddr" />
         <setvar symbol="virtio_blk_client_dma_size" vaddr="0x200_000" />
-        <setvar symbol="virtio_blk_client_dma_paddr" region_paddr="virtio_blk_client_dma" />
 
         <map mr="virtio_blk_free" vaddr="0x4_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_blk_free" />
         <map mr="virtio_blk_used" vaddr="0x4_001_000_000" perms="rw" cached="true" setvar_vaddr="virtio_blk_used" />
@@ -57,7 +55,6 @@
 
         <map mr="virtio_net_client_dma" vaddr="0x1_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_net_client_dma_vaddr" />
         <setvar symbol="virtio_net_client_dma_size" vaddr="0x200_000" />
-        <setvar symbol="virtio_net_client_dma_paddr" region_paddr="virtio_net_client_dma" />
 
         <map mr="virtio_net_rx_free" vaddr="0x2_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_net_rx_free" />
         <map mr="virtio_net_rx_used" vaddr="0x2_001_000_000" perms="rw" cached="true" setvar_vaddr="virtio_net_rx_used" />
@@ -79,7 +76,6 @@
 
         <map mr="virtio_blk_client_dma" vaddr="0x3_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_blk_client_dma_vaddr" />
         <setvar symbol="virtio_blk_client_dma_size" vaddr="0x200_000" />
-        <setvar symbol="virtio_blk_client_dma_paddr" region_paddr="virtio_blk_client_dma" />
 
         <map mr="virtio_blk_free" vaddr="0x4_000_000_000" perms="rw" cached="true" setvar_vaddr="virtio_blk_free" />
         <map mr="virtio_blk_used" vaddr="0x4_001_000_000" perms="rw" cached="true" setvar_vaddr="virtio_blk_used" />

crates/examples/microkit/http-server/pds/server/Cargo.toml

@@ -14,7 +14,6 @@ sel4 = { path = "../../../../../sel4" }
 sel4-async-block-io = { path = "../../../../../sel4-async/block-io" }
 sel4-async-block-io-fat = { path = "../../../../../sel4-async/block-io/fat" }
 sel4-async-network = { path = "../../../../../sel4-async/network" }
-sel4-async-request-statuses = { path = "../../../../../sel4-async/request-statuses" }
 sel4-async-time = { path = "../../../../../sel4-async/time" }
 sel4-bounce-buffer-allocator = { path = "../../../../../sel4-bounce-buffer-allocator" }
 sel4-immediate-sync-once-cell = { path = "../../../../../sel4-immediate-sync-once-cell" }
@@ -53,6 +52,9 @@ features = ["nosys", "all-symbols", "sel4-panicking-env"]
 [dependencies.sel4-shared-ring-buffer-block-io-types]
 path = "../../../../../sel4-shared-ring-buffer/block-io/types"
 
+[dependencies.sel4-shared-ring-buffer-bookkeeping]
+path = "../../../../../sel4-shared-ring-buffer/bookkeeping"
+
 [dependencies.smoltcp]
 version = "0.10.0"
 default-features = false

crates/examples/microkit/http-server/pds/server/core/src/lib.rs

@@ -12,7 +12,7 @@ use futures::task::LocalSpawnExt;
 
 use mbedtls::ssl::async_io::ClosedError;
 
-use sel4_async_block_io::{constant_block_sizes, BlockIO};
+use sel4_async_block_io::{access::ReadOnly, constant_block_sizes, BlockIO};
 use sel4_async_block_io_fat as fat;
 use sel4_async_network::{ManagedInterface, TcpSocketError};
 use sel4_async_network_mbedtls::{
@@ -29,7 +29,9 @@ use server::Server;
 const HTTP_PORT: u16 = 80;
 const HTTPS_PORT: u16 = 443;
 
-pub async fn run_server<T: BlockIO<BlockSize = constant_block_sizes::BlockSize512> + Clone>(
+pub async fn run_server<
+    T: BlockIO<ReadOnly, BlockSize = constant_block_sizes::BlockSize512> + Clone,
+>(
     _timers_ctx: TimerManager,
     network_ctx: ManagedInterface,
     fs_block_io: T,
@@ -101,7 +103,7 @@ pub async fn run_server<T: BlockIO<BlockSize = constant_block_sizes::BlockSize51
 
 type SocketUser<T> = Box<
     dyn Fn(
-        Server<fat::BlockIOWrapper<T>, fat::DummyTimeSource>,
+        Server<fat::BlockIOWrapper<T, ReadOnly>, fat::DummyTimeSource>,
         TcpSocketWrapper,
     ) -> LocalBoxFuture<'static, ()>,
 >;

crates/examples/microkit/http-server/pds/server/src/handler.rs

@@ -8,10 +8,11 @@ use futures::future::LocalBoxFuture;
 use smoltcp::iface::Config;
 use smoltcp::time::Instant as SmoltcpInstant;
 
-use sel4_async_block_io::constant_block_sizes::BlockSize512;
+use sel4_async_block_io::{access::ReadOnly, constant_block_sizes::BlockSize512};
 use sel4_async_network::{DhcpOverrides, ManagedInterface};
 use sel4_async_single_threaded_executor::{LocalPool, LocalSpawner};
 use sel4_async_time::{Instant, TimerManager};
+use sel4_bounce_buffer_allocator::Basic;
 use sel4_shared_ring_buffer_block_io::SharedRingBufferBlockIO;
 
 use crate::{DeviceImpl, TimerClient};
@@ -21,8 +22,8 @@ pub(crate) struct HandlerImpl {
     net_driver_channel: sel4_microkit::Channel,
     block_driver_channel: sel4_microkit::Channel,
     timer: TimerClient,
-    net_device: DeviceImpl,
-    shared_block_io: SharedRingBufferBlockIO<BlockSize512>,
+    net_device: DeviceImpl<Basic>,
+    shared_block_io: SharedRingBufferBlockIO<BlockSize512, ReadOnly, Basic, fn()>,
     shared_timers: TimerManager,
     shared_network: ManagedInterface,
     local_pool: LocalPool,
@@ -36,9 +37,9 @@ impl HandlerImpl {
         net_driver_channel: sel4_microkit::Channel,
         block_driver_channel: sel4_microkit::Channel,
         timer: TimerClient,
-        mut net_device: DeviceImpl,
+        mut net_device: DeviceImpl<Basic>,
         net_config: Config,
-        shared_block_io: SharedRingBufferBlockIO<BlockSize512>,
+        shared_block_io: SharedRingBufferBlockIO<BlockSize512, ReadOnly, Basic, fn()>,
         f: impl FnOnce(TimerManager, ManagedInterface, LocalSpawner) -> T,
     ) -> Self {
         let now = Self::now_with_timer_client(&timer);
@@ -103,7 +104,7 @@ impl HandlerImpl {
             activity |= self.shared_timers.poll(now);
             activity |= self.net_device.poll();
             activity |= self.shared_network.poll(now_smoltcp, &mut self.net_device);
-            activity |= self.shared_block_io.poll();
+            activity |= self.shared_block_io.poll().unwrap();
             if !activity {
                 let delays = &[
                     self.shared_timers.poll_at().map(|absolute| absolute - now),

crates/examples/microkit/http-server/pds/server/src/main.rs

@@ -20,10 +20,11 @@ use smoltcp::wire::{EthernetAddress, HardwareAddress};
 use sel4_async_block_io::{
     constant_block_sizes::BlockSize512, disk::Disk, CachedBlockIO, ConstantBlockSize,
 };
+use sel4_bounce_buffer_allocator::{Basic, BounceBufferAllocator};
 use sel4_externally_shared::ExternallySharedRef;
 use sel4_logging::{LevelFilter, Logger, LoggerBuilder};
 use sel4_microkit::{memory_region_symbol, protection_domain, var, Channel, Handler};
-use sel4_shared_ring_buffer::{RingBuffer, RingBuffers};
+use sel4_shared_ring_buffer::RingBuffers;
 use sel4_shared_ring_buffer_block_io::SharedRingBufferBlockIO;
 use sel4_shared_ring_buffer_smoltcp::DeviceImpl;
 
@@ -75,43 +76,46 @@ fn init() -> impl Handler {
     let net_client = NetClient::new(NET_DRIVER);
     let block_client = BlockClient::new(BLOCK_DRIVER);
 
-    let notify_net = || {
-        NET_DRIVER.notify();
-        Ok::<_, !>(())
-    };
-
-    let notify_block = || {
-        BLOCK_DRIVER.notify();
-        Ok::<_, !>(())
-    };
+    let notify_net: fn() = || NET_DRIVER.notify();
+    let notify_block: fn() = || BLOCK_DRIVER.notify();
 
-    let net_device = DeviceImpl::new(
-        unsafe {
+    let net_device = {
+        let dma_region = unsafe {
             ExternallySharedRef::<'static, _>::new(
                 memory_region_symbol!(virtio_net_client_dma_vaddr: *mut [u8], n = *var!(virtio_net_client_dma_size: usize = 0)),
             )
-        },
-        *var!(virtio_net_client_dma_paddr: usize = 0),
-        unsafe {
-            RingBuffers::new(
-                RingBuffer::from_ptr(memory_region_symbol!(virtio_net_rx_free: *mut _)),
-                RingBuffer::from_ptr(memory_region_symbol!(virtio_net_rx_used: *mut _)),
+        };
+
+        let bounce_buffer_allocator =
+            BounceBufferAllocator::new(Basic::new(dma_region.as_ptr().len()), 1);
+
+        DeviceImpl::new(
+            dma_region,
+            bounce_buffer_allocator,
+            RingBuffers::from_ptrs_using_default_initialization_strategy_for_role(
+                unsafe {
+                    ExternallySharedRef::new(memory_region_symbol!(virtio_net_rx_free: *mut _))
+                },
+                unsafe {
+                    ExternallySharedRef::new(memory_region_symbol!(virtio_net_rx_used: *mut _))
+                },
                 notify_net,
-                true,
-            )
-        },
-        unsafe {
-            RingBuffers::new(
-                RingBuffer::from_ptr(memory_region_symbol!(virtio_net_tx_free: *mut _)),
-                RingBuffer::from_ptr(memory_region_symbol!(virtio_net_tx_used: *mut _)),
+            ),
+            RingBuffers::from_ptrs_using_default_initialization_strategy_for_role(
+                unsafe {
+                    ExternallySharedRef::new(memory_region_symbol!(virtio_net_tx_free: *mut _))
+                },
+                unsafe {
+                    ExternallySharedRef::new(memory_region_symbol!(virtio_net_tx_used: *mut _))
+                },
                 notify_net,
-                true,
-            )
-        },
-        16,
-        2048,
-        1500,
-    );
+            ),
+            16,
+            2048,
+            1500,
+        )
+        .unwrap()
+    };
 
     let net_config = {
         assert_eq!(net_device.capabilities().medium, Medium::Ethernet);
@@ -124,24 +128,28 @@ fn init() -> impl Handler {
 
     let num_blocks = block_client.get_num_blocks();
 
-    let shared_block_io = SharedRingBufferBlockIO::new(
-        BlockSize512::SINGLETON,
-        num_blocks,
-        unsafe {
+    let shared_block_io = {
+        let dma_region = unsafe {
             ExternallySharedRef::<'static, _>::new(
                 memory_region_symbol!(virtio_blk_client_dma_vaddr: *mut [u8], n = *var!(virtio_blk_client_dma_size: usize = 0)),
             )
-        },
-        *var!(virtio_blk_client_dma_paddr: usize = 0),
-        unsafe {
-            RingBuffers::new(
-                RingBuffer::from_ptr(memory_region_symbol!(virtio_blk_free: *mut _)),
-                RingBuffer::from_ptr(memory_region_symbol!(virtio_blk_used: *mut _)),
+        };
+
+        let bounce_buffer_allocator =
+            BounceBufferAllocator::new(Basic::new(dma_region.as_ptr().len()), 1);
+
+        SharedRingBufferBlockIO::new(
+            BlockSize512::BLOCK_SIZE,
+            num_blocks,
+            dma_region,
+            bounce_buffer_allocator,
+            RingBuffers::from_ptrs_using_default_initialization_strategy_for_role(
+                unsafe { ExternallySharedRef::new(memory_region_symbol!(virtio_blk_free: *mut _)) },
+                unsafe { ExternallySharedRef::new(memory_region_symbol!(virtio_blk_used: *mut _)) },
                 notify_block,
-                true,
-            )
-        },
-    );
+            ),
+        )
+    };
 
     HandlerImpl::new(
         TIMER_DRIVER,