islet_rmm/granule/array/

entry.rs

use crate::config;
use crate::granule::array::GRANULE_STATUS_TABLE;
use crate::rmi::error::Error;

use super::{GranuleState, GRANULE_SIZE};
use core::sync::atomic::{AtomicU8, Ordering};
use safe_abstraction::raw_ptr;
use spinning_top::{Spinlock, SpinlockGuard};
use vmsa::guard::Content;

// Safety: concurrency safety
//  - For a granule status table that manages granules, it doesn't use a big lock for efficiency.
//    So, we need to associate "lock" with each granule entry.

#[cfg(not(any(kani, miri, test, fuzzing)))]
#[derive(Debug)]
pub struct Granule {
    /// granule state
    state: u8,
    /// granule ref count
    ref_count: AtomicU8,
}
#[cfg(any(kani, miri, test, fuzzing))]
// DIFF: `gpt` ghost field is added to track GPT entry's status
pub struct Granule {
    /// granule state
    state: u8,
    /// granule ref count
    ref_count: AtomicU8,
    /// granule protection table (ghost field)
    pub gpt: GranuleGpt,
}

#[cfg(kani)]
#[derive(Copy, Clone, PartialEq, kani::Arbitrary)]
pub enum GranuleGpt {
    GPT_NS,
    GPT_OTHER,
    GPT_REALM,
}

#[cfg(any(miri, test, fuzzing))]
#[derive(Copy, Clone, PartialEq)]
pub enum GranuleGpt {
    GPT_NS,
    GPT_OTHER,
    GPT_REALM,
}

impl Granule {
    #[cfg(not(any(kani, miri, test, fuzzing)))]
    fn new() -> Self {
        let state = GranuleState::Undelegated;
        let ref_count = AtomicU8::new(0);
        Granule { state, ref_count }
    }
    #[cfg(any(kani, miri, test, fuzzing))]
    // DIFF: `state` and `gpt` are filled with non-deterministic values
    fn new() -> Self {
        #[cfg(kani)]
        {
            let state = kani::any();
            let ref_count = AtomicU8::new(kani::any());
            kani::assume(state >= GranuleState::Undelegated && state <= GranuleState::RTT);
            let gpt = {
                if state != GranuleState::Undelegated {
                    GranuleGpt::GPT_REALM
                } else {
                    let gpt = kani::any();
                    kani::assume(gpt != GranuleGpt::GPT_REALM);
                    gpt
                }
            };
            Granule {
                state,
                ref_count,
                gpt,
            }
        }

        #[cfg(any(miri, test, fuzzing))]
        {
            Self {
                state: GranuleState::Undelegated,
                ref_count: AtomicU8::new(0),
                gpt: GranuleGpt::GPT_NS,
            }
        }
    }

    pub fn inc_count(&mut self) {
        let _ = self.ref_count.fetch_add(1, Ordering::SeqCst);
    }

    pub fn dec_count(&mut self) {
        let _ = self.ref_count.fetch_sub(1, Ordering::SeqCst);
    }

    pub fn load_count(&self) -> u8 {
        self.ref_count.load(Ordering::SeqCst)
    }

    pub fn num_children(&self) -> usize {
        self.ref_count.load(Ordering::SeqCst) as usize
    }

    #[cfg(any(kani, miri, test, fuzzing))]
    pub fn set_gpt(&mut self, gpt: GranuleGpt) {
        self.gpt = gpt;
    }

    #[cfg(any(kani, miri, test, fuzzing))]
    pub fn is_valid(&self) -> bool {
        self.state >= GranuleState::Undelegated &&
        self.state <= GranuleState::RTT &&
        // XXX: the below condition holds from beta0 to eac4
        if self.state != GranuleState::Undelegated {
            self.gpt == GranuleGpt::GPT_REALM
        } else {
            self.gpt != GranuleGpt::GPT_REALM
        }
    }

    pub fn state(&self) -> u8 {
        self.state
    }

    pub fn set_state(&mut self, state: u8) -> Result<(), Error> {
        let prev = self.state;
        if (prev == GranuleState::Delegated && state == GranuleState::Undelegated)
            || (state == GranuleState::Delegated)
        {
            self.zeroize();
        }
        self.state = state;
        Ok(())
    }

    pub fn content_mut<T>(&mut self) -> Result<raw_ptr::SafetyAssumed<T>, Error>
    where
        T: Content + raw_ptr::SafetyChecked + raw_ptr::SafetyAssured,
    {
        let addr = self.index_to_addr();
        Ok(raw_ptr::assume_safe::<T>(addr)?)
    }

    pub fn new_uninit_with<T>(&mut self, value: T) -> Result<raw_ptr::SafetyAssumed<T>, Error>
    where
        T: Content + raw_ptr::SafetyChecked + raw_ptr::SafetyAssured,
    {
        let addr = self.index_to_addr();
        Ok(raw_ptr::assume_safe_uninit_with::<T>(addr, value)?)
    }

    pub fn content<T>(&self) -> Result<raw_ptr::SafetyAssumed<T>, Error>
    where
        T: Content + raw_ptr::SafetyChecked + raw_ptr::SafetyAssured,
    {
        let addr = self.index_to_addr();
        Ok(raw_ptr::assume_safe::<T>(addr)?)
    }

    fn index(&self) -> usize {
        let entry_size = core::mem::size_of::<Entry>();
        let granule_size = core::mem::size_of::<Granule>();
        //  XXX: is there a clever way of getting the Entry from Granule (e.g., container_of())?
        //  [        Entry        ]
        //  [  offset ] [ Granule ]
        let granule_offset = entry_size - granule_size;
        let granule_addr = self as *const Granule as usize;
        let entry_addr = granule_addr - granule_offset;
        let gst = &GRANULE_STATUS_TABLE;
        let table_base = gst.entries.as_ptr() as usize;
        (entry_addr - table_base) / core::mem::size_of::<Entry>()
    }

    #[cfg(not(any(kani, miri, test, fuzzing)))]
    fn index_to_addr(&self) -> usize {
        let mut idx = self.index();
        let regions = config::NS_DRAM_REGIONS.lock();

        for range in regions.iter() {
            let region_max = (range.end - range.start) / GRANULE_SIZE;
            if idx < region_max {
                return range.start + (idx * GRANULE_SIZE);
            }
            idx -= region_max;
        }
        0
    }
    #[cfg(any(kani, miri, test, fuzzing))]
    // DIFF: calculate addr using GRANULE_REGION
    pub fn index_to_addr(&self) -> usize {
        use crate::granule::{GRANULE_REGION, GRANULE_STATUS_TABLE_SIZE};
        let idx = self.index();
        assert!(idx < GRANULE_STATUS_TABLE_SIZE);

        #[cfg(any(miri, test, fuzzing))]
        return crate::test_utils::align_up(unsafe {
            GRANULE_REGION.as_ptr() as usize + (idx * GRANULE_SIZE)
        });

        #[cfg(kani)]
        return unsafe { GRANULE_REGION.as_ptr() as usize + (idx * GRANULE_SIZE) };
    }

    #[cfg(not(any(kani, miri, test, fuzzing)))]
    fn zeroize(&mut self) {
        let addr = self.index_to_addr();

        // Safety: This operation writes to a Granule outside the RMM Memory region,
        //         thus not violating RMM's Memory Safety.
        //         (ref. RMM Specification A2.2.4 Granule Wiping)
        unsafe {
            core::ptr::write_bytes(addr as *mut u8, 0x0, GRANULE_SIZE);
        }
    }
    #[cfg(any(kani, miri, test, fuzzing))]
    // DIFF: assertion is added to reduce the proof burden
    //       `write_bytes()` uses a small count value
    fn zeroize(&mut self) {
        let addr = self.index_to_addr();
        let g_start = unsafe { crate::granule::array::GRANULE_REGION.as_ptr() as usize };
        let g_end = g_start + crate::granule::array::GRANULE_MEM_SIZE;
        assert!(addr >= g_start && addr < g_end);

        unsafe {
            core::ptr::write_bytes(addr as *mut u8, 0x0, 8);
            assert!(*(addr as *const u8) == 0);
        }
    }
}

pub struct Entry(Spinlock<Granule>);
impl Entry {
    #[cfg(not(any(kani, miri, test, fuzzing)))]
    pub fn new() -> Self {
        Self(Spinlock::new(Granule::new()))
    }
    #[cfg(any(kani, miri, test, fuzzing))]
    // DIFF: assertion is added to reduce the proof burden
    pub fn new() -> Self {
        let granule = Granule::new();
        assert!(granule.is_valid());
        Self(Spinlock::new(granule))
    }

    pub fn lock(&self) -> Result<SpinlockGuard<'_, Granule>, Error> {
        let granule = self.0.lock();
        Ok(granule)
    }
}