Add a note that validation of validation was implemented in metatest.c
and explain briefly what that program is for.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
The configuration of memory poisoning is now performed via
compile-time detection setting MBEDTLS_MEMORY_CAN_POISON. Update
the design to take account of this.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Since this is just an example, remove specific-sounding references to
mbedtls_psa_core_poison_memory() and replace with more abstract and
generic-sounding memory_poison_hook() and memory_unpoison_hook().
Signed-off-by: David Horstmann <david.horstmann@arm.com>
The actual functions were called mbedtls_test_memory_poison()
and mbedtls_test_memory_unpoison(). Update the design section to
reflect this.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
We were successful in adding transparent memory-poisoning testing, so
simplify to the real design decision we made.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
The finally implemented functions were significantly different from the
initial design idea, so update the document accordingly.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Automatic testing of our testing is not essential, as our testing
framework may be manually tested. Having automated tests to test our
tests may be left to future work.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Describe the approach of platform-specific code and draw a comparison
with the constant-time module.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
These cover the fact that we need to test our test framework to make
sure it really detects incorrect accesses.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
* Rename config options to have MBEDTLS_TEST_ prefix
* Clarify that these config options should not exist in mbedtls_config.h
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This is already covered in the design exploration and since the other
approach was chose, we do not need to discuss it in the detailed design
section.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
New tests are needed (rather than existing ones) because the complexity
of setting up careful-access tests would make it difficult to build atop
existing tests.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This consists in outlining the prototyping and evaluation of different
possible testing approaches.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Add lengths to structs in the convenience functions to allocate and copy
input and output buffers. It seems better to ensure we always store a
buffer with its length.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
And clarify our potential use of it as a starting point for writing
memory poisoning tests from scratch.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
In light of choosing Valgrind/ASan over mprotect()-based poisoning,
update the detailed design of copy validation.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Main changes:
* New tests are easier to write than first stated
* Use of existing tests is ledd beneficial
* But using existing tests is a benefit if it can be done transparently
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Consider MSan, ASan and Valgrind as options for implementing memory
poisoning tests. Come to the altered conclusion that Valgrind is the
best option.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
* Remove references to the platform - this is unlikely to affect whether
copies are optimized.
* Note that the evaluation should test extreme optimisation settings.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
