New tests are needed (rather than existing ones) because the complexity
of setting up careful-access tests would make it difficult to build atop
existing tests.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This consists in outlining the prototyping and evaluation of different
possible testing approaches.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Add lengths to structs in the convenience functions to allocate and copy
input and output buffers. It seems better to ensure we always store a
buffer with its length.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
And clarify our potential use of it as a starting point for writing
memory poisoning tests from scratch.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
In light of choosing Valgrind/ASan over mprotect()-based poisoning,
update the detailed design of copy validation.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Main changes:
* New tests are easier to write than first stated
* Use of existing tests is ledd beneficial
* But using existing tests is a benefit if it can be done transparently
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Consider MSan, ASan and Valgrind as options for implementing memory
poisoning tests. Come to the altered conclusion that Valgrind is the
best option.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
* Remove references to the platform - this is unlikely to affect whether
copies are optimized.
* Note that the evaluation should test extreme optimisation settings.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Using a dedicated field allows clean separatin between key attributes
and slot state. This allows us to use the same mechanics for attributes
and key content. Which in turn means lower code size and easier
maintenance.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Separate design analysis from plans and make the distinction clear
between what is implemented, what is planned to be implemented soon,
what is planned to be implemented in the future, and what is ideas that
are rejected.
(The distinction between the last two categories doesn't have to be
clear, we can't and shouldn't plan that far ahead.)
Signed-off-by: Janos Follath <janos.follath@arm.com>
There are many reasons why a driver might violate the security requirements
for plaintext or ciphertext buffers, so mandate copying.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's a security violation, although it's not clear whether it really needs
to influence the design.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
