file_vault: version 23.05

* ARM support and detaching from Ada/SPARK

  * Remove all CBE-related code - especially the Ada/SPARK-based CBE library.

    * We have no means or motivation of further maintaining big projects in
      Ada/SPARK (the core Genode team is native to C++).

    * The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
      important architecture for Genode. This would mean extra commitment in
      Ada/SPARK.

    * We realize that block encryption more and more becomes a fundamental
      feature of Genode systems.

  * Implement a new block encryption library named Tresor that is inspired by
    the design and feature set of the former CBE library and that is entirely
    C++ and part of the Genode gems repository.

    * The Tresor block encryption is backwards-compatible with the on-disk
      data layout of the former CBE block encryption.

    * Except from the snapshot management and the "dump" tool, the Tresor
      block encryption provides the same feature set as the former CBE block
      encryption and accepts the same user requests at the level of the
      Tresor library API.

    * So far, the Tresor block encryption does not support the creation of
      user-defined snapshots.

    * In contrast to the former CBE, the Tresor ecosystem has
      no "dump" tool beause with the CBE library it turned out to be rarely of
      use.

    * In contrast to the Block back-end of the CBE "init" tool, the Tresor
      "init" tool uses a File System back-end.

    * The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.

      * The Tresor-VFS plugin in general is similar to the former CBE VFS but
        has a slightly different API when it comes to re-keying and re-sizing.
        Each of these operations now is controlled via two files. The first
        file is named <operation> and the user writes the start command to it.
        The user must then read this file once in order to drive the operation.
        The read returns the result of the operation, once it is finished.
        The second file is named <operation>_progress and can be watched and
        read for obtaining the progress of the operation as percentage.

    * The file vault is adapted to use the new Tresor ecosystem
      instead of the former CBE ecosystem and thereby also gains ARM support.

    * The former CBE tester and CBE VFS-tests are replaced by equivalent
      Tresor variants and are now run on ARM as well (testing with a persistent
      storage back-end is supported only when running on Linux).

    * So far, the new Tresor block encryption has no internal cache for meta
      data blocks like the former CBE.

* Add config/report user interface

  * Add a second option for the administration front end to the file vault
    named "config and report". With this front end the File Vault communicates
    with the user via XML strings. A ROM session is requested for user input
    and a Report session for user output. The front end type must be set at
    startup via the component config and is a static setting. The graphical
    front end that was used up to now is named "menu view" and remains the
    default.

  * The File Vault can now reflect its internal state and user input ("config
    and report" mode only) at the LOG session via two new static config
    attributes "verbose_state" and "verbose_ui_config" (both defaulting to
    "no").

  * The Shutdown button in "menu view" mode is replaced with a Lock button. The
    new button doesn't terminate the File Vault but merely lock the encrypted
    container and return to a cleared passphrase input. The same transition is
    also provided in "config and report" mode.

  * The file_vault.run script is replaced with file_vault_menu_view.run and
    file_vault_cfg_report.run that address the two front end modes. In contrast
    to the former script, which is interactive, the latter script is suitable
    for automatic testing.

  * There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
    the same as file_vault_cfg_report.run but uses the File Vault package and
    can be executed with the Depot Autopilot. The new test package is added to
    the default test list of depot_autopilot.run

  * The File Vault README is updated to the new version of the component and
    has gained a chapter "functional description".

  * Fixes a regression with the cbe_init_trust_anchor component that prevented
    reacting to a failed unlock attempt in the File Vault.

* The new Tresor software Trust Anchor has an optional deterministic mode in
  which it replaces the normally randomized symmetric keys with 0. This mode
  comes in handy for debugging. However, it should never be activated in
  productive systems. When activated, the user is warned extensively on the
  LOG that this system mode is insecure.

Ref 
This commit is contained in:
Martin Stein 2023-05-22 14:37:13 +02:00 committed by Christian Helmuth
parent d3d3351b99
commit aeb65d6b1b
216 changed files with 25067 additions and 11522 deletions

View File

@ -1,59 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE__CHECK__LIBRARY_H_
#define _CBE__CHECK__LIBRARY_H_
/* CBE includes */
#include <cbe/types.h>
#include <cbe/spark_object.h>
extern "C" void cbe_check_cxx_init();
extern "C" void cbe_check_cxx_final();
namespace Cbe_check {
class Library;
Genode::uint32_t object_size(Library const &);
}
struct Cbe_check::Library : Cbe::Spark_object<46160>
{
Library();
bool client_request_acceptable() const;
void submit_client_request(Cbe::Request const &request);
Cbe::Request peek_completed_client_request() const;
void drop_completed_client_request(Cbe::Request const &req);
void execute(Cbe::Io_buffer const &io_buf);
bool execute_progress() const;
void io_request_completed(Cbe::Io_buffer::Index const &data_index,
bool const success);
void has_io_request(Cbe::Request &, Cbe::Io_buffer::Index &) const;
void io_request_in_progress(Cbe::Io_buffer::Index const &data_index);
};
#endif /* _CBE__CHECK__LIBRARY_H_ */

View File

@ -1,101 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE__DUMP__CONFIGURATION_H_
#define _CBE__DUMP__CONFIGURATION_H_
/* Genode includes */
#include <util/xml_node.h>
namespace Cbe_dump { class Configuration; }
class Cbe_dump::Configuration
{
private:
bool _unused_nodes;
Genode::uint32_t _max_superblocks;
Genode::uint32_t _max_snapshots;
bool _vbd;
bool _vbd_pba_filter_enabled;
Genode::uint64_t _vbd_pba_filter;
bool _vbd_vba_filter_enabled;
Genode::uint64_t _vbd_vba_filter;
bool _free_tree;
bool _meta_tree;
bool _hashes;
public:
Configuration (Genode::Xml_node const &node)
:
_unused_nodes { node.attribute_value("unused_nodes", true) },
_max_superblocks { node.attribute_value("max_superblocks", ~(Genode::uint32_t)0) },
_max_snapshots { node.attribute_value("max_snapshots", ~(Genode::uint32_t)0) },
_vbd { node.attribute_value("vbd", true) },
_vbd_pba_filter_enabled { node.attribute_value("vbd_pba_filter_enabled", false) },
_vbd_pba_filter { node.attribute_value("vbd_pba_filter", (Genode::uint64_t)0) },
_vbd_vba_filter_enabled { node.attribute_value("vbd_vba_filter_enabled", false) },
_vbd_vba_filter { node.attribute_value("vbd_vba_filter", (Genode::uint64_t)0) },
_free_tree { node.attribute_value("free_tree", true) },
_meta_tree { node.attribute_value("meta_tree", true) },
_hashes { node.attribute_value("hashes", true) }
{ }
Configuration (Configuration const &other)
:
_unused_nodes { other._unused_nodes },
_max_superblocks { other._max_superblocks },
_max_snapshots { other._max_snapshots },
_vbd { other._vbd },
_vbd_pba_filter_enabled { other._vbd_pba_filter_enabled },
_vbd_pba_filter { other._vbd_pba_filter },
_vbd_vba_filter_enabled { other._vbd_vba_filter_enabled },
_vbd_vba_filter { other._vbd_vba_filter },
_free_tree { other._free_tree },
_meta_tree { other._meta_tree },
_hashes { other._hashes }
{ }
bool unused_nodes() const { return _unused_nodes; }
Genode::uint32_t max_superblocks() const { return _max_superblocks; }
Genode::uint32_t max_snapshots() const { return _max_snapshots; }
bool vbd() const { return _vbd; }
bool vbd_pba_filter_enabled() const { return _vbd_pba_filter_enabled; }
Genode::uint64_t vbd_pba_filter() const { return _vbd_pba_filter; }
bool vbd_vba_filter_enabled() const { return _vbd_vba_filter_enabled; }
Genode::uint64_t vbd_vba_filter() const { return _vbd_vba_filter; }
bool free_tree() const { return _free_tree; }
bool meta_tree() const { return _meta_tree; }
bool hashes() const { return _hashes; }
void print(Genode::Output &out) const
{
Genode::print(out,
"unused_nodes=", _unused_nodes ,
" max_superblocks=", _max_superblocks ,
" max_snapshots=", _max_snapshots ,
" vbd=", _vbd ,
" vbd_pba_filter_enabled=", _vbd_pba_filter_enabled,
" vbd_pba_filter=", _vbd_pba_filter ,
" vbd_vba_filter_enabled=", _vbd_vba_filter_enabled,
" vbd_vba_filter=", _vbd_vba_filter ,
" free_tree=", _free_tree ,
" meta_tree=", _meta_tree ,
" hashes=", _hashes );
}
} __attribute__((packed));
#endif /* _CBE__DUMP__CONFIGURATION_H_ */

View File

@ -1,63 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE__DUMP__LIBRARY_H_
#define _CBE__DUMP__LIBRARY_H_
/* CBE includes */
#include <cbe/types.h>
#include <cbe/spark_object.h>
/* CBE dump includes */
#include <cbe/dump/configuration.h>
extern "C" void cbe_dump_cxx_init();
extern "C" void cbe_dump_cxx_final();
namespace Cbe_dump {
class Library;
Genode::uint32_t object_size(Library const &);
}
struct Cbe_dump::Library : Cbe::Spark_object<49240>
{
Library();
bool client_request_acceptable() const;
void submit_client_request(Cbe::Request const &request,
Configuration const &cfg);
Cbe::Request peek_completed_client_request() const;
void drop_completed_client_request(Cbe::Request const &req);
void execute(Cbe::Io_buffer const &io_buf);
bool execute_progress() const;
void io_request_completed(Cbe::Io_buffer::Index const &data_index,
bool const success);
void has_io_request(Cbe::Request &, Cbe::Io_buffer::Index &) const;
void io_request_in_progress(Cbe::Io_buffer::Index const &data_index);
};
#endif /* _CBE__DUMP__LIBRARY_H_ */

View File

@ -1,100 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE__INIT__CONFIGURATION_H_
#define _CBE__INIT__CONFIGURATION_H_
/* Genode includes */
#include <util/xml_node.h>
namespace Cbe_init { class Configuration; }
class Cbe_init::Configuration
{
private:
Genode::uint64_t _vbd_nr_of_lvls { 0 };
Genode::uint64_t _vbd_nr_of_children { 0 };
Genode::uint64_t _vbd_nr_of_leafs { 0 };
Genode::uint64_t _ft_nr_of_lvls { 0 };
Genode::uint64_t _ft_nr_of_children { 0 };
Genode::uint64_t _ft_nr_of_leafs { 0 };
public:
struct Invalid : Genode::Exception { };
Configuration (Genode::Xml_node const &node)
{
node.with_optional_sub_node("virtual-block-device",
[&] (Genode::Xml_node const &vbd)
{
_vbd_nr_of_lvls =
vbd.attribute_value("nr_of_levels", (Genode::uint64_t)0);
_vbd_nr_of_children =
vbd.attribute_value("nr_of_children", (Genode::uint64_t)0);
_vbd_nr_of_leafs =
vbd.attribute_value("nr_of_leafs", (Genode::uint64_t)0);
});
node.with_optional_sub_node("free-tree",
[&] (Genode::Xml_node const &ft)
{
_ft_nr_of_lvls =
ft.attribute_value("nr_of_levels", (Genode::uint64_t)0);
_ft_nr_of_children =
ft.attribute_value("nr_of_children", (Genode::uint64_t)0);
_ft_nr_of_leafs =
ft.attribute_value("nr_of_leafs", (Genode::uint64_t)0);
});
if (_vbd_nr_of_lvls == 0 ||
_vbd_nr_of_children == 0 ||
_vbd_nr_of_leafs == 0 ||
_ft_nr_of_lvls == 0 ||
_ft_nr_of_children == 0 ||
_ft_nr_of_leafs == 0)
{
throw Invalid();
}
}
Configuration (Configuration const &other)
{
_vbd_nr_of_lvls = other._vbd_nr_of_lvls ;
_vbd_nr_of_children = other._vbd_nr_of_children;
_vbd_nr_of_leafs = other._vbd_nr_of_leafs ;
_ft_nr_of_lvls = other._ft_nr_of_lvls ;
_ft_nr_of_children = other._ft_nr_of_children ;
_ft_nr_of_leafs = other._ft_nr_of_leafs ;
}
Genode::uint64_t vbd_nr_of_lvls () const { return _vbd_nr_of_lvls ; }
Genode::uint64_t vbd_nr_of_children () const { return _vbd_nr_of_children; }
Genode::uint64_t vbd_nr_of_leafs () const { return _vbd_nr_of_leafs ; }
Genode::uint64_t ft_nr_of_lvls () const { return _ft_nr_of_lvls ; }
Genode::uint64_t ft_nr_of_children () const { return _ft_nr_of_children ; }
Genode::uint64_t ft_nr_of_leafs () const { return _ft_nr_of_leafs ; }
void print(Genode::Output &out) const
{
Genode::print(out,
"vbd=(lvls=", _vbd_nr_of_lvls,
" children=", _vbd_nr_of_children,
" leafs=", _vbd_nr_of_leafs, ")",
" ft=(lvls=", _ft_nr_of_lvls,
" children=", _ft_nr_of_children,
" leafs=", _ft_nr_of_leafs, ")");
}
};
#endif /* _CBE__INIT__CONFIGURATION_H_ */

View File

@ -1,124 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE__INIT__LIBRARY_H_
#define _CBE__INIT__LIBRARY_H_
/* CBE includes */
#include <cbe/types.h>
#include <cbe/spark_object.h>
extern "C" void cbe_init_cxx_init();
extern "C" void cbe_init_cxx_final();
namespace Cbe_init {
class Library;
Genode::uint32_t object_size(Library const &);
}
struct Cbe_init::Library : Cbe::Spark_object<60960>
{
/*
* Ada/SPARK compatible bindings
*/
void _peek_generated_ta_request(Cbe::Trust_anchor_request &) const;
void _peek_generated_ta_sb_hash(Cbe::Trust_anchor_request const &, Cbe::Hash &) const;
void _peek_generated_ta_key_value_plaintext(Cbe::Trust_anchor_request const &,
Cbe::Key_plaintext_value &) const;
void _peek_generated_ta_key_value_ciphertext(Cbe::Trust_anchor_request const &,
Cbe::Key_ciphertext_value &) const;
Library();
bool client_request_acceptable() const;
void submit_client_request(Cbe::Request const &request,
Genode::uint64_t vbd_max_lvl_idx,
Genode::uint64_t vbd_degree,
Genode::uint64_t vbd_nr_of_leafs,
Genode::uint64_t ft_max_lvl_idx,
Genode::uint64_t ft_degree,
Genode::uint64_t ft_nr_of_leafs);
Cbe::Request peek_completed_client_request() const;
void drop_completed_client_request(Cbe::Request const &req);
void execute(Cbe::Io_buffer &io_buf);
bool execute_progress() const;
void io_request_completed(Cbe::Io_buffer::Index const &data_index,
bool const success);
void has_io_request(Cbe::Request &, Cbe::Io_buffer::Index &) const;
void io_request_in_progress(Cbe::Io_buffer::Index const &data_index);
Cbe::Trust_anchor_request peek_generated_ta_request() const
{
Cbe::Trust_anchor_request request { };
_peek_generated_ta_request(request);
return request;
}
void drop_generated_ta_request(Cbe::Trust_anchor_request const &request);
Cbe::Hash peek_generated_ta_sb_hash(Cbe::Trust_anchor_request const &request) const
{
Cbe::Hash hash { };
_peek_generated_ta_sb_hash(request, hash);
return hash;
}
void mark_generated_ta_secure_sb_request_complete(Cbe::Trust_anchor_request const &request);
void mark_generated_ta_create_key_request_complete(Cbe::Trust_anchor_request const &request,
Cbe::Key_plaintext_value const &key);
Cbe::Key_ciphertext_value peek_generated_ta_key_value_ciphertext(Cbe::Trust_anchor_request const &request) const
{
Cbe::Key_ciphertext_value ck { };
_peek_generated_ta_key_value_ciphertext(request, ck);
return ck;
}
Cbe::Key_plaintext_value peek_generated_ta_key_value_plaintext(Cbe::Trust_anchor_request const &request) const
{
Cbe::Key_plaintext_value pk { };
_peek_generated_ta_key_value_plaintext(request, pk);
return pk;
}
void mark_generated_ta_decrypt_key_request_complete(Cbe::Trust_anchor_request const &reference,
Cbe::Key_plaintext_value const &key);
void mark_generated_ta_encrypt_key_request_complete(Cbe::Trust_anchor_request const &request,
Cbe::Key_ciphertext_value const &key);
void mark_generated_ta_last_sb_hash_request_complete(Cbe::Trust_anchor_request const &,
Cbe::Hash const &)
{
struct Not_supported { };
throw Not_supported();
}
};
#endif /* _CBE__INIT__LIBRARY_H_ */

View File

@ -1,412 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE_LIBRARY_H_
#define _CBE_LIBRARY_H_
/* Genode includes */
#include <base/stdint.h>
#include <base/output.h>
/* CBE includes */
#include <cbe/types.h>
#include <cbe/spark_object.h>
extern "C" void cbe_cxx_init();
extern "C" void cbe_cxx_final();
namespace Cbe {
using namespace Genode;
class Library;
Genode::uint32_t object_size(Library const &);
} /* namespace Cbe */
class Cbe::Library : public Cbe::Spark_object<353944>
{
private:
/*
* Ada/SPARK compatible bindings
*
* Ada functions cannot have out parameters. Hence we call Ada
* procedures that return the 'progress' result as last out parameter.
*/
void _has_io_request(Request &, Io_buffer::Index &) const;
void _crypto_add_key_required(Request &, Key &) const;
void _crypto_remove_key_required(Request &, Key::Id &) const;
void _crypto_cipher_data_required(Request &, Crypto_plain_buffer::Index &) const;
void _crypto_plain_data_required(Request &, Crypto_cipher_buffer::Index &) const;
void _info(Info &) const;
void _peek_generated_ta_request(Trust_anchor_request &) const;
void _peek_generated_ta_sb_hash(Trust_anchor_request const &, Hash &) const;
void _peek_generated_ta_key_value_plaintext(Trust_anchor_request const &, Key_plaintext_value &) const;
void _peek_generated_ta_key_value_ciphertext(Trust_anchor_request const &, Key_ciphertext_value &) const;
public:
Library();
/**
* Get highest virtual-block-address useable by the current active snapshot
*
* \return highest addressable virtual-block-address
*/
Virtual_block_address max_vba() const;
/**
* Get information about the CBE
*
* \return information structure
*/
Info info() const
{
Info inf { };
_info(inf);
return inf;
}
void execute(Io_buffer &io_buf,
Crypto_plain_buffer &crypto_plain_buf,
Crypto_cipher_buffer &crypto_cipher_buf);
/**
* Return whether the last call to 'execute' has made progress or not
*/
bool execute_progress() const;
/**
* Check if the CBE can accept a new requeust
*
* \return true if a request can be accepted, otherwise false
*/
bool client_request_acceptable() const;
/**
* Submit a new request
*
* This method must only be called after executing 'request_acceptable'
* returned true.
*
* \param request block request
*/
void submit_client_request(Request const &request, uint32_t id);
/**
* Check for any completed request
*
* \return a valid block request will be returned if there is an
* completed request, otherwise an invalid one
*/
Request peek_completed_client_request() const;
/**
* Drops the completed request
*
* This method must only be called after executing
* 'peek_completed_request' returned a valid request.
*
*/
void drop_completed_client_request(Request const &req);
/*
* Backend block I/O
*/
/**
* Submit read request data from the backend block session to the CBE
*
* The given data will be transfered to the CBE.
*
* \param request reference to the request from the CBE
* \param data reference to the data associated with the
* request
*
* \return true if the CBE acknowledged the request
*/
void io_request_completed(Io_buffer::Index const &data_index,
bool const success);
/**
* Return a write request for the backend block session
*
* \param result valid request in case the is one pending that
* needs data, otherwise an invalid one is returned
*/
Request has_io_request(Io_buffer::Index &data_index) const
{
Request result { };
_has_io_request(result, data_index);
return result;
}
void has_io_request(Request &req, Io_buffer::Index &data_index) const
{
_has_io_request(req, data_index);
}
/**
* Obtain data for write request for the backend block session
*
* The CBE will transfer the payload to the given data.
*
* \param request reference to the Block::Request processed
* by the CBE
* \param data reference to the data associated with the
* Request
*
* \return true if the CBE could process the request
*/
void io_request_in_progress(Io_buffer::Index const &data_index);
void client_transfer_read_data_required(Request &,
uint64_t &,
Crypto_plain_buffer::Index &) const;
void client_transfer_read_data_in_progress(Crypto_plain_buffer::Index const &);
void client_transfer_read_data_completed(Crypto_plain_buffer::Index const &, bool);
void client_transfer_write_data_required(Request &,
uint64_t &,
Crypto_plain_buffer::Index &) const;
void client_transfer_write_data_in_progress(Crypto_plain_buffer::Index const &);
void client_transfer_write_data_completed(Crypto_plain_buffer::Index const &, bool);
/**
* Query list of active snapshots
*
* \param ids reference to destination buffer
*/
void active_snapshot_ids(Active_snapshot_ids &ids) const;
Request crypto_add_key_required(Key &key) const
{
Request result { };
_crypto_add_key_required(result, key);
return result;
}
void crypto_add_key_requested(Request const &req);
void crypto_add_key_completed(Request const &req);
Request crypto_remove_key_required(Key::Id &key_id) const
{
Request result { };
_crypto_remove_key_required(result, key_id);
return result;
}
void crypto_remove_key_requested(Request const &req);
void crypto_remove_key_completed(Request const &req);
/**
* CBE requests encrytion
*
* \param result valid request in case the is one pending that
* needs encrytion, otherwise an invalid one is
* returned
*/
Request crypto_cipher_data_required(Crypto_plain_buffer::Index &data_index) const
{
Request result { };
_crypto_cipher_data_required(result, data_index);
return result;
}
/**
* Return plain data for given encryption request
*
* \param request reference to the Block::Request processed
* by the CBE
* \param data reference to the data associated with the
* Block::Request
*/
void crypto_cipher_data_requested(
Crypto_plain_buffer::Index const &data_index);
/**
* Collect cipher data for given completed encryption request
*
* \param request reference to the Block::Request processed
* by the CBE
* \param data reference to the data associated with the
* Block::Request
*
* \return true if the CBE could obtain the encrypted data,
* otherwise false
*/
void supply_crypto_cipher_data(Crypto_cipher_buffer::Index const &data_index,
bool const data_valid);
/**
* CBE requests decryption
*
* \param result valid request in case the is one pending that
* needs decrytion, otherwise an invalid one is
* returned
*/
Request crypto_plain_data_required(Crypto_cipher_buffer::Index &data_index) const
{
Request result { };
_crypto_plain_data_required(result, data_index);
return result;
}
/**
* Return cipher data for given decryption request
*
* \param request reference to the Block::Request processed
* by the CBE
* \param data reference to the data associated with the
* Block::Request
*
* \return true if the CBE could supply the ciphr data,
* otherwise false
*/
void crypto_plain_data_requested(
Crypto_cipher_buffer::Index const &data_index);
/**
* Collect plain data for given completed decryption request
*
* \param request reference to the Block::Request processed
* by the CBE
* \param data reference to the data associated with the
* Block::Request
*
* \return true if the CBE could obtain the decrypted data,
* otherwise false
*/
void supply_crypto_plain_data(Crypto_plain_buffer::Index const &data_index,
bool const data_valid);
/**
* CBE trust anchor request
*
* \return valid TA request in case there is one pending, otherwise an
* invalid one is returned
*/
Trust_anchor_request peek_generated_ta_request() const
{
Trust_anchor_request request { };
_peek_generated_ta_request(request);
return request;
}
/**
* Drop generated TA request
*
* \param request reference to the request processed by the TA
*/
void drop_generated_ta_request(Trust_anchor_request const &request);
/**
* Peek generated TA superblock hash
*
* \param request reference to the request
* \return superblock hash
*/
Hash peek_generated_ta_sb_hash(Trust_anchor_request const &request) const
{
Cbe::Hash hash { };
_peek_generated_ta_sb_hash(request, hash);
return hash;
}
/**
* Mark generated TA secure superblock request complete
*
* \param request reference to the request completed by the TA
*/
void mark_generated_ta_secure_sb_request_complete(Trust_anchor_request const &request);
/**
* Mark generated TA create key request complete
*
* \param request reference to the request completed by the TA
* \param key reference to the key plaintext created by the TA
*/
void mark_generated_ta_create_key_request_complete(Trust_anchor_request const &request,
Key_plaintext_value const &key);
/**
* Peek generated TA key ciphertext
*
* \param request reference to the request
* \return key ciphertext
*/
Key_ciphertext_value peek_generated_ta_key_value_ciphertext(Trust_anchor_request const &request) const
{
Cbe::Key_ciphertext_value ck { };
_peek_generated_ta_key_value_ciphertext(request, ck);
return ck;
}
/**
* Peek generated TA key plaintext
*
* \param request reference to the request
* \return key plaintext
*/
Key_plaintext_value peek_generated_ta_key_value_plaintext(Trust_anchor_request const &request) const
{
Cbe::Key_plaintext_value pk { };
_peek_generated_ta_key_value_plaintext(request, pk);
return pk;
}
/**
* Mark generated TA decrypt key request complete
*
* \param request reference to the request completed by the TA
* \param key reference to the key plaintext decrypted by the TA
*/
void mark_generated_ta_decrypt_key_request_complete(Trust_anchor_request const &reference,
Key_plaintext_value const &key);
/**
* Mark generated TA encrypt key request complete
*
* \param request reference to the request completed by the TA
* \param key reference to the key ciphertext encrypted by the TA
*/
void mark_generated_ta_encrypt_key_request_complete(Trust_anchor_request const &request,
Key_ciphertext_value const &key);
/**
* Mark generated TA last superblock hash request complete
*
* \param request reference to the request completed by the TA
* \param hash reference to the superblock hash stored in the TA
*/
void mark_generated_ta_last_sb_hash_request_complete(Trust_anchor_request const &request,
Hash const &hash);
};
#endif /* _CBE_LIBRARY_H_ */

View File

@ -1,65 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE_SPARK_OBJECT_H_
#define _CBE_SPARK_OBJECT_H_
/* Genode includes */
#include <base/stdint.h>
#include <base/output.h>
#include <base/log.h>
namespace Cbe {
/**
* Opaque object that contains the space needed to store a SPARK record.
*
* \param BYTES size of the SPARK record in bytes
*/
template <Genode::uint32_t BYTES>
struct Spark_object
{
/**
* Exception type
*/
struct Object_size_mismatch { };
static constexpr Genode::uint32_t bytes() { return BYTES; }
long _space[(BYTES + sizeof(long) - 1)/sizeof(long)] { };
};
template <typename T>
static inline void assert_valid_object_size()
{
if (object_size(*(T *)nullptr) > T::bytes()) {
Genode::error("need ", object_size(*(T *)nullptr),
" bytes, got ", T::bytes(), " bytes");
throw typename T::Object_size_mismatch();
}
}
template <typename T>
static inline void assert_same_object_size()
{
if (object_size(*(T *)nullptr) != T::bytes()) {
Genode::error("need ", object_size(*(T *)nullptr),
" bytes, got ", T::bytes(), " bytes");
throw typename T::Object_size_mismatch();
}
}
} /* namespace Cbe */
#endif /* _CBE_SPARK_OBJECT_H_ */

View File

@ -1,451 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE_TYPES_H_
#define _CBE_TYPES_H_
/* Genode includes */
#include <base/stdint.h>
#include <base/output.h>
#include <base/exception.h>
#include <util/string.h>
namespace Cbe {
enum { INVALID_GENERATION = 0 };
using namespace Genode;
using Number_of_primitives = size_t;
using Physical_block_address = uint64_t;
using Virtual_block_address = uint64_t;
using Generation = uint64_t;
using Generation_string = String<21>;
using Height = uint32_t;
using Number_of_leaves = uint64_t;
using Number_of_leafs = uint64_t;
using Number_of_blocks = uint64_t;
using Degree = uint32_t;
static constexpr uint32_t BLOCK_SIZE = 4096;
static constexpr uint32_t NR_OF_SNAPSHOTS = 48;
class Request
{
public:
enum class Operation : uint32_t {
INVALID = 0,
READ = 1,
WRITE = 2,
SYNC = 3,
CREATE_SNAPSHOT = 4,
DISCARD_SNAPSHOT = 5,
REKEY = 6,
EXTEND_VBD = 7,
EXTEND_FT = 8,
RESUME_REKEYING = 10,
DEINITIALIZE = 11,
INITIALIZE = 12,
};
private:
Operation _operation;
bool _success;
uint64_t _block_number;
uint64_t _offset;
Number_of_blocks _count;
uint32_t _key_id;
uint32_t _tag;
public:
Request(Operation operation,
bool success,
uint64_t block_number,
uint64_t offset,
Number_of_blocks count,
uint32_t key_id,
uint32_t tag)
:
_operation { operation },
_success { success },
_block_number { block_number },
_offset { offset },
_count { count },
_key_id { key_id },
_tag { tag }
{ }
Request()
:
_operation { Operation::INVALID },
_success { false },
_block_number { 0 },
_offset { 0 },
_count { 0 },
_key_id { 0 },
_tag { 0 }
{ }
bool valid() const
{
return _operation != Operation::INVALID;
}
void print(Genode::Output &out) const;
/***************
** Accessors **
***************/
bool read() const { return _operation == Operation::READ; }
bool write() const { return _operation == Operation::WRITE; }
bool sync() const { return _operation == Operation::SYNC; }
bool create_snapshot() const { return _operation == Operation::CREATE_SNAPSHOT; }
bool discard_snapshot() const { return _operation == Operation::DISCARD_SNAPSHOT; }
bool rekey() const { return _operation == Operation::REKEY; }
bool extend_vbd() const { return _operation == Operation::EXTEND_VBD; }
bool extend_ft() const { return _operation == Operation::EXTEND_FT; }
bool resume_rekeying() const { return _operation == Operation::RESUME_REKEYING; }
bool deinitialize() const { return _operation == Operation::DEINITIALIZE; }
bool initialize() const { return _operation == Operation::INITIALIZE; }
Operation operation() const { return _operation; }
bool success() const { return _success; }
uint64_t block_number() const { return _block_number; }
uint64_t offset() const { return _offset; }
Number_of_blocks count() const { return _count; }
uint32_t key_id() const { return _key_id; }
uint32_t tag() const { return _tag; }
void success(bool arg) { _success = arg; }
void tag(uint32_t arg) { _tag = arg; }
} __attribute__((packed));
class Trust_anchor_request
{
public:
enum class Operation : uint32_t {
INVALID = 0,
CREATE_KEY = 1,
SECURE_SUPERBLOCK = 2,
ENCRYPT_KEY = 3,
DECRYPT_KEY = 4,
LAST_SB_HASH = 5,
INITIALIZE = 6,
};
private:
Operation _operation;
bool _success;
uint32_t _tag;
public:
Trust_anchor_request()
:
_operation { Operation::INVALID },
_success { false },
_tag { 0 }
{ }
Trust_anchor_request(Operation operation,
bool success,
uint32_t tag)
:
_operation { operation },
_success { success },
_tag { tag }
{ }
void print(Genode::Output &out) const;
bool valid() const { return _operation != Operation::INVALID; }
bool create_key() const { return _operation == Operation::CREATE_KEY; }
bool secure_superblock() const { return _operation == Operation::SECURE_SUPERBLOCK; }
bool encrypt_key() const { return _operation == Operation::ENCRYPT_KEY; }
bool decrypt_key() const { return _operation == Operation::DECRYPT_KEY; }
bool last_sb_hash() const { return _operation == Operation::LAST_SB_HASH; }
bool initialize() const { return _operation == Operation::INITIALIZE; }
Operation operation() const { return _operation; }
bool success() const { return _success; }
uint32_t tag() const { return _tag; }
void tag(uint32_t arg) { _tag = arg; }
void success(bool arg) { _success = arg; }
} __attribute__((packed));
struct Block_data
{
char values[BLOCK_SIZE];
void print(Genode::Output &out) const
{
using namespace Genode;
for (char const c : values) {
Genode::print(out, Hex(c, Hex::OMIT_PREFIX, Hex::PAD), " ");
}
Genode::print(out, "\n");
}
} __attribute__((packed));
class Io_buffer
{
private:
Block_data items[1];
public:
struct Bad_index : Genode::Exception { };
struct Index
{
uint32_t value;
explicit Index(uint32_t value) : value(value) { }
} __attribute__((packed));
Block_data &item(Index const idx)
{
if (idx.value >= sizeof(items) / sizeof(items[0])) {
throw Bad_index();
}
return items[idx.value];
}
} __attribute__((packed));
class Crypto_plain_buffer
{
private:
Block_data items[1];
public:
struct Bad_index : Genode::Exception { };
struct Index
{
uint32_t value;
explicit Index(uint32_t value) : value(value) { }
} __attribute__((packed));
Block_data &item(Index const idx)
{
if (idx.value >= sizeof(items) / sizeof(items[0])) {
throw Bad_index();
}
return items[idx.value];
}
} __attribute__((packed));
class Crypto_cipher_buffer
{
private:
Block_data items[1];
public:
struct Bad_index : Genode::Exception { };
struct Index
{
uint32_t value;
explicit Index(uint32_t value) : value(value) { }
} __attribute__((packed));
Block_data &item(Index const idx)
{
if (idx.value >= sizeof(items) / sizeof(items[0])) {
throw Bad_index();
}
return items[idx.value];
}
} __attribute__((packed));
/*
* The Hash contains the hash of a node.
*/
struct Hash
{
enum { MAX_LENGTH = 32, };
char values[MAX_LENGTH];
/* hash as hex value plus "0x" prefix and terminating null */
using String = Genode::String<sizeof(values) * 2 + 3>;
/* debug */
void print(Genode::Output &out) const
{
using namespace Genode;
Genode::print(out, "0x");
bool leading_zero = true;
for (char const c : values) {
if (leading_zero) {
if (c) {
leading_zero = false;
Genode::print(out, Hex(c, Hex::OMIT_PREFIX));
}
} else {
Genode::print(out, Hex(c, Hex::OMIT_PREFIX, Hex::PAD));
}
}
if (leading_zero) {
Genode::print(out, "0");
}
}
};
struct Key_plaintext_value
{
enum { KEY_SIZE = 32 };
char value[KEY_SIZE];
};
struct Key_ciphertext_value
{
enum { KEY_SIZE = 32 };
char value[KEY_SIZE];
};
/*
* The Key contains the key-material that is used to
* process cipher-blocks.
*
* (For now it is not used but the ID field is already referenced
* by type 2 nodes.)
*/
struct Key
{
enum { KEY_SIZE = 32 };
char value[KEY_SIZE];
struct Id { uint32_t value; };
Id id;
using String = Genode::String<sizeof(value) * 2 + 3>;
void print(Genode::Output &out) const
{
using namespace Genode;
Genode::print(out, "[", id.value, ", ");
for (uint32_t i = 0; i < 4; i++) {
Genode::print(out, Hex(value[i], Hex::OMIT_PREFIX, Hex::PAD));
}
Genode::print(out, "...]");
}
} __attribute__((packed));
struct Active_snapshot_ids
{
uint64_t values[NR_OF_SNAPSHOTS];
} __attribute__((packed));
struct Info
{
bool valid;
bool rekeying;
bool extending_vbd;
bool extending_ft;
} __attribute__((packed));
}
inline char const *to_string(Cbe::Request::Operation op)
{
struct Unknown_operation_type : Genode::Exception { };
switch (op) {
case Cbe::Request::Operation::INVALID: return "invalid";
case Cbe::Request::Operation::READ: return "read";
case Cbe::Request::Operation::WRITE: return "write";
case Cbe::Request::Operation::SYNC: return "sync";
case Cbe::Request::Operation::CREATE_SNAPSHOT: return "create_snapshot";
case Cbe::Request::Operation::DISCARD_SNAPSHOT: return "discard_snapshot";
case Cbe::Request::Operation::REKEY: return "rekey";
case Cbe::Request::Operation::EXTEND_VBD: return "extend_vbd";
case Cbe::Request::Operation::EXTEND_FT: return "extend_ft";
case Cbe::Request::Operation::RESUME_REKEYING: return "resume_rekeying";
case Cbe::Request::Operation::DEINITIALIZE: return "deinitialize";
case Cbe::Request::Operation::INITIALIZE: return "initialize";
}
throw Unknown_operation_type();
}
inline char const *to_string(Cbe::Trust_anchor_request::Operation op)
{
struct Unknown_operation_type : Genode::Exception { };
switch (op) {
case Cbe::Trust_anchor_request::Operation::INVALID: return "invalid";
case Cbe::Trust_anchor_request::Operation::CREATE_KEY: return "create_key";
case Cbe::Trust_anchor_request::Operation::INITIALIZE: return "initialize";
case Cbe::Trust_anchor_request::Operation::SECURE_SUPERBLOCK: return "secure_superblock";
case Cbe::Trust_anchor_request::Operation::ENCRYPT_KEY: return "encrypt_key";
case Cbe::Trust_anchor_request::Operation::DECRYPT_KEY: return "decrypt_key";
case Cbe::Trust_anchor_request::Operation::LAST_SB_HASH: return "last_sb_hash";
}
throw Unknown_operation_type();
}
inline void Cbe::Request::print(Genode::Output &out) const
{
if (!valid()) {
Genode::print(out, "<invalid>");
return;
}
Genode::print(out, "op=", to_string (_operation));
Genode::print(out, " vba=", _block_number);
Genode::print(out, " cnt=", _count);
Genode::print(out, " tag=", _tag);
Genode::print(out, " key=", _key_id);
Genode::print(out, " off=", _offset);
Genode::print(out, " succ=", _success);
}
inline void Cbe::Trust_anchor_request::print(Genode::Output &out) const
{
if (!valid()) {
Genode::print(out, "<invalid>");
return;
}
Genode::print(out, "op=", to_string (_operation));
Genode::print(out, " tag=", _tag);
Genode::print(out, " succ=", _success);
}
#endif /* _CBE_TYPES_H_ */

View File

@ -1,728 +0,0 @@
/*
* \brief Integration of the Consistent Block Encrypter (CBE)
* \author Martin Stein
* \author Josef Soentgen
* \date 2020-11-10
*/
/*
* Copyright (C) 2020 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU Affero General Public License version 3.
*/
#ifndef _CBE__VFS__TRUST_ANCHOR_VFS_H_
#define _CBE__VFS__TRUST_ANCHOR_VFS_H_
/* local includes */
#include <cbe/vfs/io_job.h>
namespace Util {
using namespace Genode;
struct Trust_anchor_vfs;
}; /* namespace Util */
struct Util::Trust_anchor_vfs
{
struct Invalid_request : Genode::Exception { };
using Path = Genode::Path<256>;
Vfs::File_system &_vfs;
Allocator &_alloc;
struct File
{
struct Could_not_open_file : Genode::Exception { };
struct Io_job_already_constructed : Genode::Exception { };
struct Cannot_drop_unconstructed_io_job : Genode::Exception { };
struct Completed_io_job
{
bool completed;
bool success;
};
File(File const &) = delete;
File &operator=(File const&) = delete;
Vfs::File_system &_vfs;
Vfs::Vfs_handle *_vfs_handle;
Genode::Constructible<Util::Io_job> _io_job { };
File(Path const &base_path,
char const *name,
Vfs::File_system &vfs,
Genode::Allocator &alloc)
:
_vfs { vfs },
_vfs_handle { nullptr }
{
using Result = Vfs::Directory_service::Open_result;
Path file_path = base_path;
file_path.append_element(name);
Result const res =
_vfs.open(file_path.string(),
Vfs::Directory_service::OPEN_MODE_RDWR,
(Vfs::Vfs_handle **)&_vfs_handle, alloc);
if (res != Result::OPEN_OK) {
error("could not open '", file_path.string(), "'");
throw Could_not_open_file();
}
}
~File()
{
_vfs.close(_vfs_handle);
}
bool submit_io_job(Util::Io_job::Buffer &buffer,
Util::Io_job::Operation op)
{
if (_io_job.constructed()) {
// throw Io_job_already_constructed();
return false;
}
_io_job.construct(*_vfs_handle, op, buffer, 0);
return true;
}
bool execute_io_job()
{
if (!_io_job.constructed()) {
return false;
}
return _io_job->execute();
}
void drop_io_job()
{
if (!_io_job.constructed()) {
throw Cannot_drop_unconstructed_io_job();
}
_io_job.destruct();
}
Completed_io_job completed_io_job()
{
if (!_io_job.constructed()) {
return { false, false };
}
return { _io_job->completed(), _io_job->succeeded() };
}
};
Path const _ta_dir;
Util::Io_job::Buffer _init_io_buffer { };
Util::Io_job::Buffer _encrypt_io_buffer { };
Util::Io_job::Buffer _decrypt_io_buffer { };
Util::Io_job::Buffer _generate_key_io_buffer { };
Util::Io_job::Buffer _last_hash_io_buffer { };
File _init_file { _ta_dir, "initialize", _vfs, _alloc };
File _encrypt_file { _ta_dir, "encrypt", _vfs, _alloc };
File _decrypt_file { _ta_dir, "decrypt", _vfs, _alloc };
File _generate_key_file { _ta_dir, "generate_key", _vfs, _alloc };
File _last_hash_file { _ta_dir, "hashsum", _vfs, _alloc };
struct Job
{
enum class Type {
NONE,
DECRYPT_WRITE,
DECRYPT_READ,
ENCRYPT_WRITE,
ENCRYPT_READ,
GENERATE,
INIT_WRITE,
INIT_READ,
HASH_READ,
HASH_UPDATE_WRITE,
HASH_UPDATE_READ,
};
Type type { Type::NONE };
static char const *to_string(Type const type)
{
switch (type) {
case Type::NONE: return "NONE";
case Type::DECRYPT_WRITE: return "DECRYPT_WRITE";
case Type::DECRYPT_READ: return "DECRYPT_READ";
case Type::ENCRYPT_WRITE: return "ENCRYPT_WRITE";
case Type::ENCRYPT_READ: return "ENCRYPT_READ";
case Type::GENERATE: return "GENERATE";
case Type::INIT_WRITE: return "INIT_WRITE";
case Type::INIT_READ: return "INIT_READ";
case Type::HASH_READ: return "HASH_READ";
case Type::HASH_UPDATE_WRITE: return "HASH_UPDATE_WRITE";
case Type::HASH_UPDATE_READ: return "HASH_UPDATE_READ";
}
return nullptr;
}
enum class State {
NONE,
PENDING,
IN_PROGRESS,
COMPLETE
};
State state { State::NONE };
static char const *to_string(State const state)
{
switch (state) {
case State::NONE: return "NONE";
case State::PENDING: return "PENDING";
case State::IN_PROGRESS: return "IN_PROGRESS";
case State::COMPLETE: return "COMPLETE";
}
return nullptr;
}
Cbe::Hash hash;
Cbe::Key_plaintext_value plain;
Cbe::Key_ciphertext_value cipher;
Cbe::Trust_anchor_request request { };
bool success { false };
void reset()
{
type = Type::NONE;
state = State::NONE;
request = Cbe::Trust_anchor_request();
}
bool valid() const { return state != State::NONE; }
bool completed() const { return state == State::COMPLETE; }
bool equals(Cbe::Trust_anchor_request const &other) const
{
return request.operation() == other.operation()
&& request.tag() == other.tag();
}
void print(Genode::Output &out) const
{
if (!valid()) {
Genode::print(out, "<invalid>");
return;
}
Genode::print(out, "type: ", to_string(type));
Genode::print(out, " state: ", to_string(state));
Genode::print(out, " request: ", request);
}
};
Job _job { };
bool _execute_decrypt(Job &job, bool write)
{
bool progress = false;
File::Completed_io_job completed_io_job { false, false };
switch (job.state) {
case Job::State::PENDING:
{
using Op = Util::Io_job::Operation;
Op const op = write ? Op::WRITE : Op::READ;
if (!_decrypt_file.submit_io_job(_decrypt_io_buffer, op)) {
break;
}
job.state = Job::State::IN_PROGRESS;
progress |= true;
}
[[fallthrough]];
case Job::State::IN_PROGRESS:
if (!_decrypt_file.execute_io_job()) {
break;
}
progress |= true;
completed_io_job = _decrypt_file.completed_io_job();
if (!completed_io_job.completed) {
break;
}
_decrypt_file.drop_io_job();
/* setup second phase */
if (write) {
/*
* In case the write request was not successful it
* is not needed to try to read the result.
*/
if (!completed_io_job.success) {
job.state = Job::State::COMPLETE;
job.request.success(false);
break;
}
_decrypt_io_buffer = {
.base = _job.plain.value,
.size = sizeof (_job.plain)
};
job.type = Job::Type::DECRYPT_READ;
job.state = Job::State::PENDING;
break;
}
job.state = Job::State::COMPLETE;
job.success = completed_io_job.success;
job.request.success(job.success);
[[fallthrough]];
case Job::State::COMPLETE: break;
case Job::State::NONE: break;
}
return progress;
}
bool _execute_encrypt(Job &job, bool write)
{
bool progress = false;
File::Completed_io_job completed_io_job { false, false };
switch (job.state) {
case Job::State::PENDING:
{
using Op = Util::Io_job::Operation;
Op const op = write ? Op::WRITE : Op::READ;
if (!_encrypt_file.submit_io_job(_encrypt_io_buffer, op)) {
break;
}
job.state = Job::State::IN_PROGRESS;
progress |= true;
}
[[fallthrough]];
case Job::State::IN_PROGRESS:
if (!_encrypt_file.execute_io_job()) {
break;
}
progress |= true;
completed_io_job = _encrypt_file.completed_io_job();
if (!completed_io_job.completed) {
break;
}
_encrypt_file.drop_io_job();
/* setup second phase */
if (write) {
/*
* In case the write request was not successful it
* is not needed to try to read the result.
*/
if (!completed_io_job.success) {
job.state = Job::State::COMPLETE;
job.request.success(false);
break;
}
_encrypt_io_buffer = {
.base = _job.cipher.value,
.size = sizeof (_job.cipher)
};
job.type = Job::Type::ENCRYPT_READ;
job.state = Job::State::PENDING;
break;
}
job.state = Job::State::COMPLETE;
job.success = completed_io_job.success;
job.request.success(job.success);
[[fallthrough]];
case Job::State::COMPLETE: break;
case Job::State::NONE: break;
}
return progress;
}
bool _execute_generate(Job &job)
{
bool progress = false;
File::Completed_io_job completed_io_job { false, false };
switch (job.state) {
case Job::State::PENDING:
if (!_generate_key_file.submit_io_job(_generate_key_io_buffer,
Util::Io_job::Operation::READ)) {
break;
}
job.state = Job::State::IN_PROGRESS;
progress |= true;
[[fallthrough]];
case Job::State::IN_PROGRESS:
if (!_generate_key_file.execute_io_job()) {
break;
}
progress |= true;
completed_io_job = _generate_key_file.completed_io_job();
if (!completed_io_job.completed) {
break;
}
_generate_key_file.drop_io_job();
job.state = Job::State::COMPLETE;
job.success = completed_io_job.success;
job.request.success(job.success);
[[fallthrough]];
case Job::State::COMPLETE: break;
case Job::State::NONE: break;
}
return progress;
}
bool _execute_init(Job &job, bool write)
{
bool progress = false;
File::Completed_io_job completed_io_job { false, false };
switch (job.state) {
case Job::State::PENDING:
{
using Op = Util::Io_job::Operation;
Op const op = write ? Op::WRITE : Op::READ;
if (!_init_file.submit_io_job(_init_io_buffer, op)) {
break;
}
job.state = Job::State::IN_PROGRESS;
progress |= true;
}
[[fallthrough]];
case Job::State::IN_PROGRESS:
if (!_init_file.execute_io_job()) {
break;
}
progress |= true;
completed_io_job = _init_file.completed_io_job();
if (!completed_io_job.completed) {
break;
}
_init_file.drop_io_job();
/* setup second phase */
if (write) {
/*
* In case the write request was not successful it
* is not needed to try to read the result.
*/
if (!completed_io_job.success) {
job.state = Job::State::COMPLETE;
job.request.success(false);
break;
}
_init_io_buffer = {
.base = _job.cipher.value,
.size = sizeof (_job.cipher)
};
job.type = Job::Type::INIT_READ;
job.state = Job::State::PENDING;
break;
}
job.state = Job::State::COMPLETE;
job.success = completed_io_job.success;
job.request.success(job.success);
[[fallthrough]];
case Job::State::COMPLETE: break;
case Job::State::NONE: break;
}
return progress;
}
bool _execute_read_hash(Job &job)
{
bool progress = false;
File::Completed_io_job completed_io_job { false, false };
switch (job.state) {
case Job::State::PENDING:
if (!_last_hash_file.submit_io_job(_last_hash_io_buffer,
Util::Io_job::Operation::READ)) {
break;
}
job.state = Job::State::IN_PROGRESS;
progress |= true;
[[fallthrough]];
case Job::State::IN_PROGRESS:
if (!_last_hash_file.execute_io_job()) {
break;
}
progress |= true;
completed_io_job = _last_hash_file.completed_io_job();
if (!completed_io_job.completed) {
break;
}
_last_hash_file.drop_io_job();
job.state = Job::State::COMPLETE;
job.success = completed_io_job.success;
job.request.success(job.success);
[[fallthrough]];
case Job::State::COMPLETE: break;
case Job::State::NONE: break;
}
return progress;
}
bool _execute_update_hash(Job &job, bool write)
{
bool progress = false;
File::Completed_io_job completed_io_job { false, false };
switch (job.state) {
case Job::State::PENDING:
{
using Op = Util::Io_job::Operation;
Op const op = write ? Op::WRITE : Op::READ;
if (!_last_hash_file.submit_io_job(_last_hash_io_buffer, op)) {
break;
}
job.state = Job::State::IN_PROGRESS;
progress |= true;
}
[[fallthrough]];
case Job::State::IN_PROGRESS:
if (!_last_hash_file.execute_io_job()) {
break;
}
progress |= true;
completed_io_job = _last_hash_file.completed_io_job();
if (!completed_io_job.completed) {
break;
}
_last_hash_file.drop_io_job();
/* setup second phase */
if (write) {
/*
* In case the write request was not successful it
* is not needed to try to read the result.
*/
if (!completed_io_job.success) {
job.state = Job::State::COMPLETE;
job.request.success(false);
break;
}
_last_hash_io_buffer = {
.base = _job.hash.values,
.size = sizeof (_job.hash)
};
job.type = Job::Type::HASH_UPDATE_READ;
job.state = Job::State::PENDING;
break;
}
job.state = Job::State::COMPLETE;
job.success = completed_io_job.success;
job.request.success(job.success);
[[fallthrough]];
case Job::State::COMPLETE: break;
case Job::State::NONE: break;
}
return progress;
}
Trust_anchor_vfs(Vfs::File_system &vfs,
Genode::Allocator &alloc,
Path const &path)
:
_vfs(vfs), _alloc(alloc), _ta_dir(path)
{ }
bool request_acceptable() const
{
return !_job.valid();
}
void submit_create_key_request(Cbe::Trust_anchor_request const &request)
{
_job = {
.type = Job::Type::GENERATE,
.state = Job::State::PENDING,
.hash = Cbe::Hash(),
.plain = Cbe::Key_plaintext_value(),
.cipher = Cbe::Key_ciphertext_value(),
.request = request,
.success = false,
};
_generate_key_io_buffer = {
.base = _job.plain.value,
.size = sizeof (_job.plain)
};
}
void submit_superblock_hash_request(Cbe::Trust_anchor_request const &request)
{
_job = {
.type = Job::Type::HASH_READ,
.state = Job::State::PENDING,
.hash = Cbe::Hash(),
.plain = Cbe::Key_plaintext_value(),
.cipher = Cbe::Key_ciphertext_value(),
.request = request,
.success = false,
};
_last_hash_io_buffer = {
.base = _job.hash.values,
.size = sizeof (_job.hash)
};
}
void submit_secure_superblock_request(Cbe::Trust_anchor_request const &request,
Cbe::Hash const &hash)
{
_job = {
.type = Job::Type::HASH_UPDATE_WRITE,
.state = Job::State::PENDING,
.hash = hash,
.plain = Cbe::Key_plaintext_value(),
.cipher = Cbe::Key_ciphertext_value(),
.request = request,
.success = false,
};
_last_hash_io_buffer = {
.base = _job.hash.values,
.size = sizeof (_job.hash)
};
}
void submit_encrypt_key_request(Cbe::Trust_anchor_request const &request,
Cbe::Key_plaintext_value const &plain)
{
_job = {
.type = Job::Type::ENCRYPT_WRITE,
.state = Job::State::PENDING,
.hash = Cbe::Hash(),
.plain = plain,
.cipher = Cbe::Key_ciphertext_value(),
.request = request,
.success = false,
};
_encrypt_io_buffer = {
.base = _job.plain.value,
.size = sizeof (_job.plain)
};
}
void submit_decrypt_key_request(Cbe::Trust_anchor_request const &request,
Cbe::Key_ciphertext_value const &cipher)
{
_job = {
.type = Job::Type::DECRYPT_WRITE,
.state = Job::State::PENDING,
.hash = Cbe::Hash(),
.plain = Cbe::Key_plaintext_value(),
.cipher = cipher,
.request = request,
.success = false,
};
_decrypt_io_buffer = {
.base = _job.cipher.value,
.size = sizeof (_job.cipher)
};
}
Cbe::Trust_anchor_request peek_completed_request()
{
return _job.completed() ? _job.request : Cbe::Trust_anchor_request();
}
void drop_completed_request(Cbe::Trust_anchor_request const &request)
{
if (!_job.equals(request)) {
throw Invalid_request();
}
_job.reset();
}
Cbe::Hash peek_completed_superblock_hash(Cbe::Trust_anchor_request const &request)
{
if (!_job.equals(request) || !_job.completed()) {
throw Invalid_request();
}
return _job.hash;
}
Cbe::Key_plaintext_value peek_completed_key_value_plaintext(Cbe::Trust_anchor_request const &request)
{
if (!_job.equals(request) || !_job.completed()) {
throw Invalid_request();
}
return _job.plain;
}
Cbe::Key_ciphertext_value peek_completed_key_value_ciphertext(Cbe::Trust_anchor_request const &request)
{
if (!_job.equals(request) || !_job.completed()) {
throw Invalid_request();
}
return _job.cipher;
}
bool execute()
{
bool progress = false;
switch (_job.type) {
case Job::Type::NONE: break;
case Job::Type::DECRYPT_WRITE: progress |= _execute_decrypt(_job, true); break;
case Job::Type::DECRYPT_READ: progress |= _execute_decrypt(_job, false); break;
case Job::Type::ENCRYPT_WRITE: progress |= _execute_encrypt(_job, true); break;
case Job::Type::ENCRYPT_READ: progress |= _execute_encrypt(_job, false); break;
case Job::Type::GENERATE: progress |= _execute_generate(_job); break;
case Job::Type::INIT_WRITE: progress |= _execute_init(_job, true); break;
case Job::Type::INIT_READ: progress |= _execute_init(_job, false); break;
case Job::Type::HASH_READ: progress |= _execute_read_hash(_job); break;
case Job::Type::HASH_UPDATE_WRITE: progress |= _execute_update_hash(_job, true); break;
case Job::Type::HASH_UPDATE_READ: progress |= _execute_update_hash(_job, false); break;
}
return progress;
}
};
#endif /* _CBE__VFS__TRUST_ANCHOR_VFS_H_ */

View File

@ -1,3 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
INC_DIR += $(CBE_DIR)/src/lib/cbe

View File

@ -1,2 +0,0 @@
INC_DIR += $(call select_from_repositories,src/lib/cbe_check)

View File

@ -1,3 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
INC_DIR += $(CBE_DIR)/src/lib/cbe_common

View File

@ -1,2 +0,0 @@
INC_DIR += $(call select_from_repositories,src/lib/cbe_dump)

View File

@ -1,2 +0,0 @@
INC_DIR += $(call select_from_repositories,src/lib/cbe_init)

View File

@ -1,3 +1,3 @@
CBE_DIR := $(call select_from_ports,cbe)
TRESOR_DIR := $(call select_from_ports,tresor)
INC_DIR += $(CBE_DIR)/src/lib/sha256_4k
INC_DIR += $(TRESOR_DIR)/src/lib/sha256_4k

View File

@ -0,0 +1 @@
INC_DIR += $(REP_DIR)/src/lib/tresor/include

View File

@ -1,12 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
SRC_ADB := sha256_4k.adb
LIBS += spark libsparkcrypto
CC_ADA_OPT += -gnatec=$(CBE_DIR)/src/lib/sha256_4k/spark.adc
INC_DIR += $(CBE_DIR)/src/lib/sha256_4k
sha256_4k.o : $(CBE_DIR)/src/lib/sha256_4k/sha256_4k.ads
vpath % $(CBE_DIR)/src/lib/sha256_4k

View File

@ -1,23 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark sha256_4k cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe
SRC_ADB += cbe-library.adb
SRC_ADB += cbe-request_pool.adb
SRC_ADB += cbe-crypto.adb
SRC_ADB += cbe-tree_helper.adb
SRC_ADB += cbe-translation.adb
SRC_ADB += cbe-cache.adb
SRC_ADB += cbe-new_free_tree.adb
SRC_ADB += cbe-ft_resizing.adb
SRC_ADB += cbe-mt_resizing.adb
SRC_ADB += cbe-meta_tree.adb
SRC_ADB += cbe-generic_index_queue.adb
SRC_ADB += cbe-superblock_control.adb
SRC_ADB += cbe-vbd_rekeying.adb
vpath % $(CBE_DIR)/src/lib/cbe
CC_ADA_OPT += -gnatec=$(CBE_DIR)/src/lib/cbe/pragmas.adc

View File

@ -1,14 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark sha256_4k cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_check
SRC_ADB += cbe-check_library.adb
SRC_ADB += cbe-superblock_check.adb
SRC_ADB += cbe-vbd_check.adb
SRC_ADB += cbe-free_tree_check.adb
vpath % $(CBE_DIR)/src/lib/cbe_check
CC_ADA_OPT += -gnatec=$(CBE_DIR)/src/lib/cbe_check/pragmas.adc

View File

@ -1,17 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark libsparkcrypto sha256_4k cbe_common cbe_cxx_common
LIBS += cbe_check
INC_DIR += $(CBE_DIR)/src/lib/cbe_check
INC_DIR += $(CBE_DIR)/src/lib/cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_check_cxx
INC_DIR += $(CBE_DIR)/src/lib/cbe_cxx_common
SRC_ADB += cbe-cxx-cxx_check_library.adb
vpath % $(CBE_DIR)/src/lib/cbe_check_cxx
SHARED_LIB := yes
include $(REP_DIR)/lib/mk/generate_ada_main_pkg.inc

View File

@ -1,17 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark sha256_4k
INC_DIR += $(CBE_DIR)/src/lib/cbe_common
SRC_ADB += cbe.adb
SRC_ADB += cbe-debug.adb
SRC_ADB += cbe-request.adb
SRC_ADB += cbe-primitive.adb
SRC_ADB += cbe-block_io.adb
SRC_ADB += cbe-ta_request.adb
SRC_ADB += cbe-trust_anchor.adb
vpath % $(CBE_DIR)/src/lib/cbe_common
CC_ADA_OPT += -gnatec=$(CBE_DIR)/src/lib/cbe_common/pragmas.adc

View File

@ -1,16 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark libsparkcrypto sha256_4k cbe cbe_common cbe_cxx_common
INC_DIR += $(CBE_DIR)/src/lib/cbe
INC_DIR += $(CBE_DIR)/src/lib/cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_cxx
INC_DIR += $(CBE_DIR)/src/lib/cbe_cxx_common
SRC_ADB += cbe-cxx-cxx_library.adb
vpath % $(CBE_DIR)/src/lib/cbe_cxx
SHARED_LIB := yes
include $(REP_DIR)/lib/mk/generate_ada_main_pkg.inc

View File

@ -1,12 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_cxx_common
SRC_ADB += cbe-cxx.adb
SRC_CC += print_cstring.cc
vpath % $(CBE_DIR)/src/lib/cbe_cxx_common

View File

@ -1,14 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark sha256_4k cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_dump
SRC_ADB += cbe-dump_library.adb
SRC_ADB += cbe-superblock_dump.adb
SRC_ADB += cbe-vbd_dump.adb
SRC_ADB += cbe-free_tree_dump.adb
vpath % $(CBE_DIR)/src/lib/cbe_dump
CC_ADA_OPT += -gnatec=$(CBE_DIR)/src/lib/cbe_dump/pragmas.adc

View File

@ -1,17 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark libsparkcrypto sha256_4k cbe_common cbe_cxx_common
LIBS += cbe_dump
INC_DIR += $(CBE_DIR)/src/lib/cbe_dump
INC_DIR += $(CBE_DIR)/src/lib/cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_dump_cxx
INC_DIR += $(CBE_DIR)/src/lib/cbe_cxx_common
SRC_ADB += cbe-cxx-cxx_dump_library.adb
vpath % $(CBE_DIR)/src/lib/cbe_dump_cxx
SHARED_LIB := yes
include $(REP_DIR)/lib/mk/generate_ada_main_pkg.inc

View File

@ -1,15 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark sha256_4k cbe_common cbe_cxx_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_init
SRC_ADB += cbe-init_library.adb
SRC_ADB += cbe-block_allocator.adb
SRC_ADB += cbe-superblock_initializer.adb
SRC_ADB += cbe-vbd_initializer.adb
SRC_ADB += cbe-free_tree_initializer.adb
vpath % $(CBE_DIR)/src/lib/cbe_init
CC_ADA_OPT += -gnatec=$(CBE_DIR)/src/lib/cbe_init/pragmas.adc

View File

@ -1,17 +0,0 @@
CBE_DIR := $(call select_from_ports,cbe)
LIBS += spark libsparkcrypto sha256_4k cbe_common cbe_cxx_common
LIBS += cbe_init
INC_DIR += $(CBE_DIR)/src/lib/cbe_init
INC_DIR += $(CBE_DIR)/src/lib/cbe_common
INC_DIR += $(CBE_DIR)/src/lib/cbe_init_cxx
INC_DIR += $(CBE_DIR)/src/lib/cbe_cxx_common
SRC_ADB += cbe-cxx-cxx_init_library.adb
vpath % $(CBE_DIR)/src/lib/cbe_init_cxx
SHARED_LIB := yes
include $(REP_DIR)/lib/mk/generate_ada_main_pkg.inc

View File

@ -1,11 +0,0 @@
SRC_CC = vfs.cc
INC_DIR += $(REP_DIR)/src/lib/vfs/cbe
LIBS += cbe_cxx
vpath % $(REP_DIR)/src/lib/vfs/cbe
SHARED_LIB := yes
CC_CXX_WARN_STRICT :=

View File

@ -1,9 +0,0 @@
SRC_CC := vfs.cc
SRC_CC += aes_cbc.cc
LIBS += aes_cbc_4k
vpath vfs.cc $(REP_DIR)/src/lib/vfs/cbe_crypto/
vpath % $(REP_DIR)/src/lib/vfs/cbe_crypto/aes_cbc
SHARED_LIB = yes

View File

@ -1,9 +0,0 @@
SRC_CC := vfs.cc
SRC_CC += memcopy.cc
vpath vfs.cc $(REP_DIR)/src/lib/vfs/cbe_crypto/
vpath %.cc $(REP_DIR)/src/lib/vfs/cbe_crypto/memcopy
SHARED_LIB = yes
CC_CXX_WARN_STRICT_CONVERSION =

View File

@ -0,0 +1,28 @@
TRESOR_DIR := $(REP_DIR)/src/lib/tresor
SRC_CC += crypto.cc
SRC_CC += request_pool.cc
SRC_CC += sha256_4k_hash.cc
SRC_CC += trust_anchor.cc
SRC_CC += block_io.cc
SRC_CC += meta_tree.cc
SRC_CC += virtual_block_device.cc
SRC_CC += superblock_control.cc
SRC_CC += free_tree.cc
SRC_CC += module.cc
SRC_CC += block_allocator.cc
SRC_CC += vbd_initializer.cc
SRC_CC += ft_initializer.cc
SRC_CC += sb_initializer.cc
SRC_CC += vfs_utilities.cc
SRC_CC += ft_resizing.cc
SRC_CC += sb_check.cc
SRC_CC += vbd_check.cc
SRC_CC += ft_check.cc
vpath % $(TRESOR_DIR)
INC_DIR += $(TRESOR_DIR)/include
LIBS += libcrypto
LIBS += vfs

View File

@ -0,0 +1,11 @@
LIB_DIR := $(REP_DIR)/src/lib/vfs/tresor
SRC_CC := vfs.cc
INC_DIR += $(LIB_DIR)
vpath % $(LIB_DIR)
LIBS += tresor
SHARED_LIB := yes

View File

@ -0,0 +1,11 @@
SRC_CC := vfs.cc
SRC_CC += aes_cbc.cc
INC_DIR += $(REP_DIR)/src/lib/tresor/include
LIBS += aes_cbc_4k
vpath vfs.cc $(REP_DIR)/src/lib/vfs/tresor_crypto/
vpath % $(REP_DIR)/src/lib/vfs/tresor_crypto/aes_cbc
SHARED_LIB = yes

View File

@ -0,0 +1,9 @@
SRC_CC := vfs.cc
SRC_CC += memcopy.cc
INC_DIR += $(REP_DIR)/src/lib/tresor/include
vpath vfs.cc $(REP_DIR)/src/lib/vfs/tresor_crypto/
vpath %.cc $(REP_DIR)/src/lib/vfs/tresor_crypto/memcopy
SHARED_LIB = yes

View File

@ -4,11 +4,12 @@ SRC_CC += vfs.cc
SRC_CC += aes_256.cc
SRC_CC += integer.cc
INC_DIR += $(REP_DIR)/src/lib/vfs/cbe_trust_anchor
INC_DIR += $(REP_DIR)/src/lib/vfs/tresor_trust_anchor
INC_DIR += $(REP_DIR)/src/lib/tresor/include
INC_DIR += $(OPENSSL_DIR)/include
LIBS += libcrypto
vpath % $(REP_DIR)/src/lib/vfs/cbe_trust_anchor
vpath % $(REP_DIR)/src/lib/vfs/tresor_trust_anchor
SHARED_LIB := yes

View File

@ -1,14 +0,0 @@
_ZN9Cbe_check11object_sizeERKNS_7LibraryE T
_ZN9Cbe_check7Library20io_request_completedERKN3Cbe9Io_buffer5IndexEb T
_ZN9Cbe_check7Library21submit_client_requestERKN3Cbe7RequestE T
_ZN9Cbe_check7Library22io_request_in_progressERKN3Cbe9Io_buffer5IndexE T
_ZN9Cbe_check7Library29drop_completed_client_requestERKN3Cbe7RequestE T
_ZN9Cbe_check7Library7executeERKN3Cbe9Io_bufferE T
_ZN9Cbe_check7LibraryC1Ev T
_ZN9Sha256_4k4hashERKNS_4DataERNS_4HashE T
_ZNK9Cbe_check7Library14has_io_requestERN3Cbe7RequestERNS1_9Io_buffer5IndexE T
_ZNK9Cbe_check7Library16execute_progressEv T
_ZNK9Cbe_check7Library25client_request_acceptableEv T
_ZNK9Cbe_check7Library29peek_completed_client_requestEv T
cbe_check_cxx_final T
cbe_check_cxx_init T

View File

@ -1,44 +0,0 @@
_ZN3Cbe11object_sizeERKNS_7LibraryE T
_ZN3Cbe7Library20io_request_completedERKNS_9Io_buffer5IndexEb T
_ZN3Cbe7Library21submit_client_requestERKNS_7RequestEj T
_ZN3Cbe7Library22io_request_in_progressERKNS_9Io_buffer5IndexE T
_ZN3Cbe7Library24crypto_add_key_completedERKNS_7RequestE T
_ZN3Cbe7Library24crypto_add_key_requestedERKNS_7RequestE T
_ZN3Cbe7Library24supply_crypto_plain_dataERKNS_19Crypto_plain_buffer5IndexEb T
_ZN3Cbe7Library25drop_generated_ta_requestERKNS_20Trust_anchor_requestE T
_ZN3Cbe7Library25supply_crypto_cipher_dataERKNS_20Crypto_cipher_buffer5IndexEb T
_ZN3Cbe7Library27crypto_plain_data_requestedERKNS_20Crypto_cipher_buffer5IndexE T
_ZN3Cbe7Library27crypto_remove_key_completedERKNS_7RequestE T
_ZN3Cbe7Library27crypto_remove_key_requestedERKNS_7RequestE T
_ZN3Cbe7Library28crypto_cipher_data_requestedERKNS_19Crypto_plain_buffer5IndexE T
_ZN3Cbe7Library29drop_completed_client_requestERKNS_7RequestE T
_ZN3Cbe7Library35client_transfer_read_data_completedERKNS_19Crypto_plain_buffer5IndexEb T
_ZN3Cbe7Library36client_transfer_write_data_completedERKNS_19Crypto_plain_buffer5IndexEb T
_ZN3Cbe7Library37client_transfer_read_data_in_progressERKNS_19Crypto_plain_buffer5IndexE T
_ZN3Cbe7Library38client_transfer_write_data_in_progressERKNS_19Crypto_plain_buffer5IndexE T
_ZN3Cbe7Library44mark_generated_ta_secure_sb_request_completeERKNS_20Trust_anchor_requestE T
_ZN3Cbe7Library45mark_generated_ta_create_key_request_completeERKNS_20Trust_anchor_requestERKNS_19Key_plaintext_valueE T
_ZN3Cbe7Library46mark_generated_ta_decrypt_key_request_completeERKNS_20Trust_anchor_requestERKNS_19Key_plaintext_valueE T
_ZN3Cbe7Library46mark_generated_ta_encrypt_key_request_completeERKNS_20Trust_anchor_requestERKNS_20Key_ciphertext_valueE T
_ZN3Cbe7Library47mark_generated_ta_last_sb_hash_request_completeERKNS_20Trust_anchor_requestERKNS_4HashE T
_ZN3Cbe7Library7executeERNS_9Io_bufferERNS_19Crypto_plain_bufferERNS_20Crypto_cipher_bufferE T
_ZN3Cbe7LibraryC2Ev T
_ZNK3Cbe7Library15_has_io_requestERNS_7RequestERNS_9Io_buffer5IndexE T
_ZNK3Cbe7Library16execute_progressEv T
_ZNK3Cbe7Library19active_snapshot_idsERNS_19Active_snapshot_idsE T
_ZNK3Cbe7Library24_crypto_add_key_requiredERNS_7RequestERNS_3KeyE T
_ZNK3Cbe7Library25client_request_acceptableEv T
_ZNK3Cbe7Library26_peek_generated_ta_requestERNS_20Trust_anchor_requestE T
_ZNK3Cbe7Library26_peek_generated_ta_sb_hashERKNS_20Trust_anchor_requestERNS_4HashE T
_ZNK3Cbe7Library27_crypto_plain_data_requiredERNS_7RequestERNS_20Crypto_cipher_buffer5IndexE T
_ZNK3Cbe7Library27_crypto_remove_key_requiredERNS_7RequestERNS_3Key2IdE T
_ZNK3Cbe7Library28_crypto_cipher_data_requiredERNS_7RequestERNS_19Crypto_plain_buffer5IndexE T
_ZNK3Cbe7Library29peek_completed_client_requestEv T
_ZNK3Cbe7Library34client_transfer_read_data_requiredERNS_7RequestERyRNS_19Crypto_plain_buffer5IndexE T
_ZNK3Cbe7Library35client_transfer_write_data_requiredERNS_7RequestERyRNS_19Crypto_plain_buffer5IndexE T
_ZNK3Cbe7Library38_peek_generated_ta_key_value_plaintextERKNS_20Trust_anchor_requestERNS_19Key_plaintext_valueE T
_ZNK3Cbe7Library39_peek_generated_ta_key_value_ciphertextERKNS_20Trust_anchor_requestERNS_20Key_ciphertext_valueE T
_ZNK3Cbe7Library5_infoERNS_4InfoE T
_ZNK3Cbe7Library7max_vbaEv T
cbe_cxx_final T
cbe_cxx_init T

View File

@ -1,14 +0,0 @@
_ZN8Cbe_dump11object_sizeERKNS_7LibraryE T
_ZN8Cbe_dump7Library20io_request_completedERKN3Cbe9Io_buffer5IndexEb T
_ZN8Cbe_dump7Library21submit_client_requestERKN3Cbe7RequestERKNS_13ConfigurationE T
_ZN8Cbe_dump7Library22io_request_in_progressERKN3Cbe9Io_buffer5IndexE T
_ZN8Cbe_dump7Library29drop_completed_client_requestERKN3Cbe7RequestE T
_ZN8Cbe_dump7Library7executeERKN3Cbe9Io_bufferE T
_ZN8Cbe_dump7LibraryC1Ev T
_ZN9Sha256_4k4hashERKNS_4DataERNS_4HashE T
_ZNK8Cbe_dump7Library14has_io_requestERN3Cbe7RequestERNS1_9Io_buffer5IndexE T
_ZNK8Cbe_dump7Library16execute_progressEv T
_ZNK8Cbe_dump7Library25client_request_acceptableEv T
_ZNK8Cbe_dump7Library29peek_completed_client_requestEv T
cbe_dump_cxx_final T
cbe_dump_cxx_init T

View File

@ -1,25 +0,0 @@
_ZN10Aes_cbc_4k7decryptERKNS_3KeyENS_12Block_numberERKNS_10CiphertextERNS_9PlaintextE T
_ZN10Aes_cbc_4k7encryptERKNS_3KeyENS_12Block_numberERKNS_9PlaintextERNS_10CiphertextE T
_ZN8Cbe_init11object_sizeERKNS_7LibraryE T
_ZN8Cbe_init7Library20io_request_completedERKN3Cbe9Io_buffer5IndexEb T
_ZN8Cbe_init7Library21submit_client_requestERKN3Cbe7RequestEyyyyyy T
_ZN8Cbe_init7Library22io_request_in_progressERKN3Cbe9Io_buffer5IndexE T
_ZN8Cbe_init7Library25drop_generated_ta_requestERKN3Cbe20Trust_anchor_requestE T
_ZN8Cbe_init7Library29drop_completed_client_requestERKN3Cbe7RequestE T
_ZN8Cbe_init7Library44mark_generated_ta_secure_sb_request_completeERKN3Cbe20Trust_anchor_requestE T
_ZN8Cbe_init7Library45mark_generated_ta_create_key_request_completeERKN3Cbe20Trust_anchor_requestERKNS1_19Key_plaintext_valueE T
_ZN8Cbe_init7Library46mark_generated_ta_decrypt_key_request_completeERKN3Cbe20Trust_anchor_requestERKNS1_19Key_plaintext_valueE T
_ZN8Cbe_init7Library46mark_generated_ta_encrypt_key_request_completeERKN3Cbe20Trust_anchor_requestERKNS1_20Key_ciphertext_valueE T
_ZN8Cbe_init7Library7executeERN3Cbe9Io_bufferE T
_ZN8Cbe_init7LibraryC1Ev T
_ZN9Sha256_4k4hashERKNS_4DataERNS_4HashE T
_ZNK8Cbe_init7Library14has_io_requestERN3Cbe7RequestERNS1_9Io_buffer5IndexE T
_ZNK8Cbe_init7Library16execute_progressEv T
_ZNK8Cbe_init7Library25client_request_acceptableEv T
_ZNK8Cbe_init7Library26_peek_generated_ta_requestERN3Cbe20Trust_anchor_requestE T
_ZNK8Cbe_init7Library26_peek_generated_ta_sb_hashERKN3Cbe20Trust_anchor_requestERNS1_4HashE T
_ZNK8Cbe_init7Library29peek_completed_client_requestEv T
_ZNK8Cbe_init7Library38_peek_generated_ta_key_value_plaintextERKN3Cbe20Trust_anchor_requestERNS1_19Key_plaintext_valueE T
_ZNK8Cbe_init7Library39_peek_generated_ta_key_value_ciphertextERKN3Cbe20Trust_anchor_requestERNS1_20Key_ciphertext_valueE T
cbe_init_cxx_final T
cbe_init_cxx_init T

View File

@ -1 +0,0 @@
56ab06c33f61345797baa22c8720e45212b4cb2c

View File

@ -1,12 +0,0 @@
LICENSE := AGPLv3
VERSION := git
DOWNLOADS := cbe.git
URL(cbe) := https://github.com/m-stein/cbe.git
DIR(cbe) := cbe
REV(cbe) := 805b0942fb0b34464354e59366ed23b412da2126
default: symlinks
symlinks: $(DOWNLOADS)
ln -s cbe/src src

View File

@ -1,5 +1,6 @@
MIRROR_FROM_REP_DIR := \
include/cbe/types.h
src/lib/tresor/include \
lib/import/import-tresor.mk
content: $(MIRROR_FROM_REP_DIR) LICENSE

View File

@ -2,9 +2,7 @@ aes_cbc_4k
base
block_session
libc
libsparkcrypto
openssl
os
so
spark
vfs

View File

@ -1 +0,0 @@
Runtime for deploying cbe_check component from the depot.

View File

@ -1,6 +0,0 @@
_/src/cbe
_/src/libsparkcrypto
_/src/spark
_/src/init
_/src/vfs
_/src/vfs_block

View File

@ -1 +0,0 @@
2023-04-27 9877b3a22e52463bfbbe9758642759532503e89f

View File

@ -1,63 +0,0 @@
<runtime ram="10M" caps="250" binary="init" config="init.config">
<requires>
<file_system label="cbe_fs"/>
</requires>
<content>
<rom label="cbe_check"/>
<rom label="init"/>
<rom label="init.config"/>
<rom label="ld.lib.so"/>
<rom label="cbe_check_cxx.lib.so"/>
<rom label="libsparkcrypto.lib.so"/>
<rom label="spark.lib.so"/>
<rom label="vfs.lib.so"/>
<rom label="vfs_block"/>
</content>
<config verbose="yes">
<parent-provides>
<service name="ROM"/>
<service name="PD"/>
<service name="RM"/>
<service name="CPU"/>
<service name="LOG"/>
<service name="Timer"/>
<service name="File_system"/>
</parent-provides>
<default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
<default caps="100"/>
<start name="cbe_check">
<resource name="RAM" quantum="4M"/>
<exit propagate="yes"/>
<config/>
<route>
<service name="Block"> <child name="vfs_block"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
<start name="vfs_block">
<resource name="RAM" quantum="4M"/>
<provides> <service name="Block"/> </provides>
<config>
<vfs>
<fs buffer_size="1M"/>
</vfs>
<policy label_prefix="cbe_check" block_size="512"
file="/cbe.img" writeable="yes"/>
</config>
<route>
<service name="File_system"> <parent label="cbe_fs"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
</config>
</runtime>

View File

@ -1 +0,0 @@
CBE meta package

View File

@ -1,10 +0,0 @@
_/pkg/cbe_check
_/pkg/cbe_fs
_/pkg/cbe_ta_fs
_/pkg/cbe_init
_/pkg/cbe_shell
_/pkg/cbe_vbox5-nova
_/pkg/cbe_vfs
_/pkg/cbe_ta_vfs
_/pkg/cbe_vm_fs
_/pkg/download_coreplus

View File

@ -1 +0,0 @@
2023-04-27 9e98d42c5faeda078acd475c3e85998087cababc

View File

@ -1,2 +0,0 @@
Runtime for deploying the chroot component configured for the CBE from
the depot.

View File

@ -1 +0,0 @@
_/src/chroot

View File

@ -1 +0,0 @@
2023-04-25 4ce6ffd14a3bbfc7f59416b6e3c2bf4e92d034ab

View File

@ -1,15 +0,0 @@
<runtime ram="1M" caps="100" binary="chroot">
<requires> <file_system/> </requires>
<provides> <file_system/> </provides>
<config>
<default-policy path="/cbe" writeable="yes"/>
</config>
<content>
<rom label="ld.lib.so"/>
<rom label="chroot"/>
</content>
</runtime>

View File

@ -1 +0,0 @@
Runtime for deploying cbe_init component from the depot.

View File

@ -1,6 +0,0 @@
_/src/cbe
_/src/libsparkcrypto
_/src/spark
_/src/init
_/src/vfs
_/src/vfs_block

View File

@ -1 +0,0 @@
2023-04-27 8586c3f481575817c7822c2d82675a61d9797ae6

View File

@ -1,71 +0,0 @@
<runtime ram="10M" caps="300" binary="init" config="init.config">
<requires>
<file_system label="cbe_fs"/>
</requires>
<content>
<rom label="cbe_init"/>
<rom label="init"/>
<rom label="init.config"/>
<rom label="ld.lib.so"/>
<rom label="cbe_init_cxx.lib.so"/>
<rom label="libsparkcrypto.lib.so"/>
<rom label="spark.lib.so"/>
<rom label="vfs.lib.so"/>
<rom label="vfs_block"/>
</content>
<config verbose="yes">
<parent-provides>
<service name="ROM"/>
<service name="PD"/>
<service name="RM"/>
<service name="CPU"/>
<service name="LOG"/>
<service name="Timer"/>
<service name="File_system"/>
</parent-provides>
<default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
<default caps="100"/>
<start name="cbe_init">
<resource name="RAM" quantum="4M"/>
<exit propagate="yes"/>
<config>
<key id="23"/>
<!-- VBD is 1GiB (~16MiB MD) -->
<virtual-block-device nr_of_levels="5" nr_of_children="64"
nr_of_leafs="262144"/>
<!-- FT is 128MiB (~2MiB MD) -->
<free-tree nr_of_levels="4" nr_of_children="64"
nr_of_leafs="32768"/>
</config>
<route>
<service name="Block"> <child name="vfs_block"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
<start name="vfs_block">
<resource name="RAM" quantum="4M"/>
<provides> <service name="Block"/> </provides>
<config>
<vfs>
<fs buffer_size="1M"/>
</vfs>
<policy label_prefix="cbe_init" block_size="512"
file="/cbe.img" writeable="yes"/>
</config>
<route>
<service name="File_system"> <parent label="cbe_fs"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
</config>
</runtime>

View File

@ -1 +0,0 @@
Unix runtime that allows the user to interact with the CBE.

View File

@ -1,10 +0,0 @@
_/src/bash-minimal
_/src/coreutils
_/src/libc
_/src/posix
_/src/ncurses
_/src/terminal
_/src/init
_/src/vfs
_/src/vfs_pipe
_/src/cached_fs_rom

View File

@ -1 +0,0 @@
2023-04-27 68a36802cd97b17f22737a674c5f8c089a307314

View File

@ -1,126 +0,0 @@
<runtime ram="76M" caps="1000" binary="init" config="cbe_shell.config">
<requires>
<gui/>
<timer/>
<file_system label="cbe" writeable="yes"/>
<file_system label="fonts" writeable="no"/>
<rom label="clipboard"/>
<report label="clipboard"/>
<rm/>
</requires>
<content>
<rom label="cbe_shell.config"/>
<rom label="ld.lib.so"/>
<rom label="libc.lib.so"/>
<rom label="libm.lib.so"/>
<rom label="init"/>
<rom label="vfs"/>
<rom label="vfs_pipe.lib.so"/>
<rom label="cached_fs_rom"/>
<rom label="terminal"/>
<rom label="posix.lib.so"/>
<rom label="ncurses.lib.so"/>
<rom label="bash-minimal.tar"/>
<rom label="coreutils.tar"/>
<rom label="vfs.lib.so"/>
</content>
<config>
<parent-provides>
<service name="ROM"/>
<service name="PD"/>
<service name="RM"/>
<service name="CPU"/>
<service name="LOG"/>
<service name="Timer"/>
<service name="File_system"/>
<service name="Gui"/>
<service name="Report"/>
</parent-provides>
<default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
<default caps="100"/>
<start name="terminal">
<resource name="RAM" quantum="12M"/>
<provides> <service name="Terminal"/> </provides>
<config copy="yes" paste="yes">
<initial width="800" height="600"/>
<vfs> <dir name="fonts"> <fs/> </dir> </vfs>
</config>
<route>
<service name="File_system"> <parent label="fonts"/> </service>
<service name="Gui"> <parent label="terminal"/> </service>
<service name="Report" label="clipboard"> <parent label="clipboard"/> </service>
<service name="ROM" label="clipboard"> <parent label="clipboard"/> </service>
<any-service> <parent/> <any-child/> </any-service>
</route>
</start>
<start name="vfs" caps="150">
<resource name="RAM" quantum="12M"/>
<provides><service name="File_system"/></provides>
<config>
<vfs>
<tar name="bash-minimal.tar" />
<tar name="coreutils.tar" />
<dir name="dev">
<zero/> <null/> <terminal/>
<inline name="rtc">2018-01-01 00:01</inline>
</dir>
<dir name="pipe"> <pipe/> </dir>
<dir name="tmp"> <ram /> </dir>
</vfs>
<policy label_prefix="vfs_rom" root="/"/>
<default-policy root="/" writeable="yes"/>
</config>
<route>
<service name="Terminal"> <child name="terminal"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
<start name="vfs_rom">
<resource name="RAM" quantum="16M"/>
<binary name="cached_fs_rom"/>
<provides> <service name="ROM"/> </provides>
<config/>
<route>
<service name="File_system"> <child name="vfs"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
<start name="/bin/bash" caps="450">
<resource name="RAM" quantum="28M" />
<exit propagate="yes"/>
<config>
<libc stdin="/dev/terminal" stdout="/dev/terminal"
stderr="/dev/terminal" rtc="/dev/rtc" pipe="/pipe"/>
<vfs>
<fs buffer_size="1M" label="shell"/>
<dir name="cbe"> <fs buffer_size="4M" label="cbe"/> </dir>
</vfs>
<arg value="bash"/>
<env key="HOME" value="/"/>
<env key="TERM" value="screen"/>
<env key="PATH" value="/bin" />
<env key="PS1" value="cbe:$PWD> "/>
</config>
<route>
<service name="File_system" label="cbe"> <parent label="cbe"/> </service>
<service name="File_system" label="shell"> <child name="vfs"/> </service>
<service name="ROM" label_suffix=".lib.so"> <parent/> </service>
<service name="ROM" label_last="/bin/bash"> <child name="vfs_rom"/> </service>
<service name="ROM" label_prefix="/bin"> <child name="vfs_rom"/> </service>
<any-service> <parent/> <any-child/> </any-service>
</route>
</start>
</config>
</runtime>

View File

@ -1,2 +0,0 @@
Runtime for deploying the chroot component configured for the CBE
trust-anchor from the depot.

View File

@ -1 +0,0 @@
_/src/chroot

View File

@ -1 +0,0 @@
2023-04-25 4580d6a6ca8f082447fdcdb7e3339687e3bbd013

View File

@ -1,15 +0,0 @@
<runtime ram="1M" caps="100" binary="chroot">
<requires> <file_system/> </requires>
<provides> <file_system/> </provides>
<config>
<default-policy path="/cbe_ta" writeable="yes"/>
</config>
<content>
<rom label="ld.lib.so"/>
<rom label="chroot"/>
</content>
</runtime>

View File

@ -1 +0,0 @@
Runtime for deploying the CBE trust-anchor vfs component from the depot.

View File

@ -1,2 +0,0 @@
_/src/vfs
_/src/cbe

View File

@ -1 +0,0 @@
2023-04-27 c13b59b705a0a8b56c1873bb0af3c2a7de6609ff

View File

@ -1,23 +0,0 @@
<runtime ram="8M" caps="200" binary="vfs">
<requires> <log/> <file_system label="cbe_ta_fs"/> </requires>
<provides> <file_system/> </provides>
<config>
<vfs>
<fs buffer_size="1M" label="cbe_ta_fs"/>
<dir name="dev">
<cbe_trust_anchor name="cbe_trust_anchor" storage_dir="/"/>
</dir>
</vfs>
<policy label_prefix="cbe_init_trust_anchor" root="/dev" writeable="yes"/>
</config>
<content>
<rom label="ld.lib.so"/>
<rom label="vfs_cbe_trust_anchor.lib.so"/>
<rom label="vfs"/>
</content>
</runtime>

View File

@ -1,2 +0,0 @@
VirtualBox runtime for using a VM with Block session disk access

View File

@ -1,9 +0,0 @@
_/src/vbox5-nova
_/src/base-nova
_/src/libc
_/src/init
_/src/posix
_/src/zlib
_/src/libiconv
_/src/stdcxx
_/src/vfs

View File

@ -1 +0,0 @@
2023-04-27 51d4d436f52e3614ef2000125a647a6e9768dbce

View File

@ -1,104 +0,0 @@
<runtime ram="1500M" caps="1500" binary="init" config="init.config">
<requires>
<file_system label="cbe"/>
<file_system label="vm"/>
<file_system label="shared"/>
<gui/>
<nic/>
<rom label="capslock"/>
<rom label="platform_info"/>
<report label="shape"/>
<report label="clipboard"/>
<rom label="clipboard"/>
<rm/>
<rtc/>
<rom label="usb_devices"/>
<usb/>
</requires>
<content>
<rom label="init.config"/>
<rom label="ld.lib.so"/>
<rom label="init"/>
<rom label="timer"/>
<rom label="virtualbox5-nova"/>
<rom label="libc.lib.so"/>
<rom label="libm.lib.so"/>
<rom label="libiconv.lib.so"/>
<rom label="qemu-usb.lib.so"/>
<rom label="stdcxx.lib.so"/>
<rom label="vfs.lib.so"/>
</content>
<config verbose="yes" prio_levels="2">
<parent-provides>
<service name="ROM"/>
<service name="PD"/>
<service name="RM"/>
<service name="CPU"/>
<service name="LOG"/>
<service name="Gui"/>
<service name="Timer"/>
<service name="Rtc"/>
<service name="Report"/>
<service name="File_system"/>
<service name="Usb"/>
<service name="Nic"/>
</parent-provides>
<default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
<default caps="100"/>
<start name="timer">
<resource name="RAM" quantum="1M"/>
<provides><service name="Timer"/></provides>
<config/>
<route>
<service name="ROM" label="platform_info">
<parent label="platform_info"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
<start name="vbox" priority="-1" caps="1000">
<binary name="virtualbox5-nova" />
<resource name="RAM" quantum="8G"/>
<exit propagate="yes"/>
<config vbox_file="machine.vbox" xhci="yes" vm_name="linux" capslock="ROM">
<vfs>
<dir name="dev">
<dir name="cbe">
<fs label="cbe" buffer_size="4M" writeable="yes"/>
</dir>
<log/>
<rtc/>
</dir>
<dir name="shared"> <fs label="shared" writeable="yes"/> </dir>
<fs writeable="yes" label="vm" buffer_size="4M" />
</vfs>
<libc stdout="/dev/log" stderr="/dev/log" rtc="/dev/rtc"/>
</config>
<route>
<service name="Audio_out"> <parent/> </service>
<service name="File_system" label="shared"> <parent label="shared"/> </service>
<service name="File_system" label="vm"> <parent label="vm"/> </service>
<service name="ROM" label="usb_devices"> <parent label="usb_devices"/> </service>
<service name="ROM" label="capslock"> <parent label="capslock"/> </service>
<service name="ROM" label="platform_info">
<parent label="platform_info"/> </service>
<service name="Nic"> <parent/> </service>
<service name="Report" label="shape"> <parent label="shape"/> </service>
<service name="ROM" label="clipboard"> <parent label="clipboard"/> </service>
<service name="Report" label="clipboard"> <parent label="clipboard"/> </service>
<service name="Gui"> <parent label=""/> </service>
<service name="File_system" label="cbe"> <parent label="cbe"/> </service>
<any-service> <parent/> </any-service>
</route>
</start>
</config>
</runtime>

View File

@ -1,2 +0,0 @@
Runtime for deploying the vfs component configured for the CBE from
the depot.

View File

@ -1,4 +0,0 @@
_/src/vfs
_/src/cbe
_/src/spark
_/src/openssl

View File

@ -1 +0,0 @@
2023-04-27 53d46fa42938230c007f2c52e9cefdfb9d7d7748

View File

@ -1,30 +0,0 @@
<runtime ram="64M" caps="200" binary="vfs">
<requires> <log/> <file_system label="cbe_fs"/> </requires>
<provides> <file_system/> </provides>
<config>
<vfs>
<fs buffer_size="1M" label="cbe_fs"/>
<cbe_crypto_aes_cbc name="cbe_crypto"/>
<dir name="ta"> <fs buffer_size="1M" label="ta"/> </dir>
<dir name="dev">
<cbe name="cbe" verbose="no" debug="no" block="/cbe.img"
crypto="/cbe_crypto" trust_anchor="/ta"/>
</dir>
</vfs>
<policy label_prefix="cbe_vbox5-nova" root="/dev/cbe/current" writeable="yes"/>
<policy label_prefix="cbe_shell" root="/dev" writeable="yes"/>
</config>
<content>
<rom label="cbe_cxx.lib.so"/>
<rom label="ld.lib.so"/>
<rom label="libcrypto.lib.so"/>
<rom label="spark.lib.so"/>
<rom label="vfs"/>
<rom label="vfs_cbe.lib.so"/>
<rom label="vfs_cbe_crypto_aes_cbc.lib.so"/>
</content>
</runtime>

View File

@ -1,2 +0,0 @@
Runtime for deploying the chroot component configured for the VM
running on top the CBE from the depot.

View File

@ -1 +0,0 @@
_/src/chroot

View File

@ -1 +0,0 @@
2023-04-25 6253f2ce75fb58e57dad9199e0f57ecc484792a2

View File

@ -1,15 +0,0 @@
<runtime ram="1M" caps="100" binary="chroot">
<requires> <file_system/> </requires>
<provides> <file_system/> </provides>
<config>
<default-policy path="/vm/cbe" writeable="yes"/>
</config>
<content>
<rom label="ld.lib.so"/>
<rom label="chroot"/>
</content>
</runtime>

View File

@ -1 +0,0 @@
This package is used to prepare the assets for the TinyCore+ VM.

View File

@ -1,18 +0,0 @@
_/raw/download_coreplus
_/src/libc
_/src/vfs_lxip
_/src/bash-minimal
_/src/coreutils-minimal
_/src/curl
_/src/fetchurl
_/src/init
_/src/libssh
_/src/openssl
_/src/ncurses
_/src/posix
_/src/report_rom
_/src/terminal
_/src/terminal_log
_/src/vfs
_/src/zlib
_/src/cached_fs_rom

View File

@ -1 +0,0 @@
2023-04-27 c73cf6ceef8aad65bfac745611188efa1f560c61

View File

@ -1,39 +0,0 @@
<runtime ram="80M" caps="1500" binary="init" config="init.config">
<requires>
<gui/>
<nic/>
<timer/>
<rm/>
<file_system label="target" writeable="yes"/>
<file_system label="fonts" writeable="no"/>
</requires>
<content>
<rom label="init.config"/>
<rom label="ld.lib.so"/>
<rom label="libc.lib.so"/>
<rom label="libm.lib.so"/>
<rom label="init"/>
<rom label="terminal"/>
<rom label="posix.lib.so"/>
<rom label="ncurses.lib.so"/>
<rom label="bash-minimal.tar"/>
<rom label="coreutils-minimal.tar"/>
<rom label="vfs"/>
<rom label="vfs.lib.so"/>
<rom label="terminal_log"/>
<rom label="report_rom"/>
<rom label="fetchurl"/>
<rom label="lxip.lib.so"/>
<rom label="vfs_lxip.lib.so"/>
<rom label="libssl.lib.so"/>
<rom label="libssh.lib.so"/>
<rom label="curl.lib.so"/>
<rom label="libcrypto.lib.so"/>
<rom label="zlib.lib.so"/>
<rom label="assets.tar"/>
<rom label="cached_fs_rom"/>
</content>
</runtime>

View File

@ -4,9 +4,7 @@ _/src/libpng
_/src/zlib
_/src/fs_query
_/src/menu_view
_/src/cbe
_/src/spark
_/src/libsparkcrypto
_/src/tresor
_/src/vfs_block
_/src/vfs_jitterentropy
_/src/vfs

View File

@ -26,26 +26,22 @@
<rom label="vfs.lib.so"/>
<rom label="vfs_block"/>
<rom label="vfs_jitterentropy.lib.so"/>
<rom label="vfs_cbe.lib.so"/>
<rom label="vfs_cbe_crypto_aes_cbc.lib.so"/>
<rom label="vfs_cbe_trust_anchor.lib.so"/>
<rom label="cbe_cxx.lib.so"/>
<rom label="cbe_init_cxx.lib.so"/>
<rom label="cbe_init"/>
<rom label="cbe_init_trust_anchor"/>
<rom label="vfs_tresor.lib.so"/>
<rom label="vfs_tresor_crypto_aes_cbc.lib.so"/>
<rom label="vfs_tresor_trust_anchor.lib.so"/>
<rom label="tresor_init"/>
<rom label="tresor_init_trust_anchor"/>
<rom label="libcrypto.lib.so"/>
<rom label="rump.lib.so"/>
<rom label="vfs_rump.lib.so"/>
<rom label="rump_fs.lib.so"/>
<rom label="sandbox.lib.so"/>
<rom label="libsparkcrypto.lib.so"/>
<rom label="spark.lib.so"/>
<rom label="fs_tool"/>
<rom label="mke2fs"/>
<rom label="resize2fs"/>
<rom label="posix.lib.so"/>
<rom label="file_vault"/>
<rom label="file_vault-sync_to_cbe_vfs_init"/>
<rom label="file_vault-sync_to_tresor_vfs_init"/>
<rom label="file_vault-truncate_file"/>
<rom label="menu_view_styles.tar"/>
</content>
@ -74,21 +70,21 @@
<provides>
<service name="File_system"/>
</provides>
<config>
<config user_interface="menu_view">
<vfs>
<dir name="cbe">
<fs label="cbe"/>
<dir name="tresor">
<fs label="tresor"/>
</dir>
</vfs>
</config>
<route>
<service name="File_system" label="cbe_trust_anchor_vfs -> storage_dir"> <parent label="trust_anchor"/> </service>
<service name="File_system" label="tresor_trust_anchor_vfs -> storage_dir"> <parent label="trust_anchor"/> </service>
<service name="File_system" label="vfs_block -> "> <parent label="data"/> </service>
<service name="File_system" label="cbe"> <parent label="data"/> </service>
<service name="File_system" label="tresor"> <parent label="data"/> </service>
<service name="File_system" label="fs_query -> "> <parent label="data"/> </service>
<service name="File_system" label="image_fs_query -> "> <parent label="data"/> </service>
<service name="File_system" label="cbe_vfs -> cbe_fs"> <parent label="data"/> </service>
<service name="File_system" label="truncate_file -> cbe"> <parent label="data"/> </service>
<service name="File_system" label="tresor_vfs -> tresor_fs"> <parent label="data"/> </service>
<service name="File_system" label="truncate_file -> tresor"> <parent label="data"/> </service>
<service name="File_system" label="menu_view -> fonts"> <parent label="fonts"/> </service>
<service name="Timer"> <parent/> </service>
<service name="Gui"> <parent/> </service>

View File

@ -0,0 +1 @@
See repos/gems/src/app/file_vault/README.

View File

@ -0,0 +1,15 @@
_/src/init
_/src/libc
_/src/zlib
_/src/fs_query
_/src/tresor
_/src/vfs_block
_/src/vfs_jitterentropy
_/src/vfs
_/src/openssl
_/src/fs_tool
_/src/fs_utils
_/src/posix
_/src/rump
_/src/sandbox
_/src/file_vault

View File

@ -0,0 +1 @@
2023-03-31-f e133ec19fdfb9ab03e5aa985db926ff807ca1505

View File

@ -0,0 +1,98 @@
<runtime ram="220M" caps="2200" binary="init">
<provides>
<file_system/>
</provides>
<requires>
<file_system label="data" writeable="yes"/>
<file_system label="trust_anchor" writeable="yes"/>
<report label="ui_report"/>
<rom label="ui_config"/>
<rm/>
<timer/>
</requires>
<content>
<rom label="init"/>
<rom label="ld.lib.so"/>
<rom label="libc.lib.so"/>
<rom label="libm.lib.so"/>
<rom label="zlib.lib.so"/>
<rom label="fs_query"/>
<rom label="vfs"/>
<rom label="vfs.lib.so"/>
<rom label="vfs_block"/>
<rom label="vfs_jitterentropy.lib.so"/>
<rom label="vfs_tresor.lib.so"/>
<rom label="vfs_tresor_crypto_aes_cbc.lib.so"/>
<rom label="vfs_tresor_trust_anchor.lib.so"/>
<rom label="tresor_init"/>
<rom label="tresor_init_trust_anchor"/>
<rom label="libcrypto.lib.so"/>
<rom label="rump.lib.so"/>
<rom label="vfs_rump.lib.so"/>
<rom label="rump_fs.lib.so"/>
<rom label="sandbox.lib.so"/>
<rom label="fs_tool"/>
<rom label="mke2fs"/>
<rom label="resize2fs"/>
<rom label="posix.lib.so"/>
<rom label="file_vault"/>
<rom label="file_vault-sync_to_tresor_vfs_init"/>
<rom label="file_vault-truncate_file"/>
</content>
<config>
<parent-provides>
<service name="ROM"/>
<service name="PD"/>
<service name="RM"/>
<service name="CPU"/>
<service name="LOG"/>
<service name="Gui"/>
<service name="Timer"/>
<service name="File_system"/>
</parent-provides>
<service name="File_system">
<default-policy>
<child name="file_vault"/>
</default-policy>
</service>
<start name="file_vault" caps="2000">
<resource name="RAM" quantum="200M"/>
<provides>
<service name="File_system"/>
</provides>
<config user_interface="menu_view">
<vfs>
<dir name="tresor">
<fs label="tresor"/>
</dir>
</vfs>
</config>
<route>
<service name="Report" label="ui_report"> <parent/> </service>
<service name="ROM" label="ui_config"> <parent/> </service>
<service name="File_system" label="tresor_trust_anchor_vfs -> storage_dir"> <parent label="trust_anchor"/> </service>
<service name="File_system" label="vfs_block -> "> <parent label="data"/> </service>
<service name="File_system" label="tresor"> <parent label="data"/> </service>
<service name="File_system" label="fs_query -> "> <parent label="data"/> </service>
<service name="File_system" label="image_fs_query -> "> <parent label="data"/> </service>
<service name="File_system" label="tresor_vfs -> tresor_fs"> <parent label="data"/> </service>
<service name="File_system" label="truncate_file -> tresor"> <parent label="data"/> </service>
<service name="Timer"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="ROM"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
<service name="RM"> <parent/> </service>
</route>
</start>
</config>
</runtime>

View File

@ -359,7 +359,7 @@ For inspiration, please follow the postings at
:Encrypted file store:
The file-vault package provides Sculpt users with an easy way to set
up and use an encrypted file store using Genode's custom CBE block
up and use an encrypted file store using Genode's custom Tresor block
encrypter.
[https://genodians.org/m-stein/2021-05-17-introducing-the-file-vault]
@ -1557,7 +1557,7 @@ Before building the packages, various ports of 3rd-party software need to
be prepared. The following command prepares all of them at once:
! <GENODE-DIR>/tool/ports/prepare_port \
! acpica ada-runtime bash cbe coreutils curl \
! acpica ada-runtime bash tresor coreutils curl \
! dde_bsd dde_ipxe dde_linux dde_rump e2fsprogs-lib \
! expat freetype gnupg grub2 jitterentropy jpeg \
! libarchive libc libdrm libgcrypt libiconv libnl libpng \

View File

@ -0,0 +1 @@
Test for the fs_tool component

View File

@ -0,0 +1,4 @@
_/pkg/file_vault_config_report
_/src/report_rom
_/src/dynamic_rom
_/src/vfs

View File

@ -0,0 +1 @@
2023-03-31-j 57b14d73d7dfb8a25d18394bc2119bfd1ea07844

View File

@ -0,0 +1,232 @@
<runtime ram="250M" caps="3000" binary="init">
<requires>
<timer/>
</requires>
<events>
<timeout meaning="failed" sec="240" />
<log meaning="succeeded">
&lt;ui_report version="step_*" state="uninitialized"/>*
&lt;ui_report version="step_*" state="initializing"/>*
&lt;ui_report version="step_*" state="unlocked"/>*
&lt;ui_report version="step_*" state="locking"/>*
&lt;ui_report version="step_*" state="locked"/>*
&lt;ui_report version="step_*" state="unlocking"/>*
&lt;ui_report version="step_*" state="unlocked"/>*
&lt;ui_report version="step_*" state="locking"/>*
&lt;ui_report version="step_*" state="locked"/>*
&lt;ui_report version="step_*" state="unlocking"/>*
&lt;ui_report version="step_*" state="locked"/>*
&lt;ui_report version="step_*" state="unlocking"/>*
&lt;ui_report version="step_*" state="unlocked"/>*
&lt;ui_report version="step_*" state="locking"/>*
&lt;ui_report version="step_*" state="locked"/>
</log>
</events>
<content>
<rom label="ld.lib.so"/>
<rom label="report_rom"/>
<rom label="dynamic_rom"/>
<rom label="file_vault"/>
<rom label="vfs"/>
</content>
<config>
<parent-provides>
<service name="ROM"/>
<service name="LOG"/>
<service name="RM"/>
<service name="CPU"/>
<service name="PD"/>
<service name="IRQ"/>
<service name="IO_MEM"/>
<service name="IO_PORT"/>
<service name="Timer"/>
</parent-provides>
<start name="dynamic_rom" caps="100">
<resource name="RAM" quantum="4M"/>
<provides><service name="ROM"/> </provides>
<config verbose="no">
<rom name="file_vault_ui_config">
<inline>
<ui_config version="step_1_wait"/>
</inline>
<sleep milliseconds="5000"/>
<inline>
<ui_config version="step_2_init" passphrase="abcdefgh"
client_fs_size="1M"
journaling_buf_size="1M"/>
</inline>
<sleep milliseconds="5000"/>
<inline>
<ui_config version="step_3_lock"/>
</inline>
<sleep milliseconds="500"/>
<inline>
<ui_config version="step_4_unlock_fast" passphrase="abcdefgh"/>
</inline>
<sleep milliseconds="5000"/>
<inline>
<ui_config version="step_5_lock"/>
</inline>
<sleep milliseconds="5000"/>
<inline>
<ui_config version="step_6_bad_unlock" passphrase="00000001"/>
</inline>
<sleep milliseconds="500"/>
<inline>
<ui_config version="step_7_bad_unlock" passphrase="00000002"/>
</inline>
<sleep milliseconds="500"/>
<inline>
<ui_config version="step_8_bad_unlock" passphrase="00000003"/>
</inline>
<sleep milliseconds="500"/>
<inline>
<ui_config version="step_9_bad_unlock" passphrase="00000004"/>
</inline>
<sleep milliseconds="500"/>
<inline>
<ui_config version="step_10_bad_unlock" passphrase="00000005"/>
</inline>
<sleep milliseconds="5000"/>
<inline>
<ui_config version="step_11_wait"/>
</inline>
<sleep milliseconds="10000"/>
<inline>
<ui_config version="step_12_unlock" passphrase="abcdefgh"/>
</inline>
<sleep milliseconds="500"/>
<inline>
<ui_config version="step_13_lock_fast"/>
</inline>
<sleep milliseconds="600000"/>
</rom>
</config>
<route>
<service name="Timer"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="ROM"> <parent/> </service>
<service name="LOG"> <parent/> </service>
<service name="CPU"> <parent/> </service>
</route>
</start>
<start name="report_rom" caps="70">
<resource name="RAM" quantum="1M"/>
<provides>
<service name="ROM" />
<service name="Report" />
</provides>
<config verbose="yes"/>
<route>
<service name="LOG"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="ROM"> <parent/> </service>
</route>
</start>
<start name="data_fs" caps="500">
<binary name="vfs"/>
<resource name="RAM" quantum="50M"/>
<provides><service name="File_system"/></provides>
<config>
<vfs>
<dir name="data">
<ram/>
</dir>
</vfs>
<policy label="file_vault -> data" root="/data" writeable="yes"/>
</config>
<route>
<service name="PD"> <parent/> </service>
<service name="ROM"> <parent/> </service>
<service name="LOG"> <parent/> </service>
<service name="CPU"> <parent/> </service>
</route>
</start>
<start name="trust_anchor_fs" caps="100">
<binary name="vfs"/>
<resource name="RAM" quantum="5M"/>
<provides><service name="File_system"/></provides>
<config>
<vfs>
<dir name="trust_anchor">
<ram/>
</dir>
</vfs>
<policy label="file_vault -> trust_anchor" root="/trust_anchor" writeable="yes"/>
</config>
<route>
<service name="PD"> <parent/> </service>
<service name="ROM"> <parent/> </service>
<service name="LOG"> <parent/> </service>
<service name="CPU"> <parent/> </service>
</route>
</start>
<start name="file_vault" caps="1500">
<resource name="RAM" quantum="180M"/>
<config user_interface="config_and_report">
<vfs>
<dir name="tresor">
<fs label="tresor"/>
</dir>
</vfs>
</config>
<route>
<service name="ROM" label="ui_config"> <child name="dynamic_rom" label="file_vault_ui_config"/> </service>
<service name="Report"> label="ui_report" <child name="report_rom"/> </service>
<service name="File_system" label="tresor_trust_anchor_vfs -> storage_dir"> <child name="trust_anchor_fs" label="file_vault -> trust_anchor"/> </service>
<service name="File_system" label="tresor_init -> "> <child name="data_fs" label="file_vault -> data"/> </service>
<service name="File_system" label="tresor"> <child name="data_fs" label="file_vault -> data"/> </service>
<service name="File_system" label="fs_query -> "> <child name="data_fs" label="file_vault -> data"/> </service>
<service name="File_system" label="image_fs_query -> "> <child name="data_fs" label="file_vault -> data"/> </service>
<service name="File_system" label="tresor_vfs -> tresor_fs"> <child name="data_fs" label="file_vault -> data"/> </service>
<service name="File_system" label="truncate_file -> tresor"> <child name="data_fs" label="file_vault -> data"/> </service>
<service name="Timer"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="ROM"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
<service name="RM"> <parent/> </service>
</route>
</start>
</config>
</runtime>

View File

@ -5,7 +5,7 @@ parentCID=ffffffff
createType="fullDevice"
# Extent description
RW 2097152 FLAT "/dev/cbe/data" 0
RW 2097152 FLAT "/dev/tresor/data" 0
# The disk Data Base
#DDB

View File

@ -1,70 +0,0 @@
BUILD_LIBS := \
cbe_cxx \
cbe_init_cxx \
cbe_dump_cxx \
cbe_check_cxx
MIRROR_FROM_CBE_DIR := \
src/lib/cbe \
src/lib/cbe_common \
src/lib/cbe_cxx \
src/lib/cbe_cxx_common \
src/lib/cbe_init \
src/lib/cbe_init_cxx \
src/lib/cbe_dump \
src/lib/cbe_dump_cxx \
src/lib/cbe_check \
src/lib/cbe_check_cxx \
src/lib/sha256_4k
MIRROR_FROM_REP_DIR := \
lib/import/import-cbe.mk \
lib/import/import-cbe_common.mk \
lib/import/import-cbe_init.mk \
lib/import/import-cbe_dump.mk \
lib/import/import-cbe_check.mk \
lib/import/import-sha256_4k.mk \
lib/mk/spec/x86_64/cbe.mk \
lib/mk/spec/x86_64/cbe_common.mk \
lib/mk/spec/x86_64/cbe_cxx.mk \
lib/mk/spec/x86_64/cbe_cxx_common.mk \
lib/mk/spec/x86_64/cbe_init.mk \
lib/mk/spec/x86_64/cbe_init_cxx.mk \
lib/mk/spec/x86_64/cbe_dump.mk \
lib/mk/spec/x86_64/cbe_dump_cxx.mk \
lib/mk/spec/x86_64/cbe_check.mk \
lib/mk/spec/x86_64/cbe_check_cxx.mk \
lib/mk/spec/x86_64/vfs_cbe.mk \
lib/mk/spec/x86_64/vfs_cbe_crypto_aes_cbc.mk \
lib/mk/spec/x86_64/vfs_cbe_crypto_memcopy.mk \
lib/mk/spec/x86_64/vfs_cbe_trust_anchor.mk \
lib/mk/generate_ada_main_pkg.inc \
lib/mk/sha256_4k.mk \
lib/symbols/cbe_check_cxx \
lib/symbols/cbe_dump_cxx \
lib/symbols/cbe_init_cxx \
src/lib/vfs/cbe \
src/lib/vfs/cbe_crypto/vfs.cc \
src/lib/vfs/cbe_crypto/aes_cbc \
src/lib/vfs/cbe_crypto/memcopy \
src/lib/vfs/cbe_trust_anchor \
src/app/cbe_check \
src/app/cbe_dump \
src/app/cbe_init \
src/app/cbe_init_trust_anchor \
src/app/cbe_tester \
include/cbe
CBE_DIR := $(call port_dir,$(REP_DIR)/ports/cbe)
content: $(MIRROR_FROM_REP_DIR) $(MIRROR_FROM_CBE_DIR) LICENSE
$(MIRROR_FROM_REP_DIR):
$(mirror_from_rep_dir)
$(MIRROR_FROM_CBE_DIR):
mkdir -p $(dir $@)
cp -r $(CBE_DIR)/$@ $(dir $@)
LICENSE:
cp $(GENODE_DIR)/LICENSE $@

Some files were not shown because too many files have changed in this diff Show More