Parse attributes in extended VTL0 APIs

VTL0 sends data to the secure kernel during and after initial boot.
Use the new attributes parameter to extend load_kdata, allowing it
to process data after boot and use the improved format for sending
data from VTL0. Small, simple data buffers like certificates can be
sent efficiently with the same APIs used for larger aggregated data
like module info.

The new data format is leveraged to reduce the size of the kernel
string table passed from ~10MB (all of rodata) to ~250KB.

The validate_module and validate_kexec APIs are extended to use the
new attributes.

Author: femiatl

litebox_platform_lvbs/src/mshv/error.rs

@@ -152,6 +152,21 @@ pub enum VsmError {
 
     #[error("symbol name contains invalid UTF-8")]
     SymbolNameInvalidUtf8,
+
+    #[error("invalid API attribute")]
+    ApiAttrInvalid,
+
+    #[error("invalid symbol info type")]
+    SymbolInfoTypeInvalid,
+
+    #[error("invalid permissions info type")]
+    PermInfoTypeInvalid,
+
+    #[error("invalid patch type")]
+    PatchTypeInvalid,
+
+    #[error("invalid data page")]
+    DataPageInvalid,
 }
 
 impl From<VerificationError> for VsmError {
@@ -217,7 +232,12 @@ impl From<VsmError> for Errno {
             | VsmError::SymbolNameInvalidUtf8
             | VsmError::SymbolNameNoTerminator
             | VsmError::CertificateDerLengthInvalid { .. }
-            | VsmError::CertificateParseFailed => Errno::EINVAL,
+            | VsmError::CertificateParseFailed
+            | VsmError::ApiAttrInvalid
+            | VsmError::SymbolInfoTypeInvalid
+            | VsmError::PermInfoTypeInvalid
+            | VsmError::DataPageInvalid
+            | VsmError::PatchTypeInvalid => Errno::EINVAL,
 
             // Signature verification failures delegate to VerificationError's Errno mapping
             VsmError::SignatureVerificationFailed(e) => Errno::from(e),

litebox_platform_lvbs/src/mshv/heki.rs

@@ -7,11 +7,13 @@ use crate::{
 };
 use core::mem;
 use litebox::utils::TruncateExt;
+use modular_bitfield::Specifier;
 use num_enum::TryFromPrimitive;
 use x86_64::{
-    PhysAddr, VirtAddr,
+    PhysAddr,
     structures::paging::{PageSize, Size4KiB},
 };
+use zerocopy::{FromBytes, Immutable, KnownLayout};
 
 bitflags::bitflags! {
     #[derive(Clone, Copy, Debug, PartialEq)]
@@ -42,8 +44,9 @@ pub(crate) fn mem_attr_to_hv_page_prot_flags(attr: MemAttr) -> HvPageProtFlags {
     flags
 }
 
-#[derive(Default, Debug, TryFromPrimitive, PartialEq)]
-#[repr(u64)]
+#[derive(Default, Debug, TryFromPrimitive, PartialEq, Specifier)]
+#[bits = 16]
+#[repr(u16)]
 pub enum HekiKdataType {
     SystemCerts = 0,
     RevocationCerts = 1,
@@ -52,22 +55,36 @@ pub enum HekiKdataType {
     KernelData = 4,
     PatchInfo = 5,
     KexecTrampoline = 6,
+    SymbolInfo = 7,
+    ModuleInfo = 8,
+    PermInfo = 9,
+    KexecInfo = 10,
+    DataPage = 0xff,
     #[default]
-    Unknown = 0xffff_ffff_ffff_ffff,
+    Unknown = 0xffff,
+}
+
+#[derive(Debug, TryFromPrimitive, PartialEq)]
+#[repr(u16)]
+pub enum HekiSymbolInfoType {
+    SymbolTable = 0,
+    GplSymbolTable = 1,
+    SymbolStringTable = 2,
+    Unknown = 0xffff,
 }
 
 #[derive(Default, Debug, TryFromPrimitive, PartialEq)]
-#[repr(u64)]
+#[repr(u16)]
 pub enum HekiKexecType {
     KexecImage = 0,
     KexecKernelBlob = 1,
     KexecPages = 2,
     #[default]
-    Unknown = 0xffff_ffff_ffff_ffff,
+    Unknown = 0xffff,
 }
 
 #[derive(Clone, Copy, Default, Debug, TryFromPrimitive, PartialEq)]
-#[repr(u64)]
+#[repr(u16)]
 pub enum ModMemType {
     Text = 0,
     Data = 1,
@@ -79,7 +96,7 @@ pub enum ModMemType {
     ElfBuffer = 7,
     Patch = 8,
     #[default]
-    Unknown = 0xffff_ffff_ffff_ffff,
+    Unknown = 0xffff,
 }
 
 pub(crate) fn mod_mem_type_to_mem_attr(mod_mem_type: ModMemType) -> MemAttr {
@@ -103,150 +120,6 @@ pub(crate) fn mod_mem_type_to_mem_attr(mod_mem_type: ModMemType) -> MemAttr {
     mem_attr
 }
 
-/// `HekiRange` is a generic container for various types of memory ranges.
-/// It has an `attributes` field which can be interpreted differently based on the context like
-/// `MemAttr`, `KdataType`, `ModMemType`, or `KexecType`.
-#[derive(Default, Clone, Copy)]
-#[repr(C, packed)]
-pub struct HekiRange {
-    pub va: u64,
-    pub pa: u64,
-    pub epa: u64,
-    pub attributes: u64,
-}
-
-impl HekiRange {
-    #[inline]
-    pub fn is_aligned<U>(&self, align: U) -> bool
-    where
-        U: Into<u64> + Copy,
-    {
-        let va = self.va;
-        let pa = self.pa;
-        let epa = self.epa;
-
-        VirtAddr::new(va).is_aligned(align)
-            && PhysAddr::new(pa).is_aligned(align)
-            && PhysAddr::new(epa).is_aligned(align)
-    }
-
-    #[inline]
-    pub fn mem_attr(&self) -> Option<MemAttr> {
-        let attr = self.attributes;
-        MemAttr::from_bits(attr)
-    }
-
-    #[inline]
-    pub fn mod_mem_type(&self) -> ModMemType {
-        let attr = self.attributes;
-        ModMemType::try_from(attr).unwrap_or(ModMemType::Unknown)
-    }
-
-    #[inline]
-    pub fn heki_kdata_type(&self) -> HekiKdataType {
-        let attr = self.attributes;
-        HekiKdataType::try_from(attr).unwrap_or(HekiKdataType::Unknown)
-    }
-
-    #[inline]
-    pub fn heki_kexec_type(&self) -> HekiKexecType {
-        let attr = self.attributes;
-        HekiKexecType::try_from(attr).unwrap_or(HekiKexecType::Unknown)
-    }
-
-    pub fn is_valid(&self) -> bool {
-        let va = self.va;
-        let pa = self.pa;
-        let epa = self.epa;
-        let Ok(pa) = PhysAddr::try_new(pa) else {
-            return false;
-        };
-        let Ok(epa) = PhysAddr::try_new(epa) else {
-            return false;
-        };
-        !(VirtAddr::try_new(va).is_err()
-            || epa < pa
-            || (self.mem_attr().is_none()
-                && self.heki_kdata_type() == HekiKdataType::Unknown
-                && self.heki_kexec_type() == HekiKexecType::Unknown
-                && self.mod_mem_type() == ModMemType::Unknown))
-    }
-}
-
-impl core::fmt::Debug for HekiRange {
-    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
-        let va = self.va;
-        let pa = self.pa;
-        let epa = self.epa;
-        let attr = self.attributes;
-        f.debug_struct("HekiRange")
-            .field("va", &format_args!("{va:#x}"))
-            .field("pa", &format_args!("{pa:#x}"))
-            .field("epa", &format_args!("{epa:#x}"))
-            .field("attr", &format_args!("{attr:#x}"))
-            .field("type", &format_args!("{:?}", self.heki_kdata_type()))
-            .field("size", &format_args!("{:?}", self.epa - self.pa))
-            .finish()
-    }
-}
-
-#[expect(clippy::cast_possible_truncation)]
-pub const HEKI_MAX_RANGES: usize =
-    ((PAGE_SIZE as u32 - u64::BITS * 3 / 8) / core::mem::size_of::<HekiRange>() as u32) as usize;
-
-#[derive(Clone, Copy)]
-#[repr(align(4096))]
-#[repr(C)]
-pub struct HekiPage {
-    pub next: *mut HekiPage,
-    pub next_pa: u64,
-    pub nranges: u64,
-    pub ranges: [HekiRange; HEKI_MAX_RANGES],
-    pad: u64,
-}
-
-impl HekiPage {
-    pub fn new() -> Self {
-        HekiPage {
-            next: core::ptr::null_mut(),
-            ..Default::default()
-        }
-    }
-
-    pub fn is_valid(&self) -> bool {
-        if PhysAddr::try_new(self.next_pa).is_err() {
-            return false;
-        }
-        let Some(nranges) = usize::try_from(self.nranges)
-            .ok()
-            .filter(|&n| n <= HEKI_MAX_RANGES)
-        else {
-            return false;
-        };
-        for heki_range in &self.ranges[..nranges] {
-            if !heki_range.is_valid() {
-                return false;
-            }
-        }
-        true
-    }
-}
-
-impl Default for HekiPage {
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
-impl<'a> IntoIterator for &'a HekiPage {
-    type Item = &'a HekiRange;
-    type IntoIter = core::slice::Iter<'a, HekiRange>;
-
-    fn into_iter(self) -> Self::IntoIter {
-        self.ranges[..usize::try_from(self.nranges).unwrap_or(0)].iter()
-    }
-}
-
 #[derive(Default, Clone, Copy, Debug)]
 #[repr(C)]
 pub struct HekiPatch {
@@ -304,12 +177,12 @@ impl HekiPatch {
     }
 }
 
-#[derive(Default, Clone, Copy, Debug, PartialEq)]
-#[repr(u32)]
+#[derive(Default, Clone, Copy, Debug, PartialEq, TryFromPrimitive)]
+#[repr(u16)]
 pub enum HekiPatchType {
     JumpLabel = 0,
     #[default]
-    Unknown = 0xffff_ffff,
+    Unknown = 0xffff,
 }
 
 #[derive(Clone, Copy, Debug)]
@@ -348,6 +221,7 @@ impl HekiPatchInfo {
     }
 }
 
+#[derive(FromBytes, KnownLayout, Immutable)]
 #[repr(C)]
 #[allow(clippy::struct_field_names)]
 // TODO: Account for kernel config changing the size and meaning of the field members
@@ -380,37 +254,3 @@ impl HekiKernelSymbol {
         }
     }
 }
-
-#[repr(C)]
-#[allow(clippy::struct_field_names)]
-pub struct HekiKernelInfo {
-    pub ksymtab_start: *const HekiKernelSymbol,
-    pub ksymtab_end: *const HekiKernelSymbol,
-    pub ksymtab_gpl_start: *const HekiKernelSymbol,
-    pub ksymtab_gpl_end: *const HekiKernelSymbol,
-    // Skip unused arch info
-}
-
-impl HekiKernelInfo {
-    const KINFO_LEN: usize = mem::size_of::<HekiKernelInfo>();
-
-    pub fn from_bytes(bytes: &[u8]) -> Result<Self, VsmError> {
-        if bytes.len() < Self::KINFO_LEN {
-            return Err(VsmError::BufferTooSmall("HekiKernelInfo"));
-        }
-
-        #[allow(clippy::cast_ptr_alignment)]
-        let kinfo_ptr = bytes.as_ptr().cast::<HekiKernelInfo>();
-        assert!(kinfo_ptr.is_aligned(), "kinfo_ptr is not aligned");
-
-        // SAFETY: Casting from vtl0 buffer that contained the struct
-        unsafe {
-            Ok(HekiKernelInfo {
-                ksymtab_start: (*kinfo_ptr).ksymtab_start,
-                ksymtab_end: (*kinfo_ptr).ksymtab_end,
-                ksymtab_gpl_start: (*kinfo_ptr).ksymtab_gpl_start,
-                ksymtab_gpl_end: (*kinfo_ptr).ksymtab_gpl_end,
-            })
-        }
-    }
-}