kernel/process_binary.rs
1// Licensed under the Apache License, Version 2.0 or the MIT License.
2// SPDX-License-Identifier: Apache-2.0 OR MIT
3// Copyright Tock Contributors 2024.
4
5//! Representation of processes stored in flash.
6//!
7//! A `ProcessBinary` object represents the stored binary for a process before
8//! it is loaded into a runnable `Process` object.
9
10use core::fmt;
11
12use crate::config;
13use crate::debug;
14use crate::process_checker::AcceptedCredential;
15use crate::utilities::cells::OptionalCell;
16
17/// Errors resulting from trying to load a process binary structure from flash.
18pub enum ProcessBinaryError {
19 /// No TBF header was found.
20 TbfHeaderNotFound,
21
22 /// The TBF header for the process could not be successfully parsed.
23 TbfHeaderParseFailure(tock_tbf::types::TbfParseError),
24
25 /// Not enough flash remaining to parse a process and its header.
26 NotEnoughFlash,
27
28 /// A process requires a newer version of the kernel or did not specify a
29 /// required version. Processes can include the KernelVersion TBF header
30 /// stating their compatible kernel version (^major.minor).
31 ///
32 /// Boards may not require processes to include the KernelVersion TBF
33 /// header, and the kernel supports ignoring a missing KernelVersion TBF
34 /// header. In that case, this error will not be returned for a process
35 /// missing a KernelVersion TBF header.
36 ///
37 /// `version` is the `(major, minor)` kernel version the process indicates
38 /// it requires. If `version` is `None` then the process did not include the
39 /// KernelVersion TBF header.
40 IncompatibleKernelVersion { version: Option<(u16, u16)> },
41
42 /// A process specified that its binary must start at a particular address,
43 /// and that is not the address the binary is actually placed at.
44 IncorrectFlashAddress {
45 actual_address: u32,
46 expected_address: u32,
47 },
48
49 /// The process binary specifies the process is not enabled, and therefore
50 /// cannot be loaded.
51 NotEnabledProcess,
52
53 /// This entry in flash is just padding.
54 Padding,
55}
56
57impl From<tock_tbf::types::TbfParseError> for ProcessBinaryError {
58 /// Convert between a TBF Header parse error and a process binary error.
59 ///
60 /// We note that the process binary error is because a TBF header failed to
61 /// parse, and just pass through the parse error.
62 fn from(error: tock_tbf::types::TbfParseError) -> Self {
63 ProcessBinaryError::TbfHeaderParseFailure(error)
64 }
65}
66
67impl fmt::Debug for ProcessBinaryError {
68 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
69 match self {
70 ProcessBinaryError::TbfHeaderNotFound => {
71 write!(f, "Could not find TBF header")
72 }
73
74 ProcessBinaryError::TbfHeaderParseFailure(tbf_parse_error) => {
75 writeln!(f, "Error parsing TBF header")?;
76 write!(f, "{:?}", tbf_parse_error)
77 }
78
79 ProcessBinaryError::NotEnoughFlash => {
80 write!(f, "Not enough flash available for TBF")
81 }
82
83 ProcessBinaryError::IncorrectFlashAddress {
84 actual_address,
85 expected_address,
86 } => write!(
87 f,
88 "App flash does not match requested address. Actual:{:#x}, Expected:{:#x}",
89 actual_address, expected_address
90 ),
91
92 ProcessBinaryError::IncompatibleKernelVersion { version } => match version {
93 Some((major, minor)) => write!(
94 f,
95 "Process is incompatible with the kernel. Running: {}.{}, Requested: {}.{}",
96 crate::KERNEL_MAJOR_VERSION,
97 crate::KERNEL_MINOR_VERSION,
98 major,
99 minor
100 ),
101 None => write!(f, "Process did not provide a TBF kernel version header"),
102 },
103
104 ProcessBinaryError::NotEnabledProcess => {
105 write!(f, "Process marked not enabled")
106 }
107
108 ProcessBinaryError::Padding => {
109 write!(f, "Process item is just padding")
110 }
111 }
112 }
113}
114
115/// A process stored in flash.
116pub struct ProcessBinary {
117 /// Process flash segment. This is the entire region of nonvolatile flash
118 /// that the process occupies.
119 pub flash: &'static [u8],
120
121 /// The footers of the process binary (may be zero-sized), which are metadata
122 /// about the process not covered by integrity. Used, among other things, to
123 /// store signatures.
124 pub footers: &'static [u8],
125
126 /// Collection of pointers to the TBF header in flash.
127 pub header: tock_tbf::types::TbfHeader,
128
129 /// Optional credential that was used to approve this application. This is
130 /// set if the process is checked by a credential checker and a specific
131 /// credential was used to approve this process. Otherwise this is `None`.
132 pub credential: OptionalCell<AcceptedCredential>,
133}
134
135impl ProcessBinary {
136 pub(crate) fn create(
137 app_flash: &'static [u8],
138 header_length: usize,
139 tbf_version: u16,
140 require_kernel_version: bool,
141 ) -> Result<Self, ProcessBinaryError> {
142 // Get a slice for just the app header.
143 let header_flash = app_flash
144 .get(0..header_length)
145 .ok_or(ProcessBinaryError::NotEnoughFlash)?;
146
147 // Parse the full TBF header to see if this is a valid app. If the
148 // header can't parse, we will error right here.
149 let tbf_header = tock_tbf::parse::parse_tbf_header(header_flash, tbf_version)?;
150
151 // If this isn't an app (i.e. it is padding) then we can skip it and do
152 // not create a `ProcessBinary` object.
153 if !tbf_header.is_app() {
154 if config::CONFIG.debug_load_processes && !tbf_header.is_app() {
155 debug!(
156 "Padding in flash={:#010X}-{:#010X}",
157 app_flash.as_ptr() as usize,
158 app_flash.as_ptr() as usize + app_flash.len() - 1
159 );
160 }
161 // Return no process and the full memory slice we were given.
162 return Err(ProcessBinaryError::Padding);
163 }
164
165 // If this is an app but it isn't enabled, then we can return an error.
166 if !tbf_header.enabled() {
167 if config::CONFIG.debug_load_processes {
168 debug!(
169 "Process not enabled flash={:#010X}-{:#010X} process={:?}",
170 app_flash.as_ptr() as usize,
171 app_flash.as_ptr() as usize + app_flash.len() - 1,
172 tbf_header.get_package_name().unwrap_or("(no name)")
173 );
174 }
175 return Err(ProcessBinaryError::NotEnabledProcess);
176 }
177
178 if let Some((major, minor)) = tbf_header.get_kernel_version() {
179 // If the `KernelVersion` header is present, we read the requested
180 // kernel version and compare it to the running kernel version.
181 if crate::KERNEL_MAJOR_VERSION != major || crate::KERNEL_MINOR_VERSION < minor {
182 // If the kernel major version is different, we prevent the
183 // process from being loaded.
184 //
185 // If the kernel major version is the same, we compare the
186 // kernel minor version. The current running kernel minor
187 // version has to be greater or equal to the one that the
188 // process has requested. If not, we prevent the process from
189 // loading.
190 if config::CONFIG.debug_load_processes {
191 debug!(
192 "WARN process {} requires kernel>={}.{} and <{}.0, (running kernel {}.{})",
193 tbf_header.get_package_name().unwrap_or(""),
194 major,
195 minor,
196 (major + 1),
197 crate::KERNEL_MAJOR_VERSION,
198 crate::KERNEL_MINOR_VERSION
199 );
200 }
201 return Err(ProcessBinaryError::IncompatibleKernelVersion {
202 version: Some((major, minor)),
203 });
204 }
205 } else if require_kernel_version {
206 // If enforcing the kernel version is requested, and the
207 // `KernelVersion` header is not present, we prevent the process
208 // from loading.
209 if config::CONFIG.debug_load_processes {
210 debug!(
211 "WARN process {} has no kernel version header",
212 tbf_header.get_package_name().unwrap_or("")
213 );
214 debug!("Please upgrade to elf2tab >= 0.8.0");
215 }
216 return Err(ProcessBinaryError::IncompatibleKernelVersion { version: None });
217 }
218
219 let binary_end = tbf_header.get_binary_end() as usize;
220 let total_size = app_flash.len();
221
222 // End of the portion of the application binary covered by integrity.
223 // Now handle footers.
224 let footer_region = app_flash
225 .get(binary_end..total_size)
226 .ok_or(ProcessBinaryError::NotEnoughFlash)?;
227
228 // Check that the process is at the correct location in flash if the TBF
229 // header specified a fixed address. If there is a mismatch we catch
230 // that early.
231 if let Some(fixed_flash_start) = tbf_header.get_fixed_address_flash() {
232 // The flash address in the header is based on the app binary, so we
233 // need to take into account the header length.
234 let actual_address = app_flash.as_ptr() as u32 + tbf_header.get_protected_size();
235 let expected_address = fixed_flash_start;
236 if actual_address != expected_address {
237 return Err(ProcessBinaryError::IncorrectFlashAddress {
238 actual_address,
239 expected_address,
240 });
241 }
242 }
243
244 Ok(Self {
245 header: tbf_header,
246 footers: footer_region,
247 flash: app_flash,
248 credential: OptionalCell::empty(),
249 })
250 }
251
252 pub fn get_credential(&self) -> Option<AcceptedCredential> {
253 self.credential.get()
254 }
255
256 pub(crate) fn get_integrity_region_slice(&self) -> &'static [u8] {
257 unsafe {
258 core::slice::from_raw_parts(self.flash.as_ptr(), self.header.get_binary_end() as usize)
259 }
260 }
261}