kernel compiles with a bunch of trusted and ignores

PLSysSec · Jul 24, 2024 · 5d8862f · 5d8862f
1 parent a8d393e
commit 5d8862f
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 13 deletions.
diff --git a/kernel/src/debug.rs b/kernel/src/debug.rs
@@ -602,7 +602,7 @@ pub fn debug_print(args: Arguments) {
     writer.publish_bytes();
 }
 
-#[flux::ignore]
+#[flux::trusted]
 pub fn debug_println(args: Arguments) {
     let writer = unsafe { get_debug_writer() };
 

diff --git a/kernel/src/grant.rs b/kernel/src/grant.rs
@@ -1761,6 +1761,7 @@ impl<T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSi
     ///
     /// Calling this function when an `ProcessGrant` for a process is currently
     /// entered will result in a panic.
+    #[flux::ignore]
     pub fn iter(&self) -> Iter<T, Upcalls, AllowROs, AllowRWs> {
         Iter {
             grant: self,
@@ -1770,6 +1771,7 @@ impl<T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSi
 }
 
 /// Type to iterate `ProcessGrant`s across processes.
+#[flux::ignore]
 pub struct Iter<
     'a,
     T: 'a + Default,
@@ -1787,6 +1789,7 @@ pub struct Iter<
     >,
 }
 
+#[flux::ignore]
 impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSize> Iterator
     for Iter<'a, T, Upcalls, AllowROs, AllowRWs>
 {

diff --git a/kernel/src/ipc.rs b/kernel/src/ipc.rs
@@ -42,6 +42,7 @@ pub enum IPCUpcallType {
 struct IPCData;
 
 /// The IPC mechanism struct.
+#[flux::ignore]
 pub struct IPC<const NUM_PROCS: u8> {
     /// The grant regions for each process that holds the per-process IPC data.
     data: Grant<
@@ -52,6 +53,7 @@ pub struct IPC<const NUM_PROCS: u8> {
     >,
 }
 
+#[flux::ignore]
 impl<const NUM_PROCS: u8> IPC<NUM_PROCS> {
     pub fn new(
         kernel: &'static Kernel,
@@ -102,6 +104,7 @@ impl<const NUM_PROCS: u8> IPC<NUM_PROCS> {
     }
 }
 
+#[flux::ignore]
 impl<const NUM_PROCS: u8> SyscallDriver for IPC<NUM_PROCS> {
     /// command is how notify() is implemented.
     /// Notifying an IPC service is done by setting client_or_svc to 0,

diff --git a/kernel/src/kernel.rs b/kernel/src/kernel.rs
@@ -71,6 +71,7 @@ enum AllocResult {
 
 /// Tries to allocate the grant region for specified driver and process.
 /// Returns if a new grant was allocated or not
+#[flux::ignore]
 fn try_allocate_grant(driver: &dyn SyscallDriver, process: &dyn process::Process) -> AllocResult {
     let before_count = process.grant_allocated_count().unwrap_or(0);
     match driver.allocate_grant(process.processid()).is_ok() {
@@ -99,6 +100,7 @@ impl Kernel {
 
     /// Helper function that moves all non-generic portions of process_map_or
     /// into a non-generic function to reduce code bloat from monomorphization.
+    #[flux::trusted]
     pub(crate) fn get_process(&self, processid: ProcessId) -> Option<&dyn process::Process> {
         // We use the index in the `processid` so we can do a direct lookup.
         // However, we are not guaranteed that the app still exists at that
@@ -128,10 +130,12 @@ impl Kernel {
     /// different index in the processes array. Note that a match _will_ be
     /// found if the process still exists in the correct location in the array
     /// but is in any "stopped" state.
+    #[flux::trusted]
     pub(crate) fn process_map_or<F, R>(&self, default: R, processid: ProcessId, closure: F) -> R
     where
         F: FnOnce(&dyn process::Process) -> R,
     {
+        // unimplemented!()
         match self.get_process(processid) {
             Some(process) => closure(process),
             None => default,
@@ -152,6 +156,7 @@ impl Kernel {
     /// This is functionally the same as `process_map_or()`, but this method is
     /// available outside the kernel crate and requires a
     /// `ProcessManagementCapability` to use.
+    #[flux::trusted]
     pub fn process_map_or_external<F, R>(
         &self,
         default: R,
@@ -170,6 +175,7 @@ impl Kernel {
 
     /// Run a closure on every valid process. This will iterate the array of
     /// processes and call the closure on every process that exists.
+    #[flux::trusted]
     pub(crate) fn process_each<F>(&self, mut closure: F)
     where
         F: FnMut(&dyn process::Process),
@@ -185,6 +191,7 @@ impl Kernel {
     }
 
     /// Returns an iterator over all processes loaded by the kernel
+    #[flux::ignore]
     pub(crate) fn get_process_iter(
         &self,
     ) -> core::iter::FilterMap<
@@ -205,6 +212,7 @@ impl Kernel {
     /// This is functionally the same as `process_each()`, but this method is
     /// available outside the kernel crate and requires a
     /// `ProcessManagementCapability` to use.
+    #[flux::trusted]
     pub fn process_each_capability<F>(
         &'static self,
         _capability: &dyn capabilities::ProcessManagementCapability,
@@ -225,6 +233,7 @@ impl Kernel {
     /// Run a closure on every process, but only continue if the closure returns `None`. That is,
     /// if the closure returns any non-`None` value, iteration stops and the value is returned from
     /// this function to the called.
+    #[flux::trusted]
     pub(crate) fn process_until<T, F>(&self, closure: F) -> Option<T>
     where
         F: Fn(&dyn process::Process) -> Option<T>,
@@ -249,6 +258,7 @@ impl Kernel {
     ///
     /// This is needed for `ProcessId` itself to implement the `.index()` command to
     /// verify that the referenced app is still at the correct index.
+    #[flux::trusted]
     pub(crate) fn processid_is_valid(&self, processid: &ProcessId) -> bool {
         self.processes.get(processid.index).map_or(false, |p| {
             p.map_or(false, |process| process.processid().id() == processid.id())
@@ -359,6 +369,7 @@ impl Kernel {
     /// This function has one configuration option: `no_sleep`. If that argument
     /// is set to true, the kernel will never attempt to put the chip to sleep,
     /// and this function can be called again immediately.
+    #[flux::ignore]
     pub fn kernel_loop_operation<KR: KernelResources<C>, C: Chip, const NUM_PROCS: u8>(
         &self,
         resources: &KR,
@@ -426,6 +437,7 @@ impl Kernel {
     ///
     /// Most of the behavior of this loop is controlled by the `Scheduler`
     /// implementation in use.
+    #[flux::ignore]
     pub fn kernel_loop<KR: KernelResources<C>, C: Chip, const NUM_PROCS: u8>(
         &self,
         resources: &KR,
@@ -472,6 +484,7 @@ impl Kernel {
     /// cooperatively). Notably, time spent in this function by the kernel,
     /// executing system calls or merely setting up the switch to/from
     /// userspace, is charged to the process.
+    #[flux::ignore]
     fn do_process<KR: KernelResources<C>, C: Chip, const NUM_PROCS: u8>(
         &self,
         resources: &KR,
@@ -682,6 +695,7 @@ impl Kernel {
     /// driver system calls to peripheral driver capsules through the platforms
     /// `with_driver` method.
     #[inline]
+    #[flux::ignore]
     fn handle_syscall<KR: KernelResources<C>, C: Chip>(
         &self,
         resources: &KR,

diff --git a/kernel/src/lib.rs b/kernel/src/lib.rs
@@ -111,32 +111,32 @@ pub mod debug;
 #[flux::ignore]
 pub mod deferred_call;
 pub mod errorcode;
-#[flux::ignore]
+#[flux::trusted]
 pub mod grant;
 #[flux::ignore]
 pub mod hil;
 #[flux::ignore]
 pub mod introspection;
-#[flux::ignore]
+#[flux::trusted]
 pub mod ipc;
 pub mod platform;
-#[flux::ignore]
+// #[flux::ignore]
 pub mod process;
 #[flux::ignore]
 pub mod process_checker;
-#[flux::ignore]
+// #[flux::ignore]
 pub mod processbuffer;
 #[flux::ignore]
 pub mod scheduler;
 pub mod storage_permissions;
-#[flux::ignore]
+// #[flux::ignore]
 pub mod syscall;
-#[flux::ignore]
+// #[flux::ignore]
 pub mod upcall;
 pub mod utilities;
 
 mod config;
-#[flux::ignore]
+// #[flux::ignore]
 mod kernel;
 mod memop;
 #[flux::ignore]
@@ -149,7 +149,7 @@ mod process_policies;
 mod process_printer;
 #[flux::ignore]
 mod process_standard;
-#[flux::ignore]
+// #[flux::ignore]
 mod syscall_driver;
 
 // Core resources exposed as `kernel::Type`.

diff --git a/kernel/src/platform/mod.rs b/kernel/src/platform/mod.rs
@@ -5,14 +5,14 @@
 //! Traits for implementing various layers and components in Tock.
 //!
 //! Implementations of these traits are used by the core kernel.
-#[flux::ignore]
+// #[flux::ignore]
 pub mod chip;
 pub mod mpu;
 #[flux::ignore]
 pub mod scheduler_timer;
 pub mod watchdog;
 
-#[flux::ignore]
+// #[flux::ignore]
 pub(crate) mod platform;
 
 pub use self::platform::ContextSwitchCallback;

diff --git a/kernel/src/processbuffer.rs b/kernel/src/processbuffer.rs
@@ -328,6 +328,7 @@ impl ReadableProcessBuffer for ReadOnlyProcessBuffer {
     ///
     /// This verifies the process is still valid before accessing the underlying
     /// memory.
+    #[flux::ignore]
     fn enter<F, R>(&self, fun: F) -> Result<R, process::Error>
     where
         F: FnOnce(&ReadableProcessSlice) -> R,
@@ -388,6 +389,7 @@ impl ReadOnlyProcessBufferRef<'_> {
     /// [`ReadOnlyProcessBuffer::new_external`]. The derived lifetime can
     /// help enforce the invariant that this incoming pointer may only
     /// be access for a certain duration.
+    #[flux::ignore]
     pub(crate) unsafe fn new(ptr: *const u8, len: usize, process_id: ProcessId) -> Self {
         Self {
             buf: ReadOnlyProcessBuffer::new(ptr, len, process_id),
@@ -535,6 +537,7 @@ impl ReadableProcessBuffer for ReadWriteProcessBuffer {
     ///
     /// This verifies the process is still valid before accessing the underlying
     /// memory.
+    #[flux::ignore]
     fn enter<F, R>(&self, fun: F) -> Result<R, process::Error>
     where
         F: FnOnce(&ReadableProcessSlice) -> R,
@@ -568,6 +571,7 @@ impl ReadableProcessBuffer for ReadWriteProcessBuffer {
     }
 }
 
+#[flux::ignore]
 impl WriteableProcessBuffer for ReadWriteProcessBuffer {
     fn mut_enter<F, R>(&self, fun: F) -> Result<R, process::Error>
     where
@@ -625,6 +629,7 @@ impl ReadWriteProcessBufferRef<'_> {
     /// [`ReadWriteProcessBuffer::new_external`]. The derived lifetime can
     /// help enforce the invariant that this incoming pointer may only
     /// be access for a certain duration.
+    #[flux::ignore]
     pub(crate) unsafe fn new(ptr: *mut u8, len: usize, process_id: ProcessId) -> Self {
         Self {
             buf: ReadWriteProcessBuffer::new(ptr, len, process_id),
@@ -736,6 +741,7 @@ impl ReadableProcessSlice {
     /// # Panics
     ///
     /// This function will panic if `self.len() != dest.len()`.
+    #[flux::ignore]
     pub fn copy_to_slice(&self, dest: &mut [u8]) {
         // The panic code path was put into a cold function to not
         // bloat the call site.
@@ -759,6 +765,7 @@ impl ReadableProcessSlice {
     ///
     /// The length of `self` must be the same as `dest`. Subslicing
     /// can be used to obtain a slice of matching length.
+    #[flux::ignore]
     pub fn copy_to_slice_or_err(&self, dest: &mut [u8]) -> Result<(), ErrorCode> {
         // Method implemetation adopted from the
         // core::slice::copy_from_slice method implementation:
@@ -791,6 +798,7 @@ impl ReadableProcessSlice {
     }
 
     /// Iterate the slice in chunks.
+    #[flux::ignore]
     pub fn chunks(
         &self,
         chunk_size: usize,
@@ -857,7 +865,7 @@ impl Index<RangeFrom<usize>> for ReadableProcessSlice {
         &self[idx.start..self.len()]
     }
 }
-
+#[flux::ignore]
 impl Index<usize> for ReadableProcessSlice {
     // Indexing into a ReadableProcessSlice must yield a
     // ReadableProcessByte, to limit the API surface of the wrapped
@@ -919,6 +927,7 @@ impl WriteableProcessSlice {
     /// # Panics
     ///
     /// This function will panic if `self.len() != dest.len()`.
+    #[flux::ignore]
     pub fn copy_to_slice(&self, dest: &mut [u8]) {
         // The panic code path was put into a cold function to not
         // bloat the call site.
@@ -942,6 +951,7 @@ impl WriteableProcessSlice {
     ///
     /// The length of `self` must be the same as `dest`. Subslicing
     /// can be used to obtain a slice of matching length.
+    #[flux::ignore]
     pub fn copy_to_slice_or_err(&self, dest: &mut [u8]) -> Result<(), ErrorCode> {
         // Method implemetation adopted from the
         // core::slice::copy_from_slice method implementation:
@@ -971,6 +981,7 @@ impl WriteableProcessSlice {
     /// # Panics
     ///
     /// This function will panic if `src.len() != self.len()`.
+    #[flux::ignore]
     pub fn copy_from_slice(&self, src: &[u8]) {
         // Method implemetation adopted from the
         // core::slice::copy_from_slice method implementation:
@@ -997,6 +1008,7 @@ impl WriteableProcessSlice {
     ///
     /// The length of `src` must be the same as `self`. Subslicing can
     /// be used to obtain a slice of matching length.
+    #[flux::ignore]
     pub fn copy_from_slice_or_err(&self, src: &[u8]) -> Result<(), ErrorCode> {
         // Method implemetation adopted from the
         // core::slice::copy_from_slice method implementation:
@@ -1028,6 +1040,7 @@ impl WriteableProcessSlice {
     }
 
     /// Iterate over the slice in chunks.
+    #[flux::ignore]
     pub fn chunks(
         &self,
         chunk_size: usize,
@@ -1094,7 +1107,7 @@ impl Index<RangeFrom<usize>> for WriteableProcessSlice {
         &self[idx.start..self.len()]
     }
 }
-
+#[flux::ignore]
 impl Index<usize> for WriteableProcessSlice {
     // Indexing into a WriteableProcessSlice yields a Cell<u8>, as
     // mutating the memory contents is allowed.