Standardise safety comments in pvmfw and fdtpci.
Bug: 290018030
Test: m pvmfw_bin
Change-Id: Ia6aaf9e226d6594c6f97543857ce4f3b739dc699
diff --git a/libs/fdtpci/src/lib.rs b/libs/fdtpci/src/lib.rs
index 96d98d6..602f736 100644
--- a/libs/fdtpci/src/lib.rs
+++ b/libs/fdtpci/src/lib.rs
@@ -119,7 +119,9 @@
/// method must only be called once, and there must be no other `PciRoot` constructed using the
/// same CAM.
pub unsafe fn make_pci_root(&self) -> PciRoot {
- PciRoot::new(self.cam_range.start as *mut u8, Cam::MmioCam)
+ // SAFETY: We trust that the FDT gave us a valid MMIO base address for the CAM. The caller
+ // guarantees to only call us once, so there are no other references to it.
+ unsafe { PciRoot::new(self.cam_range.start as *mut u8, Cam::MmioCam) }
}
}
diff --git a/pvmfw/avb/src/descriptor/collection.rs b/pvmfw/avb/src/descriptor/collection.rs
index c6698c0..14c47b1 100644
--- a/pvmfw/avb/src/descriptor/collection.rs
+++ b/pvmfw/avb/src/descriptor/collection.rs
@@ -170,9 +170,9 @@
/// Behavior is undefined if any of the following conditions are violated:
/// * The `descriptor` pointer must be non-null and point to a valid `AvbDescriptor`.
unsafe fn from_descriptor_ptr(descriptor: *const AvbDescriptor) -> utils::Result<Self> {
+ let avb_descriptor =
// SAFETY: It is safe as the raw pointer `descriptor` is non-null and points to
// a valid `AvbDescriptor`.
- let avb_descriptor =
unsafe { get_valid_descriptor(descriptor, avb_descriptor_validate_and_byteswap)? };
let len = usize_checked_add(
size_of::<AvbDescriptor>(),
@@ -189,9 +189,9 @@
Ok(Self::Hash(descriptor))
}
Ok(AvbDescriptorTag::AVB_DESCRIPTOR_TAG_PROPERTY) => {
+ let descriptor =
// SAFETY: It is safe because the caller ensures that `descriptor` is a non-null
// pointer pointing to a valid struct.
- let descriptor =
unsafe { PropertyDescriptor::from_descriptor_ptr(descriptor, data)? };
Ok(Self::Property(descriptor))
}
diff --git a/pvmfw/avb/src/ops.rs b/pvmfw/avb/src/ops.rs
index e7f0ac7..8f7295c 100644
--- a/pvmfw/avb/src/ops.rs
+++ b/pvmfw/avb/src/ops.rs
@@ -320,8 +320,8 @@
pub(crate) fn vbmeta_images(&self) -> Result<&[AvbVBMetaData], AvbSlotVerifyError> {
let data = self.as_ref();
is_not_null(data.vbmeta_images).map_err(|_| AvbSlotVerifyError::Io)?;
- // SAFETY: It is safe as the raw pointer `data.vbmeta_images` is a nonnull pointer.
let vbmeta_images =
+ // SAFETY: It is safe as the raw pointer `data.vbmeta_images` is a nonnull pointer.
unsafe { slice::from_raw_parts(data.vbmeta_images, data.num_vbmeta_images) };
Ok(vbmeta_images)
}
@@ -329,10 +329,10 @@
pub(crate) fn loaded_partitions(&self) -> Result<&[AvbPartitionData], AvbSlotVerifyError> {
let data = self.as_ref();
is_not_null(data.loaded_partitions).map_err(|_| AvbSlotVerifyError::Io)?;
+ let loaded_partitions =
// SAFETY: It is safe as the raw pointer `data.loaded_partitions` is a nonnull pointer and
// is guaranteed by libavb to point to a valid `AvbPartitionData` array as part of the
// `AvbSlotVerifyData` struct.
- let loaded_partitions =
unsafe { slice::from_raw_parts(data.loaded_partitions, data.num_loaded_partitions) };
Ok(loaded_partitions)
}
diff --git a/pvmfw/src/crypto.rs b/pvmfw/src/crypto.rs
index 3d9c8d1..94714c0 100644
--- a/pvmfw/src/crypto.rs
+++ b/pvmfw/src/crypto.rs
@@ -46,17 +46,14 @@
impl Error {
fn get() -> Option<Self> {
- let mut file = MaybeUninit::uninit();
- let mut line = MaybeUninit::uninit();
- // SAFETY - The function writes to the provided pointers, validated below.
- let packed = unsafe { ERR_get_error_line(file.as_mut_ptr(), line.as_mut_ptr()) };
- // SAFETY - Any possible value returned could be considered a valid *const c_char.
- let file = unsafe { file.assume_init() };
- // SAFETY - Any possible value returned could be considered a valid c_int.
- let line = unsafe { line.assume_init() };
+ let mut file = ptr::null();
+ let mut line = 0;
+ // SAFETY: The function writes to the provided pointers, which are valid because they come
+ // from references. It doesn't retain them after it returns.
+ let packed = unsafe { ERR_get_error_line(&mut file, &mut line) };
let packed = packed.try_into().ok()?;
- // SAFETY - Any non-NULL result is expected to point to a global const C string.
+ // SAFETY: Any non-NULL result is expected to point to a global const C string.
let file = unsafe { as_static_cstr(file) };
Some(Self { packed, file, line })
@@ -67,16 +64,16 @@
}
fn library_name(&self) -> Option<&'static CStr> {
- // SAFETY - Call to a pure function.
+ // SAFETY: Call to a pure function.
let name = unsafe { ERR_lib_error_string(self.packed_value()) };
- // SAFETY - Any non-NULL result is expected to point to a global const C string.
+ // SAFETY: Any non-NULL result is expected to point to a global const C string.
unsafe { as_static_cstr(name) }
}
fn reason(&self) -> Option<&'static CStr> {
- // SAFETY - Call to a pure function.
+ // SAFETY: Call to a pure function.
let reason = unsafe { ERR_reason_error_string(self.packed_value()) };
- // SAFETY - Any non-NULL result is expected to point to a global const C string.
+ // SAFETY: Any non-NULL result is expected to point to a global const C string.
unsafe { as_static_cstr(reason) }
}
}
@@ -111,18 +108,18 @@
impl Aead {
pub fn aes_256_gcm_randnonce() -> Option<&'static Self> {
- // SAFETY - Returned pointer is checked below.
+ // SAFETY: Returned pointer is checked below.
let aead = unsafe { EVP_aead_aes_256_gcm_randnonce() };
if aead.is_null() {
None
} else {
- // SAFETY - We assume that the non-NULL value points to a valid and static EVP_AEAD.
+ // SAFETY: We assume that the non-NULL value points to a valid and static EVP_AEAD.
Some(unsafe { &*(aead as *const _) })
}
}
pub fn max_overhead(&self) -> usize {
- // SAFETY - Function should only read from self.
+ // SAFETY: Function should only read from self.
unsafe { EVP_AEAD_max_overhead(self.as_ref() as *const _) }
}
}
@@ -141,7 +138,7 @@
const DEFAULT_TAG_LENGTH: usize = 0;
let engine = ptr::null_mut(); // Use default implementation.
let mut ctx = MaybeUninit::zeroed();
- // SAFETY - Initialize the EVP_AEAD_CTX with const pointers to the AEAD and key.
+ // SAFETY: Initialize the EVP_AEAD_CTX with const pointers to the AEAD and key.
let result = unsafe {
EVP_AEAD_CTX_init(
ctx.as_mut_ptr(),
@@ -154,7 +151,7 @@
};
if result == 1 {
- // SAFETY - We assume that the non-NULL value points to a valid and static EVP_AEAD.
+ // SAFETY: We assume that the non-NULL value points to a valid and static EVP_AEAD.
Ok(Self(unsafe { ctx.assume_init() }))
} else {
Err(ErrorIterator {})
@@ -162,12 +159,12 @@
}
pub fn aead(&self) -> Option<&'static Aead> {
- // SAFETY - The function should only read from self.
+ // SAFETY: The function should only read from self.
let aead = unsafe { EVP_AEAD_CTX_aead(self.as_ref() as *const _) };
if aead.is_null() {
None
} else {
- // SAFETY - We assume that the non-NULL value points to a valid and static EVP_AEAD.
+ // SAFETY: We assume that the non-NULL value points to a valid and static EVP_AEAD.
Some(unsafe { &*(aead as *const _) })
}
}
@@ -178,7 +175,7 @@
let ad = ptr::null_mut();
let ad_len = 0;
let mut out_len = MaybeUninit::uninit();
- // SAFETY - The function should only read from self and write to out (at most the provided
+ // SAFETY: The function should only read from self and write to out (at most the provided
// number of bytes) and out_len while reading from data (at most the provided number of
// bytes), ignoring any NULL input.
let result = unsafe {
@@ -197,7 +194,7 @@
};
if result == 1 {
- // SAFETY - Any value written to out_len could be a valid usize. The value itself is
+ // SAFETY: Any value written to out_len could be a valid usize. The value itself is
// validated as being a proper slice length by panicking in the following indexing
// otherwise.
let out_len = unsafe { out_len.assume_init() };
@@ -213,7 +210,7 @@
let ad = ptr::null_mut();
let ad_len = 0;
let mut out_len = MaybeUninit::uninit();
- // SAFETY - The function should only read from self and write to out (at most the provided
+ // SAFETY: The function should only read from self and write to out (at most the provided
// number of bytes) while reading from data (at most the provided number of bytes),
// ignoring any NULL input.
let result = unsafe {
@@ -232,7 +229,7 @@
};
if result == 1 {
- // SAFETY - Any value written to out_len could be a valid usize. The value itself is
+ // SAFETY: Any value written to out_len could be a valid usize. The value itself is
// validated as being a proper slice length by panicking in the following indexing
// otherwise.
let out_len = unsafe { out_len.assume_init() };
@@ -272,12 +269,12 @@
pub fn hkdf_sh512<const N: usize>(secret: &[u8], salt: &[u8], info: &[u8]) -> Result<[u8; N]> {
let mut key = [0; N];
- // SAFETY - The function shouldn't access any Rust variable and the returned value is accepted
+ // SAFETY: The function shouldn't access any Rust variable and the returned value is accepted
// as a potentially NULL pointer.
let digest = unsafe { EVP_sha512() };
assert!(!digest.is_null());
- // SAFETY - Only reads from/writes to the provided slices and supports digest was checked not
+ // SAFETY: Only reads from/writes to the provided slices and supports digest was checked not
// be NULL.
let result = unsafe {
HKDF(
@@ -301,6 +298,6 @@
}
pub fn init() {
- // SAFETY - Configures the internal state of the library - may be called multiple times.
+ // SAFETY: Configures the internal state of the library - may be called multiple times.
unsafe { CRYPTO_library_init() }
}
diff --git a/pvmfw/src/dice.rs b/pvmfw/src/dice.rs
index fbab013..28271d3 100644
--- a/pvmfw/src/dice.rs
+++ b/pvmfw/src/dice.rs
@@ -91,7 +91,7 @@
/// .data, or provided BCC).
#[no_mangle]
unsafe extern "C" fn DiceClearMemory(_ctx: *mut c_void, size: usize, addr: *mut c_void) {
- // SAFETY - We must trust that the slice will be valid arrays/variables on the C code stack.
+ // SAFETY: We must trust that the slice will be valid arrays/variables on the C code stack.
let region = unsafe { slice::from_raw_parts_mut(addr as *mut u8, size) };
flushed_zeroize(region)
}
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index f3bd637..9c929a9 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -93,7 +93,7 @@
RebootReason::InternalError
})?;
- // SAFETY - The tracker validated the range to be in main memory, mapped, and not overlap.
+ // SAFETY: The tracker validated the range to be in main memory, mapped, and not overlap.
let fdt = unsafe { slice::from_raw_parts_mut(range.start as *mut u8, range.len()) };
let fdt = libfdt::Fdt::from_mut_slice(fdt).map_err(|e| {
error!("Failed to spawn the FDT wrapper: {e}");
@@ -153,9 +153,9 @@
return Err(RebootReason::InvalidPayload);
};
- // SAFETY - The tracker validated the range to be in main memory, mapped, and not overlap.
- let kernel =
- unsafe { slice::from_raw_parts(kernel_range.start as *const u8, kernel_range.len()) };
+ let kernel = kernel_range.start as *const u8;
+ // SAFETY: The tracker validated the range to be in main memory, mapped, and not overlap.
+ let kernel = unsafe { slice::from_raw_parts(kernel, kernel_range.len()) };
let ramdisk = if let Some(r) = info.initrd_range {
debug!("Located ramdisk at {r:?}");
@@ -164,7 +164,7 @@
RebootReason::InvalidRamdisk
})?;
- // SAFETY - The region was validated by memory to be in main memory, mapped, and
+ // SAFETY: The region was validated by memory to be in main memory, mapped, and
// not overlap.
Some(unsafe { slice::from_raw_parts(r.start as *const u8, r.len()) })
} else {
@@ -198,7 +198,7 @@
RebootReason::InternalError
})?;
- // SAFETY - We only get the appended payload from here, once. The region was statically mapped,
+ // SAFETY: We only get the appended payload from here, once. The region was statically mapped,
// then remapped by `init_page_table()`.
let appended_data = unsafe { get_appended_data_slice() };
@@ -277,7 +277,7 @@
// Disable the exception vector, caches and page table and then jump to the payload at the
// given address, passing it the given FDT pointer.
//
- // SAFETY - We're exiting pvmfw by passing the register values we need to a noreturn asm!().
+ // SAFETY: We're exiting pvmfw by passing the register values we need to a noreturn asm!().
unsafe {
asm!(
"cmp {scratch}, {bcc}",
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 2382b50..4e41331 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -559,7 +559,7 @@
*v = v.to_be();
}
- // SAFETY - array size is the same
+ // SAFETY: array size is the same
let value = unsafe {
core::mem::transmute::<
[u32; NUM_INTERRUPTS * CELLS_PER_INTERRUPT],
@@ -801,7 +801,7 @@
}
};
- // SAFETY - on failure, the corrupted DT is restored using the backup.
+ // SAFETY: on failure, the corrupted DT is restored using the backup.
if let Err(e) = unsafe { fdt.apply_overlay(overlay) } {
warn!("Failed to apply debug policy: {e}. Recovering...");
fdt.copy_from_slice(backup_fdt.as_slice())?;
diff --git a/pvmfw/src/gpt.rs b/pvmfw/src/gpt.rs
index 892850c..1060460 100644
--- a/pvmfw/src/gpt.rs
+++ b/pvmfw/src/gpt.rs
@@ -130,7 +130,7 @@
for i in Header::ENTRIES_LBA..Header::ENTRIES_LBA.checked_add(num_blocks).unwrap() {
self.read_block(i, &mut blk)?;
let entries = blk.as_ptr().cast::<Entry>();
- // SAFETY - blk is assumed to be properly aligned for Entry and its size is assert-ed
+ // SAFETY: blk is assumed to be properly aligned for Entry and its size is assert-ed
// above. All potential values of the slice will produce valid Entry values.
let entries = unsafe { slice::from_raw_parts(entries, min(rem, entries_per_blk)) };
for entry in entries {