Standardise safety comments for unsafe blocks.
These will soon be required by a lint.
Bug: 290018030
Test: m pvmfw_bin
Change-Id: I4faf7eb14eb8825af542c2da886d93c096068cb6
diff --git a/diced/open_dice/src/bcc.rs b/diced/open_dice/src/bcc.rs
index f9c6a34..ca2136f 100644
--- a/diced/open_dice/src/bcc.rs
+++ b/diced/open_dice/src/bcc.rs
@@ -48,9 +48,9 @@
};
let mut buffer_size = 0;
- // SAFETY: The function writes to the buffer, within the given bounds, and only reads the
- // input values. It writes its result to buffer_size.
check_result(
+ // SAFETY: The function writes to the buffer, within the given bounds, and only reads the
+ // input values. It writes its result to buffer_size.
unsafe {
BccFormatConfigDescriptor(&values, buffer.len(), buffer.as_mut_ptr(), &mut buffer_size)
},
@@ -72,11 +72,11 @@
next_bcc: &mut [u8],
) -> Result<usize> {
let mut next_bcc_size = 0;
- // SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes
- // to `next_bcc` and next CDI values within its bounds. It also reads
- // `input_values` as a constant input and doesn't store any pointer.
- // The first argument can be null and is not used in the current implementation.
check_result(
+ // SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes
+ // to `next_bcc` and next CDI values within its bounds. It also reads
+ // `input_values` as a constant input and doesn't store any pointer.
+ // The first argument can be null and is not used in the current implementation.
unsafe {
BccMainFlow(
ptr::null_mut(), // context
@@ -108,11 +108,11 @@
next_bcc_handover: &mut [u8],
) -> Result<usize> {
let mut next_bcc_handover_size = 0;
- // SAFETY - The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
- // within its bounds,
- // It also reads `input_values` as a constant input and doesn't store any pointer.
- // The first argument can be null and is not used in the current implementation.
check_result(
+ // SAFETY: The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
+ // within its bounds,
+ // It also reads `input_values` as a constant input and doesn't store any pointer.
+ // The first argument can be null and is not used in the current implementation.
unsafe {
BccHandoverMainFlow(
ptr::null_mut(), // context
@@ -165,9 +165,9 @@
let mut cdi_seal: *const u8 = ptr::null();
let mut bcc: *const u8 = ptr::null();
let mut bcc_size = 0;
- // SAFETY: The `bcc_handover` is only read and never stored and the returned pointers should all
- // point within the address range of the `bcc_handover` or be NULL.
check_result(
+ // SAFETY: The `bcc_handover` is only read and never stored and the returned pointers should
+ // all point within the address range of the `bcc_handover` or be NULL.
unsafe {
BccHandoverParse(
bcc_handover.as_ptr(),
diff --git a/diced/open_dice/src/dice.rs b/diced/open_dice/src/dice.rs
index 0704d21..e42e373 100644
--- a/diced/open_dice/src/dice.rs
+++ b/diced/open_dice/src/dice.rs
@@ -217,9 +217,9 @@
/// Derives a CDI private key seed from a `cdi_attest` value.
pub fn derive_cdi_private_key_seed(cdi_attest: &Cdi) -> Result<PrivateKeySeed> {
let mut seed = PrivateKeySeed::default();
- // SAFETY: The function writes to the buffer within the given bounds, and only reads the
- // input values. The first argument context is not used in this function.
check_result(
+ // SAFETY: The function writes to the buffer within the given bounds, and only reads the
+ // input values. The first argument context is not used in this function.
unsafe {
DiceDeriveCdiPrivateKeySeed(
ptr::null_mut(), // context
@@ -235,9 +235,9 @@
/// Derives an ID from the given `cdi_public_key` value.
pub fn derive_cdi_certificate_id(cdi_public_key: &[u8]) -> Result<DiceId> {
let mut id = [0u8; ID_SIZE];
- // SAFETY: The function writes to the buffer within the given bounds, and only reads the
- // input values. The first argument context is not used in this function.
check_result(
+ // SAFETY: The function writes to the buffer within the given bounds, and only reads the
+ // input values. The first argument context is not used in this function.
unsafe {
DiceDeriveCdiCertificateId(
ptr::null_mut(), // context
@@ -264,10 +264,10 @@
next_cdi_values: &mut CdiValues,
) -> Result<usize> {
let mut next_cdi_certificate_actual_size = 0;
- // SAFETY: The function only reads the current CDI values and inputs and writes
- // to `next_cdi_certificate` and next CDI values within its bounds.
- // The first argument can be null and is not used in the current implementation.
check_result(
+ // SAFETY: The function only reads the current CDI values and inputs and writes
+ // to `next_cdi_certificate` and next CDI values within its bounds.
+ // The first argument can be null and is not used in the current implementation.
unsafe {
DiceMainFlow(
ptr::null_mut(), // context
diff --git a/diced/open_dice/src/ops.rs b/diced/open_dice/src/ops.rs
index d978f86..6b9202a 100644
--- a/diced/open_dice/src/ops.rs
+++ b/diced/open_dice/src/ops.rs
@@ -29,9 +29,9 @@
/// Hashes the provided input using DICE's hash function `DiceHash`.
pub fn hash(input: &[u8]) -> Result<Hash> {
let mut output: Hash = [0; HASH_SIZE];
- // SAFETY: DiceHash takes a sized input buffer and writes to a constant-sized output buffer.
- // The first argument context is not used in this function.
check_result(
+ // SAFETY: DiceHash takes a sized input buffer and writes to a constant-sized output buffer.
+ // The first argument context is not used in this function.
unsafe {
DiceHash(
ptr::null_mut(), // context
@@ -48,9 +48,9 @@
/// An implementation of HKDF-SHA512. Derives a key of `derived_key.len()` bytes from `ikm`, `salt`,
/// and `info`. The derived key is written to the `derived_key`.
pub fn kdf(ikm: &[u8], salt: &[u8], info: &[u8], derived_key: &mut [u8]) -> Result<()> {
- // SAFETY: The function writes to the `derived_key`, within the given bounds, and only reads the
- // input values. The first argument context is not used in this function.
check_result(
+ // SAFETY: The function writes to the `derived_key`, within the given bounds, and only reads
+ // the input values. The first argument context is not used in this function.
unsafe {
DiceKdf(
ptr::null_mut(), // context
@@ -74,9 +74,10 @@
pub fn keypair_from_seed(seed: &[u8; PRIVATE_KEY_SEED_SIZE]) -> Result<(PublicKey, PrivateKey)> {
let mut public_key = [0u8; PUBLIC_KEY_SIZE];
let mut private_key = PrivateKey::default();
- // SAFETY: The function writes to the `public_key` and `private_key` within the given bounds,
- // and only reads the `seed`. The first argument context is not used in this function.
check_result(
+ // SAFETY: The function writes to the `public_key` and `private_key` within the given
+ // bounds, and only reads the `seed`. The first argument context is not used in this
+ // function.
unsafe {
DiceKeypairFromSeed(
ptr::null_mut(), // context
@@ -93,9 +94,9 @@
/// Signs the `message` with the give `private_key` using `DiceSign`.
pub fn sign(message: &[u8], private_key: &[u8; PRIVATE_KEY_SIZE]) -> Result<Signature> {
let mut signature = [0u8; SIGNATURE_SIZE];
- // SAFETY: The function writes to the `signature` within the given bounds, and only reads the
- // message and the private key. The first argument context is not used in this function.
check_result(
+ // SAFETY: The function writes to the `signature` within the given bounds, and only reads
+ // the message and the private key. The first argument context is not used in this function.
unsafe {
DiceSign(
ptr::null_mut(), // context
@@ -112,9 +113,9 @@
/// Verifies the `signature` of the `message` with the given `public_key` using `DiceVerify`.
pub fn verify(message: &[u8], signature: &Signature, public_key: &PublicKey) -> Result<()> {
- // SAFETY: only reads the messages, signature and public key as constant values.
- // The first argument context is not used in this function.
check_result(
+ // SAFETY: only reads the messages, signature and public key as constant values.
+ // The first argument context is not used in this function.
unsafe {
DiceVerify(
ptr::null_mut(), // context
@@ -140,9 +141,10 @@
certificate: &mut [u8],
) -> Result<usize> {
let mut certificate_actual_size = 0;
- // SAFETY: The function writes to the `certificate` within the given bounds, and only reads the
- // input values and the key seeds. The first argument context is not used in this function.
check_result(
+ // SAFETY: The function writes to the `certificate` within the given bounds, and only reads
+ // the input values and the key seeds. The first argument context is not used in this
+ // function.
unsafe {
DiceGenerateCertificate(
ptr::null_mut(), // context