Skip to content

Investigate use of unsafe and panicking #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ionut-arm opened this issue Dec 6, 2019 · 4 comments · Fixed by #18
Closed

Investigate use of unsafe and panicking #2

ionut-arm opened this issue Dec 6, 2019 · 4 comments · Fixed by #18
Assignees
@ionut-arm
Labels
bug Something isn't working
Milestone
Rust tss-esapi v1.0

Comments

@ionut-arm
Copy link
Member

At the moment, our methods implemented on Context appear to be safe for clients of the crate to use, but it might not be so. We should decide what unsafe behaviour means for us and what functionality we report as (un)safe.

We should also look into our uses of unwrap and try to reduce them as much as possible.
@ionut-arm ionut-arm self-assigned this Dec 6, 2019
@ionut-arm ionut-arm added the bug Something isn't working label Dec 6, 2019
@hug-dev
Copy link
Member

hug-dev commented Dec 6, 2019

See https://github.com/rust-secure-code/safety-dance for unsafe
Maybe there is a way (a Cargo plugin?) to search for all unsafe blocks in the current crate and in dependencies? In the above link they seem to do it manually.

@hug-dev
Copy link
Member

hug-dev commented Dec 6, 2019

Also: https://rust-lang.github.io/unsafe-code-guidelines/
This will be useful for parallaxsecond/parsec#73 as well

@ionut-arm ionut-arm added this to the Rust tss-esapi v1.0 milestone Dec 11, 2019
@ionut-arm
Copy link
Member Author

We have to decide what kind of guarantees we provide when we offer a safe function in an interface and probably the easiest one to reason about would be something like

This code will not panic or crash unless some memory is corrupted or if the underlying software stack crashes due to reasons outside of our control. All other errors will be returned with appropriate insight, as a Result

I think this leaves us with the sole responsability of being the middle-man, but not putting any pressure related to checking the arguments that we pass down (apart from a process safety perspective) - and by this I'm only talking about the Context structure.

For any abstractions, we would definitely need to make sure that the intended operations work out of the box, barring invalid arguments (that we validate ourselves).

@hug-dev - does that make sense?

@hug-dev
Copy link
Member

hug-dev commented Dec 13, 2019

I think so, preventing invalid argument to be given to the underlining unsafe C code is the main point to me. We need to make sure that at any given moment, we are using the subset of inputs that make the stack safe to execute, both in memory and threads terms.

@hug-dev hug-dev mentioned this issue Dec 18, 2019
Merged
@ionut-arm ionut-arm mentioned this issue Dec 18, 2019
Merged
hug-dev added a commit that referenced this issue Aug 3, 2021
@hug-dev
Merge pull request #243 from ionut-arm/fix-pcr-selection
5845840 
Ensure PcrSelectionList retains order, #2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ionut-arm ionut-arm

Labels
bug Something isn't working
Projects
None yet
Milestone
Rust tss-esapi v1.0
Development

Successfully merging a pull request may close this issue.

Improve usage of unsafe blocks ionut-arm/rust-tss-esapi
2 participants
@hug-dev @ionut-arm