Async hash and read

[labbott]

No description provided.

[aapoalas]

Peanut gallery passing by again after a spell.

[aapoalas]

suggestion: Doc comment maybe?

[aapoalas]

suggestion: This sounds like it definitely should be a doc comment; should the method be unsafe as well since it has a precondition?

[cbiffle]

It doesn't look like misusing this can violate Rust safety, so I don't think unsafe is necessary.

As a reader it would be helpful to say how these are bounds checked, like, are these sector numbers or byte indices, and are they bounds checked against the current flash chip or a portion of it, etc.

[aapoalas]

question: Should these be using unwrap_lite()?

Also, is it possible for addr + step_size to overflow with a range at the end of the memory range that's not quite aligned to block sizes? Presumably that's not possible, in which case this could perhaps be a unchecked add. Otherwise, a checked add might be in order.

Can also reuse the addr + step_size result below just to make sure the compiler doesn't accidentally miss the deduplication chance.

[cbiffle]

This calculation could technically overflow if the addr value is chosen to be very large, and the end value is chosen to be within 256 of u32::MAX (if I'm doing the math right). If this happens, we'll panic.

If we want to address this, we really need to maintain some invariants over the initial value of addr and step_size, I'm not sure altering the addition operation is the right approach.

I think this is a relatively low risk though.

[cbiffle]

(But, yes, these should probably be unwrap_lite)

[aapoalas]

praise: :awsm:

[aapoalas]

typo:

Suggested change

	// which is treted as `0xff`
	// which is treated as `0xff`

[aapoalas]

suggestion: This SlotHash => Result<[u8; SHA256_SZ, RequestError<HfError>> repeats 4 times over; would a From impl or such perhaps be warranted to deduplicate the code?

[cbiffle]

The thing where I can't leave a comment on lines you didn't touch is still unfortunate.

In drv/gimlet-hf-server/src/main.rs, I think you want to invalidate the cached hash at line 511, 674, 686, and possibly in the set_mux IPC to be sure. Check the similar operations in cosmo too.

I think we might want to block attempts to change the mux while an async hash is in progress. There are a couple of comments below where I noted potential problems with permitting mux changes -- in particular, it allows you to panic the hf task mid-hash. But it also seems dodgy from a TOCTOU perspective, even if the race window is exceptionally short. If we decide to do this, some of the code becomes simpler -- we no longer have to save and restore the dev setting (and instead maybe just check that it's still SP).

[cbiffle]

Just to make it less likely that we forget this, this should get fixed up before merge.

[cbiffle]

It doesn't look like misusing this can violate Rust safety, so I don't think unsafe is necessary.

As a reader it would be helpful to say how these are bounds checked, like, are these sector numbers or byte indices, and are they bounds checked against the current flash chip or a portion of it, etc.

[cbiffle]

(You don't necessarily need to change this in this PR, but I've been trying to notice cases where we're putting useful information in a ringbuf and not returning it, so that I can point out: we can return things in errors now, and that pattern is generally more useful when we're debugging over the network without full ringbuf access.)

[cbiffle]

This calculation could technically overflow if the addr value is chosen to be very large, and the end value is chosen to be within 256 of u32::MAX (if I'm doing the math right). If this happens, we'll panic.

If we want to address this, we really need to maintain some invariants over the initial value of addr and step_size, I'm not sure altering the addition operation is the right approach.

I think this is a relatively low risk though.

[cbiffle]

(But, yes, these should probably be unwrap_lite)

[cbiffle]

NB: sys_set_timer_relative provides a simpler API for this that also bakes in avoiding a bounds check and panic (which can't happen in reality but the compiler doesn't know that). In case that's useful.

[cbiffle]

I've gone and looked at other cases where we're unwrapping set_dev, and in each case it's asserted to be safe because we've checked that the flash is muxed to the SP. They could make this assertion because the code was straight-line and didn't potentially handle other IPCs asking to e.g. switch the mux back.

I don't think this property holds in the async case, so I think this is effectively an IPC/network controlled panic, unless I missed the interlock. We could do two different things to prevent this.

1. We could check for the Err result here and stop the hashing process because the mux has been switched. I'm a bit nervous about that since, in theory, you could switch the mux back and forth between two calls to step_hash without us noticing. (Yeah, you'd have to do that in under a millisecond, but, still.)
2. We could block requests to switch the mux while a hash is in progress, by adding code to the set_mux path (and anywhere else that flips the mux). This appeals to me, since it ensures that the hash is hashing consistent stuff without interlopers.

Thoughts?

[cbiffle]

My initial analysis is partially wrong. Spoke with @labbott about this directly and the problem is smaller than I'd anticipated, because the IPC handlers try to invalidate the cache where appropriate, which in turn prevents step_hash from doing anything useful (and panicking).

However, there's at least one path where this protection is incomplete rn: you can call page_program_dev with an invalid argument and arrange for it to call set_dev, then delegate to page_program, which rejects the argument and returns an error -- leaving the mux flipped.

We're poking at the code to see if there's a more central place to put cache invalidation to prevent this class of error.

[cbiffle]

(consider sys_set_timer_relative here, it's shorter and cheaper)

[cbiffle]

Conceptually: why would we allow the dev to be switched to host while we're hashing? Wouldn't that potentially raise TOCTOU issues?

So do we need to be setting/restoring the mux setting each time we go through this, or should we maintain the invariant that if we're in a hashing state, we have set the mux to SP, and we'll restore it at the very end if at all?

[cbiffle]

(Laura's clarified the design intent here, which is that you can switch the mux all you want, but the hash should be invalidated if you do so. I think that means this save/restore code and its unwraps can be removed.)

[cbiffle]

...Laura has also pointed out that I've confused set_dev and set_mux in several places, so, I may be entirely off base here. Wheeeeee

Re-checking.

[mkeeter]

Should we put the hash data into a common place? Right now, it looks like there's a decent amount of copypasta between cosmo-hf and gimlet-hf.

Something like

struct HashData {
    hash: drv_hash_api::Hash,
    cached_hash0: SlotHash,
    cached_hash1: SlotHash,
    state: HashState,
}

enum HashState {
    Done,
    Hashing {
        dev: HfDevSelect,
        addr: usize,
        end: usize,
    },
    Uninitialized,
}

enum SlotHash {
    // Nothing has requested a hash of this slot yet
    Uncalculated,
    // Something has modified this slot
    Recalculate,
    // In progress calculation
    HashInProgress,
    // A valid hash
    Hash([u8; SHA256_SZ]),
}

(then move more common code into methods on the new HashData)

[labbott]

Should we put the hash data into a common place? Right now, it looks like there's a decent amount of copypasta between cosmo-hf and gimlet-hf.

I think that's reasonable. This started out as gimlet only then I realized I needed cosmo too. It does look like we can use the same approach in both places.

[cbiffle]

Alright, so, there is an actual async state machine issue here, but it's not exactly what I described, as I'm paging this code back in.

The issue is that you can freely switch the mux while a hash computation is in progress. (The mux is not the dev.) This is probably bad, since it implies potentially giving the host write access, or just corrupting the hash computation.

I currently feel like the best compromise might be:

• If the mux is flipped, cancel any ongoing hash computation.
• But retain any previously computed result, since it represents a useful capture of the flash state at the point in time when it was computed.

This also suggests that we might want to reconsider aggressively invalidating the computed hash on other mutation operations -- since it's still an accurate description of the flash contents, even if (say) a page erase has happened since. I'm less convinced of this though, and think consistent invalidation is the safest option.

[mkeeter]

Should we only request this notification if the hash is in progress? I guess it's harmless to always have the bit active...

[labbott]

This seems to match what we do throughout hubris

[mkeeter]

Okay!