fidl_fuchsia_sysmem

Struct SecureMemSynchronousProxy

Source
pub struct SecureMemSynchronousProxy { /* private fields */ }

Implementations§

Source§

impl SecureMemSynchronousProxy

Source

pub fn new(channel: Channel) -> Self

Source

pub fn into_channel(self) -> Channel

Source

pub fn wait_for_event( &self, deadline: MonotonicInstant, ) -> Result<SecureMemEvent, Error>

Waits until an event arrives and returns it. It is safe for other threads to make concurrent requests while waiting for an event.

Source

pub fn get_physical_secure_heaps( &self, ___deadline: MonotonicInstant, ) -> Result<SecureMemGetPhysicalSecureHeapsResult, Error>

Gets the physical address and length of any secure heap whose physical range is configured via the TEE.

Presently, these will be fixed physical addresses and lengths, with the location plumbed via the TEE.

This is preferred over [‘fuchsia.hardware.sysmem.Sysmem/RegisterHeap’] when there isn’t any special heap-specific per-VMO setup or teardown required.

The physical range must be secured/protected by the TEE before the securemem driver responds to this request with success.

Sysmem should only call this once. Returning zero heaps is not a failure.

Errors:

  • ZX_ERR_BAD_STATE - called more than once.
  • ZX_ERR_INTERNAL - generic internal error (such as in communication with TEE which doesn’t generate zx_status_t errors).
  • other errors are allowed; any other errors should be treated the same as ZX_ERR_INTERNAL.
Source

pub fn get_physical_secure_heap_properties( &self, entire_heap: &SecureHeapAndRange, ___deadline: MonotonicInstant, ) -> Result<SecureMemGetPhysicalSecureHeapPropertiesResult, Error>

This request from sysmem to the securemem driver gets the properties of a protected/secure heap.

This only handles heaps with a single contiguous physical extent.

The heap’s entire physical range is indicated in case this request needs some physical space to auto-detect how many ranges are REE-usable. Any temporary HW protection ranges will be deleted before this request completes.

Source

pub fn add_secure_heap_physical_range( &self, heap_range: &SecureHeapAndRange, ___deadline: MonotonicInstant, ) -> Result<SecureMemAddSecureHeapPhysicalRangeResult, Error>

This request from sysmem to the securemem driver conveys a physical range to add, for a heap whose physical range(s) are set up via sysmem.

Only sysmem can call this because only sysmem is handed the client end of a FIDL channel serving this protocol, via RegisterSecureMem(). The securemem driver is the server end of this protocol.

The securemem driver must configure all the covered offsets as protected before responding to this message with success.

On failure, the securemem driver must ensure the protected range was not created.

Sysmem must only call this up to once if dynamic_protection_ranges false.

If dynamic_protection_ranges is true, sysmem can call this multiple times as long as the current number of ranges never exceeds max_protected_range_count.

The caller must not attempt to add a range that matches an already-existing range. Added ranges can overlap each other as long as no two ranges match exactly.

Errors:

  • ZX_ERR_BAD_STATE - called more than once when !dynamic_protection_ranges. Adding a heap that would cause overall heap count to exceed max_protected_range_count.
  • ZX_ERR_INVALID_ARGS - unexpected heap, or range that doesn’t conform to protected_range_granularity.
  • ZX_ERR_INTERNAL - generic internal error (such as in communication with TEE which doesn’t generate zx_status_t errors).
  • other errors are possible, such as from communication failures or server propagation of zx_status_t failures.
Source

pub fn delete_secure_heap_physical_range( &self, heap_range: &SecureHeapAndRange, ___deadline: MonotonicInstant, ) -> Result<SecureMemDeleteSecureHeapPhysicalRangeResult, Error>

This request from sysmem to the securemem driver conveys a physical range to delete, for a heap whose physical range(s) are set up via sysmem.

Only sysmem can call this because only sysmem is handed the client end of a FIDL channel serving this protocol, via RegisterSecureMem(). The securemem driver is the server end of this protocol.

The securemem driver must configure all the covered offsets as not protected before responding to this message with success.

On failure, the securemem driver must ensure the protected range was not deleted.

Sysmem must not call this if dynamic_protection_ranges false.

If dynamic_protection_ranges is true, sysmem can call this repeatedly, on various ranges that exist at the time of the call.

If any portion of the range being deleted is not also covered by another protected range, then any ongoing DMA to any part of the entire range may be interrupted / may fail, potentially in a way that’s disruptive to the entire system (bus lockup or similar, depending on device details). Therefore, the caller must ensure that no ongoing DMA is occurring to any portion of the range being deleted, unless the caller has other active ranges covering every block of the range being deleted. Ongoing DMA to/from blocks outside the range being deleted is never impacted by the deletion.

Errors:

  • ZX_ERR_BAD_STATE - called when !dynamic_protection_ranges.
  • ZX_ERR_INVALID_ARGS - unexpected heap, or range that doesn’t conform to protected_range_granularity.
  • ZX_ERR_INTERNAL - generic internal error (such as in communication with TEE which doesn’t generate zx_status_t errors).
  • ZX_ERR_NOT_FOUND - the specified range is not found.
  • other errors are possible, such as from communication failures or server propagation of zx_status_t failures.
Source

pub fn modify_secure_heap_physical_range( &self, range_modification: &SecureHeapAndRangeModification, ___deadline: MonotonicInstant, ) -> Result<SecureMemModifySecureHeapPhysicalRangeResult, Error>

This request from sysmem to the securemem driver conveys a physical range to modify and its new base and length, for a heap whose physical range(s) are set up via sysmem.

Only sysmem can call this because only sysmem is handed the client end of a FIDL channel serving this protocol, via RegisterSecureMem(). The securemem driver is the server end of this protocol.

The securemem driver must configure the range to cover only the new offsets before responding to this message with success.

On failure, the securemem driver must ensure the range was not changed.

Sysmem must not call this if dynamic_protection_ranges false. Sysmem must not call this if !is_mod_protected_range_available.

If dynamic_protection_ranges is true, sysmem can call this repeatedly, on various ranges that exist at the time of the call.

The range must only be modified at one end or the other, but not both. If the range is getting shorter, and the un-covered blocks are not covered by other active ranges, any ongoing DMA to the entire range that’s geting shorter may fail in a way that disrupts the entire system (bus lockup or similar), so the caller must ensure that no DMA is ongoing to any portion of a range that is getting shorter, unless the blocks being un-covered by the modification to this range are all covered by other active ranges, in which case no disruption to ongoing DMA will occur.

If a range is modified to become <= zero length, the range is deleted.

Errors:

  • ZX_ERR_BAD_STATE - called when !dynamic_protection_ranges.
  • ZX_ERR_INVALID_ARGS - unexpected heap, or old_range or new_range that doesn’t conform to protected_range_granularity, or old_range and new_range differ in both begin and end (disallowed).
  • ZX_ERR_INTERNAL - generic internal error (such as in communication with TEE which doesn’t generate zx_status_t errors).
  • ZX_ERR_NOT_FOUND - the specified range is not found.
  • other errors are possible, such as from communication failures or server propagation of zx_status_t failures.
Source

pub fn zero_sub_range( &self, is_covering_range_explicit: bool, heap_range: &SecureHeapAndRange, ___deadline: MonotonicInstant, ) -> Result<SecureMemZeroSubRangeResult, Error>

Zero a sub-range of a currently-existing physical range added via AddSecureHeapPhysicalRange(). The sub-range must be fully covered by exactly one physical range, and must not overlap with any other physical range.

is_covering_range_explicit - When true, the covering range must be one of the ranges explicitly created via AddSecureHeapPhysicalRange(), possibly modified since. When false, the covering range must not be one of the ranges explicitly created via AddSecureHeapPhysicalRange(), but the covering range must exist as a covering range not created via AddSecureHeapPhysicalRange(). The covering range is typically the entire physical range (or a range which covers even more) of a heap configured by the TEE and whose configuration is conveyed to sysmem via GetPhysicalSecureHeaps().

Ongoing DMA is not disrupted by this request.

Trait Implementations§

Source§

impl Debug for SecureMemSynchronousProxy

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl SynchronousProxy for SecureMemSynchronousProxy

Source§

type Proxy = SecureMemProxy

The async proxy for the same protocol.
Source§

type Protocol = SecureMemMarker

The protocol which this Proxy controls.
Source§

fn from_channel(inner: Channel) -> Self

Create a proxy over the given channel.
Source§

fn into_channel(self) -> Channel

Convert the proxy back into a channel.
Source§

fn as_channel(&self) -> &Channel

Get a reference to the proxy’s underlying channel. Read more
§

fn is_closed(&self) -> Result<bool, Status>

Returns true if the proxy has received the PEER_CLOSED signal. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
§

impl<T, D> Encode<Ambiguous1, D> for T
where D: ResourceDialect,

§

unsafe fn encode( self, _encoder: &mut Encoder<'_, D>, _offset: usize, _depth: Depth, ) -> Result<(), Error>

Encodes the object into the encoder’s buffers. Any handles stored in the object are swapped for Handle::INVALID. Read more
§

impl<T, D> Encode<Ambiguous2, D> for T
where D: ResourceDialect,

§

unsafe fn encode( self, _encoder: &mut Encoder<'_, D>, _offset: usize, _depth: Depth, ) -> Result<(), Error>

Encodes the object into the encoder’s buffers. Any handles stored in the object are swapped for Handle::INVALID. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T> Instrument for T

§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided [Span], returning an Instrumented wrapper. Read more
§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T> Pointable for T

§

const ALIGN: usize = _

The alignment of pointer.
§

type Init = T

The type for initializers.
§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T> WithSubscriber for T

§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a [WithDispatch] wrapper. Read more
§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a [WithDispatch] wrapper. Read more