increase mmap size

add mlockall to lock secret_mem
disable coredumps for process
2024-10-11 14:47:47 +02:00 · 2024-09-25 14:00:59 +02:00 · 2024-09-25 13:46:05 +02:00 · 2024-09-25 11:11:12 +02:00 · 2024-08-28 10:01:02 +02:00 · 2024-08-27 16:00:43 +02:00
3 changed files with 33 additions and 15 deletions
--- a/.envrc
+++ b/.envrc
@@ -1 +0,0 @@
-use nix
--- a/default.nix
+++ b/default.nix
@@ -1,14 +1,7 @@
-{ pkgs ? import <nixpkgs> { } }:
+{ pkgs ? import <nixpkgs> { }
+, agent
+}:
 with pkgs;
-let
-  agent_src = fetchgit {
-    url = "https://gitea.rixxc.de/rixxc/x25519_agent.git";
-    rev = "201f270624487ded538b63cc5416456bd5b8ba18";
-    hash = "sha256-KPaKG+t3qSMy4Y7fd0PlBWZiZYcs7M1Clmn75emC9LU=";
-  };
-
-  agent = callPackage "${agent_src}/default.nix" { };
-in
 rustPlatform.buildRustPackage {
  name = "agent-harness";
  src = nix-gitignore.gitignoreSource [ ] ./.;
@@ -17,5 +10,5 @@ rustPlatform.buildRustPackage {
  
  buildInputs = [ agent ];

-  cargoSha256 = "sha256-ZgwQr1goz9yPws0P1eQwhHEv2WbcJeTCLEPYOUADOtE=";
+  cargoHash = "sha256-ZgwQr1goz9yPws0P1eQwhHEv2WbcJeTCLEPYOUADOtE=";
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,11 +1,13 @@
 use libc::{
-    c_int, c_void, mmap, MAP_FAILED, MAP_SHARED, PROT_READ, PROT_WRITE,
+    c_int, c_void, mlockall, mmap, prctl, MAP_FAILED, MAP_SHARED, MCL_FUTURE, PROT_READ,
+    PROT_WRITE, PR_SET_DUMPABLE, PR_SET_SPECULATION_CTRL, PR_SPEC_FORCE_DISABLE,
+    PR_SPEC_STORE_BYPASS,
 };
 use std::fs::File;
 use std::os::fd::AsRawFd;
 use std::{env, ptr};

-const SHARED_MEMORY_SIZE: usize = 1024;
+const SHARED_MEMORY_SIZE: usize = 1024 * 1024;

 #[link(name = "agent")]
 extern "C" {
@@ -13,6 +15,22 @@ extern "C" {
 }

 fn main() {
+    unsafe {
+        assert!(
+            prctl(
+                PR_SET_SPECULATION_CTRL,
+                PR_SPEC_STORE_BYPASS,
+                PR_SPEC_FORCE_DISABLE,
+                0,
+                0,
+            ) >= 0,
+        );
+    }
+
+    unsafe {
+        assert!(prctl(PR_SET_DUMPABLE, 0) == 0);
+    }
+
    let args: Vec<String> = env::args().collect();

    let shared_fd: c_int = args[0]
@@ -54,7 +72,15 @@ fn main() {
        .expect("Cannot open KEY_FILE");

    unsafe {
-        agent_start(shared_memory, sync_memory, private_file.as_raw_fd().try_into().unwrap());
+        assert!(mlockall(MCL_FUTURE) == 0);
+    }
+
+    unsafe {
+        agent_start(
+            shared_memory,
+            sync_memory,
+            private_file.as_raw_fd().try_into().unwrap(),
+        );
    }

    drop(private_file); // don't drop (and close) private file before here
Author	SHA1	Message	Date
Aaron Kaiser	f7720356f3	increase mmap size	2024-10-11 14:47:47 +02:00
Aaron Kaiser	dd6fb23a9e	add mlockall to lock secret_mem	2024-09-25 14:00:59 +02:00
Aaron Kaiser	f243b7b95c	disable coredumps for process	2024-09-25 13:46:05 +02:00
Aaron Kaiser	7e45cd719e	disable speculative store bypass	2024-09-25 11:11:12 +02:00
Aaron Kaiser	5757ed1140	chore: remove .envrc	2024-08-28 10:01:02 +02:00
Aaron Kaiser	bfb77a8368	accept agent as prebuild lib	2024-08-27 16:00:43 +02:00
Aaron Kaiser	081cac7074	pass agent as input	2024-08-27 15:54:48 +02:00
Aaron Kaiser	32d799a5e8	update agent	2024-08-27 10:38:18 +02:00