increase mmap size

add mlockall to lock secret_mem
disable coredumps for process
2024-10-11 14:47:47 +02:00 · 2024-09-25 14:00:59 +02:00 · 2024-09-25 13:46:05 +02:00 · 2024-09-25 11:11:12 +02:00 · 2024-08-28 10:01:02 +02:00 · 2024-08-27 16:00:43 +02:00
4 changed files with 45 additions and 29 deletions
--- a/.envrc
+++ b/.envrc
@@ -1 +0,0 @@
-use nix
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /target
 result
+.direnv
--- a/default.nix
+++ b/default.nix
@@ -1,14 +1,7 @@
-{ pkgs ? import <nixpkgs> { } }:
+{ pkgs ? import <nixpkgs> { }
+, agent
+}:
 with pkgs;
-let
-  agent_src = fetchgit {
-    url = "https://gitea.rixxc.de/rixxc/x25519_agent.git";
-    rev = "de022e4c6b6fa0086a9f5c4fad1340b75ccceba1";
-    hash = "sha256-oe8ngvtEcu6O6FWm0ImTS4DTsQx78VRs9bQx672aUbI=";
-  };
-
-  agent = callPackage "${agent_src}/default.nix" { };
-in
 rustPlatform.buildRustPackage {
  name = "agent-harness";
  src = nix-gitignore.gitignoreSource [ ] ./.;
@@ -17,5 +10,5 @@ rustPlatform.buildRustPackage {
  
  buildInputs = [ agent ];

-  cargoSha256 = "sha256-ZgwQr1goz9yPws0P1eQwhHEv2WbcJeTCLEPYOUADOtE=";
+  cargoHash = "sha256-ZgwQr1goz9yPws0P1eQwhHEv2WbcJeTCLEPYOUADOtE=";
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,16 +1,36 @@
 use libc::{
-    c_int, c_void, mmap, MAP_ANON, MAP_FAILED, MAP_PRIVATE, MAP_SHARED, PROT_READ, PROT_WRITE,
+    c_int, c_void, mlockall, mmap, prctl, MAP_FAILED, MAP_SHARED, MCL_FUTURE, PROT_READ,
+    PROT_WRITE, PR_SET_DUMPABLE, PR_SET_SPECULATION_CTRL, PR_SPEC_FORCE_DISABLE,
+    PR_SPEC_STORE_BYPASS,
 };
+use std::fs::File;
+use std::os::fd::AsRawFd;
 use std::{env, ptr};

-const SHARED_MEMORY_SIZE: usize = 1024;
+const SHARED_MEMORY_SIZE: usize = 1024 * 1024;

 #[link(name = "agent")]
 extern "C" {
-    fn agent_start(shared_memory: *mut u8, sync_memory: *mut u8, private_mem: *mut u8);
+    fn agent_start(shared_memory: *mut u8, sync_memory: *mut u8, private_mem_fd: u64);
 }

 fn main() {
+    unsafe {
+        assert!(
+            prctl(
+                PR_SET_SPECULATION_CTRL,
+                PR_SPEC_STORE_BYPASS,
+                PR_SPEC_FORCE_DISABLE,
+                0,
+                0,
+            ) >= 0,
+        );
+    }
+
+    unsafe {
+        assert!(prctl(PR_SET_DUMPABLE, 0) == 0);
+    }
+
    let args: Vec<String> = env::args().collect();

    let shared_fd: c_int = args[0]
@@ -19,7 +39,7 @@ fn main() {

    let sync_fd: c_int = args[1]
        .parse()
-        .expect("Please provide a valid file descriptor as first argument");
+        .expect("Please provide a valid file descriptor as second argument");

    let shared_memory = unsafe {
        mmap(
@@ -45,20 +65,23 @@ fn main() {
    } as *mut u8;
    assert_ne!(sync_memory, MAP_FAILED as *mut u8);

-    let private_mem = unsafe {
-        mmap(
-            ptr::null_mut() as *mut c_void,
-            32 * 100,
-            PROT_READ | PROT_WRITE,
-            MAP_PRIVATE | MAP_ANON,
-            0,
-            0,
-        )
-    } as *mut u8;
-    assert_ne!(private_mem, MAP_FAILED as *mut u8);
+    let private_file = File::options()
+        .read(true)
+        .write(true)
+        .open(&args[2])
+        .expect("Cannot open KEY_FILE");

-    println!("Agent: starting agent...");
    unsafe {
-        agent_start(shared_memory, sync_memory, private_mem);
+        assert!(mlockall(MCL_FUTURE) == 0);
    }
+
+    unsafe {
+        agent_start(
+            shared_memory,
+            sync_memory,
+            private_file.as_raw_fd().try_into().unwrap(),
+        );
+    }
+
+    drop(private_file); // don't drop (and close) private file before here
 }
Author	SHA1	Message	Date
Aaron Kaiser	f7720356f3	increase mmap size	2024-10-11 14:47:47 +02:00
Aaron Kaiser	dd6fb23a9e	add mlockall to lock secret_mem	2024-09-25 14:00:59 +02:00
Aaron Kaiser	f243b7b95c	disable coredumps for process	2024-09-25 13:46:05 +02:00
Aaron Kaiser	7e45cd719e	disable speculative store bypass	2024-09-25 11:11:12 +02:00
Aaron Kaiser	5757ed1140	chore: remove .envrc	2024-08-28 10:01:02 +02:00
Aaron Kaiser	bfb77a8368	accept agent as prebuild lib	2024-08-27 16:00:43 +02:00
Aaron Kaiser	081cac7074	pass agent as input	2024-08-27 15:54:48 +02:00
Aaron Kaiser	32d799a5e8	update agent	2024-08-27 10:38:18 +02:00
Aaron Kaiser	13f852bd20	Make sure private_file does not get closed by rusts borrow checker	2024-08-26 12:42:36 +02:00
Aaron Kaiser	a8ab06df98	update agent	2024-08-23 13:21:20 +02:00
Aaron Kaiser	f50bd5ea91	update agent	2024-08-23 11:01:21 +02:00
Aaron Kaiser	d2154ade95	update agent	2024-05-15 09:02:53 +02:00
Aaron Kaiser	84ddd68b45	fix: map keyfile as shared	2024-05-06 16:30:38 +02:00
Aaron Kaiser	de9ec47a6d	fix: map keyfile as shared	2024-05-06 16:18:08 +02:00
Aaron Kaiser	5aac640ab2	Pass keyfile via commandline arguments	2024-05-06 16:10:35 +02:00
Aaron Kaiser	daaffce503	update agent	2024-05-06 15:48:19 +02:00
Aaron Kaiser	2b16e726d4	Save keys to file	2024-05-06 11:58:14 +02:00
Aaron Kaiser	f3fe8c5441	Remove debug prints	2024-04-23 15:33:52 +02:00
Aaron Kaiser	9dc2ae1bf7	Update agent	2024-04-23 14:09:51 +02:00
Aaron Kaiser	ed9a7aa94f	Update agent	2024-04-23 13:36:02 +02:00
Aaron Kaiser	2d85f9f448	Update agent	2024-04-23 12:39:01 +02:00