/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "nvram/core/nvram_manager.h"
extern "C" {
#include <inttypes.h>
#include <string.h>
} // extern "C"
#include <nvram/core/logger.h>
#include "crypto.h"
using namespace nvram::storage;
namespace nvram {
namespace {
// Maximum size of a single space's contents.
constexpr size_t kMaxSpaceSize = 1024;
// Maximum authorization blob size;
constexpr size_t kMaxAuthSize = 32;
// The bitmask of all supported control flags.
constexpr uint32_t kSupportedControlsMask =
(1 << NV_CONTROL_PERSISTENT_WRITE_LOCK) |
(1 << NV_CONTROL_BOOT_WRITE_LOCK) |
(1 << NV_CONTROL_BOOT_READ_LOCK) |
(1 << NV_CONTROL_WRITE_AUTHORIZATION) |
(1 << NV_CONTROL_READ_AUTHORIZATION) |
(1 << NV_CONTROL_WRITE_EXTEND);
// Convert the |space.controls| bitmask to vector representation.
nvram_result_t GetControlsVector(const NvramSpace& space,
Vector<nvram_control_t>* controls) {
for (size_t control = 0; control < sizeof(uint32_t) * 8; ++control) {
if (space.HasControl(control)) {
if (!controls->Resize(controls->size() + 1)) {
NVRAM_LOG_ERR("Allocation failure.");
return NV_RESULT_INTERNAL_ERROR;
}
(*controls)[controls->size() - 1] = static_cast<nvram_control_t>(control);
}
}
return NV_RESULT_SUCCESS;
}
// Constant time memory block comparison.
bool ConstantTimeEquals(const Blob& a, const Blob& b) {
if (a.size() != b.size())
return false;
// The volatile qualifiers prevent the compiler from making assumptions that
// allow shortcuts:
// * The entire array data must be read from memory.
// * Marking |result| volatile ensures the subsequent loop iterations must
// still store to |result|, thus avoiding the loop to exit early.
// This achieves the desired constant-time behavior.
volatile const uint8_t* data_a = a.data();
volatile const uint8_t* data_b = b.data();
volatile uint8_t result = 0;
for (size_t i = 0; i < a.size(); ++i) {
result |= data_a[i] ^ data_b[i];
}
return result == 0;
}
// A standard minimum function.
template <typename Type>
const Type& min(const Type& a, const Type& b) {
return (a < b) ? a : b;
}
// Filter status codes from the storage layer to only include known values.
// Anything outside the range will be mapped to the generic |kStorageError|.
storage::Status SanitizeStorageStatus(storage::Status status) {
switch (status) {
case storage::Status::kSuccess:
return storage::Status::kSuccess;
case storage::Status::kNotFound:
return storage::Status::kNotFound;
case storage::Status::kStorageError:
return storage::Status::kStorageError;
}
NVRAM_LOG_ERR("Unknown status code %u!", status);
return storage::Status::kStorageError;
}
} // namespace
// Looks at |request| to determine the command to execute, then invokes
// the appropriate handler.
void NvramManager::Dispatch(const nvram::Request& request,
nvram::Response* response) {
nvram_result_t result = NV_RESULT_INVALID_PARAMETER;
const nvram::RequestUnion& input = request.payload;
nvram::ResponseUnion* output = &response->payload;
switch (input.which()) {
case nvram::COMMAND_GET_INFO:
result = GetInfo(*input.get<COMMAND_GET_INFO>(),
&output->Activate<COMMAND_GET_INFO>());
break;
case nvram::COMMAND_CREATE_SPACE:
result = CreateSpace(*input.get<COMMAND_CREATE_SPACE>(),
&output->Activate<COMMAND_CREATE_SPACE>());
break;
case nvram::COMMAND_GET_SPACE_INFO:
result = GetSpaceInfo(*input.get<COMMAND_GET_SPACE_INFO>(),
&output->Activate<COMMAND_GET_SPACE_INFO>());
break;
case nvram::COMMAND_DELETE_SPACE:
result = DeleteSpace(*input.get<COMMAND_DELETE_SPACE>(),
&output->Activate<COMMAND_DELETE_SPACE>());
break;
case nvram::COMMAND_DISABLE_CREATE:
result = DisableCreate(*input.get<COMMAND_DISABLE_CREATE>(),
&output->Activate<COMMAND_DISABLE_CREATE>());
break;
case nvram::COMMAND_WRITE_SPACE:
result = WriteSpace(*input.get<COMMAND_WRITE_SPACE>(),
&output->Activate<COMMAND_WRITE_SPACE>());
break;
case nvram::COMMAND_READ_SPACE:
result = ReadSpace(*input.get<COMMAND_READ_SPACE>(),
&output->Activate<COMMAND_READ_SPACE>());
break;
case nvram::COMMAND_LOCK_SPACE_WRITE:
result = LockSpaceWrite(*input.get<COMMAND_LOCK_SPACE_WRITE>(),
&output->Activate<COMMAND_LOCK_SPACE_WRITE>());
break;
case nvram::COMMAND_LOCK_SPACE_READ:
result = LockSpaceRead(*input.get<COMMAND_LOCK_SPACE_READ>(),
&output->Activate<COMMAND_LOCK_SPACE_READ>());
break;
case nvram::COMMAND_WIPE_STORAGE:
result = WipeStorage(*input.get<COMMAND_WIPE_STORAGE>(),
&output->Activate<COMMAND_WIPE_STORAGE>());
break;
case nvram::COMMAND_DISABLE_WIPE:
result = DisableWipe(*input.get<COMMAND_DISABLE_WIPE>(),
&output->Activate<COMMAND_DISABLE_WIPE>());
break;
}
response->result = result;
}
nvram_result_t NvramManager::GetInfo(const GetInfoRequest& /* request */,
GetInfoResponse* response) {
NVRAM_LOG_INFO("GetInfo");
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
// TODO: Get better values for total and available size from the storage
// layer.
response->total_size = kMaxSpaceSize * kMaxSpaces;
response->available_size = kMaxSpaceSize * (kMaxSpaces - num_spaces_);
response->max_space_size = kMaxSpaceSize;
response->max_spaces = kMaxSpaces;
Vector<uint32_t>& space_list = response->space_list;
if (!space_list.Resize(num_spaces_)) {
NVRAM_LOG_ERR("Allocation failure.");
return NV_RESULT_INTERNAL_ERROR;
}
for (size_t i = 0; i < num_spaces_; ++i) {
space_list[i] = spaces_[i].index;
}
response->wipe_disabled = disable_wipe_;
return NV_RESULT_SUCCESS;
}
nvram_result_t NvramManager::CreateSpace(const CreateSpaceRequest& request,
CreateSpaceResponse* /* response */) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("CreateSpace Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
if (disable_create_) {
NVRAM_LOG_INFO("Creation of further spaces is disabled.");
return NV_RESULT_OPERATION_DISABLED;
}
if (FindSpace(index) != kMaxSpaces) {
NVRAM_LOG_INFO("Space 0x%" PRIx32 " already exists.", index);
return NV_RESULT_SPACE_ALREADY_EXISTS;
}
if (num_spaces_ + 1 > kMaxSpaces) {
NVRAM_LOG_INFO("Too many spaces.");
return NV_RESULT_INVALID_PARAMETER;
}
if (request.size > kMaxSpaceSize) {
NVRAM_LOG_INFO("Create request exceeds max space size.");
return NV_RESULT_INVALID_PARAMETER;
}
if (request.authorization_value.size() > kMaxAuthSize) {
NVRAM_LOG_INFO("Authorization blob too large.");
return NV_RESULT_INVALID_PARAMETER;
}
uint32_t controls = 0;
for (uint32_t control : request.controls) {
controls |= (1 << control);
}
if ((controls & ~kSupportedControlsMask) != 0) {
NVRAM_LOG_INFO("Bad controls.");
return NV_RESULT_INVALID_PARAMETER;
}
if ((controls & (1 << NV_CONTROL_PERSISTENT_WRITE_LOCK)) != 0 &&
(controls & (1 << NV_CONTROL_BOOT_WRITE_LOCK)) != 0) {
NVRAM_LOG_INFO("Write lock controls are exclusive.");
return NV_RESULT_INVALID_PARAMETER;
}
if ((controls & (1 << NV_CONTROL_WRITE_EXTEND)) != 0 &&
request.size != crypto::kSHA256DigestSize) {
NVRAM_LOG_INFO("Write-extended space size must be %zu.",
crypto::kSHA256DigestSize);
return NV_RESULT_INVALID_PARAMETER;
}
// Mark the index as allocated.
spaces_[num_spaces_].index = index;
spaces_[num_spaces_].write_locked = false;
spaces_[num_spaces_].read_locked = false;
++num_spaces_;
// Create a space record.
NvramSpace space;
space.flags = 0;
space.controls = controls;
// Copy the auth blob.
if (space.HasControl(NV_CONTROL_WRITE_AUTHORIZATION) ||
space.HasControl(NV_CONTROL_READ_AUTHORIZATION)) {
if (!space.authorization_value.Assign(request.authorization_value.data(),
request.authorization_value.size())) {
NVRAM_LOG_ERR("Allocation failure.");
return NV_RESULT_INTERNAL_ERROR;
}
}
// Initialize the space content.
if (!space.contents.Resize(request.size)) {
NVRAM_LOG_ERR("Allocation failure.");
return NV_RESULT_INTERNAL_ERROR;
}
memset(space.contents.data(), 0, request.size);
// Write the header before the space data. This ensures that all space
// definitions present in storage are also recorded in the header. Thus, the
// set of spaces present in the header is always a superset of the set of
// spaces that have state in storage. If there's a crash after writing the
// header but before writing the space information, the space data will be
// missing in storage. The initialization code handles this by checking the
// for the space data corresponding to the index marked as provisional in the
// header.
nvram_result_t result;
if ((result = WriteHeader(Optional<uint32_t>(index))) != NV_RESULT_SUCCESS ||
(result = WriteSpace(index, space)) != NV_RESULT_SUCCESS) {
--num_spaces_;
}
return result;
}
nvram_result_t NvramManager::GetSpaceInfo(const GetSpaceInfoRequest& request,
GetSpaceInfoResponse* response) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("GetSpaceInfo Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
SpaceRecord space_record;
nvram_result_t result;
if (!LoadSpaceRecord(index, &space_record, &result)) {
return result;
}
response->size = space_record.persistent.contents.size();
result = GetControlsVector(space_record.persistent, &response->controls);
if (result != NV_RESULT_SUCCESS) {
return NV_RESULT_INTERNAL_ERROR;
}
if (space_record.persistent.HasControl(NV_CONTROL_BOOT_READ_LOCK)) {
response->read_locked = space_record.transient->read_locked;
}
if (space_record.persistent.HasControl(NV_CONTROL_PERSISTENT_WRITE_LOCK)) {
response->write_locked =
space_record.persistent.HasFlag(NvramSpace::kFlagWriteLocked);
} else if (space_record.persistent.HasControl(NV_CONTROL_BOOT_WRITE_LOCK)) {
response->write_locked = space_record.transient->write_locked;
}
return NV_RESULT_SUCCESS;
}
nvram_result_t NvramManager::DeleteSpace(const DeleteSpaceRequest& request,
DeleteSpaceResponse* /* response */) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("DeleteSpace Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
SpaceRecord space_record;
nvram_result_t result;
if (!LoadSpaceRecord(index, &space_record, &result)) {
return result;
}
result = space_record.CheckWriteAccess(request.authorization_value);
if (result != NV_RESULT_SUCCESS) {
return result;
}
// Delete the space. First mark the space as provisionally removed in the
// header. Then, delete the space data from storage. This allows orphaned
// space data be cleaned up after a crash.
SpaceListEntry tmp = spaces_[space_record.array_index];
spaces_[space_record.array_index] = spaces_[num_spaces_ - 1];
--num_spaces_;
result = WriteHeader(Optional<uint32_t>(index));
if (result == NV_RESULT_SUCCESS) {
switch (SanitizeStorageStatus(persistence::DeleteSpace(index))) {
case storage::Status::kStorageError:
NVRAM_LOG_ERR("Failed to delete space 0x%" PRIx32 " data.", index);
result = NV_RESULT_INTERNAL_ERROR;
break;
case storage::Status::kNotFound:
// The space was missing even if it shouldn't have been. Log an error,
// but return success as we're in the desired state.
NVRAM_LOG_ERR("Space 0x%" PRIx32 " data missing on deletion.", index);
return NV_RESULT_SUCCESS;
case storage::Status::kSuccess:
return NV_RESULT_SUCCESS;
}
}
// Failed to delete, re-add the transient state to |spaces_|.
spaces_[num_spaces_] = tmp;
++num_spaces_;
return result;
}
nvram_result_t NvramManager::DisableCreate(
const DisableCreateRequest& /* request */,
DisableCreateResponse* /* response */) {
NVRAM_LOG_INFO("DisableCreate");
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
// Set the |disable_create_| flag and call |WriteHeader| to persist the flag
// such that it remains effective after a reboot. Make sure to restore the
// current value of |disable_create_| if the write call fails, as we return an
// error in that case and client code would not expect state changes.
bool disable_create_previous = disable_create_;
disable_create_ = true;
nvram_result_t result = WriteHeader(Optional<uint32_t>());
if (result != NV_RESULT_SUCCESS) {
disable_create_ = disable_create_previous;
}
return result;
}
nvram_result_t NvramManager::WriteSpace(const WriteSpaceRequest& request,
WriteSpaceResponse* /* response */) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("WriteSpace Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
SpaceRecord space_record;
nvram_result_t result;
if (!LoadSpaceRecord(index, &space_record, &result)) {
return result;
}
result = space_record.CheckWriteAccess(request.authorization_value);
if (result != NV_RESULT_SUCCESS) {
return result;
}
Blob& contents = space_record.persistent.contents;
if (space_record.persistent.HasControl(NV_CONTROL_WRITE_EXTEND)) {
// Concatenate the current space |contents| with the input data.
Blob sha256_input;
if (!sha256_input.Resize(contents.size() + request.buffer.size())) {
return NV_RESULT_INTERNAL_ERROR;
}
memcpy(sha256_input.data(), contents.data(), contents.size());
memcpy(sha256_input.data() + contents.size(), request.buffer.data(),
request.buffer.size());
// Compute the SHA-256 digest and write it back to |contents|.
crypto::SHA256(sha256_input.data(), sha256_input.size(), contents.data(),
contents.size());
} else {
if (contents.size() < request.buffer.size()) {
return NV_RESULT_INVALID_PARAMETER;
}
memcpy(contents.data(), request.buffer.data(), request.buffer.size());
memset(contents.data() + request.buffer.size(), 0x0,
contents.size() - request.buffer.size());
}
return WriteSpace(index, space_record.persistent);
}
nvram_result_t NvramManager::ReadSpace(const ReadSpaceRequest& request,
ReadSpaceResponse* response) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("ReadSpace Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
SpaceRecord space_record;
nvram_result_t result;
if (!LoadSpaceRecord(index, &space_record, &result)) {
return result;
}
result = space_record.CheckReadAccess(request.authorization_value);
if (result != NV_RESULT_SUCCESS) {
return result;
}
if (!response->buffer.Assign(space_record.persistent.contents.data(),
space_record.persistent.contents.size())) {
NVRAM_LOG_ERR("Allocation failure.");
return NV_RESULT_INTERNAL_ERROR;
}
return NV_RESULT_SUCCESS;
}
nvram_result_t NvramManager::LockSpaceWrite(
const LockSpaceWriteRequest& request,
LockSpaceWriteResponse* /* response */) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("LockSpaceWrite Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
SpaceRecord space_record;
nvram_result_t result;
if (!LoadSpaceRecord(index, &space_record, &result)) {
return result;
}
result = space_record.CheckWriteAccess(request.authorization_value);
if (result != NV_RESULT_SUCCESS) {
return result;
}
if (space_record.persistent.HasControl(NV_CONTROL_PERSISTENT_WRITE_LOCK)) {
space_record.persistent.SetFlag(NvramSpace::kFlagWriteLocked);
return WriteSpace(index, space_record.persistent);
} else if (space_record.persistent.HasControl(NV_CONTROL_BOOT_WRITE_LOCK)) {
space_record.transient->write_locked = true;
return NV_RESULT_SUCCESS;
}
NVRAM_LOG_ERR("Space not configured for write locking.");
return NV_RESULT_INVALID_PARAMETER;
}
nvram_result_t NvramManager::LockSpaceRead(
const LockSpaceReadRequest& request,
LockSpaceReadResponse* /* response */) {
const uint32_t index = request.index;
NVRAM_LOG_INFO("LockSpaceRead Ox%" PRIx32, index);
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
SpaceRecord space_record;
nvram_result_t result;
if (!LoadSpaceRecord(index, &space_record, &result)) {
return result;
}
result = space_record.CheckReadAccess(request.authorization_value);
if (result != NV_RESULT_SUCCESS) {
return result;
}
if (space_record.persistent.HasControl(NV_CONTROL_BOOT_READ_LOCK)) {
space_record.transient->read_locked = true;
return NV_RESULT_SUCCESS;
}
NVRAM_LOG_ERR("Space not configured for read locking.");
return NV_RESULT_INVALID_PARAMETER;
}
nvram_result_t NvramManager::WipeStorage(
const WipeStorageRequest& /* request */,
WipeStorageResponse* /* response */) {
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
#ifdef NVRAM_WIPE_STORAGE_SUPPORT
if (disable_wipe_) {
return NV_RESULT_OPERATION_DISABLED;
}
// Go through all spaces and wipe the corresponding data. Note that the header
// is only updated once all space data is gone. This will "break" all spaces
// that are left declared but don't have data. This situation can be observed
// if we crash somewhere during the wiping process before clearing the header.
//
// Note that we deliberately choose this wiping sequence so we can never end
// up in a state where the header appears clean but existing space data
// remains.
//
// As a final note, the ideal solution would be to atomically clear the header
// and delete all space data. While more desirable from an operational point
// of view, this would drastically complicate storage layer requirements to
// support cross-object atomicity instead of per-object atomicity.
for (size_t i = 0; i < num_spaces_; ++i) {
const uint32_t index = spaces_[i].index;
switch (SanitizeStorageStatus(persistence::DeleteSpace(index))) {
case storage::Status::kStorageError:
NVRAM_LOG_ERR("Failed to wipe space 0x%" PRIx32 " data.", index);
return NV_RESULT_INTERNAL_ERROR;
case storage::Status::kNotFound:
// The space was missing even if it shouldn't have been. This may occur
// if a previous wiping attempt was aborted half-way. Log an error, but
// return success as we're in the desired state.
NVRAM_LOG_WARN("Space 0x%" PRIx32 " data missing on wipe.", index);
break;
case storage::Status::kSuccess:
break;
}
}
// All spaces are gone, clear the header.
num_spaces_ = 0;
return WriteHeader(Optional<uint32_t>());
#else // NVRAM_WIPE_STORAGE_SUPPORT
// We're not accessing the flag member, so prevent a compiler warning. The
// alternative of conditionally including the member in the class declaration
// looks cleaner at first sight, but comes with the risk of
// NVRAM_WIPE_STORAGE_SUPPORT polarity mismatches between compilation units,
// which is more subtly dangerous, so we rather keep the member even for the
// case in which it is not used.
(void)disable_wipe_;
return NV_RESULT_OPERATION_DISABLED;
#endif // NVRAM_WIPE_STORAGE_SUPPORT
}
nvram_result_t NvramManager::DisableWipe(
const DisableWipeRequest& /* request */,
DisableWipeResponse* /* response */) {
if (!Initialize())
return NV_RESULT_INTERNAL_ERROR;
#ifdef NVRAM_WIPE_STORAGE_SUPPORT
disable_wipe_ = true;
return NV_RESULT_SUCCESS;
#else // NVRAM_WIPE_STORAGE_SUPPORT
return NV_RESULT_OPERATION_DISABLED;
#endif // NVRAM_WIPE_STORAGE_SUPPORT
}
nvram_result_t NvramManager::SpaceRecord::CheckWriteAccess(
const Blob& authorization_value) {
if (persistent.HasControl(NV_CONTROL_PERSISTENT_WRITE_LOCK)) {
if (persistent.HasFlag(NvramSpace::kFlagWriteLocked)) {
NVRAM_LOG_INFO("Attempt to write persistently locked space 0x%" PRIx32
".",
transient->index);
return NV_RESULT_OPERATION_DISABLED;
}
} else if (persistent.HasControl(NV_CONTROL_BOOT_WRITE_LOCK)) {
if (transient->write_locked) {
NVRAM_LOG_INFO("Attempt to write per-boot locked space 0x%" PRIx32 ".",
transient->index);
return NV_RESULT_OPERATION_DISABLED;
}
}
if (persistent.HasControl(NV_CONTROL_WRITE_AUTHORIZATION) &&
!ConstantTimeEquals(persistent.authorization_value,
authorization_value)) {
NVRAM_LOG_INFO(
"Authorization value mismatch for write access to space 0x%" PRIx32 ".",
transient->index);
return NV_RESULT_ACCESS_DENIED;
}
// All checks passed, allow the write.
return NV_RESULT_SUCCESS;
}
nvram_result_t NvramManager::SpaceRecord::CheckReadAccess(
const Blob& authorization_value) {
if (persistent.HasControl(NV_CONTROL_BOOT_READ_LOCK)) {
if (transient->read_locked) {
NVRAM_LOG_INFO("Attempt to read per-boot locked space 0x%" PRIx32 ".",
transient->index);
return NV_RESULT_OPERATION_DISABLED;
}
}
if (persistent.HasControl(NV_CONTROL_READ_AUTHORIZATION) &&
!ConstantTimeEquals(persistent.authorization_value,
authorization_value)) {
NVRAM_LOG_INFO(
"Authorization value mismatch for read access to space 0x%" PRIx32 ".",
transient->index);
return NV_RESULT_ACCESS_DENIED;
}
// All checks passed, allow the read.
return NV_RESULT_SUCCESS;
}
bool NvramManager::Initialize() {
if (initialized_)
return true;
NvramHeader header;
switch (SanitizeStorageStatus(persistence::LoadHeader(&header))) {
case storage::Status::kStorageError:
NVRAM_LOG_ERR("Init failed to load header.");
return false;
case storage::Status::kNotFound:
// No header in storage. This happens the very first time we initialize
// on a fresh device where the header isn't present yet. The first write
// will flush the fresh header to storage.
initialized_ = true;
return true;
case storage::Status::kSuccess:
if (header.version > NvramHeader::kVersion) {
NVRAM_LOG_ERR("Storage format %" PRIu32 " is more recent than %" PRIu32
", aborting.",
header.version, NvramHeader::kVersion);
return false;
}
break;
}
// Check the state of the provisional space if applicable.
const Optional<uint32_t>& provisional_index = header.provisional_index;
bool provisional_space_in_storage = false;
if (provisional_index.valid()) {
NvramSpace space;
switch (SanitizeStorageStatus(
persistence::LoadSpace(provisional_index.value(), &space))) {
case storage::Status::kStorageError:
// Log an error but leave the space marked as allocated. This will allow
// initialization to complete, so other spaces can be accessed.
// Operations on the bad space will fail however. The choice of keeping
// the bad space around (as opposed to dropping it) is intentional:
// * Failing noisily reduces the chances of bugs going undetected.
// * Keeping the index allocated prevents it from being accidentally
// clobbered due to appearing absent after transient storage errors.
NVRAM_LOG_ERR("Failed to load provisional space 0x%" PRIx32 ".",
provisional_index.value());
provisional_space_in_storage = true;
break;
case storage::Status::kNotFound:
break;
case storage::Status::kSuccess:
provisional_space_in_storage = true;
break;
}
}
// If there are more spaces allocated than this build supports, fail
// initialization. This may seem a bit drastic, but the alternatives aren't
// acceptable:
// * If we continued with just a subset of the spaces, that may lead to wrong
// conclusions about the system state in consumers. Furthermore, consumers
// might delete a space to make room and then create a space that appears
// free but is present in storage. This would clobber the existing space
// data and potentially violate its access control rules.
// * We could just try to allocate more memory to hold the larger number of
// spaces. That'd render the memory footprint of the NVRAM implementation
// unpredictable. One variation that may work is to allow a maximum number
// of existing spaces larger than kMaxSpaces, but still within sane limits.
if (header.allocated_indices.size() > kMaxSpaces) {
NVRAM_LOG_ERR("Excess spaces %zu in header.",
header.allocated_indices.size());
return false;
}
// Initialize the transient space bookkeeping data.
bool delete_provisional_space = provisional_index.valid();
for (uint32_t index : header.allocated_indices) {
if (provisional_index.valid() && provisional_index.value() == index) {
// The provisional space index refers to a created space. If it isn't
// valid, pretend it was never created.
if (!provisional_space_in_storage) {
continue;
}
// The provisional space index corresponds to a created space that is
// present in storage. Retain the space.
delete_provisional_space = false;
}
spaces_[num_spaces_].index = index;
spaces_[num_spaces_].write_locked = false;
spaces_[num_spaces_].read_locked = false;
++num_spaces_;
}
// If the provisional space data is present in storage, but the index wasn't
// in |header.allocated_indices|, it refers to half-deleted space. Destroy the
// space in that case.
if (delete_provisional_space) {
switch (SanitizeStorageStatus(
persistence::DeleteSpace(provisional_index.value()))) {
case storage::Status::kStorageError:
NVRAM_LOG_ERR("Failed to delete provisional space 0x%" PRIx32 " data.",
provisional_index.value());
return false;
case storage::Status::kNotFound:
// The space isn't present in storage. This may happen if the space
// deletion succeeded, but the header wasn't written subsequently.
break;
case storage::Status::kSuccess:
break;
}
}
disable_create_ = header.HasFlag(NvramHeader::kFlagDisableCreate);
initialized_ = true;
// Write the header to clear the provisional index if necessary. It's actually
// not a problem if this fails, because the state is consistent regardless. We
// still do this opportunistically in order to avoid loading the provisional
// space data for each reboot after a crash.
if (provisional_index.valid()) {
WriteHeader(Optional<uint32_t>());
}
return true;
}
size_t NvramManager::FindSpace(uint32_t space_index) {
for (size_t i = 0; i < num_spaces_; ++i) {
if (spaces_[i].index == space_index) {
return i;
}
}
return kMaxSpaces;
}
bool NvramManager::LoadSpaceRecord(uint32_t index,
SpaceRecord* space_record,
nvram_result_t* result) {
space_record->array_index = FindSpace(index);
if (space_record->array_index == kMaxSpaces) {
*result = NV_RESULT_SPACE_DOES_NOT_EXIST;
return false;
}
space_record->transient = &spaces_[space_record->array_index];
switch (SanitizeStorageStatus(
persistence::LoadSpace(index, &space_record->persistent))) {
case storage::Status::kStorageError:
NVRAM_LOG_ERR("Failed to load space 0x%" PRIx32 " data.", index);
*result = NV_RESULT_INTERNAL_ERROR;
return false;
case storage::Status::kNotFound:
// This should never happen if the header contains the index.
NVRAM_LOG_ERR("Space index 0x%" PRIx32
" present in header, but data missing.",
index);
*result = NV_RESULT_INTERNAL_ERROR;
return false;
case storage::Status::kSuccess:
*result = NV_RESULT_SUCCESS;
return true;
}
*result = NV_RESULT_INTERNAL_ERROR;
return false;
}
nvram_result_t NvramManager::WriteHeader(Optional<uint32_t> provisional_index) {
NvramHeader header;
header.version = NvramHeader::kVersion;
if (disable_create_) {
header.SetFlag(NvramHeader::kFlagDisableCreate);
}
if (!header.allocated_indices.Resize(num_spaces_)) {
NVRAM_LOG_ERR("Allocation failure.");
return NV_RESULT_INTERNAL_ERROR;
}
for (size_t i = 0; i < num_spaces_; ++i) {
header.allocated_indices[i] = spaces_[i].index;
}
header.provisional_index = provisional_index;
if (SanitizeStorageStatus(persistence::StoreHeader(header)) !=
storage::Status::kSuccess) {
NVRAM_LOG_ERR("Failed to store header.");
return NV_RESULT_INTERNAL_ERROR;
}
return NV_RESULT_SUCCESS;
}
nvram_result_t NvramManager::WriteSpace(uint32_t index,
const NvramSpace& space) {
if (SanitizeStorageStatus(persistence::StoreSpace(index, space)) !=
storage::Status::kSuccess) {
NVRAM_LOG_ERR("Failed to store space 0x%" PRIx32 ".", index);
return NV_RESULT_INTERNAL_ERROR;
}
return NV_RESULT_SUCCESS;
}
} // namespace nvram