rust/src/ops.rs

*d289c2baSAndroid Build Coastguard Worker// Copyright 2023, The Android Open Source Project
*d289c2baSAndroid Build Coastguard Worker//
*d289c2baSAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License");
*d289c2baSAndroid Build Coastguard Worker// you may not use this file except in compliance with the License.
*d289c2baSAndroid Build Coastguard Worker// You may obtain a copy of the License at
*d289c2baSAndroid Build Coastguard Worker//
*d289c2baSAndroid Build Coastguard Worker//     http://www.apache.org/licenses/LICENSE-2.0
*d289c2baSAndroid Build Coastguard Worker//
*d289c2baSAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software
*d289c2baSAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS,
*d289c2baSAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*d289c2baSAndroid Build Coastguard Worker// See the License for the specific language governing permissions and
*d289c2baSAndroid Build Coastguard Worker// limitations under the License.
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker//! User callback APIs.
*d289c2baSAndroid Build Coastguard Worker//!
*d289c2baSAndroid Build Coastguard Worker//! This module is responsible for bridging the user-implemented callbacks so that they can be
*d289c2baSAndroid Build Coastguard Worker//! written in safe Rust but libavb can call them from C.
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Workerextern crate alloc;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Workeruse crate::{error::result_to_io_enum, CertOps, IoError, IoResult, SHA256_DIGEST_SIZE};
*d289c2baSAndroid Build Coastguard Workeruse avb_bindgen::{AvbCertOps, AvbCertPermanentAttributes, AvbIOResult, AvbOps};
*d289c2baSAndroid Build Coastguard Workeruse core::{
*d289c2baSAndroid Build Coastguard Worker    cmp::min,
*d289c2baSAndroid Build Coastguard Worker    ffi::{c_char, c_void, CStr},
*d289c2baSAndroid Build Coastguard Worker    marker::PhantomPinned,
*d289c2baSAndroid Build Coastguard Worker    pin::Pin,
*d289c2baSAndroid Build Coastguard Worker    ptr, slice,
*d289c2baSAndroid Build Coastguard Worker};
*d289c2baSAndroid Build Coastguard Worker#[cfg(feature = "uuid")]
*d289c2baSAndroid Build Coastguard Workeruse uuid::Uuid;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Base implementation-provided callbacks for verification.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See libavb `AvbOps` for more complete documentation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Lifetimes
*d289c2baSAndroid Build Coastguard Worker/// The trait lifetime `'a` indicates the lifetime of any preloaded partition data.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// Preloading partitions is an optional feature which allows libavb to use data already loaded to
*d289c2baSAndroid Build Coastguard Worker/// RAM rather than allocating memory itself and loading data from disk. Preloading changes the
*d289c2baSAndroid Build Coastguard Worker/// data ownership model so that the verification result borrows this existing data rather than
*d289c2baSAndroid Build Coastguard Worker/// allocating and owning the data itself. Because of this borrow, we need the lifetime here to
*d289c2baSAndroid Build Coastguard Worker/// ensure that the underlying data outlives the verification result object.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// If `get_preloaded_partition()` is left unimplemented, all data is loaded and owned by the
*d289c2baSAndroid Build Coastguard Worker/// verification result rather than borrowed, and this trait lifetime can be `'static`.
*d289c2baSAndroid Build Coastguard Workerpub trait Ops<'a> {
*d289c2baSAndroid Build Coastguard Worker    /// Reads data from the requested partition on disk.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `partition`: partition name to read from.
*d289c2baSAndroid Build Coastguard Worker    /// * `offset`: offset in bytes within the partition to read from; a positive value indicates an
*d289c2baSAndroid Build Coastguard Worker    ///             offset from the partition start, a negative value indicates a backwards offset
*d289c2baSAndroid Build Coastguard Worker    ///             from the partition end.
*d289c2baSAndroid Build Coastguard Worker    /// * `buffer`: buffer to read data into.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// The number of bytes actually read into `buffer` or an `IoError`. Reading less than
*d289c2baSAndroid Build Coastguard Worker    /// `buffer.len()` bytes is only allowed if the end of the partition was reached.
*d289c2baSAndroid Build Coastguard Worker    fn read_from_partition(
*d289c2baSAndroid Build Coastguard Worker        &mut self,
*d289c2baSAndroid Build Coastguard Worker        partition: &CStr,
*d289c2baSAndroid Build Coastguard Worker        offset: i64,
*d289c2baSAndroid Build Coastguard Worker        buffer: &mut [u8],
*d289c2baSAndroid Build Coastguard Worker    ) -> IoResult<usize>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Returns a reference to preloaded partition contents.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This is an optional optimization if a partition has already been loaded to provide libavb
*d289c2baSAndroid Build Coastguard Worker    /// with a reference to the data rather than copying it as `read_from_partition()` would.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// May be left unimplemented if preloaded partitions are not used.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `partition`: partition name to read from.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// * A reference to the entire partition contents if the partition has been preloaded.
*d289c2baSAndroid Build Coastguard Worker    /// * `Err<IoError::NotImplemented>` if the requested partition has not been preloaded;
*d289c2baSAndroid Build Coastguard Worker    ///   verification will next attempt to load the partition via `read_from_partition()`.
*d289c2baSAndroid Build Coastguard Worker    /// * Any other `Err<IoError>` if an error occurred; verification will exit immediately.
*d289c2baSAndroid Build Coastguard Worker    fn get_preloaded_partition(&mut self, _partition: &CStr) -> IoResult<&'a [u8]> {
*d289c2baSAndroid Build Coastguard Worker        Err(IoError::NotImplemented)
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Checks if the given public key is valid for vbmeta image signing.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// If using libavb_cert, this should forward to `cert_validate_vbmeta_public_key()`.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `public_key`: the public key.
*d289c2baSAndroid Build Coastguard Worker    /// * `public_key_metadata`: public key metadata set by the `--public_key_metadata` arg in
*d289c2baSAndroid Build Coastguard Worker    ///                          `avbtool`, or None if no metadata was provided.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// True if the given key is valid, false if it is not, `IoError` on error.
*d289c2baSAndroid Build Coastguard Worker    fn validate_vbmeta_public_key(
*d289c2baSAndroid Build Coastguard Worker        &mut self,
*d289c2baSAndroid Build Coastguard Worker        public_key: &[u8],
*d289c2baSAndroid Build Coastguard Worker        public_key_metadata: Option<&[u8]>,
*d289c2baSAndroid Build Coastguard Worker    ) -> IoResult<bool>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Reads the rollback index at the given location.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `rollback_index_location`: the rollback location.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// The rollback index at this location or `IoError` on error.
*d289c2baSAndroid Build Coastguard Worker    fn read_rollback_index(&mut self, rollback_index_location: usize) -> IoResult<u64>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Writes the rollback index at the given location.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This API is never actually used by libavb; the purpose of having it here is to group it
*d289c2baSAndroid Build Coastguard Worker    /// with `read_rollback_index()` and indicate to the implementation that it is responsible
*d289c2baSAndroid Build Coastguard Worker    /// for providing this functionality. However, it's up to the implementation to call this
*d289c2baSAndroid Build Coastguard Worker    /// function at the proper time after verification, which is a device-specific decision that
*d289c2baSAndroid Build Coastguard Worker    /// depends on things like the A/B strategy. See the libavb documentation for more information.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `rollback_index_location`: the rollback location.
*d289c2baSAndroid Build Coastguard Worker    /// * `index`: the rollback index to write.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// Unit on success or `IoError` on error.
*d289c2baSAndroid Build Coastguard Worker    fn write_rollback_index(&mut self, rollback_index_location: usize, index: u64) -> IoResult<()>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Returns the device unlock state.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// True if the device is unlocked, false if locked, `IoError` on error.
*d289c2baSAndroid Build Coastguard Worker    fn read_is_device_unlocked(&mut self) -> IoResult<bool>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Returns the GUID of the requested partition.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This is only necessary if the kernel commandline requires GUID substitution, and is omitted
*d289c2baSAndroid Build Coastguard Worker    /// from the library by default to avoid unnecessary dependencies. To implement:
*d289c2baSAndroid Build Coastguard Worker    /// 1. Enable the `uuid` feature during compilation
*d289c2baSAndroid Build Coastguard Worker    /// 2. Provide the [`uuid` crate](https://docs.rs/uuid/latest/uuid/) dependency
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `partition`: partition name.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// The partition GUID or `IoError` on error.
*d289c2baSAndroid Build Coastguard Worker    #[cfg(feature = "uuid")]
*d289c2baSAndroid Build Coastguard Worker    fn get_unique_guid_for_partition(&mut self, partition: &CStr) -> IoResult<Uuid>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Returns the size of the requested partition.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `partition`: partition name.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// The partition size in bytes or `IoError` on error.
*d289c2baSAndroid Build Coastguard Worker    fn get_size_of_partition(&mut self, partition: &CStr) -> IoResult<u64>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Reads the requested persistent value.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This is only necessary if using persistent digests or the "managed restart and EIO"
*d289c2baSAndroid Build Coastguard Worker    /// hashtree verification mode; if verification is not using these features, this function will
*d289c2baSAndroid Build Coastguard Worker    /// never be called.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `name`: persistent value name.
*d289c2baSAndroid Build Coastguard Worker    /// * `value`: buffer to read persistent value into; if too small to hold the persistent value,
*d289c2baSAndroid Build Coastguard Worker    ///            `IoError::InsufficientSpace` should be returned and this function will be called
*d289c2baSAndroid Build Coastguard Worker    ///            again with an appropriately-sized buffer. This may be an empty slice if the
*d289c2baSAndroid Build Coastguard Worker    ///            caller only wants to query the persistent value size.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// * The number of bytes written into `value` on success.
*d289c2baSAndroid Build Coastguard Worker    /// * `IoError::NoSuchValue` if `name` is not a known persistent value.
*d289c2baSAndroid Build Coastguard Worker    /// * `IoError::InsufficientSpace` with the required size if the `value` buffer is too small.
*d289c2baSAndroid Build Coastguard Worker    /// * Any other `IoError` on failure.
*d289c2baSAndroid Build Coastguard Worker    fn read_persistent_value(&mut self, name: &CStr, value: &mut [u8]) -> IoResult<usize>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Writes the requested persistent value.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This is only necessary if using persistent digests or the "managed restart and EIO"
*d289c2baSAndroid Build Coastguard Worker    /// hashtree verification mode; if verification is not using these features, this function will
*d289c2baSAndroid Build Coastguard Worker    /// never be called.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `name`: persistent value name.
*d289c2baSAndroid Build Coastguard Worker    /// * `value`: bytes to write as the new value.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// * Unit on success.
*d289c2baSAndroid Build Coastguard Worker    /// * `IoError::NoSuchValue` if `name` is not a supported persistent value.
*d289c2baSAndroid Build Coastguard Worker    /// * `IoError::InvalidValueSize` if `value` is too large to save as a persistent value.
*d289c2baSAndroid Build Coastguard Worker    /// * Any other `IoError` on failure.
*d289c2baSAndroid Build Coastguard Worker    fn write_persistent_value(&mut self, name: &CStr, value: &[u8]) -> IoResult<()>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Erases the requested persistent value.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This is only necessary if using persistent digests or the "managed restart and EIO"
*d289c2baSAndroid Build Coastguard Worker    /// hashtree verification mode; if verification is not using these features, this function will
*d289c2baSAndroid Build Coastguard Worker    /// never be called.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// If the requested persistent value is already erased, this function is a no-op and should
*d289c2baSAndroid Build Coastguard Worker    /// return `Ok(())`.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `name`: persistent value name.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// * Unit on success.
*d289c2baSAndroid Build Coastguard Worker    /// * `IoError::NoSuchValue` if `name` is not a supported persistent value.
*d289c2baSAndroid Build Coastguard Worker    /// * Any other `IoError` on failure.
*d289c2baSAndroid Build Coastguard Worker    fn erase_persistent_value(&mut self, name: &CStr) -> IoResult<()>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Checks if the given public key is valid for the given partition.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// This is only used if the "no vbmeta" verification flag is passed, meaning the partitions
*d289c2baSAndroid Build Coastguard Worker    /// to verify have an embedded vbmeta image rather than locating it in a separate vbmeta
*d289c2baSAndroid Build Coastguard Worker    /// partition. If this flag is not used, the `validate_vbmeta_public_key()` callback is used
*d289c2baSAndroid Build Coastguard Worker    /// instead, and this function will never be called.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// If using libavb_cert for `partition`, this should forward to
*d289c2baSAndroid Build Coastguard Worker    /// `cert_validate_vbmeta_public_key()`.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Arguments
*d289c2baSAndroid Build Coastguard Worker    /// * `partition`: partition name.
*d289c2baSAndroid Build Coastguard Worker    /// * `public_key`: the public key.
*d289c2baSAndroid Build Coastguard Worker    /// * `public_key_metadata`: public key metadata set by the `--public_key_metadata` arg in
*d289c2baSAndroid Build Coastguard Worker    ///                          `avbtool`, or None if no metadata was provided.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// On success, returns a `PublicKeyForPartitionInfo` object indicating whether the given
*d289c2baSAndroid Build Coastguard Worker    /// key is trusted and its rollback index location.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// On failure, returns an error.
*d289c2baSAndroid Build Coastguard Worker    fn validate_public_key_for_partition(
*d289c2baSAndroid Build Coastguard Worker        &mut self,
*d289c2baSAndroid Build Coastguard Worker        partition: &CStr,
*d289c2baSAndroid Build Coastguard Worker        public_key: &[u8],
*d289c2baSAndroid Build Coastguard Worker        public_key_metadata: Option<&[u8]>,
*d289c2baSAndroid Build Coastguard Worker    ) -> IoResult<PublicKeyForPartitionInfo>;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Returns the libavb_cert certificate ops if supported.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// The libavb_cert extension provides some additional key management and authentication support
*d289c2baSAndroid Build Coastguard Worker    /// APIs, see the cert module documentation for more info.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// The default implementation returns `None` to disable cert APIs.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// Commonly when using certs the same struct will implement both `Ops` and `CertOps`, in which
*d289c2baSAndroid Build Coastguard Worker    /// case this can just return `Some(self)`.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// Note: changing this return value in the middle of a libavb operation (e.g. from another
*d289c2baSAndroid Build Coastguard Worker    /// callback) is not recommended; it may cause runtime errors or a panic later on in the
*d289c2baSAndroid Build Coastguard Worker    /// operation. It's fine to change this return value outside of libavb operations.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// The `CertOps` object, or `None` if not supported.
*d289c2baSAndroid Build Coastguard Worker    fn cert_ops(&mut self) -> Option<&mut dyn CertOps> {
*d289c2baSAndroid Build Coastguard Worker        None
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Info returned from `validate_public_key_for_partition()`.
*d289c2baSAndroid Build Coastguard Worker#[derive(Clone, Copy, Debug)]
*d289c2baSAndroid Build Coastguard Workerpub struct PublicKeyForPartitionInfo {
*d289c2baSAndroid Build Coastguard Worker    /// Whether the key is trusted for the given partition..
*d289c2baSAndroid Build Coastguard Worker    pub trusted: bool,
*d289c2baSAndroid Build Coastguard Worker    /// The rollback index to use for the given partition.
*d289c2baSAndroid Build Coastguard Worker    pub rollback_index_location: u32,
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Provides the logic to bridge between the libavb C ops and our Rust ops.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// This struct internally owns the C ops structs, and borrows ownership of the Rust `Ops`. This
*d289c2baSAndroid Build Coastguard Worker/// allows us to translate in both directions, from Rust -> C to call into libavb and then back
*d289c2baSAndroid Build Coastguard Worker/// from C -> Rust when servicing the callbacks.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// The general control flow look like this:
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// ```ignore
*d289c2baSAndroid Build Coastguard Worker/// user calls a Rust API with their `Ops` {
*d289c2baSAndroid Build Coastguard Worker///     we create `OpsBridge` wrapping `Ops` and the C structs
*d289c2baSAndroid Build Coastguard Worker///     we call into C libavb API {
*d289c2baSAndroid Build Coastguard Worker///         libavb makes C ops callback {
*d289c2baSAndroid Build Coastguard Worker///             we retrieve `OpsBridge` from the callback `user_data` param
*d289c2baSAndroid Build Coastguard Worker///             we make the corresponding Rust `Ops` callback
*d289c2baSAndroid Build Coastguard Worker///         }
*d289c2baSAndroid Build Coastguard Worker///         ... libavb makes more callbacks as needed ...
*d289c2baSAndroid Build Coastguard Worker///     }
*d289c2baSAndroid Build Coastguard Worker/// }
*d289c2baSAndroid Build Coastguard Worker/// ```
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Lifetimes
*d289c2baSAndroid Build Coastguard Worker/// * `'o`: lifetime of the `Ops` object
*d289c2baSAndroid Build Coastguard Worker/// * `'p`: lifetime of any preloaded data provided by `Ops`
*d289c2baSAndroid Build Coastguard Workerpub(crate) struct OpsBridge<'o, 'p> {
*d289c2baSAndroid Build Coastguard Worker    /// C `AvbOps` holds a raw pointer to the `OpsBridge` so we can retrieve it during callbacks.
*d289c2baSAndroid Build Coastguard Worker    avb_ops: AvbOps,
*d289c2baSAndroid Build Coastguard Worker    /// When using libavb_cert, C `AvbOps`/`AvbCertOps` hold circular pointers to each other.
*d289c2baSAndroid Build Coastguard Worker    cert_ops: AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    /// Rust `Ops` implementation, which may also provide Rust `CertOps`.
*d289c2baSAndroid Build Coastguard Worker    rust_ops: &'o mut dyn Ops<'p>,
*d289c2baSAndroid Build Coastguard Worker    /// Remove the `Unpin` trait to indicate this type has address-sensitive state.
*d289c2baSAndroid Build Coastguard Worker    _pin: PhantomPinned,
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Workerimpl<'o, 'p> OpsBridge<'o, 'p> {
*d289c2baSAndroid Build Coastguard Worker    pub(crate) fn new(ops: &'o mut dyn Ops<'p>) -> Self {
*d289c2baSAndroid Build Coastguard Worker        Self {
*d289c2baSAndroid Build Coastguard Worker            avb_ops: AvbOps {
*d289c2baSAndroid Build Coastguard Worker                user_data: ptr::null_mut(), // Set at the time of use.
*d289c2baSAndroid Build Coastguard Worker                ab_ops: ptr::null_mut(),    // Deprecated, no need to support.
*d289c2baSAndroid Build Coastguard Worker                cert_ops: ptr::null_mut(),  // Set at the time of use.
*d289c2baSAndroid Build Coastguard Worker                read_from_partition: Some(read_from_partition),
*d289c2baSAndroid Build Coastguard Worker                get_preloaded_partition: Some(get_preloaded_partition),
*d289c2baSAndroid Build Coastguard Worker                write_to_partition: None, // Not needed, only used for deprecated A/B.
*d289c2baSAndroid Build Coastguard Worker                validate_vbmeta_public_key: Some(validate_vbmeta_public_key),
*d289c2baSAndroid Build Coastguard Worker                read_rollback_index: Some(read_rollback_index),
*d289c2baSAndroid Build Coastguard Worker                write_rollback_index: Some(write_rollback_index),
*d289c2baSAndroid Build Coastguard Worker                read_is_device_unlocked: Some(read_is_device_unlocked),
*d289c2baSAndroid Build Coastguard Worker                get_unique_guid_for_partition: Some(get_unique_guid_for_partition),
*d289c2baSAndroid Build Coastguard Worker                get_size_of_partition: Some(get_size_of_partition),
*d289c2baSAndroid Build Coastguard Worker                read_persistent_value: Some(read_persistent_value),
*d289c2baSAndroid Build Coastguard Worker                write_persistent_value: Some(write_persistent_value),
*d289c2baSAndroid Build Coastguard Worker                validate_public_key_for_partition: Some(validate_public_key_for_partition),
*d289c2baSAndroid Build Coastguard Worker            },
*d289c2baSAndroid Build Coastguard Worker            cert_ops: AvbCertOps {
*d289c2baSAndroid Build Coastguard Worker                ops: ptr::null_mut(), // Set at the time of use.
*d289c2baSAndroid Build Coastguard Worker                read_permanent_attributes: Some(read_permanent_attributes),
*d289c2baSAndroid Build Coastguard Worker                read_permanent_attributes_hash: Some(read_permanent_attributes_hash),
*d289c2baSAndroid Build Coastguard Worker                set_key_version: Some(set_key_version),
*d289c2baSAndroid Build Coastguard Worker                get_random: Some(get_random),
*d289c2baSAndroid Build Coastguard Worker            },
*d289c2baSAndroid Build Coastguard Worker            rust_ops: ops,
*d289c2baSAndroid Build Coastguard Worker            _pin: PhantomPinned,
*d289c2baSAndroid Build Coastguard Worker        }
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    /// Initializes and returns the C `AvbOps` structure from an `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// If the contained `Ops` supports `CertOps`, the returned `AvbOps` will also be configured
*d289c2baSAndroid Build Coastguard Worker    /// properly for libavb_cert.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// Pinning is necessary here because the returned `AvbOps` contains pointers into `self`, so
*d289c2baSAndroid Build Coastguard Worker    /// we cannot allow `self` to subsequently move or else the pointers would become invalid.
*d289c2baSAndroid Build Coastguard Worker    ///
*d289c2baSAndroid Build Coastguard Worker    /// # Returns
*d289c2baSAndroid Build Coastguard Worker    /// The C `AvbOps` struct to make libavb calls with.
*d289c2baSAndroid Build Coastguard Worker    pub(crate) fn init_and_get_c_ops<'a>(self: Pin<&'a mut Self>) -> &'a mut AvbOps {
*d289c2baSAndroid Build Coastguard Worker        // SAFETY: we do not move out of `self_mut`, but only set pointers to pinned addresses.
*d289c2baSAndroid Build Coastguard Worker        let self_mut = unsafe { self.get_unchecked_mut() };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        // Set the C `user_data` to point back to us so we can retrieve ourself in callbacks.
*d289c2baSAndroid Build Coastguard Worker        self_mut.avb_ops.user_data = self_mut as *mut _ as *mut _;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        // If the `Ops` supports certs, set up the necessary additional pointer tracking.
*d289c2baSAndroid Build Coastguard Worker        if self_mut.rust_ops.cert_ops().is_some() {
*d289c2baSAndroid Build Coastguard Worker            self_mut.avb_ops.cert_ops = &mut self_mut.cert_ops;
*d289c2baSAndroid Build Coastguard Worker            self_mut.cert_ops.ops = &mut self_mut.avb_ops;
*d289c2baSAndroid Build Coastguard Worker        }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        &mut self_mut.avb_ops
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Extracts the user-provided `Ops` from a raw `AvbOps`.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// This function is used in libavb callbacks to bridge libavb's raw C `AvbOps` struct to our Rust
*d289c2baSAndroid Build Coastguard Worker/// implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Arguments
*d289c2baSAndroid Build Coastguard Worker/// * `avb_ops`: The raw `AvbOps` pointer used by libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Returns
*d289c2baSAndroid Build Coastguard Worker/// The Rust `Ops` extracted from `avb_ops.user_data`.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * only call this function on an `AvbOps` created via `OpsBridge`
*d289c2baSAndroid Build Coastguard Worker/// * drop all references to the returned `Ops` and preloaded data before returning control to
*d289c2baSAndroid Build Coastguard Worker///   libavb or calling this function again
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// In practice, these conditions are met since we call this at most once in each callback
*d289c2baSAndroid Build Coastguard Worker/// to extract the `Ops`, and drop the references at callback completion.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Lifetimes
*d289c2baSAndroid Build Coastguard Worker/// * `'o`: lifetime of the `Ops` object
*d289c2baSAndroid Build Coastguard Worker/// * `'p`: lifetime of any preloaded data provided by `Ops`
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// It's difficult to accurately provide the lifetimes when calling this function, since we are in
*d289c2baSAndroid Build Coastguard Worker/// a C callback which provides no lifetime information in the args. We solve this in the safety
*d289c2baSAndroid Build Coastguard Worker/// requirements by requiring the caller to drop both references before returning, which is always
*d289c2baSAndroid Build Coastguard Worker/// a subset of the actual object lifetimes as the objects must remain valid while libavb is
*d289c2baSAndroid Build Coastguard Worker/// actively using them:
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// ```ignore
*d289c2baSAndroid Build Coastguard Worker/// ops/preloaded lifetime {  // Actual 'o/'p start
*d289c2baSAndroid Build Coastguard Worker///   call into libavb {
*d289c2baSAndroid Build Coastguard Worker///     libavb callbacks {
*d289c2baSAndroid Build Coastguard Worker///       as_ops()            // as_ops() 'o/'p start
*d289c2baSAndroid Build Coastguard Worker///     }                     // as_ops() 'o/'p end
*d289c2baSAndroid Build Coastguard Worker///   }
*d289c2baSAndroid Build Coastguard Worker/// }                         // Actual 'o/'p end
*d289c2baSAndroid Build Coastguard Worker/// ```
*d289c2baSAndroid Build Coastguard Workerunsafe fn as_ops<'o, 'p>(avb_ops: *mut AvbOps) -> IoResult<&'o mut dyn Ops<'p>> {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: we created this AvbOps object and passed it to libavb so we know it meets all
*d289c2baSAndroid Build Coastguard Worker    // the criteria for `as_mut()`.
*d289c2baSAndroid Build Coastguard Worker    let avb_ops = unsafe { avb_ops.as_mut() }.ok_or(IoError::Io)?;
*d289c2baSAndroid Build Coastguard Worker    // Cast the void* `user_data` back to a OpsBridge*.
*d289c2baSAndroid Build Coastguard Worker    let bridge = avb_ops.user_data as *mut OpsBridge;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: we created this OpsBridge object and passed it to libavb so we know it meets all
*d289c2baSAndroid Build Coastguard Worker    // the criteria for `as_mut()`.
*d289c2baSAndroid Build Coastguard Worker    Ok(unsafe { bridge.as_mut() }.ok_or(IoError::Io)?.rust_ops)
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Similar to `as_ops()`, but for `CertOps`.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// Same as `as_ops()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn as_cert_ops<'o>(cert_ops: *mut AvbCertOps) -> IoResult<&'o mut dyn CertOps> {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: we created this `CertOps` object and passed it to libavb so we know it meets all
*d289c2baSAndroid Build Coastguard Worker    // the criteria for `as_mut()`.
*d289c2baSAndroid Build Coastguard Worker    let cert_ops = unsafe { cert_ops.as_mut() }.ok_or(IoError::Io)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: caller must adhere to `as_ops()` safety requirements.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(cert_ops.ops) }?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Return the `CertOps` implementation. If it doesn't exist here, it indicates an internal error
*d289c2baSAndroid Build Coastguard Worker    // in this library; somewhere we accepted a non-cert `Ops` into a function that requires cert.
*d289c2baSAndroid Build Coastguard Worker    ops.cert_ops().ok_or(IoError::NotImplemented)
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Converts a non-NULL `ptr` to `()`, NULL to `Err(IoError::Io)`.
*d289c2baSAndroid Build Coastguard Workerfn check_nonnull<T>(ptr: *const T) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    match ptr.is_null() {
*d289c2baSAndroid Build Coastguard Worker        true => Err(IoError::Io),
*d289c2baSAndroid Build Coastguard Worker        false => Ok(()),
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn read_from_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    offset: i64,
*d289c2baSAndroid Build Coastguard Worker    num_bytes: usize,
*d289c2baSAndroid Build Coastguard Worker    buffer: *mut c_void,
*d289c2baSAndroid Build Coastguard Worker    out_num_read: *mut usize,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_read_from_partition(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            partition,
*d289c2baSAndroid Build Coastguard Worker            offset,
*d289c2baSAndroid Build Coastguard Worker            num_bytes,
*d289c2baSAndroid Build Coastguard Worker            buffer,
*d289c2baSAndroid Build Coastguard Worker            out_num_read,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `partition` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `buffer` must adhere to the requirements of `slice::from_raw_parts_mut()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_num_read` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_read_from_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    offset: i64,
*d289c2baSAndroid Build Coastguard Worker    num_bytes: usize,
*d289c2baSAndroid Build Coastguard Worker    buffer: *mut c_void,
*d289c2baSAndroid Build Coastguard Worker    out_num_read: *mut usize,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(partition)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(buffer)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_num_read)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_num_read`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_num_read, 0) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated and nul-terminated `partition`.
*d289c2baSAndroid Build Coastguard Worker    // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker    // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let partition = unsafe { CStr::from_ptr(partition) };
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `buffer` with size `num_bytes`.
*d289c2baSAndroid Build Coastguard Worker    // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker    // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let buffer = unsafe { slice::from_raw_parts_mut(buffer as *mut u8, num_bytes) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    let bytes_read = ops.read_from_partition(partition, offset, buffer)?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_num_read`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_num_read, bytes_read) };
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn get_preloaded_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    num_bytes: usize,
*d289c2baSAndroid Build Coastguard Worker    out_pointer: *mut *mut u8,
*d289c2baSAndroid Build Coastguard Worker    out_num_bytes_preloaded: *mut usize,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_get_preloaded_partition(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            partition,
*d289c2baSAndroid Build Coastguard Worker            num_bytes,
*d289c2baSAndroid Build Coastguard Worker            out_pointer,
*d289c2baSAndroid Build Coastguard Worker            out_num_bytes_preloaded,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `partition` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_pointer` and `out_num_bytes_preloaded` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_pointer` will become an alias to the `ops` preloaded partition data, so the preloaded
*d289c2baSAndroid Build Coastguard Worker///   data must remain valid and unmodified while `out_pointer` exists.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_get_preloaded_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    num_bytes: usize,
*d289c2baSAndroid Build Coastguard Worker    out_pointer: *mut *mut u8,
*d289c2baSAndroid Build Coastguard Worker    out_num_bytes_preloaded: *mut usize,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(partition)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_pointer)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_num_bytes_preloaded)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointers are non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us properly-aligned and sized `out` vars.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        ptr::write(out_pointer, ptr::null_mut());
*d289c2baSAndroid Build Coastguard Worker        ptr::write(out_num_bytes_preloaded, 0);
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated and nul-terminated `partition`.
*d289c2baSAndroid Build Coastguard Worker    // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker    // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let partition = unsafe { CStr::from_ptr(partition) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    match ops.get_preloaded_partition(partition) {
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we've checked that the pointers are non-NULL.
*d289c2baSAndroid Build Coastguard Worker        // * libavb gives us properly-aligned and sized `out` vars.
*d289c2baSAndroid Build Coastguard Worker        Ok(contents) => unsafe {
*d289c2baSAndroid Build Coastguard Worker            ptr::write(
*d289c2baSAndroid Build Coastguard Worker                out_pointer,
*d289c2baSAndroid Build Coastguard Worker                // Warning: we are casting an immutable &[u8] to a mutable *u8. If libavb actually
*d289c2baSAndroid Build Coastguard Worker                // modified these contents this could cause undefined behavior, but it just reads.
*d289c2baSAndroid Build Coastguard Worker                // TODO: can we change the libavb API to take a const*?
*d289c2baSAndroid Build Coastguard Worker                contents.as_ptr() as *mut u8,
*d289c2baSAndroid Build Coastguard Worker            );
*d289c2baSAndroid Build Coastguard Worker            ptr::write(
*d289c2baSAndroid Build Coastguard Worker                out_num_bytes_preloaded,
*d289c2baSAndroid Build Coastguard Worker                // Truncate here if necessary, we may have more preloaded data than libavb needs.
*d289c2baSAndroid Build Coastguard Worker                min(contents.len(), num_bytes),
*d289c2baSAndroid Build Coastguard Worker            );
*d289c2baSAndroid Build Coastguard Worker        },
*d289c2baSAndroid Build Coastguard Worker        // No-op if this partition is not preloaded, we've already reset the out variables to
*d289c2baSAndroid Build Coastguard Worker        // indicate preloaded data is not available.
*d289c2baSAndroid Build Coastguard Worker        Err(IoError::NotImplemented) => (),
*d289c2baSAndroid Build Coastguard Worker        Err(e) => return Err(e),
*d289c2baSAndroid Build Coastguard Worker    };
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn validate_vbmeta_public_key(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    public_key_data: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_length: usize,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata_length: usize,
*d289c2baSAndroid Build Coastguard Worker    out_is_trusted: *mut bool,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_validate_vbmeta_public_key(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            public_key_data,
*d289c2baSAndroid Build Coastguard Worker            public_key_length,
*d289c2baSAndroid Build Coastguard Worker            public_key_metadata,
*d289c2baSAndroid Build Coastguard Worker            public_key_metadata_length,
*d289c2baSAndroid Build Coastguard Worker            out_is_trusted,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `public_key_*` args must adhere to the requirements of `slice::from_raw_parts()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_is_trusted` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_validate_vbmeta_public_key(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    public_key_data: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_length: usize,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata_length: usize,
*d289c2baSAndroid Build Coastguard Worker    out_is_trusted: *mut bool,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(public_key_data)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_is_trusted)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_is_trusted`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_is_trusted, false) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `public_key_data` with size `public_key_length`.
*d289c2baSAndroid Build Coastguard Worker    // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker    // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let public_key = unsafe { slice::from_raw_parts(public_key_data, public_key_length) };
*d289c2baSAndroid Build Coastguard Worker    let metadata = check_nonnull(public_key_metadata).ok().map(
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker        // * libavb gives us a properly-allocated `public_key_metadata` with size
*d289c2baSAndroid Build Coastguard Worker        //   `public_key_metadata_length`.
*d289c2baSAndroid Build Coastguard Worker        // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker        // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker        |_| unsafe { slice::from_raw_parts(public_key_metadata, public_key_metadata_length) },
*d289c2baSAndroid Build Coastguard Worker    );
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    let trusted = ops.validate_vbmeta_public_key(public_key, metadata)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_is_trusted`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_is_trusted, trusted) };
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn read_rollback_index(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    rollback_index_location: usize,
*d289c2baSAndroid Build Coastguard Worker    out_rollback_index: *mut u64,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_read_rollback_index(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            rollback_index_location,
*d289c2baSAndroid Build Coastguard Worker            out_rollback_index,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_rollback_index` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_read_rollback_index(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    rollback_index_location: usize,
*d289c2baSAndroid Build Coastguard Worker    out_rollback_index: *mut u64,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_rollback_index)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_rollback_index`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_rollback_index, 0) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    let index = ops.read_rollback_index(rollback_index_location)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_rollback_index`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_rollback_index, index) };
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn write_rollback_index(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    rollback_index_location: usize,
*d289c2baSAndroid Build Coastguard Worker    rollback_index: u64,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_write_rollback_index(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            rollback_index_location,
*d289c2baSAndroid Build Coastguard Worker            rollback_index,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_write_rollback_index(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    rollback_index_location: usize,
*d289c2baSAndroid Build Coastguard Worker    rollback_index: u64,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    ops.write_rollback_index(rollback_index_location, rollback_index)
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn read_is_device_unlocked(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    out_is_unlocked: *mut bool,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe { result_to_io_enum(try_read_is_device_unlocked(ops, out_is_unlocked)) }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_is_unlocked` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_read_is_device_unlocked(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    out_is_unlocked: *mut bool,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_is_unlocked)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_is_unlocked`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_is_unlocked, false) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    let unlocked = ops.read_is_device_unlocked()?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_is_unlocked`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_is_unlocked, unlocked) };
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn get_unique_guid_for_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    guid_buf: *mut c_char,
*d289c2baSAndroid Build Coastguard Worker    guid_buf_size: usize,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_get_unique_guid_for_partition(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            partition,
*d289c2baSAndroid Build Coastguard Worker            guid_buf,
*d289c2baSAndroid Build Coastguard Worker            guid_buf_size,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// When the `uuid` feature is not enabled, this doesn't call into the user ops at all and instead
*d289c2baSAndroid Build Coastguard Worker/// gives the empty string for all partitions.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `partition` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `guid_buf` must adhere to the requirements of `slice::from_raw_parts_mut()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_get_unique_guid_for_partition(
*d289c2baSAndroid Build Coastguard Worker    #[allow(unused_variables)] ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    #[allow(unused_variables)] partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    guid_buf: *mut c_char,
*d289c2baSAndroid Build Coastguard Worker    guid_buf_size: usize,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(guid_buf)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // On some architectures `c_char` is `u8`, and on others `i8`. We make sure it's `u8` here
*d289c2baSAndroid Build Coastguard Worker    // since that's what `CStr::to_bytes_with_nul()` always provides.
*d289c2baSAndroid Build Coastguard Worker    #[allow(clippy::unnecessary_cast)]
*d289c2baSAndroid Build Coastguard Worker    let guid_buf = guid_buf as *mut u8;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `guid_buf` with size `guid_buf_size`.
*d289c2baSAndroid Build Coastguard Worker    // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker    // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let buffer = unsafe { slice::from_raw_parts_mut(guid_buf, guid_buf_size) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output buffer to the empty string.
*d289c2baSAndroid Build Coastguard Worker    //
*d289c2baSAndroid Build Coastguard Worker    // When the `uuid` feature is not selected, the user doesn't need commandline GUIDs but libavb
*d289c2baSAndroid Build Coastguard Worker    // may still attempt to inject the `vmbeta` or `boot` partition GUIDs into the commandline,
*d289c2baSAndroid Build Coastguard Worker    // depending on the verification settings. In order to satisfy libavb's requirements we must:
*d289c2baSAndroid Build Coastguard Worker    // * write a nul-terminated string to avoid undefined behavior (empty string is sufficient)
*d289c2baSAndroid Build Coastguard Worker    // * return `Ok(())` or verification will fail
*d289c2baSAndroid Build Coastguard Worker    if buffer.is_empty() {
*d289c2baSAndroid Build Coastguard Worker        return Err(IoError::Oom);
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker    buffer[0] = b'\0';
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    #[cfg(feature = "uuid")]
*d289c2baSAndroid Build Coastguard Worker    {
*d289c2baSAndroid Build Coastguard Worker        check_nonnull(partition)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker        // * libavb gives us a properly-allocated and nul-terminated `partition`.
*d289c2baSAndroid Build Coastguard Worker        // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker        // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker        let partition = unsafe { CStr::from_ptr(partition) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker        // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker        let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker        let guid = ops.get_unique_guid_for_partition(partition)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        // Write the UUID string to a uuid buffer which is guaranteed to be large enough, then use
*d289c2baSAndroid Build Coastguard Worker        // `CString` to apply nul-termination.
*d289c2baSAndroid Build Coastguard Worker        // This does allocate memory, but it's short-lived and discarded as soon as we copy the
*d289c2baSAndroid Build Coastguard Worker        // properly-terminated string back to the buffer.
*d289c2baSAndroid Build Coastguard Worker        let mut encode_buffer = Uuid::encode_buffer();
*d289c2baSAndroid Build Coastguard Worker        let guid_str = guid.as_hyphenated().encode_lower(&mut encode_buffer);
*d289c2baSAndroid Build Coastguard Worker        let guid_cstring = alloc::ffi::CString::new(guid_str.as_bytes()).or(Err(IoError::Io))?;
*d289c2baSAndroid Build Coastguard Worker        let guid_bytes = guid_cstring.to_bytes_with_nul();
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker        if buffer.len() < guid_bytes.len() {
*d289c2baSAndroid Build Coastguard Worker            // This would indicate some internal error - the uuid library needs more
*d289c2baSAndroid Build Coastguard Worker            // space to print the UUID string than libavb provided.
*d289c2baSAndroid Build Coastguard Worker            return Err(IoError::Oom);
*d289c2baSAndroid Build Coastguard Worker        }
*d289c2baSAndroid Build Coastguard Worker        buffer[..guid_bytes.len()].copy_from_slice(guid_bytes);
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn get_size_of_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    out_size_num_bytes: *mut u64,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_get_size_of_partition(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            partition,
*d289c2baSAndroid Build Coastguard Worker            out_size_num_bytes,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `partition` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_size_num_bytes` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_get_size_of_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    out_size_num_bytes: *mut u64,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(partition)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_size_num_bytes)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_size_num_bytes`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_size_num_bytes, 0) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated and nul-terminated `partition`.
*d289c2baSAndroid Build Coastguard Worker    // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker    // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let partition = unsafe { CStr::from_ptr(partition) };
*d289c2baSAndroid Build Coastguard Worker    let size = ops.get_size_of_partition(partition)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_size_num_bytes`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_size_num_bytes, size) };
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn read_persistent_value(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    name: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    buffer_size: usize,
*d289c2baSAndroid Build Coastguard Worker    out_buffer: *mut u8,
*d289c2baSAndroid Build Coastguard Worker    out_num_bytes_read: *mut usize,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_read_persistent_value(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            name,
*d289c2baSAndroid Build Coastguard Worker            buffer_size,
*d289c2baSAndroid Build Coastguard Worker            out_buffer,
*d289c2baSAndroid Build Coastguard Worker            out_num_bytes_read,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `name` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_buffer` must adhere to the requirements of `slice::from_raw_parts_mut()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_num_bytes_read` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_read_persistent_value(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    name: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    buffer_size: usize,
*d289c2baSAndroid Build Coastguard Worker    out_buffer: *mut u8,
*d289c2baSAndroid Build Coastguard Worker    out_num_bytes_read: *mut usize,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(name)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_num_bytes_read)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_num_bytes_read`.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::write(out_num_bytes_read, 0) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated and nul-terminated `name`.
*d289c2baSAndroid Build Coastguard Worker    // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker    // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let name = unsafe { CStr::from_ptr(name) };
*d289c2baSAndroid Build Coastguard Worker    let mut empty: [u8; 0] = [];
*d289c2baSAndroid Build Coastguard Worker    let value = match out_buffer.is_null() {
*d289c2baSAndroid Build Coastguard Worker        // NULL buffer => empty slice, used to just query the value size.
*d289c2baSAndroid Build Coastguard Worker        true => &mut empty,
*d289c2baSAndroid Build Coastguard Worker        false => {
*d289c2baSAndroid Build Coastguard Worker            // SAFETY:
*d289c2baSAndroid Build Coastguard Worker            // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker            // * libavb gives us a properly-allocated `out_buffer` with size `buffer_size`.
*d289c2baSAndroid Build Coastguard Worker            // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker            // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker            unsafe { slice::from_raw_parts_mut(out_buffer, buffer_size) }
*d289c2baSAndroid Build Coastguard Worker        }
*d289c2baSAndroid Build Coastguard Worker    };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    let result = ops.read_persistent_value(name, value);
*d289c2baSAndroid Build Coastguard Worker    // On success or insufficient space we need to write the property size back.
*d289c2baSAndroid Build Coastguard Worker    if let Ok(size) | Err(IoError::InsufficientSpace(size)) = result {
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker        // * libavb gives us a properly-allocated `out_num_bytes_read`.
*d289c2baSAndroid Build Coastguard Worker        unsafe { ptr::write(out_num_bytes_read, size) };
*d289c2baSAndroid Build Coastguard Worker    };
*d289c2baSAndroid Build Coastguard Worker    // We've written the size back and can drop it now.
*d289c2baSAndroid Build Coastguard Worker    result.map(|_| ())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn write_persistent_value(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    name: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    value_size: usize,
*d289c2baSAndroid Build Coastguard Worker    value: *const u8,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe { result_to_io_enum(try_write_persistent_value(ops, name, value_size, value)) }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `name` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_buffer` must adhere to the requirements of `slice::from_raw_parts()`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_write_persistent_value(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    name: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    value_size: usize,
*d289c2baSAndroid Build Coastguard Worker    value: *const u8,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(name)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated and nul-terminated `name`.
*d289c2baSAndroid Build Coastguard Worker    // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker    // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let name = unsafe { CStr::from_ptr(name) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    if value_size == 0 {
*d289c2baSAndroid Build Coastguard Worker        ops.erase_persistent_value(name)
*d289c2baSAndroid Build Coastguard Worker    } else {
*d289c2baSAndroid Build Coastguard Worker        check_nonnull(value)?;
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker        // * libavb gives us a properly-allocated `value` with size `value_size`.
*d289c2baSAndroid Build Coastguard Worker        // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker        // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker        let value = unsafe { slice::from_raw_parts(value, value_size) };
*d289c2baSAndroid Build Coastguard Worker        ops.write_persistent_value(name, value)
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn validate_public_key_for_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    public_key_data: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_length: usize,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata_length: usize,
*d289c2baSAndroid Build Coastguard Worker    out_is_trusted: *mut bool,
*d289c2baSAndroid Build Coastguard Worker    out_rollback_index_location: *mut u32,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        result_to_io_enum(try_validate_public_key_for_partition(
*d289c2baSAndroid Build Coastguard Worker            ops,
*d289c2baSAndroid Build Coastguard Worker            partition,
*d289c2baSAndroid Build Coastguard Worker            public_key_data,
*d289c2baSAndroid Build Coastguard Worker            public_key_length,
*d289c2baSAndroid Build Coastguard Worker            public_key_metadata,
*d289c2baSAndroid Build Coastguard Worker            public_key_metadata_length,
*d289c2baSAndroid Build Coastguard Worker            out_is_trusted,
*d289c2baSAndroid Build Coastguard Worker            out_rollback_index_location,
*d289c2baSAndroid Build Coastguard Worker        ))
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `ops` must have been created via `OpsBridge`.
*d289c2baSAndroid Build Coastguard Worker/// * `partition` must adhere to the requirements of `CStr::from_ptr()`.
*d289c2baSAndroid Build Coastguard Worker/// * `public_key_*` args must adhere to the requirements of `slice::from_raw_parts()`.
*d289c2baSAndroid Build Coastguard Worker/// * `out_*` must adhere to the requirements of `ptr::write()`.
*d289c2baSAndroid Build Coastguard Worker#[allow(clippy::too_many_arguments)] // Mirroring libavb C API.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_validate_public_key_for_partition(
*d289c2baSAndroid Build Coastguard Worker    ops: *mut AvbOps,
*d289c2baSAndroid Build Coastguard Worker    partition: *const c_char,
*d289c2baSAndroid Build Coastguard Worker    public_key_data: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_length: usize,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata: *const u8,
*d289c2baSAndroid Build Coastguard Worker    public_key_metadata_length: usize,
*d289c2baSAndroid Build Coastguard Worker    out_is_trusted: *mut bool,
*d289c2baSAndroid Build Coastguard Worker    out_rollback_index_location: *mut u32,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(partition)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(public_key_data)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_is_trusted)?;
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(out_rollback_index_location)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // Initialize the output variables first in case something fails.
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointers are non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_*`.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        ptr::write(out_is_trusted, false);
*d289c2baSAndroid Build Coastguard Worker        ptr::write(out_rollback_index_location, 0);
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `ops` objects created via `OpsBridge` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let ops = unsafe { as_ops(ops) }?;
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated and nul-terminated `partition`.
*d289c2baSAndroid Build Coastguard Worker    // * the string contents are not modified while the returned `&CStr` exists.
*d289c2baSAndroid Build Coastguard Worker    // * the returned `&CStr` is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let partition = unsafe { CStr::from_ptr(partition) };
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `public_key_data` with size `public_key_length`.
*d289c2baSAndroid Build Coastguard Worker    // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker    // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let public_key = unsafe { slice::from_raw_parts(public_key_data, public_key_length) };
*d289c2baSAndroid Build Coastguard Worker    let metadata = check_nonnull(public_key_metadata).ok().map(
*d289c2baSAndroid Build Coastguard Worker        // SAFETY:
*d289c2baSAndroid Build Coastguard Worker        // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker        // * libavb gives us a properly-allocated `public_key_metadata` with size
*d289c2baSAndroid Build Coastguard Worker        //   `public_key_metadata_length`.
*d289c2baSAndroid Build Coastguard Worker        // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker        // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker        |_| unsafe { slice::from_raw_parts(public_key_metadata, public_key_metadata_length) },
*d289c2baSAndroid Build Coastguard Worker    );
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    let key_info = ops.validate_public_key_for_partition(partition, public_key, metadata)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointers are non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `out_*`.
*d289c2baSAndroid Build Coastguard Worker    unsafe {
*d289c2baSAndroid Build Coastguard Worker        ptr::write(out_is_trusted, key_info.trusted);
*d289c2baSAndroid Build Coastguard Worker        ptr::write(
*d289c2baSAndroid Build Coastguard Worker            out_rollback_index_location,
*d289c2baSAndroid Build Coastguard Worker            key_info.rollback_index_location,
*d289c2baSAndroid Build Coastguard Worker        );
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn read_permanent_attributes(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    attributes: *mut AvbCertPermanentAttributes,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    result_to_io_enum(
*d289c2baSAndroid Build Coastguard Worker        // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker        unsafe { try_read_permanent_attributes(cert_ops, attributes) },
*d289c2baSAndroid Build Coastguard Worker    )
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `cert_ops` must have been created via `ScopedAvbOps`.
*d289c2baSAndroid Build Coastguard Worker/// * `attributes` must be a valid `AvbCertPermanentAttributes` that we have exclusive access to.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_read_permanent_attributes(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    attributes: *mut AvbCertPermanentAttributes,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: `attributes` is a valid object provided by libavb that we have exclusive access to.
*d289c2baSAndroid Build Coastguard Worker    let attributes = unsafe { attributes.as_mut() }.ok_or(IoError::Io)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `cert_ops` objects created via `ScopedAvbOps` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `cert_ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let cert_ops = unsafe { as_cert_ops(cert_ops) }?;
*d289c2baSAndroid Build Coastguard Worker    cert_ops.read_permanent_attributes(attributes)
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to raw `AvbIOResult` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn read_permanent_attributes_hash(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    hash: *mut u8,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    result_to_io_enum(
*d289c2baSAndroid Build Coastguard Worker        // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker        unsafe { try_read_permanent_attributes_hash(cert_ops, hash) },
*d289c2baSAndroid Build Coastguard Worker    )
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `cert_ops` must have been created via `ScopedAvbOps`.
*d289c2baSAndroid Build Coastguard Worker/// * `hash` must point to a valid buffer of size `SHA256_DIGEST_SIZE` that we have exclusive
*d289c2baSAndroid Build Coastguard Worker///   access to.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_read_permanent_attributes_hash(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    hash: *mut u8,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(hash)?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `cert_ops` objects created via `ScopedAvbOps` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `cert_ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let cert_ops = unsafe { as_cert_ops(cert_ops) }?;
*d289c2baSAndroid Build Coastguard Worker    let provided_hash = cert_ops.read_permanent_attributes_hash()?;
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * `provided_hash` is a valid `[u8]` with size `SHA256_DIGEST_SIZE`.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `hash` with size `SHA256_DIGEST_SIZE`.
*d289c2baSAndroid Build Coastguard Worker    // * the arrays are independent objects and cannot overlap.
*d289c2baSAndroid Build Coastguard Worker    unsafe { ptr::copy_nonoverlapping(provided_hash.as_ptr(), hash, SHA256_DIGEST_SIZE) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to `None` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn set_key_version(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    rollback_index_location: usize,
*d289c2baSAndroid Build Coastguard Worker    key_version: u64,
*d289c2baSAndroid Build Coastguard Worker) {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker    let result = unsafe { try_set_key_version(cert_ops, rollback_index_location, key_version) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // `set_key_version()` is unique in that it has no return value, and therefore cannot fail.
*d289c2baSAndroid Build Coastguard Worker    // However, our internal C -> Rust logic does have some potential failure points when we unwrap
*d289c2baSAndroid Build Coastguard Worker    // the C pointers to extract our Rust objects.
*d289c2baSAndroid Build Coastguard Worker    //
*d289c2baSAndroid Build Coastguard Worker    // Ignoring the error could be a security risk, as it would silently prevent the device from
*d289c2baSAndroid Build Coastguard Worker    // updating key rollback versions, so instead we panic here.
*d289c2baSAndroid Build Coastguard Worker    if let Err(e) = result {
*d289c2baSAndroid Build Coastguard Worker        panic!("Fatal error in set_key_version(): {:?}", e);
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// `cert_ops` must have been created via `ScopedAvbOps`.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_set_key_version(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    rollback_index_location: usize,
*d289c2baSAndroid Build Coastguard Worker    key_version: u64,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `cert_ops` objects created via `ScopedAvbOps` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `cert_ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let cert_ops = unsafe { as_cert_ops(cert_ops) }?;
*d289c2baSAndroid Build Coastguard Worker    cert_ops.set_key_version(rollback_index_location, key_version);
*d289c2baSAndroid Build Coastguard Worker    Ok(())
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Wraps a callback to convert the given `IoResult<>` to `None` for libavb.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// See corresponding `try_*` function docs.
*d289c2baSAndroid Build Coastguard Workerunsafe extern "C" fn get_random(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    num_bytes: usize,
*d289c2baSAndroid Build Coastguard Worker    output: *mut u8,
*d289c2baSAndroid Build Coastguard Worker) -> AvbIOResult {
*d289c2baSAndroid Build Coastguard Worker    result_to_io_enum(
*d289c2baSAndroid Build Coastguard Worker        // SAFETY: see corresponding `try_*` function safety documentation.
*d289c2baSAndroid Build Coastguard Worker        unsafe { try_get_random(cert_ops, num_bytes, output) },
*d289c2baSAndroid Build Coastguard Worker    )
*d289c2baSAndroid Build Coastguard Worker}
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker/// Bounces the C callback into the user-provided Rust implementation.
*d289c2baSAndroid Build Coastguard Worker///
*d289c2baSAndroid Build Coastguard Worker/// # Safety
*d289c2baSAndroid Build Coastguard Worker/// * `cert_ops` must have been created via `ScopedAvbOps`.
*d289c2baSAndroid Build Coastguard Worker/// * `output` must point to a valid buffer of size `num_bytes` that we have exclusive access to.
*d289c2baSAndroid Build Coastguard Workerunsafe fn try_get_random(
*d289c2baSAndroid Build Coastguard Worker    cert_ops: *mut AvbCertOps,
*d289c2baSAndroid Build Coastguard Worker    num_bytes: usize,
*d289c2baSAndroid Build Coastguard Worker    output: *mut u8,
*d289c2baSAndroid Build Coastguard Worker) -> IoResult<()> {
*d289c2baSAndroid Build Coastguard Worker    check_nonnull(output)?;
*d289c2baSAndroid Build Coastguard Worker    if num_bytes == 0 {
*d289c2baSAndroid Build Coastguard Worker        return Ok(());
*d289c2baSAndroid Build Coastguard Worker    }
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we've checked that the pointer is non-NULL.
*d289c2baSAndroid Build Coastguard Worker    // * libavb gives us a properly-allocated `output` with size `num_bytes`.
*d289c2baSAndroid Build Coastguard Worker    // * we only access the contents via the returned slice.
*d289c2baSAndroid Build Coastguard Worker    // * the returned slice is not held past the scope of this callback.
*d289c2baSAndroid Build Coastguard Worker    let output = unsafe { slice::from_raw_parts_mut(output, num_bytes) };
*d289c2baSAndroid Build Coastguard Worker
*d289c2baSAndroid Build Coastguard Worker    // SAFETY:
*d289c2baSAndroid Build Coastguard Worker    // * we only use `cert_ops` objects created via `ScopedAvbOps` as required.
*d289c2baSAndroid Build Coastguard Worker    // * `cert_ops` is only extracted once and is dropped at the end of the callback.
*d289c2baSAndroid Build Coastguard Worker    let cert_ops = unsafe { as_cert_ops(cert_ops) }?;
*d289c2baSAndroid Build Coastguard Worker    cert_ops.get_random(output)
*d289c2baSAndroid Build Coastguard Worker}