Lock APOB state machine on unapproved messages

Author: mkeeter

drv/cosmo-hf/src/apob.rs

@@ -620,6 +620,19 @@ impl ApobState {
         Ok(data.len())
     }
 
+    pub(crate) fn lock(&mut self) {
+        match *self {
+            ApobState::Ready { .. } | ApobState::Waiting { .. } => {
+                *self = ApobState::Locked {
+                    commit_result: Err(ApobCommitError::InvalidState),
+                };
+            }
+            ApobState::Locked { .. } => {
+                // Nothing to do here
+            }
+        }
+    }
+
     pub(crate) fn commit(
         &mut self,
         drv: &mut FlashDriver,

drv/cosmo-hf/src/hf.rs

@@ -537,6 +537,14 @@ impl idl::InOrderHostFlashImpl for ServerImpl {
             .map_err(RequestError::from)
     }
 
+    fn apob_lock(
+        &mut self,
+        _: &RecvMessage,
+    ) -> Result<(), RequestError<core::convert::Infallible>> {
+        self.apob_state.lock();
+        Ok(())
+    }
+
     fn apob_read(
         &mut self,
         _: &RecvMessage,
@@ -989,6 +997,14 @@ impl idl::InOrderHostFlashImpl for FailServer {
         Err(drv_hf_api::ApobCommitError::InvalidState.into())
     }
 
+    fn apob_lock(
+        &mut self,
+        _: &RecvMessage,
+    ) -> Result<(), RequestError<core::convert::Infallible>> {
+        // Locking is tautological if we're running the error server
+        Ok(())
+    }
+
     fn apob_read(
         &mut self,
         _: &RecvMessage,

drv/gimlet-hf-server/src/main.rs

@@ -940,6 +940,13 @@ impl idl::InOrderHostFlashImpl for ServerImpl {
         Err(drv_hf_api::ApobCommitError::NotImplemented.into())
     }
 
+    fn apob_lock(
+        &mut self,
+        _: &RecvMessage,
+    ) -> Result<(), RequestError<core::convert::Infallible>> {
+        Err(drv_hf_api::ApobCommitError::NotImplemented.into())
+    }
+
     fn apob_read(
         &mut self,
         _: &RecvMessage,
@@ -1166,6 +1173,13 @@ impl idl::InOrderHostFlashImpl for FailServer {
         Err(drv_hf_api::ApobCommitError::NotImplemented.into())
     }
 
+    fn apob_lock(
+        &mut self,
+        _: &RecvMessage,
+    ) -> Result<(), RequestError<core::convert::Infallible>> {
+        Err(drv_hf_api::ApobCommitError::NotImplemented.into())
+    }
+
     fn apob_read(
         &mut self,
         _: &RecvMessage,

drv/mock-gimlet-hf-server/src/main.rs

@@ -264,6 +264,13 @@ impl idl::InOrderHostFlashImpl for ServerImpl {
         Err(drv_hf_api::ApobCommitError::NotImplemented.into())
     }
 
+    fn apob_lock(
+        &mut self,
+        _: &RecvMessage,
+    ) -> Result<(), RequestError<core::convert::Infallible>> {
+        Err(drv_hf_api::ApobCommitError::NotImplemented.into())
+    }
+
     fn apob_read(
         &mut self,
         _: &RecvMessage,

idl/hf.idol

@@ -286,6 +286,11 @@ Interface(
             ),
             idempotent: true,
         ),
+        "apob_lock": (
+            description: "locks the APOB state machine",
+            reply: Simple("()"),
+            idempotent: true,
+        ),
         "apob_read": (
             description: "reads from the current APOB slot",
             args: {

task/host-sp-comms/src/main.rs

@@ -822,6 +822,27 @@ impl ServerImpl {
             self.tx_buf.reset();
         }
 
+        // If we receive an out-of-sequence message, then lock the APOB state
+        // machine.  This makes it harder for malicious hosts to exfiltrate
+        // data via the host flash APOB slots.
+        match request {
+            HostToSp::KeyLookup { .. }
+            | HostToSp::GetBootStorageUnit
+            | HostToSp::GetIdentity
+            | HostToSp::GetStatus
+            | HostToSp::AckSpStart
+            | HostToSp::ApobBegin { .. }
+            | HostToSp::ApobData { .. }
+            | HostToSp::ApobRead { .. }
+            | HostToSp::ApobCommit => {
+                // These are explicitly allowed
+            }
+            _ => {
+                // Anything not allowed is prohibited!
+                self.hf.apob_lock();
+            }
+        }
+
         // We defer any actions until after we've serialized our response to
         // avoid borrow checker issues with calling methods on `self`.
         let mut action = None;