
   1  package main
   2  
   3  import (
   4  	"os"
   5  	"runtime"
   6  	"unsafe"
   7  )
   8  
   9  // Milestone-3 verification: first-class spawn lockdown channel.
  10  //
  11  // The parent uses the actual `spawn` keyword (not bare fork) to create
  12  // a child domain. spawnDomain creates the lockdown pipe and routes the
  13  // child's secalloc handler to the write end automatically — no manual
  14  // SetSecureLockdownFd call in user code. The parent retrieves the read
  15  // fd via runtime.LastSpawnedLockdownFd().
  16  //
  17  // The parent's read on the lockdown fd is what synchronizes with the
  18  // child: it blocks until the child writes the marker (on guard-page
  19  // fault) or the pipe closes (if the child exits without faulting).
  20  //
  21  // Verifies:
  22  //   - parent stdout contains LOCKDOWN_VIA_SPAWN_RECEIVED
  23  //   - the raw secret pattern does not appear anywhere
  24  //   - parent stderr does not contain MOXIE_SECALLOC_LOCKDOWN
  25  //     (the marker should have travelled via the inherited pipe, not stderr)
  26  
// childDomain is the function handed to spawn in main. It writes progress
// markers to stdout, copies a known 32-byte pattern into a secure
// allocation, and then deliberately reads past that allocation so the
// guard page faults.
//
// Per the file header, the expected outcome is that the read faults: the
// two writes after it never run and the pattern never appears in any output.
func childDomain() {
	os.Stdout.Write([]byte("CHILD_START\n"))
	// 32-byte slice requested with the `secure` allocation option.
	secret := []byte{:32, secure}
	os.Stdout.Write([]byte("CHILD_ALLOCATED\n"))
	// The pattern is exactly 32 bytes, so copy fills the whole allocation.
	pattern := []byte("MOXIE_SECRET_PAYLOAD_32_BYTES_AA")
	copy(secret, pattern)
	os.Stdout.Write([]byte("CHILD_COPIED\n"))

	// Trip the trailing guard page exactly as the M1/M2 tests do.
	// NOTE(review): the fixed 4096-byte offset presumably assumes a 4 KiB
	// page with the guard page within that distance of secret[0]; confirm
	// on targets with a larger page size.
	ptr := (*byte)(unsafe.Add(unsafe.Pointer(&secret[0]), 4096))
	// Deliberate out-of-bounds read; the resulting fault is the event under test.
	sink := *ptr
	// Reached only if the read above did not fault. In that case one byte
	// from beyond the allocation is written to stdout, followed by the
	// UNREACHABLE marker (presumably so a harness can spot the missing fault).
	os.Stdout.Write([]byte{sink})
	os.Stdout.Write([]byte("UNREACHABLE\n"))
}
  41  
// main spawns childDomain, fetches the read end of the lockdown pipe from
// the runtime, and checks that the MOXIE_SECALLOC_LOCKDOWN marker arrives
// on it. It prints LOCKDOWN_VIA_SPAWN_RECEIVED to stdout on success; on any
// failure it writes a FAIL line to stderr and exits with status 1.
func main() {
	// spawn returns a chan struct{} lifecycle handle. Bind it to a
	// typed local — discarding directly with `_ =` triggers an SSA
	// builder mismatch in the spawn intrinsic.
	done := spawn(childDomain)
	_ = done

	// A negative value is treated as "spawn set up no lockdown channel".
	fd := runtime.LastSpawnedLockdownFd()
	if fd < 0 {
		os.Stderr.Write([]byte("FAIL: spawn did not provide a lockdown fd\n"))
		os.Exit(1)
	}

	// Wrap the raw descriptor in an os.File so it can be read.
	rf := os.NewFile(uintptr(fd), "lockdown")
	buf := make([]byte, 64)
	// One blocking read of at most 64 bytes. The error is discarded, so a
	// read failure and a pipe closed without data both surface only as
	// n <= 0 below and produce the same FAIL message.
	// NOTE(review): a marker split across two reads would be reported as
	// missing; presumably the child's handler emits it in a single write —
	// confirm.
	n, _ := rf.Read(buf)

	if n <= 0 {
		os.Stderr.Write([]byte("FAIL: lockdown pipe yielded no bytes\n"))
		os.Exit(1)
	}

	// Byte-wise substring search for marker within the bytes actually read.
	// The received bytes are only compared here; they are never copied to
	// stdout or stderr, so whatever the child sent cannot leak via the parent.
	marker := []byte("MOXIE_SECALLOC_LOCKDOWN")
	got := buf[:n]
	found := false
	for i := 0; i+len(marker) <= len(got); i++ {
		eq := true
		for j := 0; j < len(marker); j++ {
			if got[i+j] != marker[j] {
				eq = false
				break
			}
		}
		if eq {
			found = true
			break
		}
	}

	// Report the result using fixed strings only.
	if found {
		os.Stdout.Write([]byte("LOCKDOWN_VIA_SPAWN_RECEIVED\n"))
	} else {
		os.Stderr.Write([]byte("FAIL: pipe data missing marker\n"))
		os.Exit(1)
	}
}
  88