Add support for policy modules #194

Merged
merged 2 commits into from
Sep 17, 2024

Commits on Sep 17, 2024

  1. Introduce proc macro to select a type from an environment variable

    This allows removing the `#[cfg]` guards for the platforms and (in the
    future) for the policy modules. The problem with `#[cfg]` guards is that
    they don't scale well with the number of choices, and introduce
    bug-prone conditional compilation which we only really need for the
    architecture-dependent assembly.
    
    The new `select_env` proc macro takes the name of an environment
    variable, and then matches its value against a list of possible values.
    It then replaces the macro invocation with the patch of the matching
    arm.
    CharlyCst committed Sep 17, 2024
    3da49ed
  2. Add initial support for policy modules

    This patch adds bare-bones support for policy modules in Miralis. Policy
    modules are a new mechanism to define policies that should be enforced
    by Miralis. By default Miralis does not isolate the rest of the system
    from the virtualized firmware, therefore does not provide any security
    guarantee on its own.
    As different systems require different isolation policies (e.g. protect
    VMs or user-level enclaves) we add a new modular mechanism to define
    policies within Miralis through Policy Modules. A policy module simply
    implements the trait and can be selected through our config mechanism.
    In multiple places of Miralis we will add hooks that can be leveraged by
    policy modules to interpose on some events, enabling the definition of
    custom policies.
    
    This patch introduces two policy modules: the default policy which
    provides no further isolation, and the Keystone policy which is
    currently a placeholder but will be used in the future to implement the
    Keystone ABI and policies. As of this commit it is possible to run a
    firmware with the Keystone policy using:
    
    ```
    just run default config/qemu-keystone.toml
    ```
    CharlyCst committed Sep 17, 2024
    30cd0af
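
The hook mechanism described in the second commit message, as an added Rust sketch that is not Miralis code: the trait, the event and policy names and the protected address range are all assumptions made for illustration. The compile-time choice of policy is shown with a generic parameter standing in for the `select_env` macro.

```rust
// Added illustration: every name here is hypothetical, not Miralis' actual API.
/// Events on which the monitor lets the active policy interpose.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Event {
    FirmwareMemAccess { addr: usize }, // virtualized firmware touches physical memory
    FirmwarePrivInstr,                 // virtualized firmware runs a privileged instruction
}

#[derive(Debug, PartialEq)]
pub enum Outcome { Emulated, Blocked }

/// A policy module implements one trait; each method is a hook.
pub trait PolicyModule {
    /// Return `true` to let the monitor proceed, `false` to block the event.
    fn allow(&mut self, event: Event) -> bool;
}

/// Default policy: no further isolation, every event is allowed.
pub struct DefaultPolicy;
impl PolicyModule for DefaultPolicy {
    fn allow(&mut self, _event: Event) -> bool { true }
}

/// Constructed policy: hide the half-open range [start, end) from the firmware.
pub struct ProtectRegion { pub start: usize, pub end: usize, pub denied: u64 }
impl PolicyModule for ProtectRegion {
    fn allow(&mut self, event: Event) -> bool {
        let hit = matches!(event,
            Event::FirmwareMemAccess { addr } if (self.start..self.end).contains(&addr));
        self.denied += hit as u64; // count denials so they can be audited
        !hit
    }
}

/// The monitor is generic over the policy, so the choice is a type fixed at
/// compile time rather than a set of `#[cfg]` guards.
pub struct Monitor<P: PolicyModule> { pub policy: P }
impl<P: PolicyModule> Monitor<P> {
    pub fn handle(&mut self, event: Event) -> Outcome {
        // Hook: the policy sees the event before the default handling runs.
        if self.policy.allow(event) { Outcome::Emulated } else { Outcome::Blocked }
    }
}

fn main() {
    let region = ProtectRegion { start: 0x8020_0000, end: 0x8040_0000, denied: 0 };
    let mut m = Monitor { policy: region };
    println!("{:?}", m.handle(Event::FirmwareMemAccess { addr: 0x8020_1000 }));
}
```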