lib-handoff

A thin, no-policy Rust crate for EriX handoff structures used in early boot and early userspace bootstrap.

This crate defines shared wire-level structs, constants, enums, and validation helpers for:

  • bootloader -> kernel
  • kernel -> root task
  • root task -> critical services

It exists to keep handoff schemas centralized and versioned across repos.


Scope

lib-handoff is intentionally minimal:

  • shared struct definitions for handoff headers/tables/messages
  • version/magic constants and role/type identifiers
  • checked size/bounds helpers for parsing and validation
  • optional encode/decode helpers for little-endian fixed-layout fields

Non-goals

  • No boot media parsing (boot.img is handled by lib-bootimg)
  • No ELF parsing (lib-elf handles executable structure)
  • No authority policy decisions (kernel/root own policy)
  • No scheduler, IPC router, or service lifecycle logic
  • No dynamic schema negotiation in v1

Why this crate exists

Without a shared crate, each stage would re-define the same handoff layout, causing drift and compatibility bugs.

lib-handoff provides one canonical representation used by:

  • bootloader (producer for BL -> Kernel handoff)
  • kernel (consumer of BL handoff, producer of Kernel -> Root handoff)
  • root_task / early service launcher (consumer/producer for Root -> Services startup messages)
  • test tooling and fixtures

Normative specs

These documents define the protocol semantics and invariants:

  • ../docs/handoff/bl-to-kernel.md
  • ../docs/handoff/kernel-to-root.md
  • ../docs/handoff/root-to-services.md

This crate implements those structures; docs remain normative.


Design principles

  • Thin wrapper only: represent protocol, do not embed boot policy.
  • Version-first: every handoff starts with magic + major/minor version.
  • Deterministic layout: fixed-size records where practical, little-endian fields.
  • Checked arithmetic: offset/size calculations must never overflow.
  • Portability: shared semantic fields are architecture/platform neutral; ABI transport details stay in adapters.
  • Zero external crates: clean-room dependency policy.

Expected API surface (v1)

Illustrative module split (final names may vary):

  • bl_kernel:
    • BlKernelHandoffHeaderV1
    • BlKernelMemRegionV1
    • BlKernelModuleV1
  • kernel_root:
    • KernelRootInfoHeaderV1
    • KernelRootModuleDescV1
    • KernelRootUntypedDescV1
  • root_services:
    • RootServiceStartEnvelopeV1
    • service role constants
  • version:
    • magic/version constants
    • compatibility helpers
  • validate:
    • bounds/table checks
    • entry-size/count checks

Invariants

If a handoff buffer is accepted by crate validation helpers:

  • magic and version fields are recognized
  • header/table offsets and lengths are in-bounds
  • entry sizes match expected versioned layout
  • count * entry_size arithmetic is overflow-safe
  • required reserved fields satisfy v1 rules

Semantic policy checks (for example required module presence, required capability sets, launch policy) remain with caller components.

Security model

lib-handoff is in the trusted bootstrap chain and should be treated as TCB-adjacent.

Threat model and requirements:

  • input buffers may be malformed or adversarial: a consumer must not assume the producing stage wrote them correctly
  • no panic path (out-of-bounds index or slice, arithmetic overflow, unwrap on malformed data) may be reachable from input bytes
  • acceptance by the validation helpers implies structural safety, never policy correctness

Testing strategy

  • Positive fixture tests for valid v1 handoffs
  • Negative tests for:
    • wrong magic/version
    • out-of-bounds offsets
    • integer overflow in table math
    • malformed entry size/count combinations
  • Cross-repo compatibility tests (producer bytes match consumer decode)
  • Determinism tests (same input bytes -> same parse result)
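The following is an added illustration of the structural checks listed under Invariants, the no-panic requirement under Security model and the negative cases under Testing strategy. It is not lib-handoff's own code, and the module names in Expected API surface may differ. It assumes a hypothetical 24-byte v1 header (magic, major, minor, table_offset, entry_count, entry_size, reserved) followed by 24-byte memory-region entries; the magic value "XHBK", the field offsets and the entry layout are assumptions made for this example, not the layout defined in docs/handoff:

```rust
// Added example, not lib-handoff's own code. Magic, field offsets and the
// entry layout are assumptions for illustration, not the normative schema.
use std::convert::{TryFrom, TryInto};

pub const MAGIC: [u8; 4] = *b"XHBK"; // assumed
pub const MAJOR_V1: u16 = 1;
pub const HEADER_LEN_V1: usize = 24; // assumed header size
pub const MEM_REGION_LEN_V1: u32 = 24; // assumed entry size

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HandoffError {
    TooShort,
    BadMagic,
    UnsupportedMajor(u16),
    ReservedNonZero,
    EntrySizeMismatch { found: u32, expected: u32 },
    Overflow,
    OutOfBounds,
}

/// Header fields returned once the buffer passes structural validation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct HeaderV1 {
    pub minor: u16,
    pub table_offset: u32,
    pub entry_count: u32,
    pub entry_size: u32,
}

/// Assumed entry layout: base u64, len u64, kind u32, reserved u32.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct MemRegionV1 {
    pub base: u64,
    pub len: u64,
    pub kind: u32,
}

// Bounds-checked fixed-size read; None instead of a panic on short input.
fn field<const N: usize>(b: &[u8], off: usize) -> Option<[u8; N]> {
    b.get(off..off.checked_add(N)?)?.try_into().ok()
}

/// Structural validation only. Ok means: magic and major recognised, reserved
/// zero, entry_size matches v1, count * entry_size and offset + length did not
/// overflow, and the table lies inside `buf`. Region policy stays with the caller.
pub fn validate_v1(buf: &[u8]) -> Result<HeaderV1, HandoffError> {
    use HandoffError::*;
    if buf.get(0..4).ok_or(TooShort)? != &MAGIC[..] {
        return Err(BadMagic);
    }
    let u16_at = |off| field::<2>(buf, off).map(u16::from_le_bytes).ok_or(TooShort);
    let u32_at = |off| field::<4>(buf, off).map(u32::from_le_bytes).ok_or(TooShort);
    let (major, minor) = (u16_at(4)?, u16_at(6)?);
    let (table_offset, entry_count) = (u32_at(8)?, u32_at(12)?);
    let (entry_size, reserved) = (u32_at(16)?, u32_at(20)?);
    if major != MAJOR_V1 {
        return Err(UnsupportedMajor(major));
    }
    if reserved != 0 {
        return Err(ReservedNonZero);
    }
    if entry_size != MEM_REGION_LEN_V1 {
        return Err(EntrySizeMismatch { found: entry_size, expected: MEM_REGION_LEN_V1 });
    }
    // Checked arithmetic: a huge entry_count must fail here, not wrap to a small table.
    let table_len = entry_count.checked_mul(entry_size).ok_or(Overflow)?;
    let end = table_offset.checked_add(table_len).ok_or(Overflow)?;
    if usize::try_from(end).map_err(|_| Overflow)? > buf.len() {
        return Err(OutOfBounds);
    }
    Ok(HeaderV1 { minor, table_offset, entry_count, entry_size })
}

/// Decode entry `i` of a validated table; None past the end or on a short read.
pub fn mem_region(buf: &[u8], h: &HeaderV1, i: u32) -> Option<MemRegionV1> {
    if i >= h.entry_count {
        return None;
    }
    let off = usize::try_from(h.table_offset.checked_add(i.checked_mul(h.entry_size)?)?).ok()?;
    Some(MemRegionV1 {
        base: u64::from_le_bytes(field(buf, off)?),
        len: u64::from_le_bytes(field(buf, off.checked_add(8)?)?),
        kind: u32::from_le_bytes(field(buf, off.checked_add(16)?)?),
    })
}

/// Constructed fixture (not captured boot output): v1 header + region entries.
pub fn build_fixture(regions: &[(u64, u64, u32)]) -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&MAGIC);
    for w in [MAJOR_V1, 0u16].iter() {
        v.extend_from_slice(&w.to_le_bytes()); // major, minor
    }
    for w in [HEADER_LEN_V1 as u32, regions.len() as u32, MEM_REGION_LEN_V1, 0].iter() {
        v.extend_from_slice(&w.to_le_bytes()); // table_offset, entry_count, entry_size, reserved
    }
    for &(base, len, kind) in regions {
        v.extend_from_slice(&base.to_le_bytes());
        v.extend_from_slice(&len.to_le_bytes());
        v.extend_from_slice(&kind.to_le_bytes());
        v.extend_from_slice(&0u32.to_le_bytes()); // entry reserved
    }
    v
}

fn main() {
    let good = build_fixture(&[(0, 0x8_0000, 1), (0x10_0000, 0x400_0000, 2)]);
    println!("{:?}", validate_v1(&good).map(|h| mem_region(&good, &h, 1)));
}
```

Every read of attacker-controlled bytes goes through a bounds-returning accessor and every offset is computed with checked arithmetic, so the only way out of validate_v1 is an Ok header or a typed error, never a panic; the same function is a ready fuzz target. Negative cases (wrong magic, unsupported major, non-zero reserved, entry-size mismatch, count * entry_size overflow, table past the end of the buffer) are built by patching single fields of the constructed fixture, which is how the negative tests in this README's Testing strategy can be written without hand-assembling bytes.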

Dependencies

  • External crates: none
  • Internal dependencies: minimal; prefer no dependency where possible

See clean-room policy in ../docs/policies/no-external-code.md.

Status

Early development.

Protocol docs exist in docs/handoff (see Normative specs above); this crate is the implementation layer for those schemas. The current root -> services v1 role constants are memd = 1, vspaced = 2, pagerd = 3 and procd = 4; values >= 1024 are extension roles.

License

ISC. See LICENSE.