Add APOB messages to host_sp_comms

[mkeeter]

Implements the state machine described in RFD 593

See https://github.com/oxidecomputer/stlouis/issues/707, https://github.com/oxidecomputer/rfd/pull/855 , oxidecomputer/amd-host-image-builder#222

[jgallagher]

Could this fail if there's a blip in the IPCC path and the host resends an APOB request? (I'm not sure what the expectations are for the offsets the host is providing.)

[mkeeter]

This has changed a bunch since February; messages should now all be idempotent.

[hawkw]

Some mostly kind of annoying nitpicks.

[rmustacc]

So we need something in the broader API to discover what the erase size granularity is or at least make sure that we're sending stuff that is page size aligned. This gets to what @jgallagher gets at below. But if the host sent things that wasn't page aligned then we'd erase the entire page because our API is not doing a read-modify-write.

[mkeeter]

This has all changed now – we ensure that the to-be-written page is erased when the state machine starts, and writes are idempotent.

[labbott]

Will probably do another pass later

[labbott]

assert becomes panic, is that the behavior we want here?

[mkeeter]

I think so; the only way this should panic is if someone has broken the code in a dramatic way (e.g. editing the implementation of is_valid so that previously valid data is no longer valid).

[mkeeter]

But this is also copied from HfRawPersistentData, so I didn't think about it too much!

[labbott]

There are a couple of places where we have unreachable because of using the u32, maaaybe an enum would be cleaner and reduce a few checks? Or is the issue this needs to match exactly what the host is expecting?

[mkeeter]

This isn't seen at all by the host, but we're reading / writing this object directly to disk, so we need zerocopy-friendly types.

[hawkw]

FWIW, zerocopy::TryFromBytes can be derived for enums (though I'm not sure how annoying that would be to actually use here)

[mkeeter]

I think it would be usable, but the docs seem to imply that you shouldn't it when round-tripping through bytes (?!).

I've opened google/zerocopy#2722 to ask for clarification

[labbott]

Hmmm, do we lose the idl generation of this?

[mkeeter]

Yeah – I switched to finer-grained error types for a few methods, which means that the IDL generator can't make a FailServer (which assumes a single error type).

[labbott]

Do we need the u64 everywhere? It seems like everything gets converted/checked against u32 anyway

[mkeeter]

The initial u64 is sent by the host, but I pushed the u32 conversion upstream into host_sp_comms.

[citrus-it]

@mkeeter - here are the IPCC messages which are expected to be seen before the host is finished with APOB. Anything else incoming from the host should trigger the lockdown.

humility: ring buffer task_host_sp_comms::__RINGBUF in host_sp_comms:
   TOTAL VARIANT
      99 Request(ApobRead)
      96 Request(ApobData)
       2 Request(KeyLookup)
       1 Request(GetBootStorageUnit)
       1 Request(GetIdentity)
       1 Request(GetStatus)
       1 Request(AckSpStart)
       1 Request(ApobBegin)
       1 Request(ApobCommit)

[mkeeter]

@citrus-it Great, thanks! I've pushed this list to Hubris and to RFD 593.

[hawkw]

I like the latest changes, this looks good to me! I'd be happy to approve this now, but I felt like some of the // XXX: should this lock the state machine? comments could maybe use a second opinion from someone wiser than I am (perhaps @labbott?).

[hawkw]

<3

[hawkw]

comments here aer lovely, thank you for adding them --- this is all much clearer now.