feat: FwMgmt, Notify, and TPM service implementation + tests#58
Open
dymk wants to merge 10 commits into
Open
Conversation
dymk
force-pushed
the
dymk/fwmgmt-notify-tpm-impl
branch
4 times, most recently
from
99657fb to
4352dac
Compare
This was referenced Apr 15, 2026
There was a problem hiding this comment.
Pull request overview
Implements extended behaviors and unit tests for the FwMgmt, Notify, TPM services, plus MessageHandler dispatch tests, and tightens dev workflow checks.
Changes:
- Add TPM extended handlers (feature info + notification register/unregister/finish) and deinit state reset, with expanded tests and a TPM2_Startup CRB test helper.
- Implement Notify Add/Remove/Assign/Unassign state tracking, safer message-id parsing, shift-safe bitmap handling, and add Notify unit tests.
- Improve FwMgmt error propagation (remove unwraps, make indirect unsupported) and add FwMgmt unit tests; add MessageHandler routing tests and strengthen pre-commit checks.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
ec-service-lib/src/services/tpm.rs |
Adds TPM notification registration state, extended handlers, deinit reset, and expanded unit tests/helpers. |
ec-service-lib/src/services/notify.rs |
Adds Add/Remove/Assign/Unassign handling, safer message-id parsing, bitmap guard helper, and extensive unit tests. |
ec-service-lib/src/services/fw_mgmt.rs |
Converts several handlers to return Result, propagates FF-A errors, marks indirect unsupported, and adds unit tests. |
ec-service-lib/src/message_handler.rs |
Adds unit tests validating UUID-based routing and unknown-UUID error behavior. |
.husky/pre-commit |
Enforces clippy warnings as errors and runs tests on the host target explicitly. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
cargo test without --target fails locally when rust-toolchain.toml installs aarch64-unknown-none-softfloat, because no_std-incompatible transitive deps (futures-timer, slab) are resolved for that target. Using the host target from rustc -vV ensures portability across Linux, macOS, and Windows.
- process_indirect returns Err("process_indirect not supported") instead of hardcoded 0x0
- map_share uses ? operator on MemRetrieveReq::exec() instead of .unwrap()
- test_notify uses ? operator on NotificationSet::exec() instead of .unwrap()
- Dispatch match arms updated to use ? propagation
- Removed old commented-out FfaNotify code block
- nfy_add: find-or-create entry, register mappings (mirrors nfy_setup logic) - nfy_remove: find entry, unregister mappings (mirrors nfy_destroy logic) - nfy_assign: update id/ntype on existing cookie-matched mappings with bitmap conflict check - nfy_unassign: clear id/ntype on cookie-matched mappings, keep slot reserved - Replace catch-all NotSupported arm with four individual dispatch arms
- Add notification_registered field to TpmService struct - get_feature_info_handler returns capability flags for notification feature - register_handler tracks notification registration state (Already on double-register) - unregister_handler validates registration (Denied if not registered) - finish_handler validates registration (Denied if not registered) - deinit resets all state (current_state, active_locality, locality_states, notification_registered) - init also resets notification_registered - Update 3 test assertions: register→Ok, unregister→Denied, finish→Denied - Apply cargo fmt fixup for fw_mgmt.rs
- FwMgmt: 5 tests covering get_fw_state, get_svc_list, get_bid, process_indirect error, unknown command - Notify: 12 tests covering Setup, Destroy, Add, Remove, Assign, Unassign + error cases - UUID round-trip via to_u128_le() for correct NotifyReq deserialization
- 6 tests: UUID routing to MockServiceA/B, unknown UUID error, empty handler, chain ordering
- Mock services use echo pattern with distinct markers (0xAA, 0xBB)
- Verifies LIFO linked-list dispatch and Error::Other("Unknown UUID") terminal
- 9 new TPM tests: get_feature_info (notification/unknown), register/unregister state transitions, double register -> Already, finish with/without registration, deinit state reset, register after deinit - cargo fmt fixups for all test modules (alignment/line-length) - Total: 94 tests passing (62 existing + 32 new), zero regressions
CR-01: MessageInfo::message_id() now returns Option<MessageID> instead of panicking via .expect(). Invalid bit patterns (6, 7) return an error response rather than crashing the secure partition. CR-02: All 1<<id bitmap operations now use nfy_bitmask() helper that returns None for id >= 64, preventing shift overflow panics in debug and silent bitmap corruption in release builds. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…erage Add test_write_crb operation 5 that prepares a TPM2_Startup(CLEAR) command in the CRB data buffer with correct command_size. This enables E2E tests to exercise the full sst.start() pipeline (copy_command_data, start_command, copy_response_data) through the emulated TPM CRB interface. Only available when test-bypass-locality-check feature is enabled. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
nfy_assign: pre-validate all tuples (cookie exists, id in range, no bitmap conflicts) using a simulated bitmap before applying any mutations. On error, no state is modified. nfy_unassign: pre-validate all cookies exist before clearing any mappings. Bitmap is updated atomically after all mutations. test_setup_overflow_count: NotifyReq::from() clamps count with .min(7), so sending count=8 never reached the >= 8 guard. Replace with two tests: one verifying clamped count=8 succeeds with 7 valid tuples, another exercising count=7 directly as the effective maximum. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dymk
force-pushed
the
dymk/fwmgmt-notify-tpm-impl
branch
from
4352dac to
fff1bd2
Compare
philgweber
previously approved these changes
Apr 15, 2026
kurtjd
previously approved these changes
Apr 15, 2026
dymk
dismissed stale reviews from kurtjd and philgweber
The merge-base changed after approval.
philgweber
previously approved these changes
Apr 15, 2026
dymk
dismissed
philgweber’s stale review
The merge-base changed after approval.
github-project-automation
Bot
moved this to In progress
in ODP Stack for QEMU SBSA (Arm64)
kurtjd
previously approved these changes
Apr 15, 2026
kurtjd
previously approved these changes
Apr 15, 2026
philgweber
previously approved these changes
Apr 16, 2026
dymk
dismissed
philgweber’s stale review
The merge-base changed after approval.
kurtjd
previously approved these changes
Apr 16, 2026
kurtjd
left a comment
kurtjd
left a comment
Member
There was a problem hiding this comment.
Is just doing a git rebase causing the approvals to be dismissed? If so, that might be an issue with this repo's settings, our other repos don't seem to have that problem.
This was referenced Apr 16, 2026
rogurr
previously approved these changes
Apr 17, 2026
philgweber
reviewed
Jun 15, 2026
| use odp_ffa::{DirectMessagePayload, HasRegisterPayload}; | ||
| use uuid::uuid; | ||
|
|
||
| const NOTIFY_UUID: Uuid = uuid!("e474d87e-5731-4044-a727-cb3e8cf3c8df"); |
Collaborator
There was a problem hiding this comment.
Isn't this defined somewhere externally as this is defined in the FFA standard we can maybe move it here.
philgweber
reviewed
Jun 15, 2026
| @@ -236,6 +237,7 @@ impl<S: TpmSstOps> TpmService<S> { | |||
| interface_id_default: PtpCrbInterfaceIdentifier::new(), | |||
| locality_states: [TpmLocalityState::Closed; NUM_LOCALITIES as usize], | |||
| tpm_internal_crb_address: 0x10000200000, | |||
Collaborator
There was a problem hiding this comment.
This will probably conflict with the other change the TPM address has changed.
philgweber
previously approved these changes
Jun 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implement FwMgmt error handling, Notify state-tracking (add/remove/assign/unassign),
and TPM extended handlers (get_feature_info, register, unregister, finish, deinit).
Adds comprehensive unit tests for all three services plus MessageHandler dispatch
tests. Fixes panic on invalid MessageID and shift overflow in notify service.
Changes
Files changed
ec-service-lib/src/services/fw_mgmt.rsec-service-lib/src/services/notify.rsec-service-lib/src/services/tpm.rsec-service-lib/src/message_handler.rs