Pterohacktyl/retry disc logic#2

Merged
jof merged 1 commit into main from pterohacktyl/retry-disc-logic, May 30, 2026

Conversation

@pterohacktyl

Collaborator

fe06790 — Disc write retry + YubiHSM audit log recovery

Disc write retry states (app.rs, ceremony_ops.rs, modes/ceremony/mod.rs)

  • Added IntentBurnFailed and BurnFailed ceremony phases for disc write failures
  • BurnFailed blocks navigation away from the screen — cert is in memory but not yet on disc; enforces the disc-before-USB invariant structurally
  • Both states run a background disc scan loop; pressing [1] retries the burn once a disc is reinserted
  • Added RetryBurn and RetryIntentBurn actions wired into the TUI dispatch

YubiHSM audit log detection and drain (app.rs, ceremony_ops.rs, yubihsm_backend.rs, lib.rs)

  • Added BootstrapAuditLogFull ceremony phase: if the audit log is full before bootstrap, the TUI pauses and requires explicit operator confirmation before draining
  • Added query_bootstrap_audit_log() to the HsmBackend trait, implemented on YubiHsmBackend via device_info() (pre-session, no auth required)
  • Added ConfirmAuditLogDrain action that calls do_bootstrap_hsm_drain_confirmed() then do_generate_and_build()
  • Fixed post_intent_init_root to detect the BootstrapAuditLogFull deferred state and return early without prematurely calling do_generate_and_build
  • Moved pre-drain to the first operation in bootstrap() — before put_authentication_key — so it works even when Force Audit=Fix is blocking other commands
  • Added delete-before-create for the anodize auth key to handle partial bootstrap states (stale key ID 2 left by a previous failed bootstrap)

e4a51af — InvalidData guard on YubiHSM audit option setting

yubihsm_backend.rs

  • YubiHSM2 firmware makes Force Audit and per-command audit options immutable once set to Fix — any further SetOption call (including setting it to the same value) returns InvalidData
  • Changed set_force_audit_option and each set_command_audit_option call from .map_err(...)? to a match that treats device::ErrorKind::InvalidData as "already Fix, skip" rather than a fatal error
  • Makes bootstrap() fully idempotent against partially-bootstrapped devices in any intermediate state

f4ebd13 — Update list-usb help text (anodize-shuttle/src/init.rs)

  • Changed the --device argument doc comment to reference make list-usb instead of anodize-shuttle lint --list-usb

8ae4e34 — Nix build timeout (Makefile)

  • Added --option connect-timeout 15 and --option stalled-download-timeout 60 to the Docker Nix build command to prevent indefinite hangs when the binary cache drops a connection mid-download

Integrate HSM-layer improvements from pterohacktyl/retry-disc-logic,
adapted to current main after the TUI refactor.

YubiHSM bootstrap idempotency:
- Drain the audit log immediately after connecting with factory creds,
  before any auditable commands.  A prior partial bootstrap may have
  left Force Audit=Fix with the log full, blocking PutAuthenticationKey
  and all other auditable operations.  GetLogEntries/SetLogIndex are
  exempt from Force Audit blocking, so the drain always succeeds.
- Delete any existing anodize auth key (ID 2) before re-creating it,
  making bootstrap safe to retry after a partial failure.
- Tolerate InvalidData from set_force_audit_option and
  set_command_audit_option — once set to Fix, the YubiHSM firmware
  rejects even same-value SetOption calls.

New trait method:
- HsmBackend::query_bootstrap_audit_log() returns (used, capacity) for
  the device's audit log using factory-default credentials.  YubiHSM
  implements it; SoftHSM returns None.  Allows the TUI to detect a
  full log pre-bootstrap and prompt the operator.

Build improvements:
- Add connect-timeout (15s) and stalled-download-timeout (60s) to
  Docker-based nix builds to prevent hangs on flaky networks.

Doc fix:
- Update anodize-shuttle init.rs to reference `make list-usb` instead
  of the removed `anodize-shuttle lint --list-usb`.

Original-branch: pterohacktyl/retry-disc-logic
Co-Authored-By: Cris Lingad <clingad@crusoe.ai>
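As an added example, not code from this PR or the project itself: a self-contained Rust mock of the partial-bootstrap states the commit message describes (Force Audit=Fix with a full log, a stale anodize key ID 2) and a `bootstrap()` ordered the way the message specifies, so that running it twice on such a device succeeds. `MockHsm`, `HsmErr`, the method names and the constructed 62-entry log capacity are assumptions, not the real yubihsm crate API.

```rust
// Added illustration, not the project's code; all names here are assumptions.
#[derive(Debug, PartialEq)]
enum HsmErr { AuditLogFull, InvalidData, KeyExists }
struct MockHsm { log_used: usize, log_capacity: usize, force_audit_fix: bool, auth_keys: Vec<u16> }
const ANODIZE_KEY_ID: u16 = 2;

impl MockHsm {
    // Auditable commands are blocked once Force Audit=Fix and the log is full.
    fn auditable(&mut self) -> Result<(), HsmErr> {
        if self.force_audit_fix && self.log_used >= self.log_capacity { return Err(HsmErr::AuditLogFull); }
        self.log_used += 1;
        Ok(())
    }
    // GetLogEntries/SetLogIndex are exempt from that blocking; returns (drained, capacity).
    fn drain_audit_log(&mut self) -> (usize, usize) {
        let drained = std::mem::take(&mut self.log_used);
        (drained, self.log_capacity)
    }
    // Deleting a missing key is a no-op, so delete-before-create is safe to retry.
    fn delete_auth_key(&mut self, id: u16) -> Result<(), HsmErr> {
        self.auditable()?;
        self.auth_keys.retain(|&k| k != id);
        Ok(())
    }
    fn put_auth_key(&mut self, id: u16) -> Result<(), HsmErr> {
        self.auditable()?;
        if self.auth_keys.contains(&id) { return Err(HsmErr::KeyExists); }
        self.auth_keys.push(id);
        Ok(())
    }
    // Firmware rejects any SetOption once the option is Fix, even a same-value call.
    fn set_force_audit_fix(&mut self) -> Result<(), HsmErr> {
        if self.force_audit_fix { return Err(HsmErr::InvalidData); }
        self.auditable()?;
        self.force_audit_fix = true;
        Ok(())
    }
}
// Bootstrap ordered so every step tolerates a previous partial run.
fn bootstrap(hsm: &mut MockHsm) -> Result<(), HsmErr> {
    hsm.drain_audit_log();                // first, before any auditable command
    hsm.delete_auth_key(ANODIZE_KEY_ID)?; // clear a stale key ID 2
    hsm.put_auth_key(ANODIZE_KEY_ID)?;
    match hsm.set_force_audit_fix() {
        Err(HsmErr::InvalidData) => Ok(()), // already Fix: skip, not fatal
        other => other,
    }
}
// Constructed state left behind by a failed earlier bootstrap (capacity assumed).
fn partially_bootstrapped() -> MockHsm {
    MockHsm { log_used: 62, log_capacity: 62, force_audit_fix: true, auth_keys: vec![ANODIZE_KEY_ID] }
}
```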
jof force-pushed the pterohacktyl/retry-disc-logic branch from 4e93913 to aa194d2 on May 30, 2026 01:23
jof merged commit 3809340 into main on May 30, 2026
4 of 7 checks passed
2 participants