Pterohacktyl/retry disc logic #2
Merged
Integrate HSM-layer improvements from pterohacktyl/retry-disc-logic, adapted to current main after the TUI refactor.

YubiHSM bootstrap idempotency:
- Drain the audit log immediately after connecting with factory creds, before any auditable commands. A prior partial bootstrap may have left Force Audit=Fix with the log full, blocking PutAuthenticationKey and all other auditable operations. GetLogEntries/SetLogIndex are exempt from Force Audit blocking, so the drain always succeeds.
- Delete any existing anodize auth key (ID 2) before re-creating it, making bootstrap safe to retry after a partial failure.
- Tolerate InvalidData from set_force_audit_option and set_command_audit_option — once set to Fix, the YubiHSM firmware rejects even same-value SetOption calls.

New trait method:
- HsmBackend::query_bootstrap_audit_log() returns (used, capacity) for the device's audit log using factory-default credentials. YubiHSM implements it; SoftHSM returns None. Allows the TUI to detect a full log pre-bootstrap and prompt the operator.

Build improvements:
- Add connect-timeout (15s) and stalled-download-timeout (60s) to Docker-based nix builds to prevent hangs on flaky networks.

Doc fix:
- Update anodize-shuttle init.rs to reference `make list-usb` instead of the removed `anodize-shuttle lint --list-usb`.

Original-branch: pterohacktyl/retry-disc-logic
Co-Authored-By: Cris Lingad <clingad@crusoe.ai>
fe06790 — Disc write retry + YubiHSM audit log recovery

Disc write retry states (`app.rs`, `ceremony_ops.rs`, `modes/ceremony/mod.rs`)
- `IntentBurnFailed` and `BurnFailed` ceremony phases for disc write failures
- `BurnFailed` blocks navigation away from the screen — cert is in memory but not yet on disc; enforces the `disc-before-USB` invariant structurally[1]
- retries the burn once a disc is reinserted
- `RetryBurn` and `RetryIntentBurn` actions wired into the TUI dispatch

YubiHSM audit log detection and drain (`app.rs`, `ceremony_ops.rs`, `yubihsm_backend.rs`, `lib.rs`)
- `BootstrapAuditLogFull` ceremony phase: if the audit log is full before bootstrap, the TUI pauses and requires explicit operator confirmation before draining
- `query_bootstrap_audit_log()` to the `HsmBackend` trait, implemented on `YubiHsmBackend` via `device_info()` (pre-session, no auth required)
- `ConfirmAuditLogDrain` action that calls `do_bootstrap_hsm_drain_confirmed()` then `do_generate_and_build()`
- `post_intent_init_root` to detect the `BootstrapAuditLogFull` deferred state and return early without prematurely calling `do_generate_and_build`
- `bootstrap()` — before `put_authentication_key` — so it works even when `Force Audit=Fix` is blocking other commands
- `delete-before-create` for the anodize auth key to handle partial bootstrap states (stale key `ID 2` left by a previous failed bootstrap)

e4a51af — `InvalidData` guard on YubiHSM audit option setting (`yubihsm_backend.rs`)
- `SetOption` call (including setting it to the same value) returns `InvalidData`
- `set_force_audit_option` and each `set_command_audit_option` call from `.map_err(...)?` to a match that treats `device::ErrorKind::InvalidData` as "already Fix, skip" rather than a fatal error
- `bootstrap()` fully idempotent against partially-bootstrapped devices in any intermediate state

f4ebd13 — Update `list-usb` help text (`anodize-shuttle/src/init.rs`)
- `--device` argument doc comment to reference `make list-usb` instead of `anodize-shuttle lint --list-usb`

8ae4e34 — Nix build timeout (`Makefile`)
- `--option connect-timeout 15` and `--option stalled-download-timeout 60` to the Docker Nix build command to prevent indefinite hangs when the binary cache drops a connection mid-download
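The three idempotency fixes described in the PR body and in the fe06790/e4a51af summaries (drain the audit log first, delete-before-create for auth key ID 2, tolerate InvalidData on SetOption) are easiest to reason about against a device you can put into each partial-bootstrap state at will. The block below is an added example and not code from this PR or from the anodize project: `SimHsm`, `HsmError`, `AuditOption` and `LOG_CAPACITY` are hypothetical stand-ins for the real YubiHSM and the `yubihsm` crate's types, and the capacity of 62 entries is an assumed figure for the simulation. `bootstrap_naive` is the retry-unsafe shape the PR moves away from; `bootstrap` applies the three fixes in the order the PR description gives.

```rust
// Added example, not code from this PR: a simulated YubiHSM carrying the three
// partial-bootstrap states the PR description lists (Force Audit=Fix with a full
// log, a stale auth key ID 2, InvalidData on a same-value SetOption), and an
// idempotent bootstrap() written against it. SimHsm, HsmError and LOG_CAPACITY
// are hypothetical stand-ins for the real device and the `yubihsm` crate types.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AuditOption { Off, Fix }

#[derive(Debug, Clone, PartialEq)]
pub enum HsmError {
    LogFull,        // auditable command refused: Force Audit=Fix and log full
    InvalidData,    // firmware rejects SetOption once Force Audit is already Fix
    ObjectNotFound,
    ObjectExists,
}

pub const ANODIZE_AUTH_KEY_ID: u16 = 2;
/// Assumed log capacity for the simulation, not the real device's figure.
pub const LOG_CAPACITY: usize = 62;

pub struct SimHsm {
    pub force_audit: AuditOption,
    pub log_used: usize,
    pub auth_keys: Vec<u16>,
}

impl SimHsm {
    /// Factory-fresh device: empty log, Force Audit off, no custom keys.
    pub fn factory() -> Self {
        SimHsm { force_audit: AuditOption::Off, log_used: 0, auth_keys: Vec::new() }
    }

    /// Every auditable command passes through here. With Force Audit=Fix a full
    /// log blocks the command; otherwise the oldest entry is overwritten.
    fn audit(&mut self) -> Result<(), HsmError> {
        if self.log_used >= LOG_CAPACITY {
            if self.force_audit == AuditOption::Fix { return Err(HsmError::LogFull); }
        } else {
            self.log_used += 1;
        }
        Ok(())
    }

    /// Pre-session DeviceInfo: (used, capacity), no authentication required.
    pub fn device_info(&self) -> (usize, usize) { (self.log_used, LOG_CAPACITY) }

    /// GetLogEntries followed by SetLogIndex: exempt from Force Audit blocking.
    pub fn drain_log(&mut self) -> usize { std::mem::replace(&mut self.log_used, 0) }

    pub fn put_authentication_key(&mut self, id: u16) -> Result<(), HsmError> {
        self.audit()?;
        if self.auth_keys.contains(&id) { return Err(HsmError::ObjectExists); }
        self.auth_keys.push(id);
        Ok(())
    }

    pub fn delete_object(&mut self, id: u16) -> Result<(), HsmError> {
        self.audit()?;
        match self.auth_keys.iter().position(|&k| k == id) {
            Some(i) => { self.auth_keys.remove(i); Ok(()) }
            None => Err(HsmError::ObjectNotFound),
        }
    }

    pub fn set_force_audit_option(&mut self, opt: AuditOption) -> Result<(), HsmError> {
        // Once Fix, the firmware rejects any SetOption, even opt == Fix.
        if self.force_audit == AuditOption::Fix { return Err(HsmError::InvalidData); }
        self.audit()?;
        self.force_audit = opt;
        Ok(())
    }
}

/// Pre-PR shape: works once on a factory device, fails on any retry.
pub fn bootstrap_naive(hsm: &mut SimHsm) -> Result<(), HsmError> {
    hsm.put_authentication_key(ANODIZE_AUTH_KEY_ID)?;
    hsm.set_force_audit_option(AuditOption::Fix)
}

/// Idempotent bootstrap: safe to re-run from any intermediate state.
pub fn bootstrap(hsm: &mut SimHsm) -> Result<(), HsmError> {
    // 1. Drain before any auditable command; the drain itself is never blocked.
    hsm.drain_log();
    // 2. Delete-before-create: a missing key is just the normal first-run case.
    match hsm.delete_object(ANODIZE_AUTH_KEY_ID) {
        Ok(()) | Err(HsmError::ObjectNotFound) => {}
        Err(e) => return Err(e),
    }
    hsm.put_authentication_key(ANODIZE_AUTH_KEY_ID)?;
    // 3. InvalidData means the option is already Fix, which is the desired state.
    match hsm.set_force_audit_option(AuditOption::Fix) {
        Ok(()) | Err(HsmError::InvalidData) => Ok(()),
        Err(e) => Err(e),
    }
}
```

The interesting input is a device left in the state the PR body describes: `SimHsm { force_audit: AuditOption::Fix, log_used: LOG_CAPACITY, auth_keys: vec![ANODIZE_AUTH_KEY_ID] }`. There `bootstrap_naive` fails on its first `put_authentication_key` with `LogFull`, while `bootstrap` drains, replaces the stale key and absorbs the `InvalidData` from the redundant SetOption. The drain is deliberately unconditional rather than gated on `device_info()`; the TUI-side `BootstrapAuditLogFull` confirmation the PR adds is a separate operator-facing check that sits in front of this call.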