base64-ng 1.2.0

no_std-first Base64 encoding and decoding with strict APIs and a security-heavy release process
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312

//! Runtime backend reporting for security-sensitive deployments.
//!
//! This module exposes backend posture so callers can log, assert, or audit
//! whether execution is scalar-only, using an admitted encode backend, or
//! merely detecting future SIMD candidates.

/// A backend that can be reported by `base64-ng`.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum Backend {
    /// The audited scalar backend.
    Scalar,
    /// An AVX-512 VBMI candidate was detected.
    Avx512Vbmi,
    /// An AVX2 candidate was detected.
    Avx2,
    /// An SSSE3/SSE4.1 candidate was detected.
    Ssse3Sse41,
    /// An ARM NEON candidate was detected.
    Neon,
    /// A wasm `simd128` candidate was detected.
    WasmSimd128,
}

impl Backend {
    /// Returns the stable lowercase identifier for this backend.
    ///
    /// ```
    /// assert_eq!(base64_ng::runtime::Backend::Scalar.as_str(), "scalar");
    /// ```
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::Scalar => "scalar",
            Self::Avx512Vbmi => "avx512-vbmi",
            Self::Avx2 => "avx2",
            Self::Ssse3Sse41 => "ssse3-sse4.1",
            Self::Neon => "neon",
            Self::WasmSimd128 => "wasm-simd128",
        }
    }

    /// Returns the CPU features required before this backend may be used.
    ///
    /// Security logs can record exactly which CPU feature bundle is required by
    /// an active backend or visible candidate.
    ///
    /// ```
    /// assert_eq!(
    ///     base64_ng::runtime::Backend::Avx512Vbmi.required_cpu_features(),
    ///     ["avx512f", "avx512bw", "avx512vl", "avx512vbmi"],
    /// );
    /// ```
    #[must_use]
    pub const fn required_cpu_features(self) -> &'static [&'static str] {
        match self {
            Self::Scalar => &[],
            Self::Avx512Vbmi => &["avx512f", "avx512bw", "avx512vl", "avx512vbmi"],
            Self::Avx2 => &["avx2"],
            Self::Ssse3Sse41 => &["ssse3", "sse4.1"],
            Self::Neon => &["neon"],
            Self::WasmSimd128 => &["simd128"],
        }
    }
}

impl core::fmt::Display for Backend {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

/// How SIMD backend candidates were detected for this build.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum CandidateDetectionMode {
    /// SIMD candidate detection is disabled because the `simd` feature is
    /// not enabled.
    SimdFeatureDisabled,
    /// Candidate detection uses runtime CPU feature probing.
    RuntimeCpuFeatures,
    /// Candidate detection uses compile-time target features.
    ///
    /// This mode does not prove that the deployment CPU has the reported
    /// feature; it only reflects how the binary was compiled.
    CompileTimeTargetFeatures,
}

impl CandidateDetectionMode {
    /// Returns the stable lowercase identifier for this detection mode.
    ///
    /// ```
    /// assert_eq!(
    ///     base64_ng::runtime::CandidateDetectionMode::SimdFeatureDisabled.as_str(),
    ///     "simd-feature-disabled",
    /// );
    /// ```
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::SimdFeatureDisabled => "simd-feature-disabled",
            Self::RuntimeCpuFeatures => "runtime-cpu-features",
            Self::CompileTimeTargetFeatures => "compile-time-target-features",
        }
    }
}

impl core::fmt::Display for CandidateDetectionMode {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

/// Security posture for the active runtime backend.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum SecurityPosture {
    /// No accelerated backend is active.
    ScalarOnly,
    /// SIMD support may be detected, but execution still uses scalar.
    SimdCandidateScalarActive,
    /// A SIMD backend is active.
    Accelerated,
}

impl SecurityPosture {
    /// Returns the stable lowercase identifier for this security posture.
    ///
    /// ```
    /// assert_eq!(
    ///     base64_ng::runtime::SecurityPosture::ScalarOnly.as_str(),
    ///     "scalar-only",
    /// );
    /// ```
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::ScalarOnly => "scalar-only",
            Self::SimdCandidateScalarActive => "simd-candidate-scalar-active",
            Self::Accelerated => "accelerated",
        }
    }
}

impl core::fmt::Display for SecurityPosture {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

/// Wipe-barrier posture for this build and target.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum WipePosture {
    /// The target uses a native store-ordering hardware fence in addition
    /// to volatile writes and compiler fences.
    ///
    /// This describes wipe-store ordering only. It is separate from
    /// [`CtGatePosture`], which reports whether the constant-time result
    /// gate has a speculation barrier or only an ordering fence.
    HardwareFence,
    /// The target uses volatile writes and compiler fences only.
    CompilerFenceOnly,
}

impl WipePosture {
    /// Returns the stable lowercase identifier for this wipe posture.
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::HardwareFence => "hardware-fence",
            Self::CompilerFenceOnly => "compiler-fence-only",
        }
    }
}

impl core::fmt::Display for WipePosture {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

/// Constant-time result-gate barrier posture for this build and target.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum CtGatePosture {
    /// The target uses a native speculation barrier before public CT
    /// success/failure or equality-result branches.
    HardwareSpeculationBarrier,
    /// The target is treated as having an effective speculation barrier only
    /// because the build provided an explicit operator attestation cfg.
    ///
    /// On `AArch64`, this is reported when the build sets
    /// `base64_ng_aarch64_csdb_attested`. It remains distinct from
    /// [`Self::HardwareSpeculationBarrier`] so logs preserve the evidence
    /// chain instead of making a build assertion look like a native target
    /// guarantee.
    HardwareSpeculationBarrierBuildAsserted,
    /// The target emits a hardware speculation-barrier sequence whose
    /// effectiveness depends on platform or core-level attestation.
    ///
    /// On `AArch64` this uses `isb sy` plus the CSDB hint encoding. Full
    /// CSDB effectiveness depends on the deployed ARM architecture level;
    /// older cores may treat the hint as a no-op.
    HardwareSpeculationBarrierUnattested,
    /// The target uses an ordering fence where the base ISA does not
    /// provide a canonical speculation barrier.
    OrderingFence,
    /// The target uses compiler fences only.
    CompilerFenceOnly,
}

impl CtGatePosture {
    /// Returns the stable lowercase identifier for this CT gate posture.
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::HardwareSpeculationBarrier => "hardware-speculation-barrier",
            Self::HardwareSpeculationBarrierBuildAsserted => {
                "hardware-speculation-barrier-build-asserted"
            }
            Self::HardwareSpeculationBarrierUnattested => "hardware-speculation-barrier-unattested",
            Self::OrderingFence => "ordering-fence",
            Self::CompilerFenceOnly => "compiler-fence-only",
        }
    }
}

impl core::fmt::Display for CtGatePosture {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

/// Whether this crate locks secret allocations into physical memory.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum MemoryLockPosture {
    /// The crate does not lock memory. Deployments that need locked secret
    /// pages must use platform controls outside `base64-ng`.
    NotProvided,
}

impl MemoryLockPosture {
    /// Returns the stable lowercase identifier for this memory-locking posture.
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::NotProvided => "not-provided",
        }
    }
}

impl core::fmt::Display for MemoryLockPosture {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

/// Deployment policy for runtime backend assertions.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum BackendPolicy {
    /// Require encode/decode execution to use the scalar backend.
    ScalarExecutionOnly,
    /// Require the crate to be built without the `simd` feature.
    SimdFeatureDisabled,
    /// Require no SIMD candidate to be visible to this build and target.
    NoDetectedSimdCandidate,
    /// Require scalar execution, the `simd` feature disabled, no detected
    /// SIMD candidate, the unsafe boundary enforced, and a CT result gate
    /// classified as a native hardware speculation barrier.
    ///
    /// This policy intentionally rejects targets that report only an
    /// unattested hardware barrier, ordering fence, or compiler fence for the
    /// CT result gate. On `AArch64`, the crate emits `isb sy` plus the CSDB
    /// hint but reports that posture as unattested; deployments that rely on
    /// CSDB must carry platform evidence outside this built-in policy check.
    HighAssuranceScalarOnly,
}

impl BackendPolicy {
    /// Returns the stable lowercase identifier for this policy.
    ///
    /// ```
    /// assert_eq!(
    ///     base64_ng::runtime::BackendPolicy::HighAssuranceScalarOnly.as_str(),
    ///     "high-assurance-scalar-only",
    /// );
    /// ```
    #[must_use]
    pub const fn as_str(self) -> &'static str {
        match self {
            Self::ScalarExecutionOnly => "scalar-execution-only",
            Self::SimdFeatureDisabled => "simd-feature-disabled",
            Self::NoDetectedSimdCandidate => "no-detected-simd-candidate",
            Self::HighAssuranceScalarOnly => "high-assurance-scalar-only",
        }
    }
}

impl core::fmt::Display for BackendPolicy {
    fn fmt(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        formatter.write_str(self.as_str())
    }
}

mod report;

pub use report::{
    BackendPolicyError, BackendReport, BackendSnapshot, backend_report, require_backend_policy,
};