ruvix-boot 0.1.0

RVF boot loading for RuVix Cognition Kernel (ADR-087)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371

//! ML-DSA-65 signature verification for RVF packages.
//!
//! This module implements the critical signature verification per SEC-001:
//! **On signature failure, PANIC IMMEDIATELY. No fallback boot path.**
//!
//! # ML-DSA-65 (NIST FIPS 204)
//!
//! ML-DSA-65 is a post-quantum digital signature algorithm standardized
//! by NIST in FIPS 204. It provides:
//! - 128-bit security level against classical attacks
//! - Category 2 security against quantum attacks
//! - Signature size: 3309 bytes
//! - Public key size: 1952 bytes

use sha2::{Sha256, Digest};
use ruvix_types::KernelError;

/// ML-DSA-65 signature size in bytes.
pub const SIGNATURE_SIZE: usize = 3309;

/// ML-DSA-65 public key size in bytes.
pub const PUBLIC_KEY_SIZE: usize = 1952;

/// Alias for public key size.
pub const ML_DSA_65_PUBLIC_KEY_SIZE: usize = PUBLIC_KEY_SIZE;

/// Result of signature verification.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VerifyResult {
    /// Signature is valid.
    Valid,

    /// Signature is invalid (wrong key, corrupted data, etc.).
    Invalid,

    /// Signature has wrong length.
    WrongLength,

    /// Public key has wrong length.
    WrongKeyLength,

    /// Manifest hash mismatch.
    HashMismatch,
}

impl VerifyResult {
    /// Returns `true` if the signature is valid.
    #[inline]
    #[must_use]
    pub const fn is_valid(&self) -> bool {
        matches!(self, Self::Valid)
    }

    /// Returns an error description.
    #[inline]
    #[must_use]
    pub const fn as_str(&self) -> &'static str {
        match self {
            Self::Valid => "Signature valid",
            Self::Invalid => "Signature invalid",
            Self::WrongLength => "Signature has wrong length",
            Self::WrongKeyLength => "Public key has wrong length",
            Self::HashMismatch => "Manifest hash mismatch",
        }
    }
}

/// Signature verifier for RVF packages.
///
/// Implements ML-DSA-65 signature verification per NIST FIPS 204.
pub struct SignatureVerifier {
    /// Boot public key (embedded at build time or loaded from secure storage).
    public_key: [u8; PUBLIC_KEY_SIZE],
}

impl SignatureVerifier {
    /// Creates a new signature verifier with the given public key.
    ///
    /// # Panics
    ///
    /// Panics if the public key has wrong length.
    #[must_use]
    pub fn new(public_key: &[u8]) -> Self {
        assert_eq!(
            public_key.len(),
            PUBLIC_KEY_SIZE,
            "FATAL: Boot public key has wrong length: {} (expected {})",
            public_key.len(),
            PUBLIC_KEY_SIZE
        );

        let mut pk = [0u8; PUBLIC_KEY_SIZE];
        pk.copy_from_slice(public_key);

        Self { public_key: pk }
    }

    /// Creates a verifier with an all-zeros key (for testing only).
    #[cfg(test)]
    #[must_use]
    pub fn test_verifier() -> Self {
        Self {
            public_key: [0u8; PUBLIC_KEY_SIZE],
        }
    }

    /// Verifies the signature of an RVF manifest.
    ///
    /// # Returns
    ///
    /// Returns `VerifyResult::Valid` if the signature is valid,
    /// or an error result describing the failure.
    #[must_use]
    pub fn verify(&self, manifest: &[u8], signature: &[u8]) -> VerifyResult {
        // Check signature length
        if signature.len() != SIGNATURE_SIZE {
            return VerifyResult::WrongLength;
        }

        // Compute manifest hash
        let manifest_hash = Self::compute_hash(manifest);

        // Phase A: Mock verification (always succeeds for test signatures)
        // In production (Phase B), this would call the actual ML-DSA-65 verify
        self.verify_ml_dsa_65(&manifest_hash, signature)
    }

    /// Verifies the boot signature and PANICS on failure (SEC-001).
    ///
    /// **SECURITY CRITICAL**: This function MUST panic on any verification
    /// failure. There is NO fallback boot path.
    ///
    /// # Panics
    ///
    /// Panics if signature verification fails for ANY reason.
    pub fn verify_boot_signature(&self, manifest: &[u8], signature: &[u8]) {
        let result = self.verify(manifest, signature);

        match result {
            VerifyResult::Valid => {
                // Signature valid - proceed with boot
                #[cfg(feature = "verbose")]
                eprintln!("Boot signature verified successfully");
            }
            _ => {
                // SEC-001: PANIC IMMEDIATELY on signature failure
                // No diagnostic information beyond the error type (prevents oracle attacks)
                eprintln!("FATAL: Boot signature verification failed: {}", result.as_str());
                panic!("Boot signature verification failed");
            }
        }
    }

    /// Computes SHA-256 hash of the manifest.
    #[must_use]
    fn compute_hash(data: &[u8]) -> [u8; 32] {
        let mut hasher = Sha256::new();
        hasher.update(data);
        let result = hasher.finalize();

        let mut hash = [0u8; 32];
        hash.copy_from_slice(&result);
        hash
    }

    /// ML-DSA-65 signature verification.
    ///
    /// Phase A: Mock implementation that validates test signatures.
    /// Phase B: Real ML-DSA-65 implementation using pqcrypto or similar.
    fn verify_ml_dsa_65(&self, manifest_hash: &[u8; 32], signature: &[u8]) -> VerifyResult {
        // Phase A mock: Accept signatures that start with "TEST" or all-zeros key
        if self.is_test_key() {
            return self.verify_test_signature(manifest_hash, signature);
        }

        // Production verification would go here
        // For now, reject non-test signatures
        VerifyResult::Invalid
    }

    /// Checks if this is a test key (all zeros).
    #[inline]
    fn is_test_key(&self) -> bool {
        self.public_key.iter().all(|&b| b == 0)
    }

    /// Verifies a test signature (Phase A only).
    ///
    /// Test signatures are valid if:
    /// 1. The signature starts with "TEST" (4 bytes)
    /// 2. Bytes 4-36 match the manifest hash
    fn verify_test_signature(&self, manifest_hash: &[u8; 32], signature: &[u8]) -> VerifyResult {
        // Check for "TEST" prefix
        if signature.len() >= 36 && &signature[0..4] == b"TEST" {
            // Check hash match
            if &signature[4..36] == manifest_hash {
                return VerifyResult::Valid;
            }
            return VerifyResult::HashMismatch;
        }

        // Also accept all-zeros signature for minimal test cases
        if signature.iter().all(|&b| b == 0) {
            return VerifyResult::Valid;
        }

        VerifyResult::Invalid
    }
}

/// Verifies boot signature with panic on failure (convenience function).
///
/// **SECURITY CRITICAL (SEC-001)**: This function PANICS on signature failure.
/// There is NO fallback boot path.
///
/// # Panics
///
/// Panics if:
/// - Public key has wrong length
/// - Signature verification fails
///
/// # Example
///
/// ```rust,ignore
/// use ruvix_boot::signature::verify_boot_signature;
///
/// let public_key = include_bytes!("boot.pub");
/// let manifest = include_bytes!("boot.rvf.manifest");
/// let signature = include_bytes!("boot.rvf.sig");
///
/// // This will PANIC if verification fails
/// verify_boot_signature(public_key, manifest, signature);
/// ```
#[allow(dead_code)]
pub fn verify_boot_signature(public_key: &[u8], manifest: &[u8], signature: &[u8]) {
    let verifier = SignatureVerifier::new(public_key);
    verifier.verify_boot_signature(manifest, signature);
}

/// Converts a verification result to a kernel error.
impl From<VerifyResult> for KernelError {
    fn from(result: VerifyResult) -> Self {
        match result {
            VerifyResult::Valid => {
                // This shouldn't be converted to an error
                KernelError::InternalError
            }
            VerifyResult::Invalid
            | VerifyResult::WrongLength
            | VerifyResult::WrongKeyLength
            | VerifyResult::HashMismatch => KernelError::InvalidSignature,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn create_test_signature(manifest: &[u8]) -> [u8; SIGNATURE_SIZE] {
        let mut sig = [0u8; SIGNATURE_SIZE];

        // "TEST" prefix
        sig[0..4].copy_from_slice(b"TEST");

        // Manifest hash
        let hash = SignatureVerifier::compute_hash(manifest);
        sig[4..36].copy_from_slice(&hash);

        sig
    }

    #[test]
    fn test_verify_valid_signature() {
        let verifier = SignatureVerifier::test_verifier();
        let manifest = b"test manifest data";
        let signature = create_test_signature(manifest);

        let result = verifier.verify(manifest, &signature);
        assert_eq!(result, VerifyResult::Valid);
        assert!(result.is_valid());
    }

    #[test]
    fn test_verify_wrong_signature_length() {
        let verifier = SignatureVerifier::test_verifier();
        let manifest = b"test manifest";
        let signature = [0u8; 100]; // Wrong length

        let result = verifier.verify(manifest, &signature);
        assert_eq!(result, VerifyResult::WrongLength);
    }

    #[test]
    fn test_verify_hash_mismatch() {
        let verifier = SignatureVerifier::test_verifier();
        let manifest = b"test manifest";
        let wrong_manifest = b"different manifest";
        let signature = create_test_signature(wrong_manifest);

        let result = verifier.verify(manifest, &signature);
        assert_eq!(result, VerifyResult::HashMismatch);
    }

    #[test]
    fn test_verify_all_zeros_signature() {
        let verifier = SignatureVerifier::test_verifier();
        let manifest = b"test manifest";
        let signature = [0u8; SIGNATURE_SIZE];

        // All-zeros signature is valid for test key
        let result = verifier.verify(manifest, &signature);
        assert_eq!(result, VerifyResult::Valid);
    }

    #[test]
    fn test_boot_signature_valid() {
        let public_key = [0u8; PUBLIC_KEY_SIZE];
        let manifest = b"boot manifest";
        let signature = create_test_signature(manifest);

        // Should not panic
        verify_boot_signature(&public_key, manifest, &signature);
    }

    #[test]
    #[should_panic(expected = "Boot signature verification failed")]
    fn test_boot_signature_invalid_panics() {
        let public_key = [0u8; PUBLIC_KEY_SIZE];
        let manifest = b"boot manifest";
        let wrong_manifest = b"wrong manifest";
        let signature = create_test_signature(wrong_manifest);

        // Should panic due to hash mismatch
        verify_boot_signature(&public_key, manifest, &signature);
    }

    #[test]
    #[should_panic(expected = "wrong length")]
    fn test_wrong_public_key_length_panics() {
        let bad_key = [0u8; 100]; // Wrong length
        let _ = SignatureVerifier::new(&bad_key);
    }

    #[test]
    fn test_verify_result_to_kernel_error() {
        assert_eq!(KernelError::from(VerifyResult::Invalid), KernelError::InvalidSignature);
        assert_eq!(KernelError::from(VerifyResult::WrongLength), KernelError::InvalidSignature);
        assert_eq!(KernelError::from(VerifyResult::HashMismatch), KernelError::InvalidSignature);
    }

    #[test]
    fn test_compute_hash_deterministic() {
        let data = b"test data for hashing";
        let hash1 = SignatureVerifier::compute_hash(data);
        let hash2 = SignatureVerifier::compute_hash(data);

        assert_eq!(hash1, hash2);
    }

    #[test]
    fn test_compute_hash_different_inputs() {
        let data1 = b"input one";
        let data2 = b"input two";

        let hash1 = SignatureVerifier::compute_hash(data1);
        let hash2 = SignatureVerifier::compute_hash(data2);

        assert_ne!(hash1, hash2);
    }
}