@@ -87,6 +87,12 @@ certification claim.
8787 On AArch64, failure is expected unless the operator has attested CSDB
8888 effectiveness with ` --cfg base64_ng_aarch64_csdb_attested ` ; do not use that
8989 cfg without processor, BSP, or certification evidence.
90+ Deployment CI for a certified AArch64 target should run the application or
91+ integration test suite with the same ` RUSTFLAGS ` and assert that this startup
92+ policy passes. Generic project CI must not set that cfg because it would turn
93+ an operator attestation into an unreviewed build default. RISC-V and 32-bit
94+ ARM targets should expect this policy to fail unless the platform provides
95+ external Spectre-v1 mitigation evidence.
9096- Decode tokens, wrapped keys, MAC-adjacent payloads, and equivalent
9197 secret-bearing Base64 through ` base64_ng::ct ` . Use
9298 ` ct::CtEngine::decode_slice_staged_clear_tail ` when the caller-owned output
@@ -130,6 +136,13 @@ secret-adjacent tokens, or attacker-probed fragments of those values. Use
130136` DecodeError::kind() ` for redacted logging, or use the ` ct ` module for opaque
131137malformed-content errors.
132138
139+ ``` rust
140+ let err = base64_ng :: STANDARD
141+ . decode_buffer :: <32 >(input )
142+ . unwrap_err ();
143+ tracing :: warn! (error_kind = % err . kind (), " base64 decode failed" );
144+ ```
145+
133146Legacy whitespace handling is opt-in through explicitly named APIs. Wrapped
134147profiles are strict about the configured line ending and non-final line width.
135148
0 commit comments