Skip to content

Commit f9f88fc

Browse files
committed
Harden high-assurance CT guidance
1 parent 117a765 commit f9f88fc

11 files changed

Lines changed: 58 additions & 7 deletions

File tree

CHANGELOG.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,11 @@
55
- Synchronized all workspace crate package versions to `1.3.6`.
66
- Added consistent companion-crate README headers with the shared project image,
77
core documentation links, and crate-specific one-line summaries.
8+
- Moved the top constant-time guide example to
9+
`decode_slice_staged_clear_tail` so shared-memory and HSM-adjacent users see
10+
the safer staged pattern first.
11+
- Added the custom `base64_ng_require_high_assurance` cfg. When set, builds
12+
that also enable `simd` fail at compile time.
813
- No encode/decode logic, SIMD admission scope, or runtime dependency posture
914
changes.
1015

Cargo.toml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,7 @@ fuzzing = []
7070
[lints.rust]
7171
unexpected_cfgs = { level = "warn", check-cfg = [
7272
"cfg(base64_ng_aarch64_csdb_attested)",
73+
"cfg(base64_ng_require_high_assurance)",
7374
"cfg(base64_ng_kani_advanced)",
7475
"cfg(kani)",
7576
"cfg(miri)",

README.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -225,6 +225,12 @@ license = "MIT OR Apache-2.0"
225225
| `kani` | no | Reserved for verifier harnesses; normal builds do not require Kani. |
226226
| `fuzzing` | no | Reserved for verifier and fuzz harness integration; published crate stays dependency-free. |
227227

228+
High-assurance deployments that must fail closed when SIMD is enabled can build
229+
with `RUSTFLAGS="--cfg base64_ng_require_high_assurance"`. This custom cfg is
230+
not a Cargo feature, so normal `--all-features` release evidence and docs.rs
231+
builds remain usable. When the cfg is set, `base64-ng` refuses to compile if
232+
the `simd` feature is enabled.
233+
228234
## Companion Crates
229235

230236
The core `base64-ng` crate keeps its zero-runtime-dependency policy. Optional

docs/API_AUDIT.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ audit favors removing or documenting ambiguous APIs over adding convenience.
4545
| `ct` module | documented boundary | Keep non-claim wording and opaque error behavior explicit unless verification evidence changes. |
4646
| `stream` module | documented boundary | Fail-closed decode, retry semantics, state helpers, recovery helpers, and framed-reader behavior are explicit. |
4747
| Runtime backend reporting | candidate stable | Scalar-only posture and stable log identifiers are documented and release-gated. |
48-
| Feature flags | documented boundary | `tokio`, `kani`, `fuzzing`, and `simd` remain inert or reserved unless admitted by their policy docs. `allow-wasm32-best-effort-wipe` is an explicit opt-in for wasm builds that accept compiler-fence-only cleanup; `allow-compiler-fence-only-wipe` is the equivalent opt-in for unsupported native architectures. AArch64 CSDB attestation uses the custom cfg `base64_ng_aarch64_csdb_attested`, not a Cargo feature, so `--all-features` cannot enable it accidentally. |
48+
| Feature flags | documented boundary | `tokio`, `kani`, `fuzzing`, and `simd` remain inert or reserved unless admitted by their policy docs. `allow-wasm32-best-effort-wipe` is an explicit opt-in for wasm builds that accept compiler-fence-only cleanup; `allow-compiler-fence-only-wipe` is the equivalent opt-in for unsupported native architectures. AArch64 CSDB attestation uses the custom cfg `base64_ng_aarch64_csdb_attested`, not a Cargo feature, so `--all-features` cannot enable it accidentally. High-assurance deployments may use custom cfg `base64_ng_require_high_assurance` to fail builds that enable `simd`. |
4949
| Error types | candidate stable | Encode, decode, and alphabet errors are recoverable and diagnostic without committing ct errors to localized detail. |
5050
| Macros and custom alphabets | documented boundary | Compile-time validation and conservative fixed-scan performance/security tradeoffs are explicit. |
5151

docs/CONSTANT_TIME.md

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,10 @@ payloads:
1717
```rust
1818
use base64_ng::ct;
1919

20+
let mut staging = [0u8; 32];
2021
let mut output = [0u8; 32];
21-
let written = ct::STANDARD.decode_slice_clear_tail(b"...", &mut output)?;
22+
let written = ct::STANDARD
23+
.decode_slice_staged_clear_tail(b"...", &mut output, &mut staging)?;
2224
```
2325

2426
The API should be separate from the default strict decoder so users can choose
@@ -62,6 +64,19 @@ require_backend_policy(BackendPolicy::HighAssuranceScalarOnly)
6264
.expect("base64-ng posture check failed: CT gate not attested on this core");
6365
```
6466

67+
Deployments that want a compile-time fail-closed guard can also build with the
68+
custom cfg `base64_ng_require_high_assurance`. That cfg rejects builds where
69+
the `simd` feature is enabled:
70+
71+
```sh
72+
RUSTFLAGS="--cfg base64_ng_require_high_assurance" cargo build --no-default-features
73+
```
74+
75+
This is a custom cfg rather than a Cargo feature so normal `--all-features`
76+
release evidence and docs.rs builds can continue to exercise every public
77+
feature. Treat the cfg as a deployment policy assertion and keep the runtime
78+
`require_backend_policy(BackendPolicy::HighAssuranceScalarOnly)` startup gate.
79+
6580
`HighAssuranceScalarOnly` is still a build and target posture assertion. On
6681
AArch64, the crate emits `isb sy` plus the CSDB hint for the CT result gate.
6782
By default this reports `CtGatePosture::HardwareSpeculationBarrierUnattested`

docs/CRATE_VERSION_MATRIX.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,11 @@ sets.
1010
The `1.3.6` release keeps the workspace crate family synchronized. The main
1111
crate and all companion crates carry the companion README header refresh so
1212
crate pages share the project image, core documentation links, and a
13-
crate-specific one-line summary. No encode/decode logic, SIMD admission scope,
14-
or runtime dependency posture changes in this release.
13+
crate-specific one-line summary. The main crate also moves the top
14+
constant-time guide example to staged decode and adds the custom
15+
`base64_ng_require_high_assurance` cfg so deployments can fail builds that
16+
combine a high-assurance posture assertion with `simd`. No encode/decode logic,
17+
SIMD admission scope, or runtime dependency posture changes in this release.
1518

1619
| Crate | Version | Publish In 1.3.6 | Cargo |
1720
| --- | --- | --- | --- |

docs/TRUST.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ stable release.
1111
| Active release toolchain | Rust `1.96.1`; MSRV remains Rust `1.90.0` | `rust-toolchain.toml`, `scripts/ci_install_rust.sh` |
1212
| Runtime dependencies | Zero external crates in the core package; optional companion crates are separate opt-in packages | `scripts/validate-dependencies.sh`, `scripts/check_companion_crates.sh` |
1313
| Default dev dependencies | Zero external crates | `Cargo.toml` |
14-
| Optional runtime features | `alloc`, `std`, `stream`; `allow-wasm32-best-effort-wipe` explicit wasm cleanup-limit acceptance; `allow-compiler-fence-only-wipe` explicit unsupported-native cleanup-limit acceptance; reserved `simd`, `tokio`, `kani`, `fuzzing`. AArch64 CSDB attestation uses custom cfg `base64_ng_aarch64_csdb_attested`, not a feature. | `Cargo.toml`, `scripts/check_reserved_features.sh`, `scripts/check_wasm_wipe_policy.sh` |
14+
| Optional runtime features | `alloc`, `std`, `stream`; `allow-wasm32-best-effort-wipe` explicit wasm cleanup-limit acceptance; `allow-compiler-fence-only-wipe` explicit unsupported-native cleanup-limit acceptance; reserved `simd`, `tokio`, `kani`, `fuzzing`. AArch64 CSDB attestation uses custom cfg `base64_ng_aarch64_csdb_attested`, not a feature. High-assurance deployments may set custom cfg `base64_ng_require_high_assurance` to make `simd` a compile-time error. | `Cargo.toml`, `scripts/check_reserved_features.sh`, `scripts/check_wasm_wipe_policy.sh` |
1515
| Unsafe policy | Scalar encode/decode remains safe Rust; audited unsafe is limited to volatile wiping, constant-time comparison, CT alphabet scan and result-gate barriers, and the reviewed SIMD boundary; runtime unsafe-boundary reports are conservative and mark SIMD-enabled builds as not high-assurance-boundary-enforced | `src/cleanup.rs`, `src/ct/`, `src/simd/`, `docs/UNSAFE.md` |
1616
| Active backend | Scalar by default; std x86/x86_64 AVX-512 VBMI encode preferred, then AVX2, then SSSE3/SSE4.1 encode, plus little-endian std aarch64 NEON encode, when `simd` is enabled and platform checks pass. Strict decode has a separate runtime report method and may use std x86/x86_64 AVX-512 VBMI, AVX2, SSSE3/SSE4.1, or little-endian std aarch64 NEON. wasm32 binaries compiled with `target-feature=+simd128`, `simd`, and `allow-wasm32-best-effort-wipe` may use the admitted narrow wasm `simd128` encode and strict-decode backend. | `runtime::backend_report()` tests |
1717
| SIMD status | AVX-512 VBMI, AVX2, SSSE3/SSE4.1, NEON, and narrow wasm `simd128` encode admitted for Standard and URL-safe alphabet families; AVX-512 VBMI, AVX2, SSSE3/SSE4.1, NEON, and narrow wasm `simd128` strict decode admitted for the documented runtime profiles. Wrapped and legacy decode may enter the admitted strict decode backend only after scalar line-profile validation, line-ending compaction, or legacy-whitespace compaction. Strict in-place encode and decode may enter admitted backends only after stack staging. Custom-alphabet, CT secret, big-endian AArch64, RISC-V RVV, broader wasm/browser, and `no_std` acceleration remain prototype-only or scalar. | `docs/SIMD.md` |

release-crates.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ previous_version = "1.3.5"
77
version = "1.3.6"
88
change = "dependency"
99
publish = true
10-
reason = "Publishes the 1.3.6 family patch with synchronized crate versions and refreshed companion crate README headers."
10+
reason = "Publishes the 1.3.6 family patch with synchronized crate versions, refreshed companion crate README headers, staged CT decode docs, and a high-assurance compile cfg guard."
1111

1212
[crates."base64-ng-sanitization"]
1313
previous_version = "1.3.5"

release-notes/RELEASE_NOTES_1.3.6.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,15 @@ the `base64-ng` crate family.
1010
image, core documentation links, and crate-specific one-line summaries.
1111
- Updated public examples and migration snippets to reference the `1.3.6`
1212
crate family.
13+
- Moved the top constant-time guide example to
14+
`decode_slice_staged_clear_tail` so shared-memory and HSM-adjacent users see
15+
the staged decode pattern first.
16+
- Added the custom `base64_ng_require_high_assurance` cfg. When set, builds
17+
that also enable `simd` fail at compile time.
1318

1419
## Notes
1520

1621
No encode/decode logic, SIMD admission scope, target evidence posture, unsafe
17-
boundary, or runtime dependency policy changes in this release.
22+
boundary, or runtime dependency policy changes in this release. The
23+
high-assurance guard is a custom cfg, not a Cargo feature, so normal
24+
`--all-features` release evidence and docs.rs builds remain usable.

scripts/checks.sh

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,14 @@ scripts/check_companion_crates.sh
3333
echo "checks: reserved feature placeholders"
3434
scripts/check_reserved_features.sh
3535

36+
echo "checks: high-assurance cfg"
37+
RUSTFLAGS="--cfg base64_ng_require_high_assurance" cargo check --no-default-features --lib
38+
if RUSTFLAGS="--cfg base64_ng_require_high_assurance" cargo check --no-default-features --features simd --lib; then
39+
echo "high-assurance cfg: expected simd combination to fail" >&2
40+
exit 1
41+
fi
42+
echo "high-assurance cfg: ok"
43+
3644
echo "checks: unsafe boundary"
3745
scripts/validate-unsafe-boundary.sh
3846

0 commit comments

Comments
 (0)