Add task named 'attest' to acts as the root of trust for reporting.

[flihp]

This task is currently limited to producing a cert chain from the Alias cert back to either the last intermediate before the root (dice-mfg) or a self-signed identity cert (dice-self). A matching PR to humility will provide an interface to extract these certs & provide a nice interface (PEM encoding, combined cert chain etc).

[cbiffle]

I should get around to making this the default, but could I encourage you to apply

encoding: Hubpack,

to each operation in any new IDL interface? It will let you use more flexible argument and error types.

[cbiffle]

FWIW, should you elect to turn on encoding: Hubpack, this type will need to change in the following ways:

1. add derive(Serialize, Deserialize, hubpack::SerializedSize)
2. remove IdolError, FromPrimitive, #[repr(u32)]
3. no longer needs explicit discriminator values.

[cbiffle]

nit: you wound up naming that crate attest-api.

[cbiffle]

If the cert data cannot be loaded, this will cause your task to restart forever, starving all tasks at lower priorities. That's not good.

I recommend instead changing the content of the Server to Option and providing a way of indicating "could not load certs" in the IPC API.

[flihp]

oof that's bad test coverage on my part.

[flihp]

ran across a small bug in lib-lpc55-rot-startup dependencies while testing this: #1402

[flihp]

Implementing this was mostly straight forward. The only bit I'm not wild about is the repetitive code required to pull data out of the handoff ram. I took a swing at implementing a generic function but I couldn't convince the compiler that a ref to the contents of the MaybeUninit was a byte slice.

[cbiffle]

You're doing a somewhat subtle thing here that I think should get added to the comment (because I had to cursor around and convince myself it was correct).

By assigning a link_section you're saying you want this placed in an area of memory -- not at the base of that memory. However, the app config (and thus the linker script) sizes these two sections of memory such that they're exactly the size of these statics. This should ensure that they're placed at the base of the section.

So, I'd mention that intent in the comment, lest someone adjust it later and cause this to become invalid.

This would probably be better served by the extern-regions facility, which helps to avoid this class of thing.

[flihp]

I've added this comment and I'll admit I didn't fully understand the subtlety of the behavior. I'll start looking into replacing this with the extern-regions mechanism as you suggest. If that comes together before this PR gets approved I'll add another commit for it.

[flihp]

Spent some time reading up on the extern-regions stuff over the last few days. This PR has been updated to replace the existing code using link_sections with extern-regions. This took a bit more stack space but there's probably ways to reduce that if necessary (mut statics?).

[flihp]

CI isn't running on this PR, probably caused by the conflicts noted. Rebasing during a review is often frowned upon so I'll hold off fixing these conflicts unless requested.

[flihp]

gah formatting

[github-actions]

license-eye has totally checked 487 files.

Valid	Invalid	Ignored	Fixed
486	1	0	0

Click to see the invalid file list

• task/attest/src/config.rs

[flihp]

and again with my bad license text fixed

[flihp]

oxide-rot-1/app-dev.toml builds fine for me locally but fails in CI needing more flash. Not sure I have any option but to YOLO larger flash values at CI till it works.