chore: Reorganize memfd secret policy

- Policy is now set in main.rs, not cli.rs. - Feature is called experiment_memfd_secret, not enable_memfd_alloc This also fixes the last remaining warnings.
2025-12-12 07:40:30 -08:00 · 2024-08-03 15:06:58 +02:00
parent 648a94ead8
commit 8d3c8790fe
6 changed files with 24 additions and 14 deletions
--- a/rosenpass/Cargo.toml
+++ b/rosenpass/Cargo.toml
@@ -53,5 +53,5 @@ procspawn = {workspace = true}

 [features]
 enable_broker_api = ["rosenpass-wireguard-broker/enable_broker_api"]
-enable_memfd_alloc = []
+experiment_memfd_secret = []
 experiment_libcrux = ["rosenpass-ciphers/experiment_libcrux"]
--- a/rosenpass/src/cli.rs
+++ b/rosenpass/src/cli.rs
@@ -3,9 +3,6 @@ use clap::{Parser, Subcommand};
 use rosenpass_cipher_traits::Kem;
 use rosenpass_ciphers::kem::StaticKem;
 use rosenpass_secret_memory::file::StoreSecret;
-use rosenpass_secret_memory::{
-    secret_policy_try_use_memfd_secrets, secret_policy_use_only_malloc_secrets,
-};
 use rosenpass_util::file::{LoadValue, LoadValueB64, StoreValue};
 use rosenpass_wireguard_broker::brokers::native_unix::{
    NativeUnixBroker, NativeUnixBrokerConfigBaseBuilder, NativeUnixBrokerConfigBaseBuilderError,
@@ -158,13 +155,6 @@ impl CliCommand {
    /// ## TODO
    /// - This method consumes the [`CliCommand`] value. It might be wise to use a reference...
    pub fn run(self, test_helpers: Option<AppServerTest>) -> anyhow::Result<()> {
-        //Specify secret policy
-
-        #[cfg(feature = "enable_memfd_alloc")]
-        secret_policy_try_use_memfd_secrets();
-        #[cfg(not(feature = "enable_memfd_alloc"))]
-        secret_policy_use_only_malloc_secrets();
-
        use CliCommand::*;
        match self {
            Man => {
--- a/rosenpass/src/main.rs
+++ b/rosenpass/src/main.rs
@@ -8,6 +8,14 @@ pub fn main() {
    // parse CLI arguments
    let args = CliArgs::parse();

+    {
+        use rosenpass_secret_memory as SM;
+        #[cfg(feature = "experiment_memfd_secret")]
+        SM::secret_policy_try_use_memfd_secrets();
+        #[cfg(not(feature = "experiment_memfd_secret"))]
+        SM::secret_policy_use_only_malloc_secrets();
+    }
+
    // init logging
    {
        let mut log_builder = env_logger::Builder::from_default_env(); // sets log level filter from environment (or defaults)
--- a/rosenpass/tests/integration_test.rs
+++ b/rosenpass/tests/integration_test.rs
@@ -15,9 +15,19 @@ use std::io::Write;

 const BIN: &str = "rosenpass";

+fn setup_tests() {
+    use rosenpass_secret_memory as SM;
+    #[cfg(feature = "experiment_memfd_secret")]
+    SM::secret_policy_try_use_memfd_secrets();
+    #[cfg(not(feature = "experiment_memfd_secret"))]
+    SM::secret_policy_use_only_malloc_secrets();
+}
+
 // check that we can generate keys
 #[test]
 fn generate_keys() {
+    setup_tests();
+
    let tmpdir = PathBuf::from(env!("CARGO_TARGET_TMPDIR")).join("keygen");
    fs::create_dir_all(&tmpdir).unwrap();

@@ -134,6 +144,7 @@ fn run_server_client_exchange(
 #[test]
 #[serial]
 fn check_exchange_under_normal() {
+    setup_tests();
    setup_logging();

    let tmpdir = PathBuf::from(env!("CARGO_TARGET_TMPDIR")).join("exchange");
@@ -206,6 +217,7 @@ fn check_exchange_under_normal() {
 #[test]
 #[serial]
 fn check_exchange_under_dos() {
+    setup_tests();
    setup_logging();

    //Generate binary with responder with feature integration_test
--- a/rp/Cargo.toml
+++ b/rp/Cargo.toml
@@ -39,5 +39,5 @@ tempfile = {workspace = true}
 stacker = {workspace = true}

 [features]
-enable_memfd_alloc = []
+experiment_memfd_secret = []
 experiment_libcrux = ["rosenpass-ciphers/experiment_libcrux"]
--- a/rp/src/main.rs
+++ b/rp/src/main.rs
@@ -11,9 +11,9 @@ mod key;

 #[tokio::main]
 async fn main() {
-    #[cfg(feature = "enable_memfd_alloc")]
+    #[cfg(feature = "experiment_memfd_secret")]
    policy::secret_policy_try_use_memfd_secrets();
-    #[cfg(not(feature = "enable_memfd_alloc"))]
+    #[cfg(not(feature = "experiment_memfd_secret"))]
    policy::secret_policy_use_only_malloc_secrets();

    let cli = match Cli::parse(std::env::args().peekable()) {