Update tests to register DMA allow lists for fail-closed default-deny behavior

Author: jackctj117

test/wh_test_dma.c

@@ -65,11 +65,11 @@ static int whTest_DmaAllowListBasic(void)
         (void*)((uintptr_t)0x10000), 0);
     WH_TEST_ASSERT_RETURN(rc == WH_ERROR_BADARGS);
 
-    WH_TEST_PRINT("  Testing NULL allowlist passthrough...\n");
+    WH_TEST_PRINT("  Testing NULL allowlist denial (fail-closed)...\n");
     rc = wh_Dma_CheckMemOperAgainstAllowList(
         NULL, WH_DMA_OPER_CLIENT_READ_PRE,
         (void*)((uintptr_t)0x10000), 0x1000);
-    WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+    WH_TEST_ASSERT_RETURN(rc == WH_ERROR_ACCESS);
 
     return WH_ERROR_OK;
 }

test/wh_test_multiclient.c

@@ -442,13 +442,32 @@ static int _testGlobalKeyDma(whClientContext* client1, whServerContext* server1,
     int      ret;
     whKeyId  keyId1       = WH_CLIENT_KEYID_MAKE_GLOBAL(DUMMY_KEYID_1);
     whKeyId  keyId2       = WH_CLIENT_KEYID_MAKE_GLOBAL(DUMMY_KEYID_2);
-    uint8_t  keyData1[32] = "GlobalDmaCacheTestKey123456!";
-    uint8_t  keyData2[32] = "GlobalDmaExportTestKey12345!";
-    uint8_t  outBuf[32]  = {0};
+    /* Use static buffers so addresses are stable for DMA allow list */
+    static uint8_t  keyData1[32];
+    static uint8_t  keyData2[32];
+    static uint8_t  outBuf[32];
     uint8_t  label[WH_NVM_LABEL_LEN];
     uint16_t labelSz = sizeof(label);
     uint16_t outSz;
 
+    static whServerDmaAddrAllowList dmaAllowList = {0};
+
+    memcpy(keyData1, "GlobalDmaCacheTestKey123456!", 28);
+    memcpy(keyData2, "GlobalDmaExportTestKey12345!", 28);
+    memset(outBuf, 0, sizeof(outBuf));
+
+    /* Register DMA allow list for both servers */
+    dmaAllowList.readList[0].addr  = keyData1;
+    dmaAllowList.readList[0].size  = sizeof(keyData1);
+    dmaAllowList.readList[1].addr  = keyData2;
+    dmaAllowList.readList[1].size  = sizeof(keyData2);
+    dmaAllowList.writeList[0].addr = outBuf;
+    dmaAllowList.writeList[0].size = sizeof(outBuf);
+    WH_TEST_RETURN_ON_FAIL(
+        wh_Server_DmaRegisterAllowList(server1, &dmaAllowList));
+    WH_TEST_RETURN_ON_FAIL(
+        wh_Server_DmaRegisterAllowList(server2, &dmaAllowList));
+
     WH_TEST_PRINT("Test: DMA operations with global keys\n");
 
     /* Part 1: Cache via DMA, export via regular */

test/wh_test_posix_threadsafe_stress.c

@@ -501,6 +501,10 @@ typedef struct {
     /* Per-client DMA buffers */
     uint8_t dmaKeyBuffer[KEY_DATA_SIZE];
     uint8_t dmaNvmBuffer[NVM_OBJECT_DATA_SIZE];
+    whNvmMetadata dmaNvmMeta;
+    /* DMA configuration */
+    whServerDmaConfig        dmaConfig;
+    whServerDmaAddrAllowList dmaAllowList;
 #endif
 } ClientServerPair;
 
@@ -654,6 +658,26 @@ static int initClientServerPair(StressTestContext* ctx, int pairIndex)
     pair->serverConfig.crypto      = &pair->cryptoCtx;
     pair->serverConfig.devId       = INVALID_DEVID;
 
+#ifdef WOLFHSM_CFG_DMA
+    /* Configure DMA allow list for this pair's buffers */
+    memset(&pair->dmaAllowList, 0, sizeof(pair->dmaAllowList));
+    pair->dmaAllowList.readList[0].addr = pair->dmaKeyBuffer;
+    pair->dmaAllowList.readList[0].size = sizeof(pair->dmaKeyBuffer);
+    pair->dmaAllowList.readList[1].addr = pair->dmaNvmBuffer;
+    pair->dmaAllowList.readList[1].size = sizeof(pair->dmaNvmBuffer);
+    pair->dmaAllowList.readList[2].addr = &pair->dmaNvmMeta;
+    pair->dmaAllowList.readList[2].size = sizeof(pair->dmaNvmMeta);
+
+    pair->dmaAllowList.writeList[0].addr = pair->dmaKeyBuffer;
+    pair->dmaAllowList.writeList[0].size = sizeof(pair->dmaKeyBuffer);
+    pair->dmaAllowList.writeList[1].addr = pair->dmaNvmBuffer;
+    pair->dmaAllowList.writeList[1].size = sizeof(pair->dmaNvmBuffer);
+
+    memset(&pair->dmaConfig, 0, sizeof(pair->dmaConfig));
+    pair->dmaConfig.dmaAddrAllowList = &pair->dmaAllowList;
+    pair->serverConfig.dmaConfig     = &pair->dmaConfig;
+#endif
+
     /* Initialize client in the main thread to avoid concurrent calls to
      * wolfCrypt_Init() and wc_CryptoCb_RegisterDevice() */
     rc = wh_Client_Init(&pair->client, &pair->clientConfig);
@@ -1191,24 +1215,24 @@ static int doKeyExportDma(ClientServerPair* pair, whKeyId keyId)
 
 static int doNvmAddObjectDma(ClientServerPair* pair, whNvmId id, int iteration)
 {
-    whNvmMetadata meta;
-    int32_t       out_rc;
-    int           rc;
+    int32_t out_rc;
+    int     rc;
 
     /* Fill DMA buffer with pattern */
     memset(pair->dmaNvmBuffer, (uint8_t)(iteration & 0xFF),
            sizeof(pair->dmaNvmBuffer));
 
-    /* Set up metadata */
-    memset(&meta, 0, sizeof(meta));
-    meta.id     = id;
-    meta.access = WH_NVM_ACCESS_ANY;
-    meta.flags  = WH_NVM_FLAGS_USAGE_ANY;
-    meta.len    = sizeof(pair->dmaNvmBuffer);
+    /* Set up metadata in pair struct so address is in the DMA allow list */
+    memset(&pair->dmaNvmMeta, 0, sizeof(pair->dmaNvmMeta));
+    pair->dmaNvmMeta.id     = id;
+    pair->dmaNvmMeta.access = WH_NVM_ACCESS_ANY;
+    pair->dmaNvmMeta.flags  = WH_NVM_FLAGS_USAGE_ANY;
+    pair->dmaNvmMeta.len    = sizeof(pair->dmaNvmBuffer);
 
     /* Send DMA request */
     rc = wh_Client_NvmAddObjectDmaRequest(
-        &pair->client, &meta, sizeof(pair->dmaNvmBuffer), pair->dmaNvmBuffer);
+        &pair->client, &pair->dmaNvmMeta, sizeof(pair->dmaNvmBuffer),
+        pair->dmaNvmBuffer);
     if (rc != WH_ERROR_OK) {
         return rc;
     }