arch: modify or add safety comments

Signed-off-by: Wei Liu <liuwe@microsoft.com>

arch/src/lib.rs

@@ -99,7 +99,7 @@ pub use x86_64::{
 #[cfg(target_arch = "x86_64")]
 #[inline(always)]
 fn pagesize() -> usize {
-    // Trivially safe
+    // SAFETY: Trivially safe
     unsafe { libc::sysconf(libc::_SC_PAGESIZE) as usize }
 }
 

arch/src/x86_64/mod.rs

@@ -125,9 +125,11 @@ struct MemmapTableEntryWrapper(hvm_memmap_table_entry);
 #[derive(Copy, Clone, Default)]
 struct ModlistEntryWrapper(hvm_modlist_entry);
 
-// SAFETY: These data structures only contain a series of integers
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for StartInfoWrapper {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for MemmapTableEntryWrapper {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for ModlistEntryWrapper {}
 
 // This is a workaround to the Rust enforcement specifying that any implementation of a foreign
@@ -661,6 +663,7 @@ pub fn generate_common_cpuid(
     // Copy CPU identification string
     for i in 0x8000_0002..=0x8000_0004 {
         cpuid.retain(|c| c.function != i);
+        // SAFETY: call cpuid with valid leaves
         let leaf = unsafe { std::arch::x86_64::__cpuid(i) };
         cpuid.push(CpuIdEntry {
             function: i,
@@ -1011,6 +1014,7 @@ pub fn initramfs_load_addr(
 }
 
 pub fn get_host_cpu_phys_bits() -> u8 {
+    // SAFETY: call cpuid with valid leaves
     unsafe {
         let leaf = x86_64::__cpuid(0x8000_0000);
 
@@ -1121,6 +1125,7 @@ fn update_cpuid_sgx(
 
     // Get host CPUID for leaf 0x12, subleaf 0x2. This is to retrieve EPC
     // properties such as confidentiality and integrity.
+    // SAFETY: call cpuid with valid leaves
     let leaf = unsafe { std::arch::x86_64::__cpuid_count(0x12, 0x2) };
 
     for (i, epc_section) in epc_sections.iter().enumerate() {

arch/src/x86_64/mptable.rs

@@ -37,11 +37,17 @@ struct MpfIntelWrapper(mpspec::mpf_intel);
 
 // SAFETY: These `mpspec` wrapper types are only data, reading them from data is a safe initialization.
 unsafe impl ByteValued for MpcBusWrapper {}
+// SAFETY: see above
 unsafe impl ByteValued for MpcCpuWrapper {}
+// SAFETY: see above
 unsafe impl ByteValued for MpcIntsrcWrapper {}
+// SAFETY: see above
 unsafe impl ByteValued for MpcIoapicWrapper {}
+// SAFETY: see above
 unsafe impl ByteValued for MpcTableWrapper {}
+// SAFETY: see above
 unsafe impl ByteValued for MpcLintsrcWrapper {}
+// SAFETY: see above
 unsafe impl ByteValued for MpfIntelWrapper {}
 
 #[derive(Debug)]
@@ -95,7 +101,7 @@ const CPU_FEATURE_APIC: u32 = 0x200;
 const CPU_FEATURE_FPU: u32 = 0x001;
 
 fn compute_checksum<T: Copy>(v: &T) -> u8 {
-    // Safe because we are only reading the bytes within the size of the `T` reference `v`.
+    // SAFETY: we are only reading the bytes within the size of the `T` reference `v`.
     let v_slice = unsafe { slice::from_raw_parts(v as *const T as *const u8, mem::size_of::<T>()) };
     let mut checksum: u8 = 0;
     for i in v_slice.iter() {

arch/src/x86_64/smbios.rs

@@ -67,7 +67,7 @@ const PCI_SUPPORTED: u64 = 1 << 7;
 const IS_VIRTUAL_MACHINE: u8 = 1 << 4;
 
 fn compute_checksum<T: Copy>(v: &T) -> u8 {
-    // Safe because we are only reading the bytes within the size of the `T` reference `v`.
+    // SAFETY: we are only reading the bytes within the size of the `T` reference `v`.
     let v_slice = unsafe { slice::from_raw_parts(v as *const T as *const u8, mem::size_of::<T>()) };
     let mut checksum: u8 = 0;
     for i in v_slice.iter() {
@@ -145,11 +145,15 @@ struct SmbiosEndOfTable {
     handle: u16,
 }
 
-// SAFETY: These data structures only contain a series of integers
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for Smbios30Entrypoint {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for SmbiosBiosInfo {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for SmbiosSysInfo {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for SmbiosOemStrings {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for SmbiosEndOfTable {}
 
 fn write_and_incr<T: ByteValued>(

arch/src/x86_64/tdx/mod.rs

@@ -80,7 +80,7 @@ pub fn parse_tdvf_sections(file: &mut File) -> Result<Vec<TdvfSection>, TdvfErro
         .map_err(TdvfError::ReadDescriptor)?;
 
     let mut descriptor: TdvfDescriptor = Default::default();
-    // Safe as we read exactly the size of the descriptor header
+    // SAFETY: we read exactly the size of the descriptor header
     file.read_exact(unsafe {
         std::slice::from_raw_parts_mut(
             &mut descriptor as *mut _ as *mut u8,
@@ -107,7 +107,7 @@ pub fn parse_tdvf_sections(file: &mut File) -> Result<Vec<TdvfSection>, TdvfErro
     let mut sections = Vec::new();
     sections.resize_with(descriptor.num_sections as usize, TdvfSection::default);
 
-    // Safe as we read exactly the advertised sections
+    // SAFETY: we read exactly the advertised sections
     file.read_exact(unsafe {
         std::slice::from_raw_parts_mut(
             sections.as_mut_ptr() as *mut u8,
@@ -211,12 +211,17 @@ struct TdPayload {
     payload_info: PayloadInfo,
 }
 
-// SAFETY: These data structures only contain a series of integers
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for HobHeader {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for HobHandoffInfoTable {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for HobResourceDescriptor {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for HobGuidType {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for PayloadInfo {}
+// SAFETY: data structure only contain a series of integers
 unsafe impl ByteValued for TdPayload {}
 
 pub struct TdHob {