stm32: crash w/ "unapproved destination" in ENFORCING mode

Summary

vls-hsmd (vls-v0.11.0-rc.1-50-g74569c2-dirty)
 ab4ea82638b1d49e206e6637ae2211010534bf32 lightning (v24.02.1-18-gab4ea8263)
+2aabda19e0d248ba29f6af3b75f61318741a6439 vls (v0.11.0-62-g2aabda19)

(this is on the 2024-03-demo-fixes branch but is probably on main as well)

Reproduce:

  1. launch stm32, set mode to ENFORCING
  2. run:
     make test-one VLS_MODE=cln:serial TEST=tests/test_plugin.py::test_forward_event_notification VLS_SERIAL_SELECT=2

Crash

227834 demo_signer INFO - starting dbid:   0, SignAnchorspend         , 241KB heap free
227865 vls_protocol_signer::approver INFO - rejected onchain tx with unknown outputs
227877 vls_protocol_signer::handler ERROR - Signing(Status { code: FailedPrecondition, message: "unapproved destination" })
panicked at 'handle: Signing(Status { code: FailedPrecondition, message: "unapproved destination" })', src/demo_signer_main.rs:299:42
────────────────────────────────────────────────────────────────────────────────
stack backtrace:
   0: HardFaultTrampoline
      <exception entry>
   1: lib::inline::__udf
        at ./asm/inline.rs:181:5
   2: __udf
        at ./asm/lib.rs:51:17
   3: cortex_m::asm::udf
        at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/cortex-m-0.7.7/src/asm.rs:43:5
   4: rust_begin_unwind
        at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/panic-probe-0.2.1/src/lib.rs:76:9
   5: core::panicking::panic_fmt
        at /rustc/96ddd32c4bfb1d78f0cd03eb068b1710a8cebeef/library/core/src/panicking.rs:65:14
   6: core::result::unwrap_failed
        at /rustc/96ddd32c4bfb1d78f0cd03eb068b1710a8cebeef/library/core/src/result.rs:1791:5
   7: core::result::Result<T,E>::expect
        at /rustc/96ddd32c4bfb1d78f0cd03eb068b1710a8cebeef/library/core/src/result.rs:1070:23
   8: demo_signer::handle_requests
        at src/demo_signer_main.rs:299:13
   9: demo_signer::start_normal_mode
        at src/demo_signer_main.rs:161:5
  10: demo_signer::__cortex_m_rt_main
        at src/demo_signer_main.rs:78:40
  11: main
        at src/demo_signer_main.rs:64:1
  12: Reset
(HOST) ERROR the program panicked

Probably relevant: /vls/vls-signer-stm32/src/approver.rs:89

    // The stm32 approver refuses every onchain tx that has outputs the signer
    // does not recognise, which is what surfaces as "unapproved destination".
    fn approve_onchain(
        &self,
        _tx: &Transaction,
        _values_sat: &[TxOut],
        _unknown_indices: &[usize],
    ) -> bool {
        false
    }

But why does SignAnchorspend generate an unapproved destination? This might be a bug.
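To make the failure path concrete, here is an added, self-contained model of the approver and handler step; it is not code from the vls or vls-signer-stm32 crates, and `TxOut`, `Transaction`, `Status`, `Allowlist` and `unknown_outputs` are simplified stand-ins assumed for this illustration. It shows the reject-all approver producing the same `FailedPrecondition` status seen in the log, an allowlist approver as one shape a demo-signer `approve_onchain` could take, and the rejection returned as a `Result` instead of being unwrapped, which is what turns it into a hard fault at `demo_signer_main.rs:299`.

```rust
// Constructed model of the approve_onchain path; not the project's own code.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Code { FailedPrecondition }

#[derive(Debug, PartialEq)]
pub struct Status { pub code: Code, pub message: String }

/// Simplified stand-in for a bitcoin TxOut: value plus destination script bytes.
pub struct TxOut { pub value_sat: u64, pub script_pubkey: Vec<u8> }
pub struct Transaction { pub outputs: Vec<TxOut> }

/// Indices of outputs that do not pay a script the signer's wallet knows.
pub fn unknown_outputs(tx: &Transaction, wallet: &HashSet<Vec<u8>>) -> Vec<usize> {
    tx.outputs.iter().enumerate()
        .filter(|(_, o)| !wallet.contains(&o.script_pubkey))
        .map(|(i, _)| i).collect()
}

pub trait Approver {
    /// May a tx whose outputs at `unknown` are not wallet outputs still be signed?
    fn approve_onchain(&self, tx: &Transaction, unknown: &[usize]) -> bool;
}

/// The stm32 signer's current behaviour: never approve unknown outputs.
pub struct RejectAll;
impl Approver for RejectAll {
    fn approve_onchain(&self, _tx: &Transaction, _unknown: &[usize]) -> bool { false }
}

/// Assumed alternative: approve only if every unknown output pays an
/// operator-allowlisted script.
pub struct Allowlist { pub scripts: HashSet<Vec<u8>> }
impl Approver for Allowlist {
    fn approve_onchain(&self, tx: &Transaction, unknown: &[usize]) -> bool {
        unknown.iter().all(|&i| self.scripts.contains(&tx.outputs[i].script_pubkey))
    }
}

/// Handler step: surface the rejection as a Status instead of expect()-ing it,
/// so the signer keeps serving requests rather than panicking into HardFault.
pub fn sign_onchain(a: &dyn Approver, tx: &Transaction, unknown: &[usize]) -> Result<(), Status> {
    if unknown.is_empty() || a.approve_onchain(tx, unknown) {
        Ok(())
    } else {
        Err(Status { code: Code::FailedPrecondition, message: "unapproved destination".into() })
    }
}
```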

TODO:

  • Add approve_onchain for demo_signer
  • Understand whether anchor destinations should require approval
Edited by Ken Sedgwick