Commit Graph

9800 Commits

Author SHA1 Message Date
Martin Stein
02ef158748 gems: add autopilot test 'file_vault_client'
The script tests the use of an encrypted file system that is created and
provided via the File Vault.

Furthermore the script can be used for test-driving existing File-Vault
containers (created with potentially older File-Vault versions) under the
current File-Vault version. This is done via the "LX_FS_DIR_TEMPLATE"
env variable.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
fb2d153c92 tresor: check hash of all read vba data
During one of the many re-factorization steps that were applied to the Tresor
library and its predecessor, the CBE library, one of the main features of the
project, the integrity check, accidentally received a grave regression. The
most recent version of the Tresor still used to check all hashes of meta-data
blocks but ignored the hashes of the actual data blocks.

With this commit, the hashes of all but yet uninitialized data blocks get
checked. The reason for ignoring uninitialized blocks is that they are not
actually read from disc but simply generated as an all-zeros block in the
driver in order to prevent having to initialize them all to zero in
Tresor-Init. That said, the integrity of these blocks cannot be compomised.
The according hashes in the meta data remain unset until the data block gets
written for the first time.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
cf72499919 tresor: unused args at "R/W client data" at blk IO
The request classes Block_io::Read_client_data and Block_io::Write_client_data
used to receive a block reference for no reason. This commit removes these
args.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
bcd82b7e75 tresor: revive and test app/tresor_check
The tresor_check tool became outdated back when the Tresor project was created
by re-writing its predecessor, the CBE, in C++. At this time, the check tool
was merely renamed but not updated. As there was also no autopilot test for the
tool, the tool remained outdated.

This commit rewrites the tool for the most recent Tresor version and adds an
autopilot test.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
d8a71e5978 tresor: improved module framework and clean-up
* Make command pool a proper module
  * The command pool used to be kind of a module but it was driven via custom
    tresor-tester specific code. Now, it becomes a proper module that
    is driven by the module framework instead.
  * Move the code for creating and handling the module-execution progress flag
    into Module_composition::execute_modules as the function is always used with
    this code surrounding it.

* Reorganize files, remove deprecated files

* A new class Module_channel is introduced in the module framework and all
  channel classes inherit from it. With that class in place, the formerly
  module-specific implementations of the following methods are replaced by
  new generic implementations in the Module framework:

  * ready_to_submit_request
  * submit_request
  * _peek_completed_request
  * _drop_completed_request
  * _peek_generated_request
  * _drop_generated_request
  * generated_request_complete

* Module requests are now held for the duration of their lifetime at the
  module they originate from and not, like before, at their target module. As
  a result, modules can generate new requests inline (without having to wait
  for the target module), making code much simpler to read, reducing the amount
  of channel state, and allowing for non-copyable request types.

* Introduce a sub-state-machine for securing a superblock in the
  superblock_control module in order to reduce redundancy.

* Some modules, like free_tree, were completely re-designed in order to make
  them more readable.

* Replace all conditional exceptions by using the macros in
  tresor/assertion.h .

* Move methods that are used in multiple modules but that were implemented
  redundantly in each module to tresor/types.h.

* Remove verbosity node and all that was related to it from tresor tester
  config as the targeted verbosity can be achieved with the
  VERBOSE_MODULE_COMMUNICATION flag in tresor/verbosity.h .

* Extract the aspect of translating the byte-granular I/O-requests to
  tresor-block requests from the tresor VFS-plugin and move it to a new module
  called splitter.

* Rename the files and interface of the hashing back-end to not reflect the used
  hashing algorithm/config anymore, while at the same time making the hashing
  interface strict regarding the used types.

* Introduce the NONCOPYABLE macro that makes marking a class noncopyable short
  and clear.

* Replace the former tresor/vfs_utilities.h/.cc with a new tresor/file.h
  that contains the classes Read_write_file and Write_only_file. These classes
  significantly simplify the modules crypto, block_io, and trust_anchor by
  moving the details of file access to a sub-state machine.

* The former, rather trivial block allocator module is replaced by a normal
  object of type Pba_allocator that must be provided by the client of the
  Sb_initializer (reference in the Sb_initializer_request).

Ref #5062

tresor: read uninitialized vbas as all zeroes

Virtual addresses in a Tresor container that were not yet written by the user
should always return a data block that is all-zeroes. This was the concept
right from the beginning of the project. However, somehow this aspect either
never got implement or got lost along the way.

Some context for understanding the commit: The Tresor doesn't initialize the
payload data blocks of a container when creating a new container as this would
be rather expensive. Instead, it marks the leaf metadata nodes of the
virtual-block-device tree (those that reference the payload data blocks in
physical address space) with generation 0.

Now, this commit ensures that, whenever the virtual-block-device module reads
such a generation-0 leaf, instead of asking the block_io and crypto to deliver
data from disc, it directly provides the user with 4K of zeroes.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
82388f4389 tresor_tester.run: fix free tree exhaustion
The order of execution inside the Tresor lib slightly changed compared to the
previous CBE lib. AFAICT, this is nothing to worry about and related to the
now cleaner structuring. However, it can produce higher peak requirements
regarding the allocation pool in the Free Tree. Therefor, this commit extends
the dimensions of the Free Tree used in the test.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
801a779a88 tresor: support and test snapshot management
* Implement requests "create snapshot" and "discard snapshot" in tresor lib.
* Adapt tresor tester in order to test the new feature.
  * Remove temporary code from tresor tester that skipped such requests with
    the hint that they were not supported yet.
  * Add mandatory "id" attribute to <request op="create_snapshot"/> and
    <request op="discard_snapshot"/> tag. A "discard snapshot" command always
    refers to the snapshot created by the "create snapshot" command with the
    same "id" value.
  * Clean-up command pool a bit.

Fix #4971
2024-04-12 15:00:45 +02:00
Martin Stein
417fb4e108 tresor: fix bad hash update during rekeying in vbd
The re-keying state machine in the VBD module would use block data of the wrong
block for the hash update of an inner node in a certain circumstance.

On re-keying, the VBD iterates for a given VBA over all snapshots, beginning
with the newest and re-keys the VBA in each of the snapshots. At each snapshot
it therefore loads the branch of the VBA top-down, and then updates the branch
bottom-up. However, if loading a certain level of the branch of a certain
snapshot runs into the same physical block as with the last snapshot on this
level, the algorithm turns around and updates the branch from this point
upwards instead of going further down the whole way to the leaf. This is
because everything below this point has already been re-keyed in the course of
a newer snapshot.

The case where this turning around is not right above the leaf (i.e., the first
shared physical block is a metadata block) that's were the bug was located. In
this situation, we have to re-encode the highest shared metadata block into a
buffer again before starting to update. The update code acts as if the
mentioned block was just written back (which is true when going down all the
way to the leaf before updating) and consequently is present in the encoded
buffer.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
f8332ce587 tresor: fix <initialize> config constraints
Until now, it was possible to use bad Free-Tree/VBD configurations with the
<initialize/> command. The tresor tester didn't complaining about it but the
tresor lib crashed or, worse, corrupted the tresor container. Now, the tresor
tester checks things, like for instance, that "nr_of_children" must be a power
of 2.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
b44ffc9361 tresor: snap garbage collection on each request
The Superblock Control module now issues a snapshot garbage collection on each
incoming request. In return for that, the commit removes all calls to the
garbage collection from other modules.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
3eb5302ab0 tresor: no local impl. of snap garbage collection
Move the implementation of the snapshots garbage collection to the Snapshots
class and remove module-local duplicates.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
9605a60eac tresor: no local copy of snapshots in vbd module
The Virtual Block Device module used to create a local copy of the Snapshots
array respectively Snapshot root it received with an incoming request. After
finishing the VBD operation on the copy, the source module of the request
used to back-copy the resulting Snapshot array resp. Snapshot root. This is
not only less efficient than referencing but also allowed a bug to sneak into
the new C++ implementation.

In contrast to the old Ada/SPARK implementation (CBE), the new design doesn't
allow for global objects that can be accessed by any module without receiving a
reference in a module request. Therefore, the Free Tree module has to receive a
reference to a Snapshots array with each request in order to be able to use it.
In our case, these requests are allocations for a "Write" operation from the
VBD. However, the VBD itself receives only the one Snapshot required for
writing and therefore causes the Free Tree to make bad decisions on whether or
not a block can be re-allocated or not.

With this commit, the VBD always receive a reference to the whole Snapshots
array and also propagates it this way to the Free Tree.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
b49f052051 tresor: improve verbosity modes
* make array classes printable
* pba filter for block io verbosity
* streamline read/write/rekey verbosity

Ref #4971
2024-04-12 15:00:45 +02:00
Christian Prochaska
a187f15d8c sculpt: add gdb_x86 to distribution and index
Issue #5076
2024-04-12 15:00:45 +02:00
Christian Prochaska
7248c5cc23 sculpt: add terminal to index
Issue #5076
2024-04-12 15:00:45 +02:00
Christian Prochaska
90239c0787 ports: add 'gdb_support'
Fixes #5163
2024-04-12 15:00:44 +02:00
Christian Prochaska
2eae70d3cd os/vfs.h: add support for symlink creation
Fixes #5162
2024-04-12 15:00:44 +02:00
Pirmin Duss
7f1adbea46 lxip: provide dummy for send_sig
This is function gets called by some libssh applications using vms_lxip.

For the dummy implementation I looked at the old port.

Issue genodelabs#5161
Issue gapfruit#1976
2024-04-12 15:00:44 +02:00
Christian Helmuth
e0fe046ad3 Update tiled_wm test for tiled-console scenario
- always assign apps/overlay to targets (visible=true/false) to
  prevent 0x0 geometry, which is interpreted as close
- add QMenu as exampel to panel button
- use usb-tablet on Qemu
2024-04-12 15:00:44 +02:00
Christian Helmuth
c27d04e338 window_layouter: "visible" assign-node attribute
Per default, windows assigned to targets are visible, which can be
changed with the new boolean "visible" attribute. Thus, window can be
hidden without changing their geometry.
2024-04-12 15:00:44 +02:00
Christian Helmuth
960670b16c decorator: fix handling of back-most window
Before, the current back-most window was not restacked if it was part of
the already, which lead to partially inconsistent view of the window
stack between decorator and nitpicker.
2024-04-12 15:00:44 +02:00
Christian Prochaska
219eecf8d7 qt5: stop signal proxy thread on exit
Fixes #5158
2024-04-12 15:00:44 +02:00
Christian Helmuth
6b50f993bc qt5_common: increase RAM of pointer to 2M 2024-04-12 15:00:44 +02:00
Norman Feske
1866520d6c dde_linux: build initcall_table.c after objects
The added hook 'OBJ_POSTPROC_SRC' gives us a way to post-process object
files for generating supplemental code. By using this hook, the
initcall_table.c generated by import-lx_emul_common.inc gets reliably
executed after all object files are built.

Fixes #5159
2024-04-12 15:00:44 +02:00
Christian Prochaska
bc44104522 qt5: fix use-after-free on exit
Fixes #5156
2024-04-12 15:00:44 +02:00
Norman Feske
891f933863 import-lx_emul_common.inc: don't use 'nm -U'
The option is used during the generation of initcall_table.c.
However, it happens to strip the first argument following the option.
The long option --defined-only works as expected.

Issue #5155
2024-04-12 15:00:44 +02:00
Christian Prochaska
d813a12f20 tool chain: GDB fixes
Fixes #5154
2024-04-12 15:00:44 +02:00
Christian Prochaska
b439924bf9 tool chain: fix GCC internal compiler error
Fixes #5153
2024-04-12 15:00:44 +02:00
Josef Söntgen
ff728eb6ce usb_block: fix 'Request_sense_repsonse' MMIO size
Due to a bug in the original implementation, the size of the MMIO
range covering the 'Request_sense_response' data was set too large
during the MMIO boundary change. This rendered devices that were not
yet ready and required an 'Request_sense' command unusable.

The commit also adapts all other commands where the MMIO size does
not match the expected one.

Fixes #5133.
2024-04-12 15:00:44 +02:00
Christian Helmuth
229f01b153 vbox6-capture: enable Windows BSOD logging
Issue #5099
2024-04-12 15:00:44 +02:00
Alexander Boettcher
5e5fe7291a nic/ipxe: add throttle RX interrupt support
The commit adds support to throttle the rate of the RX IRQs to a specified
value. The effect is, that no RX IRQs below the time threshold will fire and
therefore the CPU load gets reduced on the host. Trade-off gaming between
cpu load, throughput, overload.

Modular Sculpt 23.10 on S938 as testcase. In brackets the CPU affinity is
denoted.

ipxe (0,0) -> nic_router (1,0) -> Debian VM vbox6 (3,0) and (3,1)

VM: iperf -C X.X.X.X -t 60 -R

iperf server X.X.X.X is outside Sculpt and sends data due to '-R' to VM

Non representative measure points:

cpu load   - ipxe  - nic_router - iperf throughput
--------------------------------------------------
w/o  patch -  ~80% -       ~50% - ~706 MBit/s - 0    -> throttling off by default on S938
patch 651  -  ~20% -       ~35% - ~763 MBit/s - 651  -> 0.166ms throttle RX IRQ
patch 5580 -  ~15% -       ~25% - ~650 MBit/s - 5580 -> 1.4ms   throttle RX IRQ

Issue #5149
2024-04-12 15:00:44 +02:00
Alexander Boettcher
31e8b50b7c nic/ipxe: batch TX requests
A bunch of transmit requests received by the Uplink server (nic_router)
are currently added one by one to the ring buffer and every time the hardware
is notified to process each single request.

Instead, add as many as possible transmit requests in the ring buffer of
the hardware and when done trigger the hardware to process the ring.

Additionally, don't receive an "processed" TX IRQ for each element in the
ring, which causes high CPU load.

With this commit the TX IRQs in the ipxe driver for a

iperf -c X.X.X.X -t 60

from within a VM to the outside iperf server is reduced from about
~2'600'000 IRQs to about ~200'000. The overall CPU load for the driver
(when executed alone on CPU 0) is reduced from ~85 percent load to ~45 percent
load.

Issue #5149
2024-04-12 15:00:43 +02:00
Alexander Boettcher
feba5a138e nic/ipxe: batch packets on receive path
Use batching feature of Uplink client base header.

Issue #5149
2024-04-12 15:00:43 +02:00
Alexander Boettcher
d0d9cb6a73 uplink: support batching in client base header
Add support for Uplink drivers to batch requests.

Fixes #5149
2024-04-12 15:00:43 +02:00
Alexander Boettcher
23078154cd vbox: avoid blocking nic_ep thread
during receive the nic_ep may block as long as the guest does not provide
another receive network descriptor. In the meantime, all Genode signals
regarding the network interface, e.g. tx, will be postponed, which may
effect the throughput.

Instead use the nic_ep for rx packets unblocking. Add an notification mechanism
to the e1000 vbox network model, to notify us as soon as the guest added new
receive descriptors in the model.

Issue #5146
2024-04-12 12:57:30 +02:00
Alexander Boettcher
e1e87657c7 vbox: batch network packets
Fixes #5146
2024-04-12 12:57:30 +02:00
Norman Feske
b36a49dfc2 sculpt: host PC framebuffer drivers in runtime
Issue #5150
2024-04-12 12:57:30 +02:00
Norman Feske
27e0500452 sculpt_manager: Pci_info -> Board_info
This is a preparatory commit for issue #5150. Board_info is designated
for the selection of device drivers. It is not specific to PCI devices.
2024-04-12 12:57:30 +02:00
Johannes Schlatow
b67df08c9d intel_fb: add dummy for ZimaBlade support
When booting Sculpt OS on the ZimaBlade, `i915_vm_free_pt_stash` is
called. Providing an empty dummy implementation fixes the issue.

Fixes #5145
2024-04-12 12:57:30 +02:00
Christian Helmuth
609a065503 Static IP config in lighttpd.run on base-linux 2024-04-12 12:57:30 +02:00
Norman Feske
a452390f0b pkg/test-tcp_bulk_lwip: adjust quota for foc/pbxa9
For pbxa9, Qemu is started with only 256 MiB for foc but with 768 MiB
for base-hw. By reducing the RAM quota for all start nodes within the
remote scenario, each component gets enough RAM quota to breathe.
2024-04-12 12:57:30 +02:00
Norman Feske
72a575a5f9 depot_autopilot.run: error message on empty tar
When wrongly invoking the run script by specifying a skipped test
as its only TEST_PKGS argument, the run script fails due to a wrong
tar argument order. Let's better reflect this condition to the user
ahead of invoking tar.
2024-04-12 12:57:30 +02:00
Benjamin Lamowski
1b313df419 linux: force stack area mapping at requested address
With `MAP_FIXED` absent from the mmap(3p) flags, "the implementation uses
addr in an implementation-defined manner to arrive at pa", which may
lead to a mapping at an address diffent to the requested `addr`.

Add `MAP_FIXED` to the mmmap flags to force mapping to the specified
address.

Fixes #5147
2024-04-12 12:57:30 +02:00
Norman Feske
6315a09369 pkg/test-libc_fifo_pipe: ignore Ipc_error messages
Such messages can occur by chance when killing 'echo' while the program
blocks in an IPC call. It gets killed nevertheless. So the message does
not hint at a failure of the test.
2024-04-12 12:57:30 +02:00
Norman Feske
598dfff601 pkg/test-tcp_bulk_lxip: adjust quota for sel4 2024-04-12 12:57:30 +02:00
Norman Feske
5b4e1d22d9 test/timer: adjust min timer period to 250 us
In the context of #5138, the timer drivers for NOVA and base-hw had been
changed to support timeouts at a precision of 250 us (from formerly 1 ms).
Adjust the test to the new expected lower bound.
2024-04-12 12:57:30 +02:00
Norman Feske
956ec2f84c pkg/test-read_only_rom: adjust quota for sel4 2024-04-12 12:57:30 +02:00
Norman Feske
3052260249 Adjust terminal_crosslink RAM quota for seL4
The dynamic buffer allocation increases the RAM demand slightly beyond
1M on seL4. Use 2M, as is already the default in pkg/terminal_crosslink.

Issue #5135
2024-04-12 12:57:30 +02:00
Christian Helmuth
2f1520b4c1 base-hw: fix EPIT duration calculation on roll-over
If Ocif was not reset between two calls to _duration(), the returned
value exceeded _max_value().
2024-04-12 12:57:30 +02:00
Christian Helmuth
abb2045e17 Remove exec_static_constructors from dde_linux drivers
This is a follow-up commit to "lx_emul: generate initcalls during build".

Issue #5096
2024-04-12 12:57:30 +02:00