Commit Graph

10485 Commits

Author SHA1 Message Date
Christian Helmuth
07bb3fc1ec Initial update of init-state ROM in init_loop test
ROM clients have to request an initial update of dynamic ROMs explicitly
and should not depend on artificial signals from the ROM session on
signal-handler registration.

Issue #4274
2021-10-13 14:50:46 +02:00
Johannes Schlatow
93583cce3b sequence: immediately stop child on exit
The sequence app should immediately stop the child when it called
parent().exit(). Otherwise, the child will continue execution which
causes a race condition: The child's ld.lib.so will eventually destruct
an Attached_rom_dataspace for the config rom. If sequence destructed the
corresponding service first, we will get an Ipc_error.

genodelabs/genode#4267
2021-10-13 14:50:46 +02:00
Josef Söntgen
e6bd9fd7da libc: implement SNDCTL_DSP_GETFMTS ioctl
This I/O control is used to query the audio format, e.g. AFMT_S16_LE
in our case.

Fixes #4276.
2021-10-13 14:50:46 +02:00
Martin Stein
870c5c7a81 file_vault: GUI control for encrypted virtual FS's
Warning!

The current version of the file vault is not thought for productive use but
for mere demonstrational purpose! Please refrain from storing sensitive data
with it!

The File Vault component implements a graphical frontend for setting up and
controlling encrypted virtual file systems using the Consistent Block Encrypter
(CBE) for encryption and snapshot management. For more details see
'repos/gems/src/app/file_vault/README'.

Fixes #4032
2021-10-13 14:50:46 +02:00
Martin Stein
3e375e4315 cbe tools: log less by default
Previously unconditional calls to Genode::log in cbe init and the cbe trust
anchor VFS plugin were made dependent on a verbosity flag that is set to
"false" by default.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
8dfa586462 vfs/cbe_trust_anchor: fix bug in key decrypt
The plugin used the ciphertext instead of the plaintext buffer for key
decryption which led to bogus ciphertext keys.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
a661aa79de vfs/cbe_trust_anchor: AES-key-wrap private key
Instead of simply encrypting the private key with AES-256 when storing it to
the 'encrypted_private_key' file, wrap it using the AES-key-wrap algorithm
described in RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm".
This is more secure and enables us to directly check whether the passphrase
entered by the user was correct or not.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
94701eec09 vfs/cbe_trust_anchor: rename secured_superblock
As the file formerly named 'secured_superblock' actually contains the hash of
the superblock that was secured, it was renamed 'superblock_hash'.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
a28ca44101 vfs/cbe_trust_anchor: rename keyfile
As the file formerly named 'keyfile' actually contains the encrypted private
key of the Trust Anchor, it was renamed 'encrypted_private_key'.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
641a738e3d vfs/cbe_trust_anchor: encrypt symmetric keys
By now, the symmetric keys were only XOR'ed with the private key as placeholder
for a real encryption. Now they are encrypted using AES256 with the TA's
private key as key

Ref #4032.
2021-10-13 14:50:46 +02:00
Martin Stein
f41dec67e1 vfs/cbe_trust_anchor: use secure private key
A private key of 256 bits is generated pseudo-randomly using the jitterentropy
VFS plugin on initialization. The private key is stored in the key file
encrypted via AES256 using the SHA256 hash of the users passphrase. When
unlocking the CBE device, the encrypted private key is read from the key file
and decrypted with the hash of the users passphrase.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
75a55b62a3 vfs/cbe_trust_anchor: use hash of passphrase
Instead of using the user passphrase directly, use its SHA256 hash calculated
using libcrypto. The passphrase hash is still stored in the key file to be
used as base for the very primitive way of generating the private key.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
989b7f39e1 vfs/cbe_trust_anchor: use secure symmetric keys
Use the jitterentropy vfs plugin for the generation of new symmetric block
encryption keys in the cbe trust anchor vfs plugin.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
a2d2b874ec vfs/cbe_trust_anchor: sync keyfile-handle close
Closing the keyfile handle after a write operation wasn't synchronised to the
actual end of the write operation.

Issuing a write operation at the back end returns successfull as soon as the
back end has acknowledged that it will execute the operation. However, the
actual writing of the data might still be in progress at this point. But the
plugin used to close the file handle and declare the operation finished at this
point which led to warnings about acks on unknown file handles and leaking
resources. Now, the plugin issues a sync operation directly after the write
operation and waits for the sync to complete. This ensures that the plugin
doesn't declare the operation finished too early.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
42490208c2 vfs/cbe_trust_anchor: fix unlocking
The unlocking operation in the trust anchor was broken wich caused bad keys in
the CBE. This rewrites the whole operation to work as desired. Note that this
doesn't make it more safe! The private key is still almost the same as the
passphrase and stored plaintext.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
95639a7492 vfs/cbe_trust_anchor: close handles correctly
The plugin used to close file handles via the 'vfs_env.root_dir.close'.
However, this lead to resource leaks and apparently isn't the right way to
do it. Other VFS plugins do it by calling 'close' directly on the handle and
doing it in the trust anchor plugin also, fixes the leaks.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
df7de17435 vfs/cbe_trust_anchor: sync hashfile-handle close
Closing the hashfile handle after a write operation wasn't synchronised to the
actual end of the write operation.

Issuing a write operation at the back end returns successfull as soon as the
back end has acknowledged that it will execute the operation. However, the
actual writing of the data might still be in progress at this point. But the
plugin used to close the file handle and declare the operation finished at this
point which led to warnings about acks on unknown file handles and leaking
resources. Now, the plugin issues a sync operation directly after the write
operation and waits for the sync to complete. This ensures that the plugin
doesn't declare the operation finished too early.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
1b4a80ffae vfs/cbe: control/deinitialize file
There were no means for issuing a Deinitialize request at the CBE using the
CBE VFS plugin. The new control/deinitialize file fixes this. When writing
"true" to the file, a Deinitialize request is submitted at the CBE. When
reading the file, the state of the operation is returned as a string of the
format "[current_state] last-result: [last_result]" where [current_state] can
be "idle" or "in-progress" and [last_result] can be "none", "success", or
"failed".

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
88e6991083 vfs/cbe: fix ID argument on discard_snap
When discarding a snapshot, the CBE VFS plugin didn't communicate the ID of
the snapshot to the CBE. Instead it set the ID argument to 0. Therefore the
operation never had any effect.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
9b953e79ba vfs/cbe: support watching the snapshots fs
The snapshots file system couldn't be watched. But it's of interest to watch
for appearing and disappearing snapshots.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
4c1eae97cf vfs/cbe: fix result of SnapshotsFS.num_dirent("/")
The snapshots file system used to return the number of snapshots on
'num_dirent' when called for the root directory although it was expected to
return 1. This confused the tooling ontop of the VFS.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
f051bfa90d vfs/cbe: support watching "rekey" file
The control/rekey file couldn't be watched although it was meant to be used
to watch the current state of the rekey operation.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
4ed45dd303 vfs/cbe: support watching "extend" file
The control/extend file couldn't be watched although it was meant to be used
to watch the current state of the extend operation.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
2d0ac161cb vfs/cbe: mark extend/rekey fs readable
Despite being readable, the files control/extend and control/rekey proclaimed
that they were not when asked. This caused the fs_query tool to not report the
content of the files although it could have.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
34245376ba vfs/cbe: fix size of extend/rekey fs
Stat calls on the control/extend and control/rekey files returned a bogus file
size that led to an error in the VFS File_content tool. The tool complained
that the size of the file determined while reading the content differs from the
one reported by the stat operation. Now, the stat call will always determine
the actual size of what would be read.  However, it isn't guaranteed that this
size doesn't change in the time after the stat operation and before the read
operation.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
bd79f93657 cbe/types: invalid generation, generation string
Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
731df4b037 recipes/src/cbe: build also cbe_init_trust_anchor
Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
d3cc5c9cd2 gems/recipes: api/cbe
Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
ff656401b3 gems: update cbe port
This update fixes a bug when discarding snapshots.

Ref #4032
2021-10-13 14:50:45 +02:00
Christian Helmuth
46ee872b50 vbox6: shared clipboard service
The service is loaded dynamically VBoxSharedClipboard.so at runtime. The
VFS configuration mounts the shared object at /VBoxSharedClipboard.so as
the file is checked by contrib code before loading. An init
configuration in pkg/vbox6/runtime illustrates this and how to re-label
the VBoxSharedClipboard.so ROM to its real name
virtualbox6-sharedclipboard.lib.so.
2021-10-13 14:50:45 +02:00
Christian Helmuth
5aee693f70 vbox6: limit wait for ack to 15 ms in AHCI model
During Windows 10 boot with sequential block requests, the AHCI request
worker finished earlier than the EMT thread signals hEvtProcess and
begins waiting for hEvtProcessAck indefinitely. The timeouts helps to
survive this short phase.

A better solution would use conditional variables, which are not
provided in VirtualBox's runtime.
2021-10-13 14:50:45 +02:00
Josef Söntgen
f21cf3f8b1 mesa: name driver library appropriately
Rename the 'egl_drv' library and the various back ends to 'mesa_gpu_drv'
and 'mesa_gpu-<backend>'.

Fixes #4275.
2021-10-13 14:50:37 +02:00
Norman Feske
32c283d26f os: introduce C API for generating Genode events
This patch introduces a C API to be used by input drivers to generate
Genode events. The initial version is limited to multitouch events only.

Fixes #4273
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
f4cb5cc299 dde_linux: preserve Io_signal_handler for IRQs
Do not construct/destruct signal handlers for interrupts dynamically,
but only the Irq session to prevent a deadlock.

Fix #4272
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
6ae55d490b lx_emul: restrict allocations to minimal alignment
* Use the architecture-dependent minimal alignment for all allocations,
  e.g. on ARM it is necessary to have cacheline aligned allocations for DMA
* Remove the allocation functions without alignment from generic API
* Fix a warning

Fix #4268
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
2ac8620f44 lx_emul: invalidate cache for DMA-read only
After a DMA transaction do only invalidate cachelines from the
corresponding DMA buffers if data got transfered from device to
CPU, and not vice versa. Otherwise it might result in data corruption.

Ref #4268
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
d8c344f6b9 lx_emul: do not block kworkers unconditionally
Ref #4268
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
f8cf0442ed lx_emul: implement lookup of dma-addr to virt-addr
* Use the new Lx_kit::Map as lookup structure for virt-to-dma and vice versa,
  instead of a list-based registry

Ref #4268
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
9bc7ecb605 lx_emul: provide alignment for DMA allocations
Ref #4268
2021-10-13 14:46:54 +02:00
Christian Helmuth
4c4ce2f899 report_rom: versioning and explicit notification
The former implementation did not internally track ROM changes notified
vs. delivered to the client. We adapt the versioning implementation
implemented in dynamic_rom_session.h and enable explicit notification of
the current version.

The feature is used by the clipboard to notify permitted readers of the
clipboard ROM service on focus change via the newly created private
Rom::Module::_notify_permitted_readers() function.

Fixes #4274
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
4803937dd2 os: introduce C-API to provide USB service
Fix #4270
2021-10-13 14:46:54 +02:00
Stefan Kalkowski
6789b86871 base-hw: optimize cache maintainance for ARMv8
* Remove the data-synchronization barrier from the inner-loop
* Instead add a system-wide barrier at the end of the operation

Fix #4269
2021-10-13 14:46:54 +02:00
Martin Stein
9542bcf88c base-hw: reduce includes in board.h
The includes for the address-space-ID allocator and the translation table are
usually specific to the CPU in use. Therefore these includes can be moved from
their current location in the board header to the CPU headers. This reduces the
number of decisions a board maintainer has to make if the CPU model he's aiming
for is already available.

This can probably also be applied for other includes in the board headers but I
intentionally leave it for a future commit as I don't have the time to do it
all now.

Ref #4217
2021-10-13 14:46:54 +02:00
Martin Stein
ad059362d2 base-hw: reduce hardware-specific include paths
For base-hw Core, we used to add quite some hardware-specific include paths
to 'INC_DIR'. Generic code used to include, for instance, '<cpu.h>' and
'<translation_table.h>' using these implicit path resolutions. This commit
removes hardware-specific include paths except for

1) the '<board.h>' include paths (e.g., 'src/core/board/pbxa9'),
2) most architecture-specific include paths (e.g., 'src/core/spec/arm_v7'),
3) include paths that reflect usage of virtualization or ARM Trustzone
   (e.g., 'src/core/spec/arm/virtualization').

The first category is kept because, in contrast to the former "spec"-mechanism,
the board variable used for this type of resolution is not deprecated and the
board headers are meant to be the front end of hardware-specific headers
towards generic code which is why they must be available generically via
'<board.h>'.

The second category is kept because it was suggested by other maintainers that
simple arch-dependent headers (like for the declaration of a CPU state) should
not imply the inclusion of the whole '<board.h>' and because the architecture
is given also without the former "spec"-mechanism through the type of the build
directory. I think this is questionable but am fine with it.

The third category is kept because the whole way of saying whether
virtualization resp. ARM Trustzone is used is done in an out-dated manner and
changing it now would blow up this commit a lot and exceed the time that I'm
willing to spend. This category should be subject to a future issue.

Ref #4217
2021-10-13 14:46:53 +02:00
Martin Stein
49b09702b8 base-hw: don't include board.h from hardw. headers
The 'src/core/board/<board>/board.h' header is thought as front end of
hardware-specific headers of a given board towards the generic base-hw Core
code. Therefore it leads to problems (circular includes) if the board.h header
is included from within another hardware-specific header.

If hardware-specific headers access declarations from namespace Board in a
definition, the definition should be moved to a compilation unit that may
include board.h. If hardware-specific headers access declarations from board.h
in a declaration, they should either use the primary declaration from the
original header or, if the declaration must be selected according to the board,
another board-specific header should be introduced to reflect this abstraction.

This is applied by this commit for the current state of base-hw.

Ref #4217
2021-10-13 14:46:53 +02:00
Martin Stein
5d74509b2d base-hw: get rid of static perf counter object
It is not necessary to have a class, an object, and a generic header for the
perfomance counter. The kernel merely enables the counter using cpu registers
('msr' instructions, no MMIO) on arm_v6 and arm_v7 only. Therefore this commit
makes the header arm-specific and replaces class and global static object with
a function for enabling the counter.

Fixes #4217
2021-10-13 14:46:53 +02:00
Martin Stein
b817e1977c base-hw: serial output as Main member
Let the kernel's serial-output driver be a member of the one Kernel::Main
object instead of having it as global static variable.

Ref #4217
2021-10-13 14:46:53 +02:00
Martin Stein
910788313e base-hw: get rid of static variable in Kernel::Pd
Ref #4217
2021-10-13 14:46:53 +02:00
Martin Stein
02f00a999c base-hw: global IRQ controller as Main member
Let the kernel's driver for the global IRQ controller be a member of the one
Kernel::Main object instead of having it as static variables in the drivers for
the local IRQ controllers. Note that this commit spares out renaming 'Pic' to
'Local_interrupt_controller' which would be more sensible now with the new
'Global_interrupt_controller' class. Furthermore, on ARM boards the commit
doesn't move 'Distributer' stuff to the new global IRQ controller class as they
don't have real data members (only MMIO) and can be instanciated for each CPU
anew. However, the right way would be to instanciate them only once in Main as
well.

Ref #4217
2021-10-13 14:46:53 +02:00
Martin Stein
441d137482 base-hw: Address-Space-ID allocator as Main member
Let the kernel's Address-Space-ID allocator be a member of the one
Kernel::Main object instead of having it as global static variable.

Ref #4217
2021-10-13 14:46:53 +02:00