Both keys are physically the same on available keyboards (with varying
labeling). Unfortunately, PS/2 scancode sets and USB HID spec seem to
differ slightly in their interpretation. Therefore, we keep the
driver-level reporting as is but report both as KEY_PRINT in Sculpt,
which allows to use the key(s) for screenshoter rules most prominently.
Also, unify sculpt/event_filter/pc with sculpt_manager.
With the current RAM setting, opening the inspect window fails on a
display with 4K resolution.
Adjust the inspect window's RAM quota to make it work.
Issue #5174
When a new signal arrives, which means a formerly non-pending one,
we should ignore old signal numbers of that context, but only
evaluate newly received data by the last kernel-call.
Fix#5193
The ported i2c_hid driver contains driver code for the "Intel
Tigerlake/Alderlake PCH pinctrl/GPIO" device. Unfortunately, acpica
driver also accesses the same device on Lid open/close via ACPI AML code
of the DSDT table to read out the state of a GPIO pin connected to the
notebook lid. This would fail as I/O memory is handed out only once and
cannot be shared. The workaround disables the region check for the
specified GPIO I/O memory regions and provides both drivers shared
access to the regions.
This is a preliminary workaround. A general solution should separate the
GPIO driver into a component (e.g., platform driver) that regulates
accesses by i2c_hid and acpica.
Issue #5195
During audio and video playback at a high rate by a VMM, nitpicker on the
boot CPU may interfere with the mixer clients, letting them not finish the
schedule RPC at the mixer in time. Moving nitpicker to the same CPU as
leitzentral mitigates the effect at moment.
Issue genodelabs/genode#5174
At least on x86_64/x86_64/pc/hw|nova, the test used to fail because the net
setup sometimes required more than the 3 seconds that the test was giving each
step. This commit raises the step timeout to 5 seconds and the test timeout
from 70 to 90 seconds in order to be on the safe side.
Ref #5192
The default mixer launcher limits the volume to 50%, so raise the
driver's volume to the max to be audible on certain systems where
otherwise audio is barely recognizable.
While there, fix the wrong reporting attribute as well.
Issue #5174.
The version in ui_report and ui_config were merely used for making test output
more readable. However, there are other ways to achieve this goal.
Ref #5190
The File Vault used to sporadically fail to complete Extend or Rekey operations
when it was locked during the operation. The cause was an insufficient state
model that has been fixed with this commit.
Ref #5190
* adds rekeying and resizing controls to config+report api of file vault
* moves common types of file vault to file_vault/include/file_vault/types.h
to be included by other components
* fixes wrong type of nr_of_clients fields in file_vault
* introduces the file_vault_gui component that is a minimal graphical front end
for the file vault based on the dialog lib and that uses the
config+report api of the file vault as back end
Ref #5190
This patch addresses corner cases not considered so far. In particular,
it avoids placing the Add/Options tabs of an unscrollable popup under
the panel. This could happen in the presence of many options. The patch
includes the panel height into the calculation to rule out such
situations. It also tightens the scrolling boundaries to the visible
content.
Issue #5183
This patch handles intermediate situations where the screen mode may
become 1 x 1 (absence of any capture clients). In this case, the
decoration of a maximized window would legitimately exceed the screen
boundary.
Thanks Johannes for the investigation.
Issue #5187
Issue #5180
The blanking state is evaluated by the intel_fb driver, which will switch
off all connectors. When done, the intel_fb driver will exit and the
sculpt_manager will continue with the next step, stopping all drivers.
Issue #5180
This commit adds missing routes to I2c for the framebuffer driver of the
MNT Reform. If build for this concrete board the Board_info::Soc variable
within the sculpt_manager is initialized according to the properties of
this device. The `update_soc` routine is called in the initialization of
the sculpt_manager, otherwise it won't be called at all, if no PCI devices
changes are detected. Missing driver binaries and device-tree-binaries are
add to the run-script.
Issue #5174
A network card can be provided by PCI, and the SoC as well. Therefore,
add an additional state variable in the Board_info::Soc, and check it
appropriatedly.
Issue #5174
Commit "sculpt: safeguard the offering of suspend/resume" was too lax
about the detection of acpi support. In situations where acpi support
is selected but not yet installed, the menu would offer the features
already. This patch restricts the condition such that acpi support must
be running, not merely selected.
Issue #5174
This patch retains the buffer size of the last capture client as mode as
long as no capture client exists. This avoids intermediate mode changes
in situations like suspend/resume where the display driver is restarted.
Issue #5187
In contrast to platforms, like the PC, where the fb driver selection
is a dynamic decision depending on the available hardware, on current
ARM-based SoC machines this configuration is part of the static board
information.
Issue #5174.
This patch disables latency warnings by default. The warnings can be
enabled by setting the 'warning_rate_ms` value to the desired
maximum rate.
Fixes#5186
Issue #5174
The USB host controller gets restarted during the suspend-resume cycle.
Hence, don't offer suspend while any USB storage device is in use, in
particular when deploying Sculpt from a USB stick.
Suspend/resume is not supposed to work with any framebuffer driver other
than intel_fb. Therefore, offer the suspend feature only when using intel_fb.
Issue #5174
The automatic restart of intel_fb got lost during the transition from
the driver manager. This commit restores the heartbeat monitoring of
this driver.
Issue #5174
This patch enhances the sculpt manager to drive the system state
and manage the lifecycle of driver components during suspend-
resume cycles.
The new Power options can be found in the System menu. The suspend
and power-off controls are presented only when the acpi-support
option is activated.
Note that the USB controller is hard restarted when resuming from
suspend. Hence, all components that depend on USB are restarted
implicitely.
Issue #5180
Issue #5174
on display client close (intel_fb). The former code constructed a
temporary object on the stack, which sets up the scratch pages for the
closed client. However, the scratch page backing store (dma_buffer) gets
freed on destruction of the temporary stack object, which leads to DMA faults
with visual noise on the screen. Instead, use the already in use ggtt object
and add the scratch pages explicitly.
Issue #5180
This commits updates the contrib sources to version 8.7.1.
This version requires more random entropy as it queries OpenSSL
about the current random state and will bail if it is not sufficient.
Doubling the content of the '<inline>' VFS plugin as used in static
configurations seems satisfactory.
Furthermore DNS resolving needs a configured '<pipe>' plugin to work
properly.
Fixes#5184.
Instead of returning an invalid capability whenever an interface is
requested that does not exist, create a disconnected interface component.
It is also possible that a client requests an interface that got removed
at the same time. When an invalid capability gets returned, a client
can stumble about invoking it.
Moreover, this commit marks either invalid interface or device components
as disconnected objects to optimize their handling.
Ref genodelabs/genode#5021
This is an intermediate solution for accommodating overly long
text lines that can appear in report/runtime/usb/devices in the
presence of long product strings.
Issue #5174
In the scheduler's implementation preserve the consumed slack-time
over periods of activation/deactivation, but instead of appending
activated jobs to the end of the slack queue, insert it as new head.
Thereby, the extreme discrimination of threads with short execution
times and frequent blocking behaviour against long running computations
gets avoided.
Fixgenodelabs/genode#4796
The check handles the case when the user clicks right of the
radio-button text, yielding an invalid "matching" id. This should not
result in any action.
Issue #5174
When the "system" ROM state turns to "suspend",
the S3 state information of the sleep_states ROM are determined and
are used to invoke the privileged Pd::system_control call.
Issue #5180
triggered by the "system" ROM change. With this information the consumers
of the sleep_states report can determine, when the operation is finished.
Issue #5180
This commit raise various quota to accommodate using a display
resolution of up to '3840x2160' in the static parts, e.g. the
leitzentrale, of Sculpt.
Issue #5174.
This commit introduces the means to configure the framebuffer memory
used by the driver for sizing its buffers.
Originally the avail memory was derived from the avail ram in the PD
session, which roughly corresponds to configured RAM quota.
However, since it is only used in a virtual capacity, we can decouple
it from the actual memory and set to a value that accommodates larger
framebuffer resolutions like 3840x2160. If the configured RAM quota
is not enough to satisfy an allocation request the client will issue
a resource request.
Issue #5174.
This patch complements "sculpt: make component graph scrollable" with
the ability to scroll the popup dialog, which is sometimes needed in the
presence of many services as routing options.
Fixes#5183
Commit 'wifi_drv: re-arm scan timer when enabled again' allowed for
re-arming the scan timer but still uses the old timer value the first
time around. If the timer was disabled, by setting the interval to 0,
it was not enabled again.
We now check if the interval has changed beforehand and potentially
arm the scan timer afterwards.
Fixes#5178.
To differentiate between the legacy and the current VFS OSS plugin both
plugins will feature a 'plugin_version' field in its info file. This
is used for enabling features provide by the current version that are
not supported in the legacy one.
Issue #5167.
The audio launcher configures the 'bsd_audio_drv' component for normal
use where the micrphone selection should work on most Thinkpads.
The mixer launcher configures the 'record_play_mixer' component for
use with the 'audio' launcher and provides also examplary rules for
vbox6 launchers.
This commit prefixes the Play sessions of the audio driver so that
these can be matched differently in the 'record_play_mixer' config.
The same could be archived with re-labling but naming the sessions
differently at the source prevents accidental mis-configuration.
Issue #5167.
The IHD500 is almost a gen9 (skylake) GPU with subtle differences. Linux
maintains a separate feature set `GEN9_LP_FEATURES` for this GPU.
However, foisting the GPU as skylake on the GPU drivers seems to work
quite fine.
genodelabs/genode#5177
Executing a clflush operation on MMIO memory freezes embedded
platforms such as the Celeron N3450 used on the ZimaBlade. Looking into
the current linux code confirms that clflush is only used for ppgtt
entries and not on MMIO memory.
Fixes#5176
Since "sculpt: adjust nitpicker priority", the nitpicker GUI server no
longer runs at the highest priority, yet the runtime_view of the
leitzentrale UI continued to operate at the highest priority.
On slower machines, this results in a visible interference of the CPU-
heavy rendering of the runtime_view with the (now) lower-prioritized
nitpicker, in particular laggy pointer movements.
This commit subordinates the leitzentrale components below the priority
of nitpicker to prevent this interference.
It also simplifies the priority scheme at the static system init: The
timer has the highest priority whereas all other components use the
priority band -1.
Issue #5174
The hard resource limit introduced by "sculpt: upper limit for automatic
quota upgrading" is too conservative for typical use cases of the RAM
fs. This commit makes the limit adjustable per managed component and
relaxes the limit for the RAM fs and depot_rom from 256 MiB to 2 GiB.
Issue #5174
Because all operations in lxip are non-blocking, return
WRITE_ERR_WOULD_BLOCK for data writes as done by read.
Note: This was not the case in the old plugin because 'write' was blocking
operation there.
issue #5165
These generated dummies slipped in when the commit
'pc_linux: enable gpio, audio' got merged and mainly concern old devices
from the 6xxx series.
The functions are normally guarded via 'CONFIG_IWLWIFI_LEDS' but due to
the olddefconfig step when generating our pc_linux config using
LX_DISABLE has no effect.
Issue #5066.
Allow tweaking the driver selection using the manager config:
- The new attribute 'ps2="no"' suppresses the selection of the PS/2 driver.
- The new attribute 'intel_gpu="no"'suppresses the selection of the
Intel GPU and fb drivers, letting Sculpt fall back to VESA or boot-fb.
Note that the dynamic change of those attributes is handled in principle
but not advisable. E.g., disabling the intel driver after startup leaves
the hardware in a state that the VESA driver cannot cope with. However,
when statically defining the attributes in sculpt/manager/default, it is
now possible to build an image that uses VESA on an intel machine.
Issue #5174
The nightly Qemu tests that don't use KVM require more time for completing the
unlock-and-access phase of the test. If the lock phase starts to early, the
file access is interrupted and the output isn't as expected.
Furthermore, on FOC, the cap quota was insufficient.
Ref #5148
The existing allocation scheme of window IDs has the unwelcome effect
that a re-appearing window would not always result in a visible change
of the window list. In such cases, the layouter and decorator would not
be prompted to do their job. This effect could be observered with the
multi-dialog version of menu view in Sculpt OS when manually enforcing
the restart of the runtime_view. Sometimes the panel would not re-appear
after the restart.
This patch changes the allocation of window ID such that new windows get
fresh IDs instead of reusing an ID of a recently disappeared window.
Issue #5170
Rarely. it might happen that events got received shortly before the complete
set of relevant USB devices got recognized. Filter more output in test metric
to stay robust.
This substantially slims down the test in order to reduce the number nightly
tests that fail due to timeouts. Now, the extended test steps (maximum trees
and benchmarks) are only run on Linux. The synchronous access, snapshot
management, rekeying, and resizing tests were removed.
Ref #5148
This patch replaces the former use of one menu-view component per dialog
by a single menu view presenting all dialogs. This change reduces the
runtime config by about 20%, improves the boot time, and lowers RAM and
CPU usage at runtime.
Issue #5170
The font pointers cached in labels can become dangling when the style
database is updated, as happens when changing the font size dynamically.
This patch orderly updates the cached pointers before removing
out-of-date font entries from the style database.
Related to issue #5170
This patch equips the menu-view component with the ability to present
more than one dialog at a time. The dialogs must be declared in the
<config> node as follows.
<config>
...
<dialog name="settings"/>
</config
For each dialog, menu view requests a dedicated ROM session labeled after
the dialog name. The corresponding GUI session is also labeled as such.
Note that only one hover report is generated responding to all dialogs.
The hover report can be correlated with the hovered dialog by inspecting
the the 'name' attribute of the hover report's <dialog> sub node.
The former global config attributes 'xpos', 'ypos', 'width', 'height',
'opaque', and 'background' have become attributes of the <dialog> node.
Fixes#5170
GPU drivers always reside in the runtime subsystem now.
This patch eliminates the risk of requesting a GPU session at the
drivers subsystem, which never gets established.
Issue #5150
The new VFS OSS plugin utilizes the Record and Play session. For the
time being it is a drop-in replacement for the old plugin and shares
its limitations.
In contrast to the old plugin it is possible to force a client to
use a configured fragment size. Some clients work best with larger
fragments, e.g. VBox, where raising the minimal fragment size is
beneficial.
Please look at the README file for more information.
Issue genodelabs/genode#5167.
On some platforms like qemu/x86_64/sel4, accessing the file system is so
slow that it used to hit the timeout of this phase in the run script.
Ref #5148
This patch lays the selection of the used storage target into the hands
of the config/manager file. By default, Sculpt selects the target by its
built-in heuristics, probing for a Sculpt partition. However, by
specifying a <target> node, one can explicitly select a storage target.
E.g., for using the 2nd partition of the SATA disk connected to port 1
of the AHCI controller, one can now specify:
<target driver="ahci" port="1" partition="2"/>
For selecting the ram_fs as target:
<target driver="ram_fs"/>
The latter case is particularly useful for custom Sculpt scenarios
deployed entirely from RAM. For such scenarios, add two lines to
your .sculpt file:
ram_fs: depot
manager: use_ram_fs
The first line configures the ram_fs such that the depot is mounted
as a tar archive. The second line configures the sculpt manager to
select the ram_fs as storage target. You can find this feature
exemplified in default-linux.sculpt scenario.
build/x86_64$ make run/sculpt_test KERNEL=linux BOARD=linux
It is worth noting that the configuration can be changed at runtime.
This allows for switching between different storage targets on the fly.
Issue #5166
The new 'manager' config allows for the passing of configuration data the
sculpt manager without the need to modify the config/leitzentrale subsystem.
Issue #5166
Unlike the previous return value of
`Genode::Packet_allocator::need_size_for_free()` indicated, it does need
the size of the object it has to free to work properly.
The plugin used to call open with the create flag set at rump without file
permissions for create leading to undefined behavior regarding the file
permissions.
Ref #5148
All errors (as in the legacy version) are now propagated as WRITE_ERR_IO
(see Lxip_vfs_file_handle::write), which ultimately will lead to EPIPE
in libc's socket_fs. This also counts for EAGAIN leading to the fact
that partial writes are not supported for blocking sockets in libc, also
libc will not try a second time in case not all data has been written.
issue #5165
The IP stack checks "user" pointer access, for example, for iov's using
'access_ok' which in turn calls '__access_ok'. The function checks if the
pointer is below TASK_SIZE_MAX, which is usually a big value on 64 bit
systems, but 3GB on 32 bit systems. Because the IP stack is mostly used with
Genode's libc, where pointers on some kernels (base-linux) can be >3GB and we
don't want to make an additional copy of each buffer/iov interacting with the
IP stack, we short circuit the function
issue #5165
This patch replaces the dynamic use of Attached_rom_dataspace by a
new Rom_handler utility, which implicitly covers the initial import of
content (safely using 'local_submit'), the registration of the signal
handler, passes the Xml_node to the handler function (no need to
manually call 'update'), and provides scoped access to the content via a
'with_xml' method. The latter reinforces a programming style that does
not need to copy Xml_node objects.
Issue #5150
This patch removes the remains of the original block-device discovery as
done by the former driver manager. Block sessions are now always
provided by components hosted in the runtime subsytem. The storage node
of the graph is no more.
Issue #5150
This patch harmonizes the driver management between the sculpt manager
and the phone manager by hosting the individual drivers in a new
'Drivers' class with a narrow interface towards 'Sculpt::Main'. The
patch also introduces a clean separation of the 'Board_info' between
features detected at runtime (on PC hardware), statically
known/managed features (phone hardware), and options that can be
toggled at runtime.
With common patterns for managing drivers in place now, this commit
also moves the former runtime/wifi_drv.cc and runtime/nic_drv.cc
code to driver/wifi.h and driver/nic.h. The _drv suffix of the wifi
and nic driver components have been dropped.
Issue #5150
The move of block, USB, and input drivers from the drivers subsystem to
the runtime alleviates the need for routing those sessions between the
subsystems.
Issue #5150
This patch moves SoC-specific framebuffer and touchscreen drivers
(PinePhone) to the runtime subsystem. They are enabled for the
phone_manager.
Issue #5150
As the NVMe driver was the last remaining driver controlled by the
driver manager, this patch removes the 'drivers -> dynamic' subsystem
along with the driver manager from sculpt/drivers/pc.
Issue #5150
This patch moves the AHCI driver from the 'drivers -> dynamic'
subsystem to the runtime, managed by the sculpt_manager. One
implication of this change is the new need to supplement a device
port number to the 'Storage_target', in addition to the existing
label and partition. Previously, each block device was addressed by
merely a label specified for a parent session. The meanings of the
'Storage_target' elements are now as follows.
- The label corresponds to the driver component providing the storage.
- The port is used as block-session label when opening the session
at the driver.
- The partition(s) denote the partition information contained in
the block session.
Components operating as clients of the AHCI driver (e.g., a file system)
refer to their storage target as <label>-<port>.<partition> when a port
is defined (for AHCI). For drivers w/o ports, like USB storage where
each USB-block driver correponds to only one device, the storage target
is denoted as <label>.<partition>. When no partition table is present,
the '.<partition>' part is omitted.
Issue #5150
This commit moves the USB and USB HID driver from the drivers subsystem
into the runtime. The former special USB node of the graph corresponds
now to the USB host-controller driver (named "usb"). The management
options for USB storage devices are available inside this component
node now.
Issue #5150
By moving the event_filter and the numlock_remap_rom from the drivers
subsystem to the static system, the filtering can be applied to drivers
hosted in the runtime and drivers hosted in the drivers subsystem.
This is a preparatory step for moving the USB host and HID drivers to
the runtime.
Issue #5150
Remove the "excellent" idea to re-open /dev/stdout etc. for redirection as
cmake uses open(O_TRUNC) and, thus, truncates log output of outer
redirections.
When the kernel does interrupt remapping, we cannot get a non-remapped MSI
for fault event interrupts. We therefore let the kernel do the fault
reporting in this case.
genodelabs/genode#5066
pci_channel_offline() checks if this member is set to
pci_channel_io_normal (which is 1). The former value of 0 is invalid.
This change fixes pc_nic_drv link down-up in cases that require an e1000
reset.
lx_emul_trace_msg() uses Genode::trace() as message function for
lightweight trace points, but also supports Linux format-string
attributes by using vsnprintf().
Only with high-resolution timers enabled timouts can fire between two
jiffies. The option is enabled on all relevant platforms but
unfortunately disabled by tinyconfig.
This option also permits the use of CONFIG_SND_HRTIMER.
* add testing of trees with minimal and maximal dimensions to tresor_tester.run
* replace tresor_init-local configuration type with simpler and more conformant
configuration type in tresor/types.h that does also XML-parsing and
XML-generation of configurations
* raise min degree to 2 because a degree of 1 is not practical und would
require additional logic
* fix overflow with num_blocks=0 in Superblock_control::Read|Write_vbas
* fix off-by-one bug regarding the number of levels in Vbd_initializer
* improve sanity checks in Tree_configuration constructors
* document level indices in tresor_init/README
* fix size of some arrays in order to be able to handle the maximum number of
tree levels
Ref #5077
* fixes two places, where the free tree module used to continue to process a
request after actually having determined that the request fails
* moves the functionality of checking the hash of a read block and decoding it
to a dedicated method in order to improve readability
Ref #5077
Adds a new command attribute "uninitialized_data" to the Tresor Tester
configuration. If a <request op="read"> command has this attribute set to "yes"
it assumes the read blocks to be uninitialized and therefore contain only 0's.
Note, that a command that has "uninitialized_data" set to "yes" cannot have the
attribute "salt".
Ref #5077
Snapshots must only be removed when securing the superblock. Otherwise, the
last secured superblock might get corrupted. The Free Tree allocation algorithm
would not consider the deleted snapshots anymore although they are still active
in the secured superblock and re-use their blocks. This would render the tresor
container unusable if the superblock with the deleted snapshots is not secured
in the end (driver crash, power down, ...).
Ref #5077
Superblock_control::Initialize used to decode a read superblock before checking
its hash. This is not necessary but may cause the operation to end up in a
decoding error on a superblock that is not the desired one anyway.
Ref #5077
Instead of iterating over all superblocks and checking each valid one,
check only the one whose hash matches the hash stored in the trust anchor.
I.e., the last one that was secured to the trust anchor. We must assume that
the other superblocks were corrupted in the meantime by operating the Tresor
container and, anyway, these Superblocks are not used anymore.
Ref #5077
The request of extending a tree used to halt when it found that
it could not add more levels to the tree because the maximum level index was
reached. Now, the library simply marks the request as failed, leaving it to
the user to handle the error condition.
Ref #5077
* differentiates request types that where merged formerly per module;
e.g. instead of type Superblock_control::Request, there are now types
* Superblock_control::Read_vbas
* Superblock_control::Write_vbas
* Superblock_control::Rekey
* Superblock_control::Initialize
* ...
each holding only the state and functionality that is required for exactly
that request
* removes all classes of the Tresor module framework and adapts all
Tresor- and File-Vault- related libs, apps, and tests accordingly
* the former "channel" state is merged into the new request types, meaning, a
request manages no longer only the "call" to a functionality but
also the execution of that functionality; every request has a lifetime
equal to the "call" and an execute method to be driven forward
* state that is used by a request but has a longer lifetime (e.g. VFS file
handles in Tresor::Crypto) is managed by the top level
of the user and handed over via the execute arguments; however, the
synchronization of multiple requests on this state is done by the module
(e.g. Tresor::Crypto)
* requests are now driven explicitly as first argument of the (overloaded)
execute method of their module; the module can, however, stall a request
by returning false without doing anything (used for synchronization on
resources)
* introduces Request_helper, Generated_request and Generatable_request in the
Tresor namespace in order to avoid the redundancy of sub-request generation
and execution
* moves access to Client-Data pointers up to Tresor::Virtual_block_device in
order to simplify Tresor::Block_io and Tresor::Crypto
* removes Tresor::Client_data and introduces pure interface
Client_data_interface in order to remove Tresor::Client_data and
move management of Client Data to the top level of a Tresor user
* introduces pure interface Crypto_files_interface in order to move management
of Crypto files to the top level of a Tresor user
* moves management of Block-IO and Trust-Anchor files to the top level of a
Tresor user
* adapts all execute methods, so, that they return the progress state
instead of modifying a reference argument
* removes Tresor::Request_and Tresor:Request and instead implements
scheduling at the top level of the Tresor user
* the Tresor Tester uses a list as schedule that holds Command objects; this
list ensures, that commands are started in the order of configuration
the Command type is a merge of the state of all possible commands that can
be configured at the Tresor Tester; the actual Tresor requests (if any) are
then allocated on-demand only
* the Tresor VFS plugin does not use a dynamic data structure for scheduling;
the plugin has 5 members that each reflect a distinct type of operation:
* initialize operation
* deinitialize operation
* data operation
* extend operation
* rekey operation
consequently, of each type, there can be only one operation in-flight at a
time; at the user front-end each operation (except "initialize") can be
controlled through a dedicated VFS file; for each of these files, the VFS
expects only one handle to be open at a time and only one file operation
(read, write, sync) active at a time; once an operation gets started it is
finished without preemtion (except of the interleaving at rekey and
extend); when multiple operations are waiting to be started the plugin
follows a static priority scheme:
init op > deinit op > data op > extend op > rekey op
there are some operation-specific details
* the initialize operation is started only by the plugin itself on startup
and will be driven as side effect by subsequent user calls to file
operations
* the data file is the only contiguous file in the front end and the file
operations work as on usual data files
* the other 3 files are transactional files and the user is expected to
follow this scheme when operating on them
1) stat (to determine file size)
2) seek to offset 0
3) read entire file once (this will be queued until there is no operation
of this type pending anymore and return the last result:
"none" | "failed" | "succeeded"; used primarily for synchronization)
4) write operation parameters (this returns immediately and marks the
operation as "requested")
5) read entire file once (the same as above but this time in order to
determine the operation result)
* the rekey op and deinitialize op are requested by writing "true"
* the extend op is requested by writing "tree=[TREE], blocks=[BLOCKS]"
where TREE is either "vbd" or "ft" and BLOCKS is the number of physical
4K blocks by which the physical range of the tresor container expands
(the physical range always starts at block address 0 and is always
expanded upwards)
* replaces the former <trust-anchor op="initialize"> command at the Tresor
Tester with <initialize-trust-achor> as there are no other trust anchor
operations that can be requested through the Tester config anyway
* removes the "sync" attribute from all commands at the Tresor Tester except
from <request op="rekey">, <request "extend_ft">, <request op="extend_vbd">;
as the Tester controls scheduling now, requests are generally synchronous;
at the rekeying and extension commands, the "sync" attribute determines
wether subsequent commands are interleaved with the execution of these
commands (if possible)
* removes "debug" config attribute from Tresor VFS plugin and reworks "verbose"
attribute to generate more sensible output
* removes NONCOPYABLE macro and instead uses Genode::Noncopyable and in-place
Constructors deletion
* introduces types Attr and Execute_attr where a constructor or execute method
have many arguments in order to raise readability
* renames the "hashsum" file that is provided by the Tresor Trust-Anchor VFS
plugin to "hash" in order to become conformant with the wording in the Tresor
lib
* makes the VFS Tresor test an automated test by merging in the functionality
of vfs_tresor_init.run and removing the interactive front end; removes
vfs_tresor_init.run as it is not needed anymore; adds consideration for
autopilot file structure in the Test and adds it to autopilot.list
* removes all snapshot controls and the progress files for rekeying and
extending from the Tresor VFS plugin; both functionalities were tested
only rudimentary by the VFS Tresor test and are not supported with the only
real user, the File Vault
* use /* .. */ instead of // ..
* use (..) instead of { .. } in init lists
Ref #5148
The virtual block device module used to hand over the wrong VBA as
parameter "rekeying VBA" to the Free Tree when allocating PBAs for data
access during rekeying. In certain constellations, this caused the Free
Tree to alloc PBAs that were still in use. The Free Tree PBA selection
algorithm, however, is just fine. When fixing the call parameter, it works
as desired. This re-enables the async rekeying test.
Ref #5075
The script tests the use of an encrypted file system that is created and
provided via the File Vault.
Furthermore the script can be used for test-driving existing File-Vault
containers (created with potentially older File-Vault versions) under the
current File-Vault version. This is done via the "LX_FS_DIR_TEMPLATE"
env variable.
Ref #5062
During one of the many re-factorization steps that were applied to the Tresor
library and its predecessor, the CBE library, one of the main features of the
project, the integrity check, accidentally received a grave regression. The
most recent version of the Tresor still used to check all hashes of meta-data
blocks but ignored the hashes of the actual data blocks.
With this commit, the hashes of all but yet uninitialized data blocks get
checked. The reason for ignoring uninitialized blocks is that they are not
actually read from disc but simply generated as an all-zeros block in the
driver in order to prevent having to initialize them all to zero in
Tresor-Init. That said, the integrity of these blocks cannot be compomised.
The according hashes in the meta data remain unset until the data block gets
written for the first time.
Ref #5062
The request classes Block_io::Read_client_data and Block_io::Write_client_data
used to receive a block reference for no reason. This commit removes these
args.
Ref #5062
The tresor_check tool became outdated back when the Tresor project was created
by re-writing its predecessor, the CBE, in C++. At this time, the check tool
was merely renamed but not updated. As there was also no autopilot test for the
tool, the tool remained outdated.
This commit rewrites the tool for the most recent Tresor version and adds an
autopilot test.
Ref #5062
* Make command pool a proper module
* The command pool used to be kind of a module but it was driven via custom
tresor-tester specific code. Now, it becomes a proper module that
is driven by the module framework instead.
* Move the code for creating and handling the module-execution progress flag
into Module_composition::execute_modules as the function is always used with
this code surrounding it.
* Reorganize files, remove deprecated files
* A new class Module_channel is introduced in the module framework and all
channel classes inherit from it. With that class in place, the formerly
module-specific implementations of the following methods are replaced by
new generic implementations in the Module framework:
* ready_to_submit_request
* submit_request
* _peek_completed_request
* _drop_completed_request
* _peek_generated_request
* _drop_generated_request
* generated_request_complete
* Module requests are now held for the duration of their lifetime at the
module they originate from and not, like before, at their target module. As
a result, modules can generate new requests inline (without having to wait
for the target module), making code much simpler to read, reducing the amount
of channel state, and allowing for non-copyable request types.
* Introduce a sub-state-machine for securing a superblock in the
superblock_control module in order to reduce redundancy.
* Some modules, like free_tree, were completely re-designed in order to make
them more readable.
* Replace all conditional exceptions by using the macros in
tresor/assertion.h .
* Move methods that are used in multiple modules but that were implemented
redundantly in each module to tresor/types.h.
* Remove verbosity node and all that was related to it from tresor tester
config as the targeted verbosity can be achieved with the
VERBOSE_MODULE_COMMUNICATION flag in tresor/verbosity.h .
* Extract the aspect of translating the byte-granular I/O-requests to
tresor-block requests from the tresor VFS-plugin and move it to a new module
called splitter.
* Rename the files and interface of the hashing back-end to not reflect the used
hashing algorithm/config anymore, while at the same time making the hashing
interface strict regarding the used types.
* Introduce the NONCOPYABLE macro that makes marking a class noncopyable short
and clear.
* Replace the former tresor/vfs_utilities.h/.cc with a new tresor/file.h
that contains the classes Read_write_file and Write_only_file. These classes
significantly simplify the modules crypto, block_io, and trust_anchor by
moving the details of file access to a sub-state machine.
* The former, rather trivial block allocator module is replaced by a normal
object of type Pba_allocator that must be provided by the client of the
Sb_initializer (reference in the Sb_initializer_request).
Ref #5062
tresor: read uninitialized vbas as all zeroes
Virtual addresses in a Tresor container that were not yet written by the user
should always return a data block that is all-zeroes. This was the concept
right from the beginning of the project. However, somehow this aspect either
never got implement or got lost along the way.
Some context for understanding the commit: The Tresor doesn't initialize the
payload data blocks of a container when creating a new container as this would
be rather expensive. Instead, it marks the leaf metadata nodes of the
virtual-block-device tree (those that reference the payload data blocks in
physical address space) with generation 0.
Now, this commit ensures that, whenever the virtual-block-device module reads
such a generation-0 leaf, instead of asking the block_io and crypto to deliver
data from disc, it directly provides the user with 4K of zeroes.
Ref #5062
The order of execution inside the Tresor lib slightly changed compared to the
previous CBE lib. AFAICT, this is nothing to worry about and related to the
now cleaner structuring. However, it can produce higher peak requirements
regarding the allocation pool in the Free Tree. Therefor, this commit extends
the dimensions of the Free Tree used in the test.
Ref #4971
* Implement requests "create snapshot" and "discard snapshot" in tresor lib.
* Adapt tresor tester in order to test the new feature.
* Remove temporary code from tresor tester that skipped such requests with
the hint that they were not supported yet.
* Add mandatory "id" attribute to <request op="create_snapshot"/> and
<request op="discard_snapshot"/> tag. A "discard snapshot" command always
refers to the snapshot created by the "create snapshot" command with the
same "id" value.
* Clean-up command pool a bit.
Fix#4971
The re-keying state machine in the VBD module would use block data of the wrong
block for the hash update of an inner node in a certain circumstance.
On re-keying, the VBD iterates for a given VBA over all snapshots, beginning
with the newest and re-keys the VBA in each of the snapshots. At each snapshot
it therefore loads the branch of the VBA top-down, and then updates the branch
bottom-up. However, if loading a certain level of the branch of a certain
snapshot runs into the same physical block as with the last snapshot on this
level, the algorithm turns around and updates the branch from this point
upwards instead of going further down the whole way to the leaf. This is
because everything below this point has already been re-keyed in the course of
a newer snapshot.
The case where this turning around is not right above the leaf (i.e., the first
shared physical block is a metadata block) that's were the bug was located. In
this situation, we have to re-encode the highest shared metadata block into a
buffer again before starting to update. The update code acts as if the
mentioned block was just written back (which is true when going down all the
way to the leaf before updating) and consequently is present in the encoded
buffer.
Ref #4971
Until now, it was possible to use bad Free-Tree/VBD configurations with the
<initialize/> command. The tresor tester didn't complaining about it but the
tresor lib crashed or, worse, corrupted the tresor container. Now, the tresor
tester checks things, like for instance, that "nr_of_children" must be a power
of 2.
Ref #4971
The Superblock Control module now issues a snapshot garbage collection on each
incoming request. In return for that, the commit removes all calls to the
garbage collection from other modules.
Ref #4971
The Virtual Block Device module used to create a local copy of the Snapshots
array respectively Snapshot root it received with an incoming request. After
finishing the VBD operation on the copy, the source module of the request
used to back-copy the resulting Snapshot array resp. Snapshot root. This is
not only less efficient than referencing but also allowed a bug to sneak into
the new C++ implementation.
In contrast to the old Ada/SPARK implementation (CBE), the new design doesn't
allow for global objects that can be accessed by any module without receiving a
reference in a module request. Therefore, the Free Tree module has to receive a
reference to a Snapshots array with each request in order to be able to use it.
In our case, these requests are allocations for a "Write" operation from the
VBD. However, the VBD itself receives only the one Snapshot required for
writing and therefore causes the Free Tree to make bad decisions on whether or
not a block can be re-allocated or not.
With this commit, the VBD always receive a reference to the whole Snapshots
array and also propagates it this way to the Free Tree.
Ref #4971
This is function gets called by some libssh applications using vms_lxip.
For the dummy implementation I looked at the old port.
Issue genodelabs#5161
Issue gapfruit#1976
- always assign apps/overlay to targets (visible=true/false) to
prevent 0x0 geometry, which is interpreted as close
- add QMenu as exampel to panel button
- use usb-tablet on Qemu
Per default, windows assigned to targets are visible, which can be
changed with the new boolean "visible" attribute. Thus, window can be
hidden without changing their geometry.
Before, the current back-most window was not restacked if it was part of
the already, which lead to partially inconsistent view of the window
stack between decorator and nitpicker.
The added hook 'OBJ_POSTPROC_SRC' gives us a way to post-process object
files for generating supplemental code. By using this hook, the
initcall_table.c generated by import-lx_emul_common.inc gets reliably
executed after all object files are built.
Fixes#5159
The option is used during the generation of initcall_table.c.
However, it happens to strip the first argument following the option.
The long option --defined-only works as expected.
Issue #5155
Due to a bug in the original implementation, the size of the MMIO
range covering the 'Request_sense_response' data was set too large
during the MMIO boundary change. This rendered devices that were not
yet ready and required an 'Request_sense' command unusable.
The commit also adapts all other commands where the MMIO size does
not match the expected one.
Fixes#5133.
The commit adds support to throttle the rate of the RX IRQs to a specified
value. The effect is, that no RX IRQs below the time threshold will fire and
therefore the CPU load gets reduced on the host. Trade-off gaming between
cpu load, throughput, overload.
Modular Sculpt 23.10 on S938 as testcase. In brackets the CPU affinity is
denoted.
ipxe (0,0) -> nic_router (1,0) -> Debian VM vbox6 (3,0) and (3,1)
VM: iperf -C X.X.X.X -t 60 -R
iperf server X.X.X.X is outside Sculpt and sends data due to '-R' to VM
Non representative measure points:
cpu load - ipxe - nic_router - iperf throughput
--------------------------------------------------
w/o patch - ~80% - ~50% - ~706 MBit/s - 0 -> throttling off by default on S938
patch 651 - ~20% - ~35% - ~763 MBit/s - 651 -> 0.166ms throttle RX IRQ
patch 5580 - ~15% - ~25% - ~650 MBit/s - 5580 -> 1.4ms throttle RX IRQ
Issue #5149
A bunch of transmit requests received by the Uplink server (nic_router)
are currently added one by one to the ring buffer and every time the hardware
is notified to process each single request.
Instead, add as many as possible transmit requests in the ring buffer of
the hardware and when done trigger the hardware to process the ring.
Additionally, don't receive an "processed" TX IRQ for each element in the
ring, which causes high CPU load.
With this commit the TX IRQs in the ipxe driver for a
iperf -c X.X.X.X -t 60
from within a VM to the outside iperf server is reduced from about
~2'600'000 IRQs to about ~200'000. The overall CPU load for the driver
(when executed alone on CPU 0) is reduced from ~85 percent load to ~45 percent
load.
Issue #5149
during receive the nic_ep may block as long as the guest does not provide
another receive network descriptor. In the meantime, all Genode signals
regarding the network interface, e.g. tx, will be postponed, which may
effect the throughput.
Instead use the nic_ep for rx packets unblocking. Add an notification mechanism
to the e1000 vbox network model, to notify us as soon as the guest added new
receive descriptors in the model.
Issue #5146
For pbxa9, Qemu is started with only 256 MiB for foc but with 768 MiB
for base-hw. By reducing the RAM quota for all start nodes within the
remote scenario, each component gets enough RAM quota to breathe.
When wrongly invoking the run script by specifying a skipped test
as its only TEST_PKGS argument, the run script fails due to a wrong
tar argument order. Let's better reflect this condition to the user
ahead of invoking tar.
With `MAP_FIXED` absent from the mmap(3p) flags, "the implementation uses
addr in an implementation-defined manner to arrive at pa", which may
lead to a mapping at an address diffent to the requested `addr`.
Add `MAP_FIXED` to the mmmap flags to force mapping to the specified
address.
Fixes#5147
Such messages can occur by chance when killing 'echo' while the program
blocks in an IPC call. It gets killed nevertheless. So the message does
not hint at a failure of the test.
In the context of #5138, the timer drivers for NOVA and base-hw had been
changed to support timeouts at a precision of 250 us (from formerly 1 ms).
Adjust the test to the new expected lower bound.
The dynamic buffer allocation increases the RAM demand slightly beyond
1M on seL4. Use 2M, as is already the default in pkg/terminal_crosslink.
Issue #5135
Replace the USB session API by one that provides a devices ROM only,
which contains information about all USB devices available for this client,
as well as methods to acquire and release a single device.
The acquisition of an USB device returns the capability to a device session
that includes a packet stream buffer to communicate control transfers
in between the client and the USB host controller driver. Moreover,
additional methods to acquire and release an USB interface can be used.
The acquisition of an USB interface returns the capability to an interface
session that includes a packet stream buffer to communicate either
bulk, interrupt, or isochronous transfers in between the client and the
USB host controller driver.
This commit implements the API changes in behalf of the Genode C API's
USB server and client side. Addtionally, it provides Usb::Device,
Usb::Interface, and Usb::Endpoint utilities that can be used by native
C++ clients to use the new API and hide the sophisticated packet stream API.
The adaptations necessary target the following areas:
* lx_emul layer for USB host and client side
* Linux USB host controller driver port for PC
* Linux USB client ports: usb_hid_drv and usb_net_drv, additionally
reduce the Linux tasks used inside these drivers
* Native usb_block_drv
* black_hole component
* Port of libusb, including smartcard and usb_webcam driver depending on it
* Port of Qemu XHCI model library, including vbox5 & vbox6 depending on it
* Adapt all run-scripts and drivers_interactive recipes to work
with the new policy rules of the USB host controller driver
Fixgenodelabs/genode#5021
For now this import file is solely there to satisfy the mechansim
in Goa that collects and incorporates import files for used APIs.
Issue genodelabs/goa#81.
The kernel timer used to truncated timeouts to the next lower
millisecond, which not only limits the wakeup accuracy but also results
in situations where a user-level timeout is triggered earlier than
expected. The latter effect results in the observation of a spurious
timeouts and the subsequent programming of another timeout.
The patch solves the problem by preserving the sub-milliseconds bits
in the 'us_to_ticks' implementation(s).
Issue #5142
This patch modifies the mixer's time window allocation by modelling the
drift of the period length over time. This yields a much better
stability of the detected sample rates in the presence of jitter.
Issue #5132
This patch caps the busyness of the rump kernel, which normally calls
sleep with timeouts between 0 and 10 ms even when idle. On Sculpt
running on a x250 laptop, this patch saves 0.4% CPU load, which is
almost the half of the idle load.
Issue #5140
This data structure uses an AVL tree to maintain a time-sorted set of
alarm objects. It supports the use of circular clocks of an bit width.
Issue #5138
The format library is required, otherwise the binary isn't build. This
regression was introduced in
acpica: provide verbose config (issue #5083)
Fixes genodelabs#5136
The package depends on two resources.
- A Nic session should be routed to the nic_router "http" domain make
the HTTP server available from the outside on forwarded port 80.
- A File_system session labeled "webroot" can be routed to any server
by relabeling the session, e.g., to "report" or "config" in parent.
Sculpt deploy exmaple exporting report_fs via HTTP.
<start name="lighttpd" pkg="lighttpd">
<route>
<service name="Nic">
<child name="nic_router" label="http"/>
</service>
<service name="File_system" label="webroot">
<parent label="report"/>
</service>
</route>
</start>
Newer Qemu variants quit with an error about already existing devices
if the same device-id is add and removed in a loop fast. To circumvent
this strange behaviour, simply use consecutive device id numbers.
Ref genodelabs/genode#5021
This patch was back ported from upstream Mesa and generalizes the memory
management of buffer objects used by the binder. Before this patch the
binder was treated as a special case where buffer objects were allocated
with a simple "next block or wrap" allocator. With this commit the
binder now uses the vm_heap allocators as done by all other buffer
allocations which leads to issues with reference counting and object
destruction being resolved.
Original commit message:
We're moving towards a path where all contexts share the same virtual
memory - because this will make implementing vm_bind much easier - ,
and to achieve that we need to rework the binder memzone. As it is,
different contexts will choose overlapping addresses. So in this patch
we adjust the Binder to be 1GB - per Ken's suggestion - and use a real
vma_heap for it. As a bonus the code gets simpler since it just reuses
the same pattern we already have for the other memzones.
This patch contains the mobile variant of Sculpt OS, which evolved
at the genode-allwinner repository until now. In consists of the
following parts:
- gems/src/app/phone_manager plays the role of the sculpt manager
- sculpt/phone-linux allows for test driving the mobile
variant on base-linux
- gems/src/app/dummy_modem mockup of a modem's behavior, used for
GUI development and testing
The parts targeting a specific device (PinePhone) remain local to
the genode-allwinner repository.
To give it a try:
make run/sculpt_test KERNEL=linux BOARD=linux \
SCULPT=phone LOG=core DEPOT=tar
Fixes#5125
- monitor system ROM changes
- stop processing of new Jobs before suspend
- destruct platform device before suspend, but keep platform DMA buffers
- re-construct platform device and reinit resources (mmio, irq) on resume
- re-start block job scheduling on resume
Fixes#5101
- monitor system ROM changes
- stop processing of new Jobs before suspend
- destruct platform device before suspend, but keep platform DMA buffers
- re-construct platform device and reinit resources (mmio, irq) on resume
- re-start block job scheduling on resume
Issue #5101
This commit is a preparation commit for suspend/resume. The commit
refactors the code in order to consolidate all Platform resources into one
instance. All users within the driver should access the resources with
with_* functions, which checks whether the device resource is usable. The
callers are not allowed to store any references to the provided resources.
Issue #5101
- monitor system ROM changes
- stop processing of new Jobs before suspend
- destruct platform device before suspend, but keep platform DMA buffers
- re-construct platform device and reinit resources (mmio, irq) on resume
- re-start GPU job scheduling on resume
Fixes#5081
This commit replaces the mapping of DMA buffers and gets rid of the
bounce-buffer handling, which was introduced to prevent data
corruption noticed when utilizing USB storage with Windows 10 guests,
with accessing the buffers directly.
Due to the way Windows 10 at times manages its DMA memory (many small
pieces instead of few larger ones) the unbounded registry becomes a
problem when containing stale entries.
Changing the 'qemu-usb' implementation allows for using 'read_dma'
and 'write_dma' directly.
Fixes#5121.
This patch enhances the audio driver with the option to operate as a
client of the record and play services instead of providing the audio-in
and audio-out services. The record/play mode can be enabled by setting
the 'record_play="yes"' config attribute.
The audio_in.run and audio_out.run scripts support the selection of the
mode via the 'use_record_play_sessions' hook function.
Issue #5097
A read with MSG_PEEK returns -1 and EGAIN/EWOULDBLOCK in case the socket
is connected. Zero is only returned if the socket is disconnected.
isuee #5104
In case the socket is non-blocking, a read with the MSG_PEEK flag set
has to return -1 and EWOULDBLOCK/EAGAIN in case no data is availble and
the socket is connected. Returning zero implies the socket is in
non-connected state. Therefore, check the connection state in this
situation and return accordingly.
issue #5104
- New session interfaces:
- os/include/play_session (for audio playing / mic-input driver)
- os/include/record_session (for audio recording / audio-output driver)
- Mixer at os/src/record_play_mixer providing both play and record services
- Simple waveform player at os/src/app/waveform_player
- Simple audio-signal capturing component at os/src/app/record_rom
- Simple oscilloscpe at gems/src/app/rom_osci (using record_rom)
- Simple test-audio_play for playing raw stereo f32 data
The _gems/run/waveform_player.run_ script illustrates the use of the new
components and interfaces.
Issue #5097
