Commit Graph

130 Commits

Author SHA1 Message Date
Norman Feske
b45242c50f Add chroot support to core
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation.  For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.

This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
2012-11-05 17:31:05 +01:00
Norman Feske
db2b1a37ae Propagate process labels to PD sessions
On Linux, we use the session label for naming the corresponding Linux
process. When looking up the processes via 'ps', the Genode process
hierarchy becomes immediately visible.
2012-11-05 17:31:04 +01:00
Stefan Kalkowski
8393ac6895 base-hw: implement vm_session for TrustZone
* Introduces Schedule_context
* Use fast-interrupts or normal interrupts
* Add mode-transition between secure/non-secure world
* Limit system resources for Genode apps due to non-secure world

This commit implements the newly introduced Vm session interface to be used
on top of TrustZone capable Armv7 CPUs. Therefore a new Schedule_context is
introduced in the kernel. Threads and Vms are both Schedule_contexts used
by the scheduler. In contrast to a thread a vm uses a different assembler
mode switch to the non-secure, virtual world, as well as another exception
is used, when the non-secure world is left. For both worlds to co-exist
the interrupt-controller needs to be configured, so that the secure (Genode)
world uses fast-interrupts only, and the non-secure world only legacy
interrupts.
The only TrustZone capable platform the base-hw kernel works on top of
is the CoreTile Express 9x4 for the Versatile Express motherboard. For a
virtual machine working properly on top some platform resources must be
reserved. Therefore there exist two flavours of this platform now, one with
the 'trustzone' spec-variable enabled, and one without. If 'trustzone' is
specified most platform resources (DDR-RAM, and most IRQs) are reserved
for the Vm and not available to the secure Genode world.
2012-10-29 10:08:30 +01:00
Stefan Kalkowski
94ea3a0acb Move away drivers from generic base-repository
Driver definitions which are used by kernel/core in base-hw, and also by other
drivers (e.g. from the os repository) have to reside in the generic
base-repository, for instance some uart drivers. All drivers which are
interesting for one of the sites only (sp804 for timer driver, or
cortex_a9 cpu driver for base-hw) should reside in the respective repos.

Factorize cpu context out of Cortex A9 specific definitions. Moreover, there
is already a Cpu_state object containing all common ARM registers. We use
this as a base for the cpu context switching done by the base-hw kernel.
The Cpu_state class get extended by a cpu-exception field, that stores the kind
of exception raised when the corresponding context got interrupted. This
information is used not only by the base-hw kernel, but also by the TrustZone
VMM that is build currently.
2012-10-29 10:08:29 +01:00
Stefan Kalkowski
f2d81a8d62 Remove superfluous, generic Thread_state definition
The 'Cpu_state' in 'base/include/base/cpu_state.h' is not needed anymore.
Moreover, it's inconsistent with the architecture-specific definitions
of 'Cpu_state' that all reside in <cpu/cpu_state.h>.
2012-10-29 10:08:29 +01:00
Stefan Kalkowski
96d45c1159 Define board declarations in a more generic fashion
By naming all board declaration (previously in base/include/drivers/board) the
same way, and putting them in platform-specific include-pathes, we save additional
declaration redirection in the base-hw kernel, and in driver definitions.
2012-10-24 16:41:13 +02:00
Alexander Boettcher
83039267fa Cleanup: remove 'first' and 'next' of cpu_session
Fixes #10
2012-10-24 11:34:38 +02:00
Alexander Boettcher
105ff5dfed Provide main thread cap via parent interface
Preparation to solve issue #10
2012-10-24 11:34:38 +02:00
Alexander Boettcher
664e0dc7cd Provide cpu_session_cap via environment object
Preparation to solve issue #10
2012-10-24 11:34:33 +02:00
Sebastian Sumpf
ff0c7825e4 ACPI/IRQ: Add interrupt mode to IRQ connection
Read flags (polarity/trigger) from MADT and add information to 'Irq_connection'
arguments.

Issue #390
2012-10-09 13:47:47 +02:00
Norman Feske
4a1b545770 Move 'Child' API implementation to library 2012-10-09 13:45:33 +02:00
Norman Feske
64245dde3a Avoid superfluous compiler warnings
GCC warns about uninitialized local variables in cases where no
initialization is needed, in particular in the overloads of the
'Capability::call()' function. Prior this patch, we dealt with those
warnings by using an (unreliable) GCC pragma or by disabling the
particular warning altogether (which is a bad idea). This patch removes
the superfluous warnings by telling the compiler that the variable in
question is volatile.
2012-10-08 15:08:21 +02:00
Christian Helmuth
4017e592f0 Compile PDBG() in release mode too
Formerly, GENODE_RELEASE just undef'd PDBG() which concealed bugs in
places PDBG was used, e.g., do to API changes. Unfortunately,
desparately disabling GENODE_RELEASE during bug hunt sometimes
introduced new errors. Now, PDBG is just a branch not taken but seen by
the compiler, which is able to produce warnings/errors when the API is
changed.

Fixes #378.
2012-10-04 14:37:18 +02:00
Alexander Boettcher
9eeec09ebe Fix log2 and alignment calculation - 64bit issue 2012-09-24 09:18:00 +02:00
Alexander Boettcher
11a262c1af Allocate first heap requests from bss
The exception initialization and handling in gcc_eh allocates early (_main)
memory before executing main. In Vancouver the virtual
region from [0,VM size) must be reserved. Vancouver fails if the memory
allocated by the exception handling and the static objects was allocated
inside the [0, VM size) area.

To circumvent the situation allocate the first memory pieces for the heap
from the bss.
2012-09-24 09:17:58 +02:00
Alexander Boettcher
ea38aad30e Move context area definition to native_type 2012-09-24 09:17:54 +02:00
Stefan Kalkowski
689c08e411 Make first block of allocator_avl 64bit fit
The first metadata-block, which is inherent part of the allocator object
itself has a fixed size which isn't suitable enough for some 64bit platforms
(e.g. core's RAM-allocator on a 64bit platform with lots of different regions).
This commit let the block size be address-width aware.
2012-09-18 16:47:59 +02:00
Norman Feske
83bdfea9b0 Extend Cpu_session with thread-affinity API
This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
2012-09-05 10:25:04 +02:00
Norman Feske
d3e8328089 Unify uint64_t among 32-bit and 64-bit platforms
On both 32-bit and 64-bit platforms, 'uint64_t' can be defined as
'unsigned long long', which is the type expected by the %llx
format-string specifier. By unifying the type definitions, we resolve
warnings about unmatching type specifiers. This patch also removes
redundant words from the typedefs.
2012-08-16 13:32:56 +02:00
Norman Feske
47e95d4e18 Support upgrading of child-environment resources
Fixes #5
2012-08-16 10:03:06 +02:00
Alexander Boettcher
8526dc4f19 Set ERR_INVALID_OBEJCT if call failed to server
Tell the client that the last operation failed, instead of continuing doing
useless things.
2012-08-10 10:57:54 +02:00
Sebastian Sumpf
88ac32e3bb Base: New 'memcpy' implementation
Added CPU specific memcpy function ('memcpy_cpu'), which is tried first in
default 'memcpy'. Improved default 'memcpy' to copy eight byte chunks.
2012-08-07 22:21:54 +02:00
Martin Stein
ff65f6f021 Run Genode directly on hardware with 'base-hw'. 2012-08-03 12:06:37 +02:00
Norman Feske
d079ef51ae Adapt GDB monitor and Noux to CPU session changes 2012-08-03 12:06:31 +02:00
Martin Stein
9369057f90 Extend RAM/CPU session for base-hw context-areas. 2012-08-02 16:41:21 +02:00
Martin Stein
9b0a54e980 Fix several bugs in the Cortex A9 drivers.
Avoid the use of deprecated 'MASK' enum in CPU register 'Asid'.

Enable the use of the 'K' bit in MMU translations.

Treat any try to modify existing valid entries in section- and
pagetables when doing 'insert_translation' as error.

Beautify concerned files.
2012-08-02 16:41:21 +02:00
Martin Stein
66bec10276 Fix bug in MMIO framework and test it
Avoid that members of a inheritor overlay those of the
register- and MMIO-framework.

Beautify register- and MMIO-framework.
2012-07-31 12:08:03 +02:00
Norman Feske
693922d789 Support for 64-bit registers in 'util/register.h'
For 64-bit registers we cannot compute MASK and SHIFT values via enums
because enum values are always of type int. But we can use static member
functions instead. Furthermore, the patch fixes the type trait for
64-bit registers. (apparently, this access width was never used so far)
2012-07-25 19:14:06 +02:00
Alexander Boettcher
9e582c59a9 Don't loop forever if upgrade of a donation failed.
The code intended to stop after the first failed attempt,
however the bool variable to control this was reseted
inside the loop and so it endless loops.

Fixes #51
2012-07-19 21:05:51 +02:00
Norman Feske
cfda8ac4ae Add bitfield polling support to MMIO framework 2012-07-09 15:07:32 +02:00
Alexander Boettcher
8ee4442108 Feature: add synchronized allocator 2012-07-04 14:56:47 +02:00
Alexander Boettcher
4d5d91efef Fix: _session_list in child.h must be locked
The _session_list can be modified concurrently,
so the iteration over the list must be locked.
2012-07-04 14:56:46 +02:00
Alexander Boettcher
f612475c99 Bug fix: null ptr dereference in base/semaphore
If nobody is blocked in a semaphore, nothing can be dequeued. If
the semaphore is used for signalling, there can be somebody in the queue,
but not necessarily.
2012-07-04 14:56:44 +02:00
Norman Feske
288fd4e56e Add support for allocating DMA memory
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.

Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
2012-06-20 09:17:48 +02:00
Norman Feske
e4f28625e3 Construct process member as late as possible
When creating a 'Child' object with an already active entrypoint,
session requests may arrive as soon as the '_process' is created. We
have to make sure that at least all parts of the 'Child' object needed
for serving 'session' requests are constructed. This is particularly
important for the '_policy' member.
2012-06-06 17:24:07 +02:00
Christian Prochaska
c2f23de2e7 Introduce server-role member to 'Child' class
This patch is needed to use children as services in a dynamic
way (closing and reopening sessions).
2012-05-29 13:54:59 +02:00
Norman Feske
cba25cc1d6 Minor coding-style fixes 2012-05-29 13:54:59 +02:00
Martin Stein
2b0c613336 Basic drivers for UART modules PL011 and TL16C750 2012-05-29 13:54:58 +02:00
Martin Stein
a936cba296 Simple driver for the SP804 timer 2012-05-29 13:54:58 +02:00
Martin Stein
45b4cb5bbf Simple driver for the PL390 Interrupt controller 2012-05-29 13:54:58 +02:00
Martin Stein
dce09679bc Simple drivers for the Cortex A9 components 2012-05-29 13:54:58 +02:00
Martin Stein
056f980d4e Atomic compare exchange for ARM platforms
Makes similar kernel-specific implementations unnecessary,
although i don't delete them with this commit.
2012-05-29 13:54:58 +02:00
Martin Stein
2eccfc5dc9 Defs for the boards, supported by 'base-hw' 2012-05-29 13:54:58 +02:00
Martin Stein
4b90cba132 Boolean fields and strict write on Registers/MMIO 2012-05-29 13:54:58 +02:00
Martin Stein
f01f42fdd7 Avoid ambiguousness of entry members in FIFO 2012-05-29 13:54:58 +02:00
Stefan Kalkowski
0971b47b11 Use placement new for Heap::Dataspace (fix #203)
This commit introduces placement new/delete, and a constructor for
Heap::Dataspace objects. It fixes the usage of uninitialized Dataspace
objects when expanding the heap that lead to problems in conjunction
with Native_capability smart-pointer in base-foc. Please refer to
issue #203.
2012-05-10 19:04:35 +02:00
Stefan Kalkowski
685add4774 Use OO-means to copy capabilities (fix #182)
Whenever Native_capability or its derivation Capaility is memcpy'd no copy-
constructor/assignment-operator is used and thereby implementation of
reference-counting gets impossible for these objects. Use object-oriented
means like e.g. copy-constructor instead.
2012-05-09 20:50:56 +02:00
Christian Prochaska
cf9610a958 Implement RAM accounting 2012-05-02 16:54:18 +02:00
Christian Prochaska
7a369bc74d Add an 'executable' flag to 'Rm_session::attach()'
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.

Partially fixes #176.
2012-04-20 11:21:19 +02:00
Norman Feske
9a00ad7ae3 Support for dynamic ROM sessions, fix #170
This patch introduces support for ROM sessions that update their
provided data during the lifetime of the session. The 'Rom_session'
interface had been extended with the new 'release()' and 'sigh()'
functions, which are needed to support the new protocol. All ROM
services have been updated to the new interface.

Furthermore, the patch changes the child policy of init
with regard to the handling of configuration files. The 'Init::Child'
used to always provide the ROM dataspace with the child's config file
via a locally implemented ROM service. However, for dynamic ROM
sessions, we need to establish a session to the real supplier of the ROM
data. This is achieved by using a new 'Child_policy_redirect_rom_file'
policy to handle the 'configfile' rather than handling the 'configfile'
case entirely within 'Child_config'.

To see the new facility in action, the new 'os/run/dynamic_config.run'
script provides a simple scenario. The config file of the test program
is provided by a service, which generates and updates the config data
at regular intervals.

In addition, new support has been added to let slaves use dynamic
reconfiguration. By using the new 'Child_policy_dynamic_rom_file', the
configuration of a slave can be changed dynamically at runtime via the
new 'configure()' function.

The config is provided as plain null-terminated string (instead of a
dataspace capability) because we need to buffer the config data anyway.
So there is no benefit of using a dataspace. For buffering configuration
data, a 'Ram_session' must be supplied. If no 'Ram_session' is specified
at construction time of a 'Slave_policy', no config is supplied to the
slave (which is still a common case).

An example for dynamically reconfiguring a slave is provided by
'os/run/dynamic_config_slave.run'.
2012-04-05 11:25:26 +02:00
Norman Feske
f150b00c0d Spelling fix 2012-04-04 17:03:34 +02:00
Christian Prochaska
d6caa73c13 Fix a compile error reported by GCC 4.7.0 2012-03-30 19:55:56 +02:00
Ivan Loskutov
fa4935627a Fix error for 7th argument call_member 2012-03-30 19:55:55 +02:00
Ivan Loskutov
59221f9c17 Fix misprint 2012-03-30 19:47:35 +02:00
Norman Feske
d6e30c19de Replace 'Native_capability::copy_to' by accessor
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
2012-03-28 09:58:51 +02:00
Norman Feske
48739422ac Validate liveliness of signal contexts
We cannot trust signal imprints received with signals to represent valid
pointers to signal contexts. After a signal context has been dissolved
from its receiver, a signal corresponding to the context might still be
in flight. Hence, we need a facility to check received signal imprints
against the list of valid contexts at reception time. The new
'Signal_context_registry' is a very simple attempt to create such a
facility.
2012-03-21 21:37:15 +01:00
Stefan Kalkowski
e34adf883c Introduce design pattern for uncopyable objects.
Introduce a new Noncopyable class, one can derive from to mark a class of
objects to be uncopyable. This way the compiler can check for any violations
for you.
2012-03-16 18:24:52 +01:00
Stefan Kalkowski
ae8cf5f44d Rename tid() to dst() in Native_capability.
As suggested by Norman in the discussion of issue #145, this commit
renames the tid() accessor in Native_capability to dst().
2012-03-10 15:52:19 +01:00
Stefan Kalkowski
42b7c01685 Unify policy name for Native_capability_tpl.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
2012-03-10 15:52:13 +01:00
Norman Feske
35384faa7a Follow-up tweaks for issue #145
Because we use to pass a policy class to 'Native_capability_tpl'
we can pass the dst type as part of the policy instead of as
a separate template argument. This patch also adds documentation
of the POLICY interface as expected by 'Native_capability_tpl'.
2012-03-08 19:28:32 +01:00
Stefan Kalkowski
c9c21ad39c Merge Native_capability implementations (fix #145).
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
2012-03-08 18:42:39 +01:00
Stefan Kalkowski
fa377f0df5 Make local capability interface explicit. Fix #139.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
2012-03-08 18:40:48 +01:00
Norman Feske
3e41ff7f23 Minor coding style fix
The 'detail' tag is not conform to the coding style. Tools may stumble
over it.
2012-02-28 08:50:15 +01:00
Martin Stein
bf7a5c2b69 Review doc and style for release. ref #69 2012-02-23 10:42:12 +01:00
Martin Stein
70ae53fe3c Simplify interface of the MMIO framework, ref #69
Parameterize register and bitfield templates to always take their
bitwidth instead of the according types or width exponents as arguments.
2012-02-23 10:42:12 +01:00
Martin Stein
7044b264e6 Beautify class names in 'register.h' and 'mmio.h'
Replace 'Reg_array' in 'Genode::Mmio' by 'Register_array' and 'Subreg'
in 'Genode::Register', 'Genode::Mmio::Register'and
'Genode::Mmio::Register_array' by 'Bitfield'.

Update and beautify comments in the according headers and test programs.
2012-02-23 10:42:12 +01:00
Martin Stein
e1285335ab Replace 'Subreg_array' with 'Reg_array'.
'Reg_array' contains items whose width can be the width of the register
storage type at a max. Nethertheless they can be smaller and iterate all
subregs that are covered by the item width. The array uses as much
successive instances of its storage type as needed.

The test 'run/util_mmio' also tests these new features heavily.
2012-02-23 10:42:12 +01:00
Martin Stein
01bb7536dd Complement test for MMIO framework
The run script 'run/util_mmio.run' runs a test over basic
functionalities of 'Mmio::Register' and 'Mmio::Register::Subreg'. The
test covers the functions 'read' and 'bits', 'set', 'clear' and 'get'.

Inline function in 'Mmio::Register::Subreg' whose definition otherwise
looks ugly.
2012-02-23 10:42:12 +01:00
Martin Stein
9329b91aca Extract more generic parts from 'Genode::Mmio'
To accommodate CPU registers, which have a structured layout but don't
depend on a region base address, this patch introduces the generic
'Genode::Register' and 'Genode::Subreg' to 'register.h'.
'Mmio::Register' and 'Mmio::Subreg' inherit from them.
2012-02-23 10:42:11 +01:00
Martin Stein
1f75ebe9e5 First version of generic MMIO access framework
The MMIO access framework consists of an abstraction for a contiguous
MMIO area with a base address set dynamically. Within this class 'Mmio'
are declarations for 'Register' and 'Subreg'. These two can be
parameterized statically via template parameters to create arbitrary
MMIO structures.

Whereas 'Register' relies to a POD like subregion of 'Mmio', 'Subreg'
relies to a MMIO region within a specific 'Register' and therefore is
smaller or equal then the storage type of its superior 'Register'.

Furthermore with 'Reg_array' and 'Subreg_array', there exists the
possibility to handle arrays of uniform contiguous registers or subregs
by index. 'Subreg_array' therefore abstracts from the width boundary of
its superior 'Register' and handles a steady distance between its
members in addition. Both also check array size limits.

Related to issue #69.
2012-02-23 10:42:11 +01:00
Norman Feske
3ddf7d2b1b Let reload_parent_cap take the new cap as agument 2012-02-23 10:42:03 +01:00
Norman Feske
759af6d9c1 Accessor to obtain parent cap of child
This is needed for the fork support of Noux.
2012-02-22 15:56:45 +01:00
Norman Feske
e4cefe58d5 Make Child's reference RAM session configurable
The 'Child' framework used to perform the transfer of session quota
using 'env()->ram_session()' as hard-wired reference account. When
locally virtualizing the RAM session supplied to the 'Child', this
policy does not work. When closing a session, core would try to transfer
session quota to the virtualized RAM service, which is of course not
possible. This patch makes the reference RAM session configable via the
'Child_policy' interface.
2012-02-22 15:56:45 +01:00
Norman Feske
f3fcb5f56f Facility for reinitializing Platform_env
The new function 'Platform_env::reload_parent_cap' triggers a reload
of the parent capability and its respective resources. It is needed
during the bootstrap of a new process forked from an existing Noux
process.
2012-02-22 15:56:45 +01:00
Norman Feske
dc4f6871c3 Make argument types of min and max more flexible 2012-02-14 16:44:42 +01:00
Norman Feske
210eb98598 Support const RPC functions with no arguments
Until now, the RPC framework did not support const RPC functions. Rather
than being a limitation inherent to the concept, const RPC functions
plainly did not exist. So supporting them was not deemed too important.
However, there are uses of RPC interfaces that would benefit from a way
to declare an RPC function as const. Candidates are functions like
'Framebuffer::Session::mode()' and 'Input::Session::is_pending()'.

This patch clears the way towards declaring such functions as const.
Even though the patch is simple enough, the thorough support for
const-qualified RPC functions would double the number of overloads for
the 'call_member' function template (in 'base/include/util/meta.h'). For
this reason, the patch does support const getter functions with no
arguments only. This appears to be the most common use of such
functions.
2012-01-27 16:54:05 +01:00
Norman Feske
a107c89a8e Exceptions at construction time of dynamic objects
This patch implements the support needed to handle exceptions that occur
during the construction of objects dynamically allocated via the
'Allocator' interface. In this case, the compiler automatically invokes
a special delete operator that takes the allocator type (as supplied to
'new') as second argument. The implementation of this delete operator
has been added to the 'cxx' library. Because the operator delete is
called without the size of the object, we can use only those allocators
that ignore the size argument of the free function and print a warning
otherwise. The added 'Allocator::need_size_for_free()' function is used
to distinguish safe and unsafe allocators.
2012-01-26 21:19:30 +01:00
Norman Feske
08ce32215d Bump year in copyright headers to 2012 2012-01-03 15:35:05 +01:00
Norman Feske
defd6a9b58 Use POSIX threads in Linux/Genode hybrids
- Let hybrid Linux/Genode programs use POSIX threads for the
  implementation of the Thread API.
- Prevent linkage of cxx library to hybrid Linux/Genode programs because
  the cxx functionality is covered by glibc.
2011-12-22 17:17:44 +01:00
Genode Labs
da4e1feaa5 Imported Genode release 11.11 2011-12-22 16:19:25 +01:00