Commit Graph

13081 Commits

Author SHA1 Message Date
Norman Feske
9ea99a896a sculpt: add launcher/black_hole 2024-04-12 15:05:46 +02:00
Martin Stein
fbec6ae030 file_vault_client.run: raise access timeout
On some platforms like qemu/x86_64/sel4, accessing the file system is so
slow that it used to hit the timeout of this phase in the run script.

Ref #5148
2024-04-12 15:05:46 +02:00
Martin Stein
a7ff30d5a4 file_vault_client.run: disable for riscv
Ref #5148
2024-04-12 15:05:46 +02:00
Martin Stein
0ef92baf9d tresor_tester.run: raise block_io_fs caps
On platform imx6q_sabrelite/arm_v7a/imx6q_sabrelite/sel4, the test used to
fail because of a resource request.

Ref #5148
2024-04-12 15:05:46 +02:00
Martin Stein
5cb5610906 tresor_tester.run: raise test timeout
Some platforms (especially the qemu-based ones) used to time out on
nightly tests although they would have succeeded with more time.

Ref #5148
2024-04-12 15:05:46 +02:00
Norman Feske
4a1a29b3d0 sculpt: make storage target configurable
This patch lays the selection of the used storage target into the hands
of the config/manager file. By default, Sculpt selects the target by its
built-in heuristics, probing for a Sculpt partition. However, by
specifying a <target> node, one can explicitly select a storage target.

E.g., for using the 2nd partition of the SATA disk connected to port 1
of the AHCI controller, one can now specify:

  <target driver="ahci" port="1" partition="2"/>

For selecting the ram_fs as target:

  <target driver="ram_fs"/>

The latter case is particularly useful for custom Sculpt scenarios
deployed entirely from RAM. For such scenarios, add two lines to
your .sculpt file:

  ram_fs:  depot
  manager: use_ram_fs

The first line configures the ram_fs such that the depot is mounted
as a tar archive. The second line configures the sculpt manager to
select the ram_fs as storage target. You can find this feature
exemplified in default-linux.sculpt scenario.

  build/x86_64$ make run/sculpt_test KERNEL=linux BOARD=linux

It is worth noting that the configuration can be changed at runtime.
This allows for switching between different storage targets on the fly.

Issue #5166
2024-04-12 15:05:46 +02:00
Norman Feske
508e0bdfbf sculpt: introduce config/manager
The new 'manager' config allows for the passing of configuration data the
sculpt manager without the need to modify the config/leitzentrale subsystem.

Issue #5166
2024-04-12 15:05:14 +02:00
Stefan Kalkowski
2f0fe562ec os: packet_allocator needs size for free
Unlike the previous return value of
`Genode::Packet_allocator::need_size_for_free()` indicated, it does need
the size of the object it has to free to work properly.
2024-04-12 15:05:14 +02:00
Martin Stein
84285881f3 vfs_rump: fix missing create arg in open
The plugin used to call open with the create flag set at rump without file
permissions for create leading to undefined behavior regarding the file
permissions.

Ref #5148
2024-04-12 15:05:14 +02:00
Sebastian Sumpf
65dfd2f9a8 lxip: add ECONNRESET errno
The ECONNRESET/GENODE_ECONNRESET errno was not handled in lxip.

issue #5165
related #5161
2024-04-12 15:02:45 +02:00
Sebastian Sumpf
1056c759fd vfs_lxip: propagate data file write error
All errors (as in the legacy version) are now propagated as WRITE_ERR_IO
(see Lxip_vfs_file_handle::write), which ultimately will lead to EPIPE
in libc's socket_fs. This also counts for EAGAIN leading to the fact
that partial writes are not supported for blocking sockets in libc, also
libc will not try a second time in case not all data has been written.

issue #5165
2024-04-12 15:02:45 +02:00
Sebastian Sumpf
b30bacf86e lxip: shadow asm-generic/access_ok.h
The IP stack checks "user" pointer access, for example, for iov's using
'access_ok' which in turn calls '__access_ok'. The function checks if the
pointer is below TASK_SIZE_MAX, which is usually a big value on 64 bit
systems, but 3GB on 32 bit systems. Because the IP stack is mostly used with
Genode's libc, where pointers on some kernels (base-linux) can be >3GB and we
don't want to make an additional copy of each buffer/iov interacting with the
IP stack, we short circuit the function

issue #5165
2024-04-12 15:02:45 +02:00
Norman Feske
b78b2c7ac9 sculpt_manager: use Rom_handler
This patch replaces the dynamic use of Attached_rom_dataspace by a
new Rom_handler utility, which implicitly covers the initial import of
content (safely using 'local_submit'), the registration of the signal
handler, passes the Xml_node to the handler function (no need to
manually call 'update'), and provides scoped access to the content via a
'with_xml' method. The latter reinforces a programming style that does
not need to copy Xml_node objects.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
f96cea8151 sculpt: remove notion of system 'block_devices'
This patch removes the remains of the original block-device discovery as
done by the former driver manager. Block sessions are now always
provided by components hosted in the runtime subsytem. The storage node
of the graph is no more.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
0cf12c6778 gems: use C++20 function template syntax 2024-04-12 15:02:45 +02:00
Norman Feske
4dc1014bfb gems: coding style (avoid superfluous '()' pairs) 2024-04-12 15:02:45 +02:00
Norman Feske
6cabc85ac8 sculpt: group driver management in 'Drivers' class
This patch harmonizes the driver management between the sculpt manager
and the phone manager by hosting the individual drivers in a new
'Drivers' class with a narrow interface towards 'Sculpt::Main'. The
patch also introduces a clean separation of the 'Board_info' between
features detected at runtime (on PC hardware), statically
known/managed features (phone hardware), and options that can be
toggled at runtime.

With common patterns for managing drivers in place now, this commit
also moves the former runtime/wifi_drv.cc and runtime/nic_drv.cc
code to driver/wifi.h and driver/nic.h. The _drv suffix of the wifi
and nic driver components have been dropped.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
b7bbf8f7e4 sculpt.run: remove outdated session routes
The move of block, USB, and input drivers from the drivers subsystem to
the runtime alleviates the need for routing those sessions between the
subsystems.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
d8acc3a9f4 sculpt: host MMC driver in runtime
Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
d13b8e1937 sculpt: host soc touch and fb drivers in runtime
This patch moves SoC-specific framebuffer and touchscreen drivers
(PinePhone) to the runtime subsystem. They are enabled for the
phone_manager.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
85e020b8e1 gems: remove driver_manager
The former pkg/drivers_managed-pc has been replaced by the
pkg/sculpt_drivers-pc, which is merely a collection of archives.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
99da68183f sculpt: abbreviate .part_block suffix to .part
This slightly reduces the horizontal space of the component graph.
2024-04-12 15:02:45 +02:00
Norman Feske
fe596f2219 sculpt: host NVMe driver in runtime
As the NVMe driver was the last remaining driver controlled by the
driver manager, this patch removes the 'drivers -> dynamic' subsystem
along with the driver manager from sculpt/drivers/pc.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
206bf856bb sculpt: host AHCI driver in runtime
This patch moves the AHCI driver from the 'drivers -> dynamic'
subsystem to the runtime, managed by the sculpt_manager. One
implication of this change is the new need to supplement a device
port number to the 'Storage_target', in addition to the existing
label and partition. Previously, each block device was addressed by
merely a label specified for a parent session. The meanings of the
'Storage_target' elements are now as follows.

- The label corresponds to the driver component providing the storage.
- The port is used as block-session label when opening the session
  at the driver.
- The partition(s) denote the partition information contained in
  the block session.

Components operating as clients of the AHCI driver (e.g., a file system)
refer to their storage target as <label>-<port>.<partition> when a port
is defined (for AHCI). For drivers w/o ports, like USB storage where
each USB-block driver correponds to only one device, the storage target
is denoted as <label>.<partition>. When no partition table is present,
the '.<partition>' part is omitted.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
e3803fb861 sculpt: host PS/2 driver in runtime
Issue #5150
2024-04-12 15:02:44 +02:00
Norman Feske
556a7b8b17 sculpt: host PC USB driver in runtime
This commit moves the USB and USB HID driver from the drivers subsystem
into the runtime. The former special USB node of the graph corresponds
now to the USB host-controller driver (named "usb"). The management
options for USB storage devices are available inside this component
node now.

Issue #5150
2024-04-12 15:02:44 +02:00
Norman Feske
3580bb6e17 sculpt: move event_filter to static system
By moving the event_filter and the numlock_remap_rom from the drivers
subsystem to the static system, the filtering can be applied to drivers
hosted in the runtime and drivers hosted in the drivers subsystem.

This is a preparatory step for moving the USB host and HID drivers to
the runtime.

Issue #5150
2024-04-12 15:02:44 +02:00
Norman Feske
06c4b0248b sculpt: upper limit for automatic quota upgrading 2024-04-12 15:02:44 +02:00
Martin Stein
e53b00aafb run/file_vault_client: remove troublesome § char
Ref #5148
2024-04-12 15:02:44 +02:00
Martin Stein
5907307af6 file_vault: re-enable support for 32-bit platforms
Ref #5148
2024-04-12 15:00:46 +02:00
Christian Helmuth
f3610dc3a8 sel4: prevent stdout/stderr truncation in cmake
Remove the "excellent" idea to re-open /dev/stdout etc. for redirection as
cmake uses open(O_TRUNC) and, thus, truncates log output of outer
redirections.
2024-04-12 15:00:46 +02:00
Johannes Schlatow
9971f41f8c platform/pc: fix IOMMU fault reporting
When the kernel does interrupt remapping, we cannot get a non-remapped MSI
for fault event interrupts. We therefore let the kernel do the fault
reporting in this case.

genodelabs/genode#5066
2024-04-12 15:00:46 +02:00
Christian Helmuth
c54e8ec3e2 lx_emul: init pci_dev::error_state
pci_channel_offline() checks if this member is set to
pci_channel_io_normal (which is 1). The former value of 0 is invalid.

This change fixes pc_nic_drv link down-up in cases that require an e1000
reset.
2024-04-12 15:00:46 +02:00
Christian Helmuth
e691af4e97 pc_nic_drv: basic rtnetlink for lock/unlock and netdev_run_todo() 2024-04-12 15:00:46 +02:00
Christian Helmuth
38d2b8d46a lx_emul: function to generate trace messages
lx_emul_trace_msg() uses Genode::trace() as message function for
lightweight trace points, but also supports Linux format-string
attributes by using vsnprintf().
2024-04-12 15:00:46 +02:00
Christian Helmuth
66286d6f17 dde_linux: remove custom *printf implementation
The DDE uses Linux-internal formatted printk for a while now, thus
remove the unused code.
2024-04-12 15:00:46 +02:00
Christian Helmuth
5ff1ef82d1 lx_kit: preserve priority order in scheduler 2024-04-12 15:00:46 +02:00
Christian Helmuth
68925a6d33 pc/lx_emul: enable HIGH_RES_TIMERS
Only with high-resolution timers enabled timouts can fire between two
jiffies. The option is enabled on all relevant platforms but
unfortunately disabled by tinyconfig.

This option also permits the use of CONFIG_SND_HRTIMER.
2024-04-12 15:00:46 +02:00
Martin Stein
b903ddeea7 tresor: fix and test handling of minimal trees
* add testing of trees with minimal and maximal dimensions to tresor_tester.run
* replace tresor_init-local configuration type with simpler and more conformant
  configuration type in tresor/types.h that does also XML-parsing and
  XML-generation of configurations
* raise min degree to 2 because a degree of 1 is not practical und would
  require additional logic
* fix overflow with num_blocks=0 in Superblock_control::Read|Write_vbas
* fix off-by-one bug regarding the number of levels in Vbd_initializer
* improve sanity checks in Tree_configuration constructors
* document level indices in tresor_init/README
* fix size of some arrays in order to be able to handle the maximum number of
  tree levels

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
067a8a35cd tresor: fix faults on failed free-tree requests
* fixes two places, where the free tree module used to continue to process a
  request after actually having determined that the request fails
* moves the functionality of checking the hash of a read block and decoding it
  to a dedicated method in order to improve readability

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
81b17ba1e4 tresor_tester: check uninitialized vba data
Adds a new command attribute "uninitialized_data" to the Tresor Tester
configuration. If a <request op="read"> command has this attribute set to "yes"
it assumes the read blocks to be uninitialized and therefore contain only 0's.
Note, that a command that has "uninitialized_data" set to "yes" cannot have the
attribute "salt".

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
4a68f6bf75 tresor: discard snapshots only when writing the sb
Snapshots must only be removed when securing the superblock. Otherwise, the
last secured superblock might get corrupted. The Free Tree allocation algorithm
would not consider the deleted snapshots anymore although they are still active
in the secured superblock and re-use their blocks. This would render the tresor
container unusable if the superblock with the deleted snapshots is not secured
in the end (driver crash, power down, ...).

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
518c32e1af tresor: don't decode superblock before hash check
Superblock_control::Initialize used to decode a read superblock before checking
its hash. This is not necessary but may cause the operation to end up in a
decoding error on a superblock that is not the desired one anyway.

Ref #5077
2024-04-12 15:00:45 +02:00
Martin Stein
016a769605 tresor: check only the last secured superblock
Instead of iterating over all superblocks and checking each valid one,
check only the one whose hash matches the hash stored in the trust anchor.
I.e., the last one that was secured to the trust anchor. We must assume that
the other superblocks were corrupted in the meantime by operating the Tresor
container and, anyway, these Superblocks are not used anymore.

Ref #5077
2024-04-12 15:00:45 +02:00
Martin Stein
d2af024349 tresor: don't halt on extension beyond limits
The request of extending a tree used to halt when it found that
it could not add more levels to the tree because the maximum level index was
reached. Now, the library simply marks the request as failed, leaving it to
the user to handle the error condition.

Ref #5077
2024-04-12 15:00:45 +02:00
Martin Stein
b4c4681733 tresor: streamline design further
* differentiates request types that where merged formerly per module;
  e.g. instead of type Superblock_control::Request, there are now types
  * Superblock_control::Read_vbas
  * Superblock_control::Write_vbas
  * Superblock_control::Rekey
  * Superblock_control::Initialize
  * ...
  each holding only the state and functionality that is required for exactly
  that request

* removes all classes of the Tresor module framework and adapts all
  Tresor- and File-Vault- related libs, apps, and tests accordingly
  * the former "channel" state is merged into the new request types, meaning, a
    request manages no longer only the "call" to a functionality but
    also the execution of that functionality; every request has a lifetime
    equal to the "call" and an execute method to be driven forward
  * state that is used by a request but has a longer lifetime (e.g. VFS file
    handles in Tresor::Crypto) is managed by the top level
    of the user and handed over via the execute arguments; however, the
    synchronization of multiple requests on this state is done by the module
    (e.g. Tresor::Crypto)
  * requests are now driven explicitly as first argument of the (overloaded)
    execute method of their module; the module can, however, stall a request
    by returning false without doing anything (used for synchronization on
    resources)

* introduces Request_helper, Generated_request and Generatable_request in the
  Tresor namespace in order to avoid the redundancy of sub-request generation
  and execution

* moves access to Client-Data pointers up to Tresor::Virtual_block_device in
  order to simplify Tresor::Block_io and Tresor::Crypto

* removes Tresor::Client_data and introduces pure interface
  Client_data_interface in order to remove  Tresor::Client_data and
  move management of Client Data to the top level of a Tresor user

* introduces pure interface Crypto_files_interface in order to move management
  of Crypto files to the top level of a Tresor user

* moves management of Block-IO and Trust-Anchor files to the top level of a
  Tresor user

* adapts all execute methods, so, that they return the progress state
  instead of modifying a reference argument

* removes Tresor::Request_and Tresor:Request and instead implements
  scheduling at the top level of the Tresor user
  * the Tresor Tester uses a list as schedule that holds Command objects; this
    list ensures, that commands are started in the order of configuration
    the Command type is a merge of the state of all possible commands that can
    be configured at the Tresor Tester; the actual Tresor requests (if any) are
    then allocated on-demand only
  * the Tresor VFS plugin does not use a dynamic data structure for scheduling;
    the plugin has 5 members that each reflect a distinct type of operation:
    * initialize operation
    * deinitialize operation
    * data operation
    * extend operation
    * rekey operation
    consequently, of each type, there can be only one operation in-flight at a
    time; at the user front-end each operation (except "initialize") can be
    controlled through a dedicated VFS file; for each of these files, the VFS
    expects only one handle to be open at a time and only one file operation
    (read, write, sync) active at a time; once an operation gets started it is
    finished without preemtion (except of the interleaving at rekey and
    extend); when multiple operations are waiting to be started the plugin
    follows a static priority scheme:

      init op > deinit op > data op > extend op > rekey op

    there are some operation-specific details
    * the initialize operation is started only by the plugin itself on startup
      and will be driven as side effect by subsequent user calls to file
      operations
    * the data file is the only contiguous file in the front end and the file
      operations work as on usual data files
    * the other 3 files are transactional files and the user is expected to
      follow this scheme when operating on them
      1) stat (to determine file size)
      2) seek to offset 0
      3) read entire file once (this will be queued until there is no operation
         of this type pending anymore and return the last result:
         "none" | "failed" | "succeeded"; used primarily for synchronization)
      4) write operation parameters (this returns immediately and marks the
         operation as "requested")
      5) read entire file once (the same as above but this time in order to
         determine the operation result)
    * the rekey op and deinitialize op are requested by writing "true"
    * the extend op is requested by writing "tree=[TREE], blocks=[BLOCKS]"
      where TREE is either "vbd" or "ft" and BLOCKS is the number of physical
      4K blocks by which the physical range of the tresor container expands
      (the physical range always starts at block address 0 and is always
      expanded upwards)

* replaces the former <trust-anchor op="initialize"> command at the Tresor
  Tester with <initialize-trust-achor> as there are no other trust anchor
  operations that can be requested through the Tester config anyway

* removes the "sync" attribute from all commands at the Tresor Tester except
  from <request op="rekey">, <request "extend_ft">, <request op="extend_vbd">;
  as the Tester controls scheduling now, requests are generally synchronous;
  at the rekeying and extension commands, the "sync" attribute determines
  wether subsequent commands are interleaved with the execution of these
  commands (if possible)

* removes "debug" config attribute from Tresor VFS plugin and reworks "verbose"
  attribute to generate more sensible output

* removes NONCOPYABLE macro and instead uses Genode::Noncopyable and in-place
  Constructors deletion

* introduces types Attr and Execute_attr where a constructor or execute method
  have many arguments in order to raise readability

* renames the "hashsum" file that is provided by the Tresor Trust-Anchor VFS
  plugin to "hash" in order to become conformant with the wording in the Tresor
  lib

* makes the VFS Tresor test an automated test by merging in the functionality
  of vfs_tresor_init.run and removing the interactive front end; removes
  vfs_tresor_init.run as it is not needed anymore; adds consideration for
  autopilot file structure in the Test and adds it to autopilot.list

* removes all snapshot controls and the progress files for rekeying and
  extending from the Tresor VFS plugin; both functionalities were tested
  only rudimentary by the VFS Tresor test and are not supported with the only
  real user, the File Vault

* use /* .. */ instead of // ..
* use (..) instead of { .. } in init lists

Ref #5148
2024-04-12 15:00:45 +02:00
Martin Stein
14f4aa6e05 tresor_utils.run: use [build_artifacts]
Ref #5148
2024-04-12 15:00:45 +02:00
Martin Stein
ef0c3f9d2c tresor_tester.run: fix asynchronous rekeying test
The virtual block device module used to hand over the wrong VBA as
parameter "rekeying VBA" to the Free Tree when allocating PBAs for data
access during rekeying. In certain constellations, this caused the Free
Tree to alloc PBAs that were still in use. The Free Tree PBA selection
algorithm, however, is just fine. When fixing the call parameter, it works
as desired. This re-enables the async rekeying test.

Ref #5075
2024-04-12 15:00:45 +02:00
Martin Stein
02ef158748 gems: add autopilot test 'file_vault_client'
The script tests the use of an encrypted file system that is created and
provided via the File Vault.

Furthermore the script can be used for test-driving existing File-Vault
containers (created with potentially older File-Vault versions) under the
current File-Vault version. This is done via the "LX_FS_DIR_TEMPLATE"
env variable.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
fb2d153c92 tresor: check hash of all read vba data
During one of the many re-factorization steps that were applied to the Tresor
library and its predecessor, the CBE library, one of the main features of the
project, the integrity check, accidentally received a grave regression. The
most recent version of the Tresor still used to check all hashes of meta-data
blocks but ignored the hashes of the actual data blocks.

With this commit, the hashes of all but yet uninitialized data blocks get
checked. The reason for ignoring uninitialized blocks is that they are not
actually read from disc but simply generated as an all-zeros block in the
driver in order to prevent having to initialize them all to zero in
Tresor-Init. That said, the integrity of these blocks cannot be compomised.
The according hashes in the meta data remain unset until the data block gets
written for the first time.

Ref #5062
2024-04-12 15:00:45 +02:00