This patch changes the way of how the client-selected sub directory is
communicated to the server. The former opaque session argument is now
passed as last label element, which allows for the flexible tweaking
of this argument by init's session-routing and label-rewriting
mechansims. In particular, it alleviates the need for creating chroot
component instances.
This change requires the following four adaptations at the
configuration level:
- Each file-system session request must now carry a path starting
with / as last session arguments. Hence, <vfs> <fs> nodes that
feature a 'label' attributes must extend the attribute value
with " -> /". For <fs> nodes with no label attribute, "/" is
used as last label argument by default.
- For matching session-routing rules at init's configuration,
the matching of full labels should be replaced by 'label_prefix'
matches, excluding the last (path) argument.
- Wherever a label of a file-system session is rewritten by using
init's 'label' attribute of a <parent> or <child> target node,
the new attribute 'identity' should be used instead. This replaces
the identity part of the label while preserving the client's
directory argument.
- Analogously to the matching of session-routing rules, server-side
policy-selection rules that formerly matched a concrete 'label'
must be changed to match a 'label_prefix' instead.
As a good practice, 'label_prefix' values should end with " ->" if
possible, which clearly delimits the identity part of the label
used by the matching.
Issue #5445
This patch adds the feature of moving and resizing windows by clicking
anywhere within a window while the global window-management key is held.
Depending on the position within the window, the click is interpreted as
click on the title (when clicking at inner 50% of the window, or as a
click on the border (when clicking at an area nearby the window
boundary).
This mode of interaction requires more flexibility of the handling of
key sequences. The formerly hard-wired handling of the drag and drop as
response to BTN_LEFT events does not suffice. Therefore, this patch
moves the driving of the drag-and-drop state to the config level by
introducing the actions "drag" and "drop"
Fixes#5403
This patch moves the formerly hard-wired drag-and-drop handling
to the configuration level by introducing the actions "drag" and "drop".
To aid the robust handling of release events matching their
corresponding press events, the patch refines the policy-matching of the
current combination of keys against the hierarchy of <press> and
<release> nodes. If no policy for a concrete combination exists, a
release event also considers the policy of its matching <press> node.
This way, the regular drag-and-drop rules can be expressed as
<press key="BTN_LEFT" action="drag">
<release key="BTN_LEFT" action="drop"/>
</press>
This also works when releasing BTN_LEFT while pressing additional keys,
for which no policy exists.
With this change, the layouter supports the matching of multiple key
sequences instead of only one, thereby supporting multiple actions at
once and allowing for decoupling different user interactions in the
configuration.
Issue #5403
To accommodate multi-monitor window management, the window-layouter
rules must be extended. By renaming the rules file to a version number
reflecting the date of change (24.12), we prevent the loss of
window-layout state when switching back and forth between different
versions of the window-layouter.
The default rules contain now the definition of three displays
("primary", "secondary", and "ternary") and map 3 screens to each
display.
Issue #5390
The new 'action' attribute values can be used to realize the
keyboard-based assignement of windows to screens. The "pick_up" action
(on a key press) selects the focused window to be held at the current
position until the "place_down" action is issued (by a key release).
While the focused window is held, "screen" actions can be executed
taking the picked up window to the selected screen.
Issue #5390
This patch enables the user to interactively change the assignment of
windows to screens. For screens visible side by side in a multi-monitor
setup, one can now move a window from one screen to another by dragging
the window title. When using screens as virtual desktops on one display,
a window can be moved to another screen by switching the screen (by
pressing a key matching a desired screen) while the window is dragged
with the mouse. So the user can drag the window between virtual desktops.
Issue #5390
This patch implements the following policy for applications requesting
exclusive input (relative motion): The pointer is grabbed as soon as the
user clicks inside the application window. It is forcibly ungrabbed on
any window-focus change or when tapping the KEY_SCREEN. An application
can always enable (transient) exclusive input during a key sequence,
e.g., when dragging the mouse while holding the mouse button. Transient
exclusive input is revoked when releasing the last button/key.
Fixes#5355
The recent changes of the GUI stack (proper accounting of cap and RAM
resources by the window manager and nitpicker, output buffered at the
server side) require quota adjustments at various GUI-related places.
Issue #5356
With this patch, the wm accounts RAM and caps consumed on behalf of its
clients to the respective client's session quota instead of paying out
of its own pocket. This should make the wm resilient against resource
exhaustion and lowers the quota requirements.
Issue #5340
The current default session RAM quota of 36 KiB reflects the needs of
the nitpicker GUI server. However, in most commonly used scenarios, a
GUI client connects to nitpicker indirectly via the wm. The low value
worked so far because the wm did not account RAM and cap usage per
client so far but paid out of its own pocket and faithfully forwarded
all resource upgrades to nitpicker.
When adding resource accounting to the wm, the old default value has the
effect that a new client has to repeatedly attempt the session creation -
each time offering sligthly more session quota - until both nitpicker and
the wm are satisfied.
By roughly doubling the default to 80 KiB, a wm client immediately
succeeds with opening a GUI session without repeated attempts.
By specifying a custom 'cap_quota' amount to the 'Genode::Connection',
the Gui::Connection now donates enough caps for both the wm and
nitpicker.
Issue #5340
Differences in TAR archive member metadata results in unstable depot
hashes. The following properties have to be fixed: modification time
(incl. time zone), numeric owner and group, permission modes.
Releated to #2842
* ARM support and detaching from Ada/SPARK
* Remove all CBE-related code - especially the Ada/SPARK-based CBE library.
* We have no means or motivation of further maintaining big projects in
Ada/SPARK (the core Genode team is native to C++).
* The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
important architecture for Genode. This would mean extra commitment in
Ada/SPARK.
* We realize that block encryption more and more becomes a fundamental
feature of Genode systems.
* Implement a new block encryption library named Tresor that is inspired by
the design and feature set of the former CBE library and that is entirely
C++ and part of the Genode gems repository.
* The Tresor block encryption is backwards-compatible with the on-disk
data layout of the former CBE block encryption.
* Except from the snapshot management and the "dump" tool, the Tresor
block encryption provides the same feature set as the former CBE block
encryption and accepts the same user requests at the level of the
Tresor library API.
* So far, the Tresor block encryption does not support the creation of
user-defined snapshots.
* In contrast to the former CBE, the Tresor ecosystem has
no "dump" tool beause with the CBE library it turned out to be rarely of
use.
* In contrast to the Block back-end of the CBE "init" tool, the Tresor
"init" tool uses a File System back-end.
* The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.
* The Tresor-VFS plugin in general is similar to the former CBE VFS but
has a slightly different API when it comes to re-keying and re-sizing.
Each of these operations now is controlled via two files. The first
file is named <operation> and the user writes the start command to it.
The user must then read this file once in order to drive the operation.
The read returns the result of the operation, once it is finished.
The second file is named <operation>_progress and can be watched and
read for obtaining the progress of the operation as percentage.
* The file vault is adapted to use the new Tresor ecosystem
instead of the former CBE ecosystem and thereby also gains ARM support.
* The former CBE tester and CBE VFS-tests are replaced by equivalent
Tresor variants and are now run on ARM as well (testing with a persistent
storage back-end is supported only when running on Linux).
* So far, the new Tresor block encryption has no internal cache for meta
data blocks like the former CBE.
* Add config/report user interface
* Add a second option for the administration front end to the file vault
named "config and report". With this front end the File Vault communicates
with the user via XML strings. A ROM session is requested for user input
and a Report session for user output. The front end type must be set at
startup via the component config and is a static setting. The graphical
front end that was used up to now is named "menu view" and remains the
default.
* The File Vault can now reflect its internal state and user input ("config
and report" mode only) at the LOG session via two new static config
attributes "verbose_state" and "verbose_ui_config" (both defaulting to
"no").
* The Shutdown button in "menu view" mode is replaced with a Lock button. The
new button doesn't terminate the File Vault but merely lock the encrypted
container and return to a cleared passphrase input. The same transition is
also provided in "config and report" mode.
* The file_vault.run script is replaced with file_vault_menu_view.run and
file_vault_cfg_report.run that address the two front end modes. In contrast
to the former script, which is interactive, the latter script is suitable
for automatic testing.
* There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
the same as file_vault_cfg_report.run but uses the File Vault package and
can be executed with the Depot Autopilot. The new test package is added to
the default test list of depot_autopilot.run
* The File Vault README is updated to the new version of the component and
has gained a chapter "functional description".
* Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault.
* The new Tresor software Trust Anchor has an optional deterministic mode in
which it replaces the normally randomized symmetric keys with 0. This mode
comes in handy for debugging. However, it should never be activated in
productive systems. When activated, the user is warned extensively on the
LOG that this system mode is insecure.
Ref #4819
This patch enhances the depot_download subsystem with support for
downloading and querying system images.
The installation ROM support the following two now download types:
<image_index path="<user>/image/index"/>
<image path="<user>/image/<name>"/>
Internally, the depot-download subsystem employs the depot-query
component to determine the missing depot content. This component
accepts the following two new queries:
<images user="..."/>
<image_index user="..."/>
If present in the query, depot_query generates reports labeled as
"images" and "image_index" respectively.
The also tracks the completion of each job depending on the depot-
query results, so that the final report contains a result for each
installation item requested. Prior this patch, the inactivity of the
depot-download manager (indicated by an empty state report) was
interpreted as success. But that prevents the proper association of
results and requested installation items.
Issue #4744
This change increases the quota to allow the use of bigger fonts, and
tweaks the style such that the keyboard gets a decent appearance on the
PinePhone's 1440x720 display.
2560x1440 resolutions require more RAM resources. Additionally, make
sure that the decorator 'init' receives enough CAPs to service the
decorator configuration.
fixes#4485
