This patch restricts 'Region_map::attach_executable' to create read-only
mappings, while offering the option to map the full rights using a new
'attach_rwx' method.
The 'attach_rwx' method is now used by the dynamic linker to explicitly
attach the linker area with full rwx rights. With the old page-fault
handling code, the execute flag was evaluated only for leaf dataspaces,
not for managed dataspaces while traversing region-map hierarchies.
With the new page-fault handling code, the execute bit is downgraded
to no-execute when passing a managed dataspace that is not attached
as executable.
Issue #4920
The change "core: allow offset-attached managed dataspaces" addressed a
corner case of the use of nested region maps. Apparently, this change
negatively affects other scenarios (tool_chain_auto).
In order to confidently cover all the differnt situations, this patch
reworks the page-fault resolution code for improved clarity and safety,
by introducing dedicated result types, reducing the use of basic types,
choosing expressive names, and fostering constness.
It also introduces a number of 'print' hooks that greatly ease manual
instrumentation and streamlines the error messages printed by core.
Those messages no longer appear when a user-level page-fault handler
is reistered for the faulted-at region map. So the monitor component
produces less noise on the attempt to dump non-existing memory.
Issue #4917Fixes#4920
The new monitor component at os/src/monitor is the designated successor
of the gdb_monitor. This initial version, however, implements only the
subset needed to inspect the memory of the monitored component(s).
In contrast to the gdb_monitor, the new component supports the monitoring
of multiple components, leveraging the sandbox API. It can therefore be
used as a drop-in replacement for the init component. Like the gdb_monitor,
the new monitor speaks the GDB protocol over Genode's terminal session.
But the protocol implementation does not re-use any gdbserver code,
sidestepping the complexities of POSIX.
There exist two run scripts illustrating the new component. The
os/run/monitor.run script exercises memory inspection via the 'm' command
by letting a test program monitor itself. The os/run/monitor_gdb.run
script allows for the interactive use of GDB to interact with monitored
components.
Issue #4917
Let the sandbox library disregard all unknown config sub nodes so that
supplemental information - like the monitor policy configuration - is
not interpreted as a misconfiguration ("unknown config element type ...").
Issue #4917
This patch moves the destruction of the child's PD session after the
closing of all other sessions because the PD session's role as resource
container might still be needed for orderly reverting the session quotas
when closing the other remaining sessions.
Issue #4917
By default, the sandbox uses the Env::pd() as reference PD session of
the sandbox children.
However, to accomodate use cases where the interplay of the reference
PD session and the child's address space needs to be intercepted, this
patch adds a constructor that takes an interface for the controlled
access of PD intrinsics as argument.
Issue #4917
This patch replaces the former 'address_space' accessor by a new
'with_address_space' interface that grants access to the region map of
the child's address space, but limits the interface lifetime to the
scope of the caller.
Issue #4917
This patch adds the missing application of the region offset to the
resolution of page faults inside managed dataspaces, which resulted in
an unexpected "invalid mapping" message after attaching a managed
dataspace with an offset.
This limitation could be observed during the implementation of the debug
monitor that locally maps a portion of the debugging target's address
space, e.g., a view port of 16 MiB. All traditional uses of managed
dataspaces (e.g., stack area, linker area) happened to attach the
managed dataspaces from their beginning.
Issue #4917
* add semaphore command to ring in order to be able to stop ring
execution before reset (Wa KabyLake)
* implement reset sequence as done by the Linux driver
* reset ring and cancel job of vgpu causing hang
* lower watchdog timeout 1000ms -> 200ms
* improve scheduling of vgpus so progress after reset is made
* improve the generation chaos a little
* tested on Skylake, Kaby Lake, Tiger Lake
issue #4916
* Use jitterentropy only if supported.
On certain targets like pbxa9 or zynq_qemu, the performance counter always
yields 0, which renders jitterentropy unusable. On these platforms, the
Tresor tests now use a static value as entropy source instead.
* Adds a new package test-file_vault_config_report_no_entropy that is used by
the Depot Autopilot on targets without jitterentropy support instead of
test-file_vault_config_report. The only difference between the two packages
is the value of the above described new config attribute of the File Vault.
* Circumvent alignment fault.
The Tresor lib for now has the deficiency of using on-disc data structures
directly in code instead of decoding them first to unpacked, naturally
aligned structures. This causes problems with memory-access alignment on
several platforms (rpi, imx6q_sabrelite, imx53_qsb, imx7d_sabre). As fixing
this properly is a bit of work, the commit disables the tresor_tester and
file_vault_config_report test on the affected platforms in autopilot mode for
now.
* Further adjustments
* Make benchmarks optional
* Use a smaller tresor for rekeying
* Clean up image parameters
* No use implicit routes/resources
* Reduce ram consumption
* Reduce test timeout
* Raise cap quota, required for sel4 x86_64.
Ref #4819
The debug mode turned out to be unnecessry because the plugin can be simply
replaced with an <inline> file VFS plugin that has a content size of 32 bytes.
Ref #4819
* relaxes the timing and reduces the test steps because pistachio is quite
slow and would otherwise trigger problems with our easy approach of using a
dynamic rom instead of a proper manager
* provide IO_PORT and IRQ session to timer driver
Ref #4819
With the update to sel4 and the gcc 12, assembly instructions are generated
and used, like POPCNT. The instruction is available on our native hardware,
but not emulated by the default cpu model necessarily, which leads to
undefined opcode exceptions (Qemu 4.2.1 && seL4). Additionally, the features
of the default Qemu cpu model may vary between Qemu releases and makes it
harder to correlate effects.
The attachment removal is triggered actually on _ds member destruction time,
but after the io_mem representation for the specific base-<platform> possibly
vanished already during _unmap_local in the ~Io_mem_dataspace. This creates
on base-sel4 several kernel warnings about invalid capabilities.
Issue #4913
Using $(shell find $(REP_DIR)/patches -name *.patch) fails if the
current working directory contains *.patch files due to shell wildcard
expansion before execution. Additionally, the patch list was unstable
because it was not sorted resulting in divergent hashes.
On platforms different than x86 the subsys initcall `pci_subsys_init`
is not available. Therefore, we choose an alternative one here.
Fixgenodelabs/genode#4907
In our binaries, the .note.GNU-stack section is missing, which is okay
as we do not interpret these sections anyway and map stack pages
non-executable per default.
Issue #4827
The main user of libsparkcrypto in the past was the CBE block encryption
ecosystem. However, the CBE was replaced with the Tresor block encryption that
uses libcrypto instead.
Ref #4819
This commit introduces preliminary support for joining networks secured
via WPA3-personal. So far it was only tested with the one OpenWRT AP
configured for WPA3 (see excerpt below) where it WPA3-only as well as
WPA2/WPA3 mixed worked fine.
Scan results excerpt:
00:11:22:33:44:55 5180 -45 [WPA2-SAE-CCMP][SAE-H2E][ESS][UTF-8] PewPew
00:11:22:33:44:55 2412 -67 [WPA2-PSK+SAE+PSK-SHA256-CCMP][SAE-H2E][ESS][UTF-8] PewPew2
Issue #4861.
It turns out solely relying on the name of the compilation-unit
is not enough. In at least one multi-device driver, e.g. rtlwifi,
an equally called compilation-unit is found in several different
directories. There KBUILD_MODNAME is used to name the driver,
which fails later on as the driver framework refuses to register
an equally named driver twice.
Instead of only considering the name of the compilation-unit also
include the last element of the path to generate differentiating
KBUILD_MODNAME value.
Issue #4861.
The supplicant is updated to the current release and is now downloaded
as archive rather than pulled from git. For the time being 'libnl' is
still kept at 3.2.25 as the current 3.7.0 release relies on more Linux
infrastructure that our integration does not provide.
Issue #4861.
This commit changes the firmware handling from requesting each
firmware file as a ROM module that is checked against a list of
known images (including their size) to requesting each file via
the local VFS of the 'wifi_drv'. This allows for using the original
probing mechanism that tries to select a matching firmware version.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to configure the driver.
Issue #4861.
This function is called when decrypting RX frames on the CPU on 32 bit
platforms. Since the frames are normally decrypted by the wireless LAN
device and this code path is triggered rather infrequently the byte-wise
implementation should not pose a performance risk.
So far it was only encounter with a 7260 device when running netperf.
Issue #4861.
The bulk of the driver code now lives in the 'dde_linux' repository,
which is available on all platforms, from where it can be referenced by
other repositories.
The 'wifi_drv' binary was delegated to a generic harness that includes
all configuration and management functionality shared by all wireless
device driver components, e.g., the wpa_supplicant. The code of the
device driver emulation environment is located in 'src/lib/wifi'. It
is referenced by the platform-specific driver library that resides in
the corresponding platform repository. The runtime configuration needs
to point the driver to proper driver library.
The platform-specific library is in charge of orchestrating the contrib
source utilized by the driver as well as providing the 'source.list'
and 'dep.list' files. It must include the generic library snippet
'repos/dde_linux/lib/wifi.inc' that deals with managing the emulation
environment code.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to deploy the driver.
Issue #4861.
* ARM support and detaching from Ada/SPARK
* Remove all CBE-related code - especially the Ada/SPARK-based CBE library.
* We have no means or motivation of further maintaining big projects in
Ada/SPARK (the core Genode team is native to C++).
* The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
important architecture for Genode. This would mean extra commitment in
Ada/SPARK.
* We realize that block encryption more and more becomes a fundamental
feature of Genode systems.
* Implement a new block encryption library named Tresor that is inspired by
the design and feature set of the former CBE library and that is entirely
C++ and part of the Genode gems repository.
* The Tresor block encryption is backwards-compatible with the on-disk
data layout of the former CBE block encryption.
* Except from the snapshot management and the "dump" tool, the Tresor
block encryption provides the same feature set as the former CBE block
encryption and accepts the same user requests at the level of the
Tresor library API.
* So far, the Tresor block encryption does not support the creation of
user-defined snapshots.
* In contrast to the former CBE, the Tresor ecosystem has
no "dump" tool beause with the CBE library it turned out to be rarely of
use.
* In contrast to the Block back-end of the CBE "init" tool, the Tresor
"init" tool uses a File System back-end.
* The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.
* The Tresor-VFS plugin in general is similar to the former CBE VFS but
has a slightly different API when it comes to re-keying and re-sizing.
Each of these operations now is controlled via two files. The first
file is named <operation> and the user writes the start command to it.
The user must then read this file once in order to drive the operation.
The read returns the result of the operation, once it is finished.
The second file is named <operation>_progress and can be watched and
read for obtaining the progress of the operation as percentage.
* The file vault is adapted to use the new Tresor ecosystem
instead of the former CBE ecosystem and thereby also gains ARM support.
* The former CBE tester and CBE VFS-tests are replaced by equivalent
Tresor variants and are now run on ARM as well (testing with a persistent
storage back-end is supported only when running on Linux).
* So far, the new Tresor block encryption has no internal cache for meta
data blocks like the former CBE.
* Add config/report user interface
* Add a second option for the administration front end to the file vault
named "config and report". With this front end the File Vault communicates
with the user via XML strings. A ROM session is requested for user input
and a Report session for user output. The front end type must be set at
startup via the component config and is a static setting. The graphical
front end that was used up to now is named "menu view" and remains the
default.
* The File Vault can now reflect its internal state and user input ("config
and report" mode only) at the LOG session via two new static config
attributes "verbose_state" and "verbose_ui_config" (both defaulting to
"no").
* The Shutdown button in "menu view" mode is replaced with a Lock button. The
new button doesn't terminate the File Vault but merely lock the encrypted
container and return to a cleared passphrase input. The same transition is
also provided in "config and report" mode.
* The file_vault.run script is replaced with file_vault_menu_view.run and
file_vault_cfg_report.run that address the two front end modes. In contrast
to the former script, which is interactive, the latter script is suitable
for automatic testing.
* There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
the same as file_vault_cfg_report.run but uses the File Vault package and
can be executed with the Depot Autopilot. The new test package is added to
the default test list of depot_autopilot.run
* The File Vault README is updated to the new version of the component and
has gained a chapter "functional description".
* Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault.
* The new Tresor software Trust Anchor has an optional deterministic mode in
which it replaces the normally randomized symmetric keys with 0. This mode
comes in handy for debugging. However, it should never be activated in
productive systems. When activated, the user is warned extensively on the
LOG that this system mode is insecure.
Ref #4819
Changes to the platform driver triggered a map() error while mapping an
address block at 0x3000 of size 0x800. Since the mapped size was larger, the
loop continued and tried mapping address 0x4000 where no dataspace was
found.
genodelabs/genode#4761
By transforming the Device_pd into an Io_mmu::Domain, we implement an
IOMMU device that uses the kernel API for controlling the IOMMU. This
device gets special treatment and is used by default for every device
that has no <io_mmu/> child.
genodelabs/genode#4761
Every session component manages a registry of Io_mmu::Domain objects
that it creates on demand depending on the acquired devices (i.e. the
IOMMU devices referenced by the acquired devices). Via the domain
objects, a session component adds/removes the address ranges of the
allocated DMA buffers. Additionally, domain objects provide an interface
for enabling/disabling pci devices.
Domain objects get destroyed with the corresponding control device.
Moreover, on devices/policy ROM updates, domain objects of control
devices that are not referenced by any acquired device anymore get destroyed.
genodelabs/genode#4761
This allows referencing an arbitrary number of IOMMU devices within a
<devices> node, e.g.:
<device>
<io_mmu name="foobar"/>
</device>
The specified name is supposed to refer to an existing device in the
devices ROM. The platform driver automatically acquires known IOMMU
devices whenever they become available so that the device object can be
looked up from the platform-driver-owned devices.
genodelabs/genode#4761
With this change, platform-specific code is able to define factories that
acquire IOMMU devices to be used by the platform driver.
genodelabs/genode#4761
The method did not handle device changes properly. When a new policy
does not contain an owned device any more, we must consider this device
as changed and release it. Moreover, the warning messages were interchanged.
genodelabs/genode#4761
"-cpu phenom" does not support all CPU instructions necessary with
gcc 12 toolchain update issuing more SSSE3, e.g. pshufb.
Additionally, remove good/bad Qemu version check of outdated versions.
Issue genodelabs/genode-world#329
In 'SUPR3InitEx' (SUPLib.cpp) a 'SUPQUERYFUNCS' structure is allocated
with
! (PSUPQUERYFUNCS)RTMemAllocZ(SUP_IOCTL_QUERY_FUNCS_SIZE(CookieReq.u.Out.cFunctions));
where 'CookieReq.u.Out.cFunctions' is 0. To determine the size of the
allocation
! #define SUP_IOCTL_QUERY_FUNCS_SIZE(cFuncs) \
! RT_UOFFSETOF_DYN(SUPQUERYFUNCS, u.Out.aFunctions[(cFuncs)])
is used with cFuncs = 0 (SUPDrvIOC.h) leading to an allocation up to the
arrow below
! typedef struct SUPQUERYFUNCS
! {
! /** The header. */
! SUPREQHDR Hdr;
! union
! {
! struct
! {
! /** Number of functions returned. */
! uint32_t cFunctions;
! /** Array of functions. */
==> end of allocation
! SUPFUNC aFunctions[1];
! } Out;
! } u;
==> sizeof(SUPQUERYFUNCS)
! } SUPQUERYFUNCS, *PSUPQUERYFUNCS;
In sup.cc (Genode) 'ioctl(SUPQUERYFUNCS &request)' will lead to
'with_out_ioctl'
! auto &out = request.u.Out;
where auto is 'SUPQUERYFUNCS' and finally
! out = { };
will zero out 'SUPQUERYFUNCS' up to the second arrow above. Because
'RTMemAllocZ' will call 'calloc' to allocate the memory 'out = { };'
will corrupt the slab block after the allocation. Therefore, it is
reasonable to allocate at least 'sizeof(SUPQUERYFUNCS)'.
Note there might be other 'ioctl' cases like this. A better way might be
to use 'SUPQUERYFUNCS.Hdr.cbOut' to determine the 'out' size.
fixes#4675
In case the meta data (or more) got zeroed upon 'free', print error
message. The offset in the meta data can never be zero. This does not
help on other memory corruptions, but at least gives a hint in the too
much zeroed out case.
issue #4675
GPU device access is hard to achieve in run scripts and even harder to
implement generic.
Use the "Modularize Sculpt OS image creation"
(commit b723b11b30)
approach instead.
issue #4900
The XHCI model reserves 0x4000 of IO memory but uses only 0x530.
Implement read (0) and write (nop) for these regions as real hardware
does.
fixes#4902
Triggered by the toolchain update to GCC 12 certain pragmas lead to
a build error as those are now unknown. As quick-fix add '-gnatwG',
which suppresses warnings on unrecognized pragmas.
Issue #4880.
When a GPU session is destroyed, remove vgpu of session from scheduling
and as possible active vgpu. Otherwise, page faults might occur in case
already destroyed vgpu object is referenced during interrupt handling.
fixes#4881
Apparently we need to save the floating point arguments when entering
the linker in case "-fno-tree-vectorize" is at work. Otherwise this
registers get corrupted during jump slot relocation.
Fixes#4879
Either enable strict-alignment or disable FPU code generation by gcc
regarding bootstrap code, which cannot handle alignment faults during
initialization properly.
Ref genodelabs/genode#4827
/data/genode/repos/os/src/server/lx_fs/directory.h: In member function ‘virtual Genode::size_t Lx_fs::Directory::read(char*, Genode::size_t, File_system::seek_off_t)’:
/data/genode/repos/os/src/server/lx_fs/directory.h:224:53: error: ‘dent’ may be used uninitialized [-Werror=maybe-uninitialized]
224 | .type = type(dent->d_type),
| ~~~~~~^~~~~~
/data/genode/repos/os/src/server/lx_fs/directory.h:197:40: note: ‘dent’ was declared here
197 | struct dirent *dent;
| ^~~~
Issue genodelabs/genode#4827
Eliminate the creation of 'Genode::String's before the linker has been
self relocated, because 'Genode::String's will call 'Genode::strlen' on
construction from C-Strings, which has now become a GOT relative call,
while the GOT contains only zeros before relocation -> page fault at
IP 0.
fixes#4867
related to #4827
error: 'void operator delete(void*, Genode::Deallocator&)' called on pointer returned from a mismatched allocation function [-Werror=mismatched-new-delete]
Issue #4827Fixes#4850
error: ‘void operator delete(void*, Genode::Deallocator&)’ called on pointer returned from a mismatched allocation function [-Werror=mismatched-new-delete]
Issue #4827Fixes#4848
An early version of nitpicker used a pointer as 'owner' with the null
pointer representing nitpicker's built-in views, which are nowadays
represented by 'Main::_global_view_ower'. The null-pointer check is a
left-over from the earlier days.
Fixes#4847
Since repos/base/board/pc/devices is empty, the run script no longer
works on PC. Nobody noticed because the use case of this run script -
as development test loop for the ps2 and fb_sdl - are better served by
other scenarios nowadays, e.g., using declaring 'build: ps2' for a
custom Sculpt OS build.
Removed in the context of issue #4860.
Bit 0:3 indicate which of the (up to) 16 supported LBA formats is
used for this namespace. Instead of only looking at those bits the
driver looked at the complete 0:7 bits. Those, however, also include
information on how metadata may be transferred. That leads to using
the wrong index for reading the LBA format.
Fixes#4832.
This patch solves keyboard-focus issues with the wifi dialog that were
caused by making the focus update conditional. However, since the update
is not expensive, we can unconditionally re-evaluate the focus atfer
each user interaction.
Issue #4820Fixes#4856
This patch solves the false-negative error message "failed to open file"
referring to an ioctl info file during an ioctl call. The message is
now avoided by checking for the existence of the file before reading it.
However, the observed symptom uncovered an actual bug that was
introduced in commit "libc vfs: open OSS 'info' file only once" with
the attempt to cache the content of ioctl info files. When called
multiple time for different paths, 'Vfs_plugin::_with_info' would
wrongly return the info from the first call as cached in a local
static variable.
The patch fixes the problem by a new added 'Cached_ioctl_info'
implementation in the scope of the 'Vfs_plugin'.
Issue #4372Fixes#4852
This patch includes the system dialog in the global keyboard focus
handling, supports hovering of the "Edit" and "Add" buttons,
allows the use of the enter key to finish URL editing, and
triggers a re-scan of depot users after adding a new one.
Issue #4820
Should the selected depot user not be present in the depot - for example
after switching the sculpt partition to another - unfold the selection
of all present depot users so that the one can pick an existing one.
Issue #4820
If the DMA memory allocation alignment is unfortunate (not natural size
aligned), the IOMMU (AMD/INTEL) may not use larger(super) pages with effects
on the page table walk frequency and TLB caching.
Issue #4820
We repeatedly experience issues with XHCI handoff in the USB host driver
at runtime on modern systems. Mostly, these issues manifest as
initialization delays with very high CPU load. Investigations show that
during this time the handoff MMIO write does not return, which hints the
firmware driver enters some spinning loop. I suspect the enabled IOMMU
does not play well with the firmware due to insufficient RMRR
information.
Therefore, we disable USB handoff in Sculpt via the driver manager (as
we do for dedicated devices already in other contexts). Note, UHCI and
EHCI handoff is still done in the platform driver and succeeds on all
our test hardware.
Issue #4820
This split allows us to cross-compile all arm_v8a packages needed for
'goa build' by creating pkg/arm_v8a/goa.
The components featured on pkg/goa-linux are solely needed for 'goa
run'. As they contain a number of lx/hybrid components, pkg/goa-linux
must be complied on Linux running on the target architecture.
Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault. The regression was
caused by new semantics in the vfs that did not allow for using the file
operation result as indicator for whether the unlock attempt failed or
succeeded. The correct and hereby applied approach is to check for the data
read from the file after having written the unlock command. The data reads
either "ok" or "failed".
Before scheduling we check if the execlist is empty. When many clients
are present, the bits might not be cleared by hardware yet. Before the
watchdog timer would trigger, because we scheduled nothing. Now we try
serval times, even if this fails, we still schedule because in the worst
case only a preemption would happen.
issue #4820
Commit "vbox: avoid uncaught nic Empty_ack_queue exception" introduced a
performance regression due to packet retransmission because of faulty
GSO segment handling. As fixing the GSO handling is fairly complex, we
disable GSO until a fix was developed.
Issue #4820
Issue #4821
This patch mitigates potential busy feedback effects when evaluating the
reports produced by 'depot_deploy' in a closed control loop. Reports
are now generated only if the deployment state has changed.
Issue #4818
This patch marks a child as incomplete if one of the ROM modules listed
in its blueprint is missing. This, in turn, triggers the update system
in Sculpt, which then tries to download the missing pieces.
Issue #4818
By managing downloads issued by the deploy subsystem via the
'Download_queue', failed downloads (e.g., due to HTTP error 404) are
properly tracked and don't cause infinite re-attempts.
Issue #4818
This patch promotes the event of an exiting child to become immediately
reported, reducing delays for management components that watch the exit
status of children.
Fixes#4814
This patch replaces the former 'nic_drv' and 'nic_drv_dtb' functions
by a more general 'nic_driver_routes' function that can return one or
multiple platform-specific ROM routes for NIC-driver binaries and dtb
files. This allows for supplying customizations for the wifi driver
as well. E.g., on the PinePhone, this hook can be used to handle the
renaming of the 'wifi_drv' to 'a64_wifi_drv'.
Related to issue #4813 and issue genodelabs/genode-allwinner#17.
The wifi VFS plugin is solely there to provide a hook for calling
'Lx_kit::initialize()' prior to the static ctors. As the corresponding
symbol can be resolved at run-time there is no need to add the
library as a build-time dependency.
Issue #4813
The device-tree binary is normally required on ARM-based platforms
where as on x86 it is omitted. The platform-specific DTB helper
provides a generic interface for accssing the DTB and needs to be
implemented on each platform.
Issue #4813
The SDIO connected wireless device on the PinePhone is not available
on start-up, which leads to the supplicant failing to initalize
'wlan0'. Normally the supplicant would be used in a way that handling
devices that appear at run-time happens gracefully.
Rather than supporting this behavior we defer the start-up of the
supplicant until the device could be openend successfully for now.
Issue #4813
The MAC address device report should be published once the device is
available. Since this may happen at a later time we have to check the
call.
Issue #4813
This commit introduces support for building the WLAN driver for ARM
platforms. It makes the WPA supplicant and its support libraries
available for all platforms. It also seperates the PCI parts to
accommodate platforms where other bus protocols are used.
Issue #4813
The driver was only tested with an "Atheros AR9462 Rev:2" [168c:0034]
device using the 'wifi.run' run script.
Note: for it to work MSI may not be used as otherwise interrupts do not
work. Using an IOMMU leads to the following fault:
[ 0] IOMMU:0xffffffff817eb0b0 FRR:0 FR:0x22 BDF:4:0:0 FI:0xb0000000000000 (0)
Issue #4813
The way the 'struct page' management is currently implemented it is
not safe to rely on it in case allocations share the same page. This
is in particular true where the virtual address is obtained by
querying the page object for maintaining the CPU caches.
Issue #4813
Optionally log scheduling-context execution time in addition to the
thread-context. This may be relevant on kernel platforms that do not
schedule threads on their own CPU share only but implement some kind of
donation scheme, for example, NOVA.
Usage
<config sc_time="yes" ...> ... </config>
Fixes#4805
This commit updates the used firmware images for the iwlwifi device
to latest available ones (supported by the current 6.1.x driver).
It also removes old firmware images that by now are not used anymore.
Fixes#4807.
Unfortunately, the change of "depot: remove empty config from
pkg/nano3d" broke the manual deployment of the nano3d demo because no
<config> is provided in this case.
This patch splits pkg/nano3d into two variants. The regular nano3d pkg
comes with an empty <config/> node as before. The unconfigured_nano3d
pkg does not feature any <config/> node and can thereby be configured
via a ROM route to a dynamic-rom service.
This patch equips the depot_download subsystem with the option to
explicitly skip the signature verification for downloads by specifying
the attribute 'verify="no"' for an <installation> item. This is useful
in scenarios where the lack of integrity of downloaded content does not
pose a risk, e.g., for untrusted applications that are rigidly
sandboxed, or during development.
Note that this option does not entirely discarge the signature checking.
Whenever an download has dependencies that are verifyable - for
which the public key exists in the depot - the dependencies are still
verified. This allows untrusted content to depend of verifyable content
while protecting the integrity the verifyable content.
Issue #4804
This patch adds the 'Verify' argument to all download-related interfaces
in order to control the checking of signatures for downloads. Note that
it does not change the sculpt_manager's existing built-in policy of
always checking signatures.
Issue #4804
This patch moves the interfaces needed for the interactive addition of runtime
components from the 'Popup_dialog' to the 'model/component.h'. So those
interfaces are no longer tied to one specific view implementation.
This free-standing function is meant to gradually replace
'Dialog::match_sub_dialog' interface, which relies on the caching of
the hover state. The new function is more flexible because dialogs do no
longer need to inherit 'Dialog'.
The missing else statements resulted in the addition of a
superfluous <archive> node when installing an <index>, causing
warning messages by the depot-download subsytem.
This patch adds the ability to specify an optional 'as' attribute in a
<rom> module declarion of a runtime file.
<runtime ...>
...
<content>
<rom label="camera-pinephone.dtb" as="dtb"/>
...
</content>
</runtime>
If specified, The depot-deploy tool uses the provided attribute value to
hand out the ROM 'camera-pinephone.dtb' under the label 'dtb' to the
subsystem.
Recent devices are configured with 4096 RX pages that lead to an
increased memory usage. For the moment lower the amount to 2048
and treat in potientially lower throughput for more conservative
memory consumption.
Fixes#4801.
For Windows guests, it's crucial to configure the paravirtualization
provider in .vbox6 like follows. Otherwise, the TSC calibration fails
(issue #4726) and the CPU frequency (in task manager) is bogus.
<Paravirt provider="HyperV"/>
Fixes#4726
The get_cycles() call within the test doesn't apply to RDTSC
access when running on ARM but to arch_timer_read_counter, which
is an empty function pointer. By setting it to a function that
returns Genode::Trace::timestamp() we can enable the test for ARM.
Issue #4775
- move metadata specific to isochronous transfers from the descriptor
into the content of USB-session packets
- restore support for 32 in-flight packets in the USB C API
Fixes#4749
Now, block_devices are reported earliest right after the devices ROM was
parsed and neither AHCI nor NVMe were found. If one or both devices were
found, the report is deferred after all expected reports arrived.
Issue #4791
Previously the 'partitions' report was implicitly generated after
parsing the partition-table by accessing the referenced reporter
object.
Now the report is explicitly created by calling the 'generate_report'
member function. At this point we no longer have access to all
required information so the 'Partition' class was extended to
accommodate for the data needed by MBR as well as GPT reports.
Fixes#4786.
The 'File_content' utility throws an exception whenever a file happens
to get truncated during the reading process. But it silently truncates
the data against the specified limit. In practice, exceeding the limit
is usually an error case. This patch enhances the 'File_content' utility
by throwing 'Truncated_during_read' in the limit-exceeded case as well,
in order to ease the diagnosis of such cases.
Issue #4788
'cap()' will return invalid capability within session destructor, therefore Vram
objects that belong to the session will not be destroyed, leading to danling
references later on. Use '_owner.cap' of session instead.
The new 'init_platform' function performs the platform-specific
component-local low-level initialization. It allows for the
differentiation between core and regular components as well as
kernel-dependent peculiarities.
This patch introduces a consistent notion of a 'Platform'. Within core,
the 'Platform' contains the kernel-specific initialization. Outside
core, the platform sets up the interplay with the parent component. In
all cases, the platform is constructed while running on the initial
stack.
Issue #4784
VirtIO device models can assert interrupts to notify about
buffer and configuration changes. By now, we could only assert
buffer notification interrupts, but no configuration changes.
The latter is needed, e.g. to notify about GPU mode changes.
Ref genodelabs/genode#4783
Depending on the number of partitions the current fixed size of 4096
bytes might not be sufficient for the resulting partitions report.
The use of the expanding reporter allows for accomodating large reports
while still keeping the resource usage down for the common case of
few partitions (with potentially short names).
Fixes#4782.
The implementations of snprintf and vsnprintf are not needed for the
loading of png images by the demo applications. So we can avoid the
dependency from the format library hosted in the libports repository.
Issue #2064
This commit introduces support for the HMB feature and will setup the
buffer during start-up. The host-memory-buffer (HMB) feature is mostly
used on NVMe devices that do not make use of an DRAM cache to store its
translation tables amongst other operational data. Not using HMB can
impair the performance on such devices.
The memory is allocated in 2 MiB chunks of DMA-capable memory and its
total size in bytes is configurable via the 'hmb_size' config attribute.
The driver always checks the minimal and preferred size of the HMB and
issues a warning in case it is not enabled via the configuration.
Moreover, if the configured size is less than the minimal amount
required by the device the HMB is not configured at all and a warning
is issued also. If the configured size is more than the preferred size
it will be capped to that amount.
Fixes#4715.
This patch converts the loader implementation to the 'Session_object'
interface to implement the ability to upgrade the session caps and RAM
after after the session creation. This is needed to accommodate the
change of the Loader::Connection in commit "Remove format strings from
connection types".
Issue #2064
This patch ultimatedly removes format strings from Genode's base API.
Users of the former base/snprintf.h and base/console.h headers may
use the free-standing 'format' library hosted in the ports repository.
Fixes#2064Fixes#3869
This little library implements rudimentary format-string support. It is
useful for porting 3rd-party code that ought not depend on a full libc.
Issue #2064
The new 'Connection' constructor accepts the session label, affinity,
and args as constructor arguments. The session arguments are passed as a
'Genode::String'. This allows for side-stepping the need for rendering a
format string passed to 'Env::session'.
Issue #2064
The additional files provide Chacha implementation in case
may_use_simd() returns false because in_interrupt() returns true.
Related to issue #4778, commit "lx_emul: track irq state changes"
Implement udelay for all architectures within common lx_emul code,
remove driver-specific version.
Always do busy looping in udelay and use cpu_relax()
like the original Linux code. Thereby, we profit from architecture specific
instructions (cpu cool down), and jiffies are updated if irqs are on.
Ref genodelabs/genode#4778
There are rare use-cases where cpu_relax is used inside a busy loop
(i2c bus functions), which only will break when the jiffies counter
reaches a specific value.
Because of the cooperative scheduling done in lx_emul, no timer
interrupt will break such a loop. As a workaround, we check for
necessary jiffies updates inside cpu_relax if interrupts are enabled.
Ref genodelabs/genode#4778
To be able to check for interrupts being on or off,
the enabling and disabling is tracked in lx_emul.
When interrupts get received, they have to be turned off.
Ref genodelabs/genode#4778
Do not start and stop idle ticking within the timer interrupt
routine, but do it around the whole Lx_kit scheduling, which
is always called when Linux code gets active again, either
because of backend signals, interrupts, or timing signals.
This commit implicitly reverts the (incomplete) solution of
issue #4550
Ref genodelabs/genode#4778
Linux kernel static functions usb_string_sub() and usb_get_langid() were
made accessible to implement robust string rerieval.
Fixes#4756Fixes#4757Fixes#4772
The namespace draws a clear line between the base library and the core
component.
It is declared at the new core-local header <types.h>, which is expected
to be included by all code of the core component. It is thereby a
natural place for kernel-agnostic general types like commonly used C++
utilities.
Fixes#4777
Implicitely fixes problems with USB devices having more than 4G blocks.
Formerly the 16-Cmd LBA requests were silently casted to 32-bit.
Fixgenodelabs/genode#4771
In case the packet is erronous the value of 'actual_size' can be
invalid and using it may lead to a page-fault due to out-of-bounce
access.
With this commit access is only performed on successful packets.
Fixes#4763.
Workers are only summoned by the manager or when there are no workers on
a work queue. In case a work in front of a work queue depends on a work
behind it, a deadlock may occur. To solve this Linux spawns a rescue
worker using timers. Timing of Linux based drivers is currently reworked
and not reliable. Therefore, we increase the number of workers that are
spawned from 1 to 3 per work queue in order to resolve possible
deadlocks.
Fixes#4762
Set wakeup pointer in FADT/FACS tables and prepare/place ACPI resume code
at application processors (AP) 16-bit entry. Exclude memory used for AP resume
from RAM range to avoid usage by Genode core in allocators.
Issue #4669
The CPUs are woken all at once and up to now the IDs are assigned depending
on the arrival order, which is unfortunate for the resume case. Keep track
of once assigned IDs for CPUs, so that on resume the very same CPU id is given.
The APIC id is guaranteed to be fixed per CPU on suspend, but unfortunately
not dense packed.
Issue #4669
The ACPI table FACS and FADT are required to support ACPI suspend/resume. The
commits add the lookup of the ACPI table in bootstrap and the general usage
of the ACPI registers via the MMIO framework.
Issue #4669
Add explicit init() to Timer infrastructure to re-initialize the hardware
based on the parameters given during constructing time of the timer object.
Issue #4669
On resume the CPU state must be re-initialized, since all CPUs have been
potentially off (depending on sleep form) and lost state. Handle the halt
and suspend state explicitly by an extra Job implementation which can be
executed without holding the global kernel lock.
Issue #4669
Instead of re-using the register values found in HCR_EL2 and CPTR_EL2
and setting single bits within them, define the complete content to
prevent inconsistent hardware/hypervisor state.
Ref genodelabs/genode#4759
Several explicit casts could not be avoided yet, due to the missing
differentiation in between virtual and physical addresses that leads
to casting problems when using 32-bit ARM, and because the MMIO
register framework does not allow to return narrowed types of bitfields.
Apart from that, this commit fixes a switch-case fallthrough error in
Mmio_register::write.
Fixgenodelabs/genode#4770
The read_config and write_config functions in the generic virtio
headers used by all drivers lead to compiler warnings resp. errors
if effective-c++ switch is enabled. Moreover, the functions require
to define the access width as parameter. We can better turn them
into template functions using the value type to read resp. write to
derive the access width.
Ref genodelabs/genode#4344
The 'file_size' type denotes the size of files on disk in bytes. On
32-bit architectures it is larger than the size_t, which refers to
in-memory object sizes.
Whereas the use of 'file_size' is appropriate for ftruncate and seek, it
is not a suitable type for the parameters of read/write operations
because those operations refer to in-memory buffers.
This patch replaces the use of 'file_size' by size_t. However, since it
affects all sites where the read/write interface is uses, it takes the
opportunity to replace the C-style (pointer, size) arguments by
'Byte_range_ptr' and 'Const_byte_range_ptr'.
Issue #4706
Prior to this change the libdrm Lima implementation supported the
creation of multiple contexts where each context, however, was
treated as the same client like it was done in the Lima driver
itself.
With this commit each context becomes its own client while the
main context always performs all buffer object related allocation
and the other context import each needed BO before submitting.
Fixes#4760.
Sync file-descriptors a purely virtual and are not known by the libc and
should be only accessed by 'drm_poll'. To prevent accidental access move
them to range never used by the libc fd allocator.
Issue #4760.
We determine the owner of a Vram object by the session cap of the
session that created the object. We should not copy this cap to other
places because this increases reference counting, that can become very
large with many objects. Therefore, we pass a wrapper 'Owner' object
containing the cap by reference.
issue #4713
* 'map_buffer', GTT mappings are currently not used by Iris
* 'set_tiling', tiling is currently not used by Iris because there are
no GTT mappings
issue #4713
Change the abstraction from buffers to video RAM (VRAM). The notion of
buffers can be provided at the client side (e.g., Mesa) and multiple
buffers can be there be associated to one VRAM area, thus saving
resources (meta data overhead) when allocating many buffers. A VRAM area
can also be mapped to one single buffer as before for clients or drivers
that do not take advantage of this feature.
issue #4713
by checking for it in core, submitting a signal (if registered) and not
replying instantly. Before this commit, an exception (a non page fault)
caused and endless "unknown exception" loop between originator and core.
This was handled before commit "core: kernel-agnostic 'Mapping' type" by
throwing an exception, which was with that commit not working anymore.
Fixes#4751
Segment assignment stays valid for all sections following .dynamic,
which implies that .got and co also end up in the PT_DYNAMIC segment.
This is not intended. Therefore, we move the .dynamic section before
bss and assign bss to the rw PT_LOAD segment only.
fixes#4750
The screenshot trigger displays a little red dot at the upper-left
corner of the screen. When touched or clicked-on, it generates an
artificial key-press-release sequence for the print key and disappears
for one second. In this time, a separate screenshot component can handle
the print key by capturing the screen without the red dot appearing in
the saved picture.
The touch-keyboard config accepts the new attributes 'opaque="yes"
and 'background=#112233' to control the dialog background. The
attributes are passed unmodified to embedded the menu view.
This patch add the support needed for implementing on-target
system-update functionality. The new 'empty' method is required for the
two-step procedure of updating image-index files - removing the old
index, followed by downloading the most current one. It is used to the
detect the completion of the first step.
Issue #4744
This patch reflects more details such as the percentage value for
downloads maintained in the download queue. This makes this information
easier to display at the GUI.
Issue #4744
This patch replaces the generic "In progress..." message by slightly
more concrete information about the type of operation. This is useful to
distinguish the two steps during the expansion of a partition.
This patch enhances the depot_download subsystem with support for
downloading and querying system images.
The installation ROM support the following two now download types:
<image_index path="<user>/image/index"/>
<image path="<user>/image/<name>"/>
Internally, the depot-download subsystem employs the depot-query
component to determine the missing depot content. This component
accepts the following two new queries:
<images user="..."/>
<image_index user="..."/>
If present in the query, depot_query generates reports labeled as
"images" and "image_index" respectively.
The also tracks the completion of each job depending on the depot-
query results, so that the final report contains a result for each
installation item requested. Prior this patch, the inactivity of the
depot-download manager (indicated by an empty state report) was
interpreted as success. But that prevents the proper association of
results and requested installation items.
Issue #4744
The 'scan' query for depot users used to list the names of depot users.
However, the URL and existence of a pubkey is useful to know when
assembling a GUI menu from this list.
Issue #4744
This patch improves the Readonly_file::read method such that the
capacity of the specified buffer is used as upper bound for the read
operation instead of VFS-internal I/O buffer sizes. This relieves the
caller from implementing a read loop in most cases.
As a step away from C-ish use of the API, the patch deprecates the old
'read' method that takes the buffer as char *, size_t arguments.
Fixes#4745
Each time when enlarging the menu view, a new 'Gui_buffer' is
constructed with the new size. At its contruction time, the default
reset background color is in effect, which is evaluated by
'reset_surface' as part of the construction. A custom reset color
takes effect only after the construction. Hence, when the Gui_buffer is
flushed to screen immediately at construction time, the gray default
becomes visible for a short time.
This patch changes the Gui_buffer to accept the reset background color
as construction argument so that it takes immediate effect.
Related to #4592
The new utility returns a key code for a passed name and is implemented
by linear search, which is slow but sufficient in situations like config
updates.
Issue #4748
The leading newline in the _capture function confused _filecontent,
which resulted in empty port hashes.
Fixes regression introduced in 437fd21ba0
(issue #4725).
lwip uses a sophisticated reference-counting scheme in chains of pbufs,
which the former manual implementation of read() for TCP data broke.
Using pbuf_free_header() keeps the chain intact and also relieves our
implementation from the burden of "offset" maintenance.
Fixes#4722
Due to lacking hardware access the driver was test with one RTL8188EE
based device, namely [10ec:8179] (rev 01), only. As the access to the
PCI config space is restricted the driver loads the non power-saving
FW and the driver port is therefor only tested with that. The
accesses are documented should we choose to support them one way or
another later on.
The 'wifi.run' run script as well as Sculpt served as testing ground
where the driver worked fine so far.
Fixes#4714.
Check if we are able to submit the Usb packet before attempting to
allocate it. In case the queue is already full we wait until another
pending packet is freed.
Fixes#4701.
Up to now it was only checked if an issued admin command was processed
in a timely fashion. Otherwise it has been treated as failed.
However, the completion-queue entry was not examined and the caller was
not able to access the entry itself. Depending on the command, checking
the completion-queue entry might be necessary, e.g. GET/SET_FEATURE.
Issue #4715.
Since the 'Platform::Device' constructor will defer the creation until
the content of the devices ROM is valid performing the PRP list helper
creation afterwards should be done with valid IOMMU information.
Issue #4715.
Some USB devices (e.g., webcams) fail to deliver their configuration
descriptor early after power-up. Testing revealed that retrying the
requests usually succeeds on second or third attempt.
Fixes#4739
Genode build system allows to easily enable 'ccache' for builds. This
change allows to enable using 'ccache' also for build of reference
Linux kernel used during porting device drivers.
To enable 'ccache' it is enough to pass value of 'CC' variable when
executing Linux build but this build by default depends on time when it
is built which causes 'ccache' misses. To solve this issue additional
flags are passed to make build independent from time, current user and
host on which build is performed.
Issue #4718
With the new 'presets:' tag, .sculpt files can now refer to deploy
configurations to be integrated in the presets/ subdirectory of the
config file system. Those files can thereby be used as preconfigured
system scenarios. Such a preconfigured scenario can be loaded at
runtime by copying the preset file to config/deploy.
Issue #4731
In case of very rapid config ROM change (<300ms), the linux driver may still
be in progress of applying the previous change (e.g. switching connector on/off).
During this progress all tasks may become not runnable (waiting for IRQ/timeouts
until hardware state settles), the newest config ROM change/signal gets
dispatched, which lead to continuing the previous change request, but not
to re-starting/re-applying the new config change. To avoid this situation,
explicitly track whether a previous config change was finished and track if an
interim config change request came in. If so, re-start the lx_user
task with the newest config change.
Fixes#4721
* Update links from forward rules only with forward rules and links from
transport-routing rules only with transport-routing rules. Besides raising
the performance of the code, this also fixes a former bug that allowed
forward-rule links to falsely stay active because of a transport-routing
rule that matched the client destination ip and port.
* Don't use good-case exceptions for updating TCP/UDP links on re-configuration
of the router.
* Make conditions when to dismiss a forward rule easier to read.
* Introduces != operator to the public Port class in the net library.
* Fix unnecessary log message that a link was dismissed when only a potentially
matching forward rule turned out to be not matching.
* Apply Genode coding style to if statements with a single body statement.
Fix#4728
This fixes a bug that was introduced by this earlier commit:
"nic_router: find forward rules w/o exceptions"
The NIC router used to falsely dissolve TCP/UDP connection states when
reconfiguring although the connection states were still legal according to the
new config. The reason was that the above mention commit nested lambdas but
missed to return from the last nesting level when having found a configuration
that legitimates the connection state.
Ref #4728
Tests on qemu would fail when started with RAM sizes from 1025MiB to
2048MiB, because the the mapping hole in the page table from 1GiB to
2GiB would interfere with qemu's mapping addresses for ACPI.
Identity-map the complete first 4GiB of memory to catch all early
memory accesses during bootstrap.
Fixes#4724.
This patch simplifies the 'Deploy::update_managed_deploy_config'
interface by keeping an internal copy of the currently used deploy
template inside the 'Deploy' class. The template is updated whenever
the config/deploy file is modified.
This change weakens the coupling between the '_manual_deploy_rom' and
the '_deploy' subsystem, easing the upcoming implementation of the
switching between presets.
Adds befriended test-local wrappers for the classes Cpu_share and Cpu_scheduler
and adds a print method to the scheduler wrapper that prints the internal state
of the scheduler to the given output. Cpu_shares are referenced in the output
via a the IDs that the test uses to organize them. I.e., this corresponds to
how the CPU shares are named when calling the atomic steps the test is made of.
Ref #4151
Ref #4710
This adapts the test to the changes that were applied to the scheduling scheme
by the following commits:
* base-hw scheduler: optimize quota depletion events
* base-hw scheduler: fix bug on removing head
* base-hw scheduler: fix ready method
* base-hw: optimize & cleanup scheduler
Part of that is that the test used to check whether the act of setting a share
ready outdates the head or not. However, with the current version of the
scheduler, this check is not possible anymore. We can merely check whether the
head is outdated after setting the share ready. So, among other adaptions, this
commit adapts the expectations of the test to the new semantics of the check.
Ref #4151
Ref #4710
* Get rid of preprocessor macros.
* Introduce Main as class.
* Exit with -1 instead of endless loops on errors.
* Don't try to deal with error conditions, just print a message and exit
with -1.
* Only one operation per line.
Ref #4151
Ref #4710
This is an optimization for the case that a prioritized scheduling context
needs slightly more time during a round than granted via quota. If this is the
case, we move the scheduling context to the front of the unprioritized schedule
once its quota gets depleted and thereby at least ensure that it does not have
to wait for all unprioritized scheduling contexts as well before being
scheduled again.
Note that this introduces the possibility of undeserved starvation of
unprioritized scheduling contexts to the scheduling scheme. If there are
enough prioritized contexts that deplete their quota during a round,
they may cover up also the rest of the round with their unprioritized time
slices. If this happens every round, contexts without a priority/quota may
never get a turn. In the previous scheduling scheme, this could not occur as
the unprioritized schedule was completely independent from prioritized
schedules and rounds.
Ref #4151
Ref #4710
The scheduler did not consider the consumed quota during a call to "update"
if the head that consumed the quota was removed from the scheduler. When this
occured, the internal round time did not advance as expected but remained at
its previous value untile the next call to "update" (without a removed head)
This commit introduces a new flag that is set only when the head gets removed
in order to detect and handle the situation correctly on the next call to
"update".
Ref #4151
Ref #4710
Setting the _need_to_schedule member in the 'ready' method of the scheduler
was not done correctly. At least, the _need_to_schedule was set true in
situations were the head was not outdated by the 'ready' operation.
Ref #4151
* Remove *request* in context of: wait, reply, send to shorten it.
* Use ready_to_* instead of can_*, which is regularily used in Genode's APIs
* Replace helping_sink with helping_destination, as destination is more common
Ref genodelabs/genode#4704
The IPC protcol violations are:
* Sending to an unknown thread (cap)
* Waiting for messages if a reply hasn't happened yet
This silents threads that otherwise repeatedly cause kernel messages
about the violation.
Ref genodelabs/genode#4704
* Split the internal state into incoming and outgoing message relations
* Avoid fragmenting of one state like formerly '_state' and '_help'
* Remove pointer to caller, use incoming FIFO instead
This commit fixes at least two bugs that were triggered by tests that
destroy threads in many different states, like run/bomb:
* The '_help' data member was not reset reliable in each situation where a
helping relationship came to an end. However, when we fixed this bug alone
in the old state model, the issues remained. The new state model fixes
this bug as well.
* A thread sometimes referenced an already dead thread as receiver. This caused
the kernel IPC code to access the vtable of an object that didn't exist any
longer. Note that the two threads were not in direct IPC relationship while
the receiver was destroyed, so, there must have been an intermediate node
between them. Due to the complexity of this problem, we eventually gave up
pin-pointing the exact reason in the kernel IPC code. The issue disappeared
with the new state model.
Fixgenodelabs/genode#4704
When writing the GPT header, the tool always wrote the GPT entries
belonging to the primary header to LBA following the header. Normally
this is LBA 2 as the header is located in LBA 1. The GPT allows for
up to 128 entries that all in all cover 16 KiB of storage space.
However, on some systems, e.g. ARM-based machines, the bootloader can
be stored in this region. For this reason the GPT entries may be moved
to a different LBA.
This commit changes the tool to adhere to then given GPE LBA in header
when writing out the modified GPT data.
Fixes#4720.
The old 'Io_response_handler::io_progress_response' interface has been
replaced by the 'Vfs::Env::User::wakeup_vfs_user' (issue #4697). The
remaining 'read_ready_response' method is now hosted in the
appropriately named 'Read_ready_response_handler'.
Issue #4706
This patch keeps driving the internal state machines until no progress
can be made. This required fixing the return values of several execute
functions, which used to report progress while being in complete state.
Along the way, the patch removes default switch cases to ensure that all
states are covered.
Issue #4706
This commit supplements the various I/O signal handlers of the VFS
plugins with calls of the new 'Vfs::Env::User::wakeup_vfs_user'
interface, which will subsequently replace the old 'Io_progress_handler'
(issue #4697).
Issue #4706
The 'blocked_handles' queue was used to notify the VFS user via the
'io_progress_response' mechanism. This is now covered by the
'wakeup_vfs_user' interface introduced in issue #4697.
Issue #4706
Information about PS/2 and PIT where moved to app/pci_decode in the
following commit.
pci_decode: report devices from ACPI info
We still provide an empty <devices> node as the file itself is used by
platform agnostic run scripts.
When running on x86, and riscv never enter the kernel for cache maintainance,
but use the dummy implementation of the generic base library instead.
On ARMv8 it is not necessary to enter privileged mode for cache cleaning, and
unification of instruction/data cache, but only for invalidating cache lines
at all levels, which is necessary for the use cases, where this function it
needed (coherency of DMA memory).
Fixgenodelabs/genode#4339
This call is used to query the cache line size of the underlying CPU.
For now it is only implemented and used by 'arm_v8' platforms.
It does not distinguish between D-/I-cache sizes and always uses the
smallest size. Furthermore it does not account for any discrepancy
in 'big.little' CPUs.
Issue #4339.
To prevent the kernel to deadlock, or call itself with a syscall when
using a lock potentially hold by a core thread, the log console's
backend for core (hw) gets replaced by a specific variant that checks
whether it runs in the kernel context before using the mutex.
Fixgenodelabs/genode#3280
When a domain receives a new dynamic router IP address and that domain has
active connection states (TCP/UDP/ICMP) from another domain with NAT applied,
the connection states used to stay active while becoming obsolete. They
become obsolete because their identification and their packet processor
use the old routers IP address due to NAT.
One consequence was that connections became dysfunctional when the server
domain received a new dynamic router IP address. Request packets were still
routed from client to server, but when entering the server, their source IP
address was the outdated router address. Consequently, the server responses
used the outdated address as destination and the router dropped the responses
because it did not know this address anymore.
This commit fixes the problem by letting a domain destroy all its connection
states that were initiated from within other domains whenever it detaches from
its current IP configuration.
Strictly speaking, it is not necessary to destroy all connection states, only
those that the domain applies NAT to. However, the Genode AVL tree is not built
for removing a selection of nodes and trying to do it anyways is complicated.
So, for now, we simply destroy all connection states.
Note that the other way around was handled correctly already. When a domain
detaches from its IP config, all interfaces of that domain destroy all the
connection states they created (towards other domains).
Fixes#4696
If the IP config does not change on updates to the router IP config of a domain
change (a common case on DHCP RENEW), prevent detaching from the old config and
attaching to the new one. Because this would not only create unnecessary CPU
overhead but also force all clients at all interfaces that are listening to
this config (via config attribute 'dns_config_from') to restart their
networking (re-do DHCP).
Ref #4696
Check 'pv == nullptr' in 'ShClSvcImplWriteData' and return
VERR_INVALID_POINTER if invalid (as is done, for example, in the X11
implementation).
issue #4666
By adding a 'write_ready' interface following the lines of the existing
'read_ready', VFS plugins become able to propagate the (de-)saturation
of I/O buffers to the VFS user. This information is important when using
a non-blocking file descriptor for writing into a TCP socket. Once the
application observes EAGAIN, it expects a subsequent 'select' call to
return as soon as new I/O buffer space becomes available.
Before this patch, the select call would always return under this
condition, causing an unnecessarily busy write loop.
Issue #4697
The new interface is meant to replace the 'Vfs::Io_response_handler'.
In contrast to the 'Io_response_handler', which had to be called
on a 'Vfs_handle', the new interface does not require any specific
'Vfs_handle'. It is merely meant to prompt the VFS user (like the libc)
to re-attempt stalled I/O operations but it does not provide any
immediate hint, about which of the handles have become ready for
reading/writing.
Issue #4697
This patch removes the 'Insufficient_buffer' exception by returning the
WRITE_ERR_WOULD_BLOCK result value instead. It also eliminates the
superfluous WRITE_ERR_AGAIN and WRITE_ERR_INTERRUPT codes.
Issue #4697
The original size of 16K impedes the batched processing of network
packets. Changing the value to 256K reduces the number of context
switches when downloading large files and thereby improves the
throughput by more than 25% (base-hw on qemu_x86_64, using fetchurl
to download a file of 100 MiB via the NIC router from lighttpd).
Issue #4697
This patch fosters the batching of network packets transferred by the
lwIP stack over the NIC connection. It replaces the eager submission of
the packet-stream's data-flow signals by explicit wakeup notifications.
The commit also increases the NIC session's buffer size from 128 to 1024
packets.
Issue #4697
...and tighten constness in adjacent code parts.
The VFS-internal synchronization via mutexes is no longer needed because
the access to the VFS is serialized by the VFS client, i.e., the libc.
Issue #4697
Since the lwip library is used only by the vfs_lwip plugin, this patch
moves the Genode-specific support code local to the VFS plugin, easing
further simplification and allowing for a tighter integration with the
VFS plugin.
The recipes for api/lwip and src/vfs_lwip stay separate as both parts
use different licenses.
Issue #4697
This networking scenario is useful for analysing and optimizing the
interplay of the VFS, libc, TCP/IP, and the NIC router. It downloads a
file via fetchurl from lighttpd, both of which are hosted on a virtual
network.
Issue #4697
This patch facilitates the batching of I/O operations in the VFS library
by replacing the implicit wakeup of remote peer (via the traditional
packet-stream interface like 'submit_packet') by explicit wakeup
signalling.
The wakeup signalling is triggered not before the VFS user settles down.
E.g., for libc-based applications, this is the case if the libc goes
idle, waiting for external I/O.
In the case of a busy writer to a non-blocking file descriptor or socket
(e.g., lighttpd), the remote peers are woken up once a write operation
yields an out-count of 0.
The deferring of wakeup signals is accommodated by the new 'Remote_io'
mechanism (vfs/remote_io.h) that is designated to be used by all VFS
plugins that interact with asynchronous Genode services for I/O.
Issue #4697
This test reveals the patters of the batching of consecutive write
operations on a file-system session. It issues 100 writes of one byte
each, which should ideally result in large batches of operations
submitted to the file-system session at once.
The run script performs the write operations through a chain of two VFS
servers, thereby exercising the write batching of both the libc and the
intermediate VFS server.
Issue #4697
By replacing the calls of 'acknowledge_packet' and 'get_packet' with
'try_ack_packet' and 'try_get_packet', we avoid the implicit triggering
of data-flow signals. Instead, the VFS server now relies on explicit
calls of the packet stream's 'wakeup' interface.
Issue #4697
The change of the queue size from 16 to 32 has negligible costs (4 KiB
instead of 2 KiB for the packet-stream queues) while facilitating the
batching of many small consecutive write operations.
Issue #4697
Some signal-heavy scenarios (e.g., libc_integration) produced the
following warning that hinted a data race on signal data in the context
object.
Warning: returning signal with num == 0
The cause was the use of Signal_context::local_submit() in the libc
introduced in
424ed1b79a libc: remove Reconstructible / use local_submit in kernel
in combination with a missing context-mutex aquisition resulting in a
data race on Signal_context::_curr_signal.
Issue #3923
The commit "sculpt_manager: relax nic_drv policy label" introduced the use of
the "label_prefix" attribute instead of "label" for the uplink policy in the
NIC router. However, it missed an appropriate adaption of the lookup of that
attribute when the Sculpt manager has to decide which uplink is used in a
manually managed router config. This caused the uplink to disappear whenever a
user created a manually managed router config. This commit fixes the problem.
Issue #4660Fixes#4695
This prevents errors like the following during parallel builds.
MERGE ld-hw.abi.so
/usr/local/genode/tool/21.05/bin/genode-arm-ld:symbol.map:0: syntax error in VERSION script
Replace usb_kill_urb() by usb_unlink_urb() in the timeout handler for
control URBs, as usb_kill_urb() may block and is not allowed to be
called in IRQ/bottom half contexts.
Fixes#4681
Count more accurately how much packets are in flied, and whether
new packets can be handled. Moreover, catch potential exceptions
whenever acknowledging a packet, and warn about the lost acknowledgement.
Fixgenodelabs/genode#4678
There is at least one client that performs DRM calls from multiple
pthreads, which is not supported for now. We guard the concurrent
access by grabbing a pthread_mutex before each operation.
This commit circumvents faulty behaviour of base-pistachio, if
the PCI config space gets requested megabyte-wise. It occurs that
we get a mapping sequence in between sigma0, core and component,
like the following: 0xe1000000 => 0xbf001000 => 0x10b000,
with the consequence that the component stalls when accessing
the latter one. By requesting I/O memory aligned to the size,
the faulty behaviour vanishes.
Ref #4686
This is required for scenarios in which a device appears at a later
point in time. If the ROM is not updated, the device_by_type() method may
operate on an outdated dataspace and never find the device it is waiting for.
Although we do not have the full ACPI information parsed yet, to
announce non-PCI devices derived from the ACPI tables, the device
description of the assumed devices is now integral-part of pci_decode.
Formerly, the information was gained separatedly as boot-module, whereby
we lost synchronization in between ACPI/PCI parsing, BIOS handover, and
PS/2 emulation code already acting.
This recipe combines the dummy_rtc_drv, which consumes a given time,
and provides the "Rtc" service to its clients with the simple NTP client,
which provides the current time to the RTC driver in regular intervals.
Ref genodelabs/genode#4687
Test to trigger periodically ACPI suspend and resume and periodically
trying to restart graphic driver.
Tested successfully with X201 and T420.
Issue #4669
It looks like http://www.elm-chan.org is blocking certain IP ranges,
because downloading the source archive on certain machines fails with
"403 Forbidden".
Fixesgenodelabs/genode#4623
During interrupt handling the driver masked and cleared interrupts as
recommended in the spec to prevent spurious or unnecessary interrupts
from occurring.
Due to the way the current implementation operates new Block requests
got submitted while handling completions for already finished ones.
Since interrupts where masked at this point the controller did not
generate interrupts when the newly submitted requests got completed.
As the mask/clear optimization is apparently not strictly needed and
according to the spec undefined when using MSI-X it is removed.
Fixes#4684
200 TSC ticks for max measurement duration can get too small on platforms
with high TSC frequencies (e.g., >3GHz) and low CPU frequencies often
caused by HWP configurations. Therefore, we express the measurement
duration in NS (not ticks) and calculate max duration ticks using the
TSC frequency. This way the max duration becomes independent of the TSC
frequency.
fixes#4672
This commit enables users of the VMM to define CPU type and count, RAM size,
kernel and initrd ROM names, GIC version, and Virtio devices to be used.
Derived from the configuration values a flattened device-tree blob (DTB) is
generated and transfered to the VM.
Fixgenodelabs/genode#4670
Lack of MSI-X support in DDE Linux causes a timeout when the Intel AX211
tries to call back into the driver while loading the PNVM file while
interrupts are still disabled.
With the patch picked up from QubesOS the card works on an X1 Nano G2:
5fcfe0f19e
Issue #4663
Until now, requesting optional blobs such as 'iwl-debug-yoyo.bin' has
just failed silently. To support desired blobs such as PNVM firmware,
implement the loading of optional firmware while preserving the nowarn
characteristics of the function.
Issue #4663
Try to allocate within constraint area first. In case the area is exhausted,
try allocation at other memory locations.
The motivation for this is to limit DMA allocations to 4GB (since some
devices require addresses below 4GB). On some platforms there is little
physical RAM in this area (<1GB) and the constrainted area exhausts. In
case an IOMMU is present, RAM at higher locations can still be mapped
below 4GB, which is done in the platform drivers.
issue #4665
Consume '<iommu/>' tag from 'devices' report. In case an IOMMU is
present map physical memory to arbitrary locations within IO page table
range 1K-4G. This way every device PD has access to ~4GB of DMA space.
issue #4665
The platform driver configuration is missing the required 'info'
attribute that allows the 'vesa_fb_drv' to map the proper I/O
memory address of the framebuffer. In addition the driver requires
at least '2' more CAPs, so raise the quota to '110'.
Fixes#4668.
There is one binder with one memory zone per OpenGL context. The patch was
needed before because Genode didn't have proper context support (separate page
tables) leading to binders from one or more context being allocated to the same
GPU address with the same page tables. This was clearly an error and is fixed
with context support.
issue #4664
'_env_ram' allocations can lead to
'Expanding_pd_session_client::try_alloc' quota upgrades, which in turn
may lead to a resource request by the platform driver. Therefore, we
check the available quota within the platform driver before allocations.
This is not an optimal solution.
issue #4667
related issue #3767
This patch makes the component graph better reusable for the phone
version of Sculpt. In the phone version, the '+' menu does not exist.
So we need to omit the corresponding button. Furthermore, the storage
dialog is presented in a dedicate section of the GUI instead of
presenting it inside the 'storage' graph node. The phone version
also does not offer the inspect view. So we need to omit the
corresponding buttons.
To prevent caching side-effects of USB DMA memory taken from the packet stream
all allocations of USB packets need to be on separated cachelines at least.
Fixgenodelabs/genode#4655
To complement the GPIO support allow for setting and reading input
pins. So far this is needed by drivers that attempt to perform I2C
bit-banging via GPIO pins.
Fixes#4624.
In case the allocation fails for the largest possible connector mode,
try smaller modes. Additional add option to specify maximal resolution.
Issue #4659
Increase "assumed" internal kernel memory size based on available memory
to support allocation of framebuffer larger than 16M, which was before
hardcoded.
Issue #4659
When using the newer genode_c_api uplink library, an uplink connection uses
the device name as label, which enables integrators to use different policies
resp. routes for different devices driven by one driver. The nic_drv policy
of the nic_roouter configuration generated by the sculpt_manager however uses
an empty label like: "nic_drv -> ". This is the way how existent NIC drivers,
like ipxe_nic_drv requested their uplink session. To support both driver
variants this commit relaxes the policy by checking for a prefix only.
Ref genodelabs/genode#4660
This patch equips the pin-driver framework with support for the
time-multiplexed operation of a pin as output or input. This is needed
when implementing I2C communication via a bit-banging driver.
To operate pin in both directions, a driver obtains both a pin-state and
a pin-control session for the same pin. The pin-state session can be
used to sense the current pin state. The control session allows the
client to set the pin to high or low (using the 'state' method), or to
set it to high-impedance via the 'yield' method. Once switched to
high-impedance, the pin can be used as input.
Issue genodelabs/genode-allwinner#10
The tar.gz archive of version 2.4.9 vanished from sourceforge. As the
project moves to GitHub currently and the archive of 2.4.9 is still
available there, just update the download location.
Content and hashes did not change.
If a device should not be reset, powered off, and its clocks
shall stay untouched when it gets released, the leave_operational
attribute can be set to true in the device node of the related
device inside the devices ROM delivered to the platform driver.
This is useful for drivers, which only enable and initialize
their device, and can be closed afterwards.
Ref genodelabs/genode#4654
To enable other irqchip declarations beyond the lx_emul generic code base,
make the ARM specific initialization routine public.
Ref genodelabs/genode#4651
With "grub2: update to newer grub2 2.06 version" a regression slipped in
which makes the ISO not bootable on real hardware. The commit reverts to
the previous behaviour, to load the GRUB2 modules after boot later one by
one in the ISO format case.
Fixes#4647
Prevents errors like follows.
/bin/bash: arch/arm64/crypto/poly1305-core.S: No such file or directory
make[4]: *** [.../genode/repos/dde_linux/lib/mk/spec/arm_64/wireguard_lx_inc_dirs.mk:17: arch/arm64/crypto/poly1305-core.S] Error 1
Reintroduce:
USB Attached SCSI devices might expose a bulk-only interface
as fall-back at interface 0 and alternate setting 0. This commit
allows for probing all alternate settings of the active interface
to be able to use such devices.
The configuration was extended so that in case the device interface
is known beforehand the driver can be configured accordingly.
Additionally:
Perform configuration reset upon sessions close in order to bring USB
device to a well defined state.
fixes#4494
The NOVA kernel and Genode's roottask core are configured to be runnable
with up to 64 CPUs (MAX_SUPPORTED_CPUS in core resp. NUM_CPU in kernel).
On machines with more CPUs a reset occurred. The commit checks for this
case, bootstraps the first 64 CPUs only, and sends all other CPUs to
sleep.
Also, the platform_info ROM size is increased to host information about
more than 32 CPUs.
Issue #4640
If `select_from_ports` is evaluated lazily, we might miss a port during
the dependency check. A way to prevent this is to use the `:=` operator.
Fixesgenodelabs/genode#4618
Implement the guest code in dedicated assembler source file, assemble
and link the binary to vmm_x86. The resulting guest-code binary
populates one page that is mapped to host the reset vector of the guest.
This approach simplifies future guest code adaption resp. extension,
e.g., to test rdmsr/wrmsr exiting.
Fixes#4638
plain_decorator_theme.tar is not linked to the app but must be generated
as side effect. Therefore, use CUSTOM_TARGET_DEPS to trigger the
generation.
Fixes#4637
This reverts commit 9a37ccfe29 except for the
new declarations in public headers (in order to not change any APIs again).
We revert the commit as we found that there are corner cases in which it
produces a bad UDP checksum. The bad UDP checksum was observed via Wireshark at
a TFTP server in a Sculpt 22.10 Debian 11 VM on the first request of fetching a
file with the TFTP client of the uboot on our iMX8 test board.
Ref #4636
According to OpenBSD's azalia driver some AMD HDAudio devices do not
play nice with MSIs although the capability is set. At least the
0x1457 device was tested and worked using GSIs only.
genodelabs/genode#4578
During initialization _handle_link_state may be called concurrently from EMT and
"nic_ep" (signal handler). Therefore, sent signal to "nic_ep" instead of calling
_handle_link_state from EMT thread.
issue #4632
Some DHCP clients (Debian VM in Sculpt) persistently store the last lease they
obtained and try to directly DHCP REQUEST it on a new startup whithout doing
DHCP DISCOVER beforehand. In case the NIC router doesn't know about the lease
anymore (timeout, new router instance), the router used to just ignore the DHCP
REQUEST. This led to significant delays in the network startup of the client
(delayed retries until give-up and DHCP DISCOVER). With this commit, the router
answers such packets with a DHCP NAK instead, causing the client to directly
switch to DHCP DISCOVER.
Fixes#4634
This patch removes the intermediate querying of the depot while the
installation of packages is in progress. This avoids misleading warning
messages and reduces superfluous file-system load during the
installation of large packages.
Issue #4631
On-demand initialization prevents read-write operations on BARs of
invalid devices at construction time, which may result in surprising
behavior later on, for example, when resetting X260 notebooks via ACPI
information.
These utilities simplify the control of clocks, resets, and power
domains from within the platform driver.
This is needed when driving a low-level device directly from the
platform driver, for example for driving the mbox mechanism to access
the system-control processor of the PinePhone.
This patch reflects both the pci_decode results and the platform
driver's aggregated device information in Sculpt's /report/drivers/ in
the form of pci_devices and devices files respectively.
The configured 'st_blksize' influences the sizing of the FILE buffer,
see '__swhatbuf()'. Increasing the blksize hint can lead to larger
'fread()' requests and in return to fewer roundtrips.
This commit updates the driver from version 6.6 to 7.1. In contrast
to the old driver the new one will now probe all available HDA devices
and will drive the first usable one, e.g.:
```
[init -> audio_drv] azalia0 [8086:160c]
[init -> audio_drv] :
[init -> audio_drv] azalia0: no supported codecs
[init -> audio_drv] azalia1 [8086:9ca0]
[init -> audio_drv] :
[init -> audio_drv] azalia1: codecs: Realtek ALC292
[init -> audio_drv] audio0 at azalia1
```
Fixes#4629.
Implemented as depicted in the OpenBSD driver, register description
found in 'AMD SB700/710/750 Register Reference Guide'
(43009_sb7xx_rrg_pub_1.00.pdf).
Issue #4629.
Instead of using a global value to enumerate the MSIs, use a function argument
instead. Whenever the process of PCI device reporting gets started again,
due to an initially too small report buffer, the MSI enumeration value is reset
again. Formerly, we wasted MSI numbers.
Ref genodelabs/genode#4628
Don't skip IRQ reporting if legacy IRQ/GSIs are not supported as the
device may support MSI/MSI-X exclusively.
The commit also enables reserved_memory reporting of devices without
IRQs.
Ref genodelabs/genode#4578
Until now, the /config/system ROM was not handled by the sculpt manager
but solely managed by the user. Its main purpose was the ability to
reset or power-down the machine by manually modifying the 'state'
attribute. However, down the road, we'd like to enable the sculpt
manager to drive this state, e.g., to implement the multi-staged
loading of drivers, or to drive suspend-resume states.
The support such scenarios, the 'system' state has been moved from
/config/system to /config/managed/system.
