This commit adds support to initialize the timekeeping for
the Linux subsystem with the value from the RTC.
Only the seconds part of timespec64 is supported.
Issue genodelabs/genode#4957
FreeBSD libc code uses only a single spinlock instance and, thus there
is no obvious reason why it would need to be implemented as an actual
spinlock. _spinlock() and _spinunlock() functions are implemented with a
static pthread mutex.
Issue #725
This commit adds a new configuration option, `dst_addr` to the
'sntp_client' that accepts either an IP address or a DNS hostname. If a
DNS hostname is provided, the 'sntp_client' will resolve the IP address
before each SNTP request. The 'dst_ip' configuration option is
deprecated but kept for compatibility until 'dst_addr' is fully adopted.
xsd/net_types.xsd: add Net_address type
sntp_dummy_rtc: adjust configuration to use pool.ntp.org
Fixesgenodelabs/genode#5003
`Expandind_pd_session_client::try_alloc` is an overriden virtual method
of `Ram_allocator::try_alloc`. The latter specifies the default Cache
argument as CACHED. The overriden method should either do the same or
not even specify a default argument at all.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
Feed the high-frequent fetchurl reports into a list model to speed up
the subsequent evaluation of the data.
Also limit the rate of state reporting during updates to visible changes
in percent such that most fetchurl reports do not cause any UI activity
(status updating) any longer.
This patch noticeably speeds up the installation of complex packages
(i.e., the morph browser) on the PinePhone.
Issue #5038
The execution of global-static constructors in Genode is optional for
native components or determined in the libc for libc components. By
convention, we avoid static constructors wherever possible but in rare
cases the component can tweak the point when constructors are executed
and initialize an environment beforehand. The wifi_drv applies this
pattern for the uplink initialization, but is a libc component on the
other hand, and, thus, statics in the Genode C API for uplink are
constructed later by the libc. So, the prior initialization is reverted,
i.e. the signal-handler capability becomes invalid.
This addresses a regression exposed by the following commit.
drivers/wifi: perform multi-staged construction
Related to #3509Fixes#5024
Component names can be larger than widget IDs, which are capped at 20
characters. To uniquely correlate the component depicted in the graph
with clicks, this patch uses a dedicated graph ID for each runtime
component instead.
Fixes#5034
This patch allows for the interactive assignment of the system-control role
to a new component via the resource dialog. This is useful for integrating
low-level components like the Intel frequency/power monitoring tool.
Fixes#5033
Commit "menu_view: ignore zero-sized widgets in box layout" introduces
zero-sized child widgets as a special case but defined zero-sized as
zero covered pixels (w*h == 0). However, for layouting, a widget with a
non-zero height and zero width is not zero-sized.
This patch refines the zero-size condition such that only widgets with
both zero width and zero height are considered as zero-sized.
It thereby solves the missing display of empty lines in the text_area
component.
The 'Xml_node::differs_from' method takes the constructor arguments
(addr, size) for a byte-wise comparison whereas 'with_raw_node'
restricts the byte range to the actual XML tags. In cases where
the XML start tag is preceeded by whitespace, both ranges can differ.
Since the 'differs_from' method is meant for comparing actual XML
nodes - not any whitespace around them - whitespace should be ignored
on both operands.
Issue #5029
This is a follow-up fix for commit "sculpt: apply Dialog API to diag,
panel, and graph", which happened to render the legacy dialogs (network
and settings) inaccessible.
The patch avoids the use of clack seq numbers for the 'popup_opened'
condition (which happens on click, not clack). It also overrides old
click information on the arrival of a new click, avoiding the evaluation
of stale click sequence numbers in distant_runtime.cc. Furthermore, it
reduces the rate of 'Distant_runtime::_try_handle_click_and_clack'.
Issue #5008
On WPA3 encrypted networks the AP picker does not indicate encryption
and does not prompt for a passphrase.
Also indicate an encrypted network when "protection=WPA3", remedying
both issues.
Fixes#5022
Up to now, when using force_*, all other configured modes of a connector
got overwritten and the force_* got enforced. With the commit,
the connector mode is considered (if below max_*) and the resulting
framebuffer may be larger then the dimension of force_*.
Differences in TAR archive member metadata results in unstable depot
hashes. The following properties have to be fixed: modification time
(incl. time zone), numeric owner and group, permission modes.
Releated to #2842
This change allows for the hosting of system-management components
in Sculpt's runtime. The special role must be declared either as
<launcher managing_system="yes"> attribute or in the deploy
configuration's <start managing_system="yes"> attribute.
Issue #5009
Rename locally extended VCPU state from State to Vcpu_state for clarity.
The local namespace only adds two accessor methods, which does not
justify a local generic name.
Ref #4968
Make naming across architectures coherent by renaming Vm_state to
Vcpu_state, to reflect that it contains the state of a Vcpu and not that
of an entire VM.
Ref #4968
Per Affinity::Location a system control cap can be requested. The capability
provides an RPC interface to request and set Cpu_state, as provided by the
former Pd::managing_system(Cpu_state) method. Invocation of those system
control capabilities then *can* (see below) be executed on the desired CPU
as described by Affinity::Location.
The system control cap will be invalid for kernels that don't support
system_control/managing_system functionality at all.
The system control cap will be ever by the same, e.g. ignoring the
Affinity::Location parameter, if the used kernel doesn't support or doesn't
require the feature to execute the system control per CPU.
The commit is a preparation step to add guarded and selective x86 MSR
access per CPU.
Fixes#5009
This patch partially converts the Sculpt manager to the dialog API.
At this stage, both the old utilities and the new dialog API are still
used simultaneously.
Issue #5008
The so-called 'Distant_runtime' implements GUI dialogs via menu_view
components hosted at a distant init instance as opposed to child
components (as implemented by the 'Sandboxed_runtime'). This is
particular the case in Sculpt OS where the sculpt manager is not the
parent of the menu_view instances.
Issue #5008
By renaming 'Dialog' to 'Deprecated_dialog', we become able to use the
name 'Dialog' for the new API while temporarily keeping the original
interface in tact.
Issue #5008
- Increase default timeout to one minute
- Ignore power-button events during display-driver startup to avoid
entering another forced blank when pressing the power button twice.
- Prevent wakeup from user activity except for the power button.
So the volume can be adjusted without leaving the screensaver.
Issue #4950
The new API at gems/include/dialog/ aids the creation of simple GUI
applications based on the menu-view widget renderer. Its use is
illustrated by the simple test application at src/test/dialog/
that is accompanied with the dialog.run script.
Issue #5008
Each hover change of the character position within a label results in a
new hover report, which needs to be evaluated by the application. For
the common cases where labels are used as button texts or for presenting
passive information, the level of detail is not needed while the
recurring hover reports induce overhead at the application side.
This patch mitigates this overhead by excluding labels from the hover
reporting by default.
For use cases that actually depend of precise hover reporting of labels,
for example an editable text area, the hover reporting can be enabled by
setting the 'hover="yes"' attribute of the label.
The 'Widget::_version' attribute was meant to allow the deliberate
replacement of a widget by a same-named widget by changing the version
while keeping the name, thereby suppressing any geomety animation.
However, the implementation missed to populate the attribute with the
value provided by the dialog ROM, prompting the unconditional
re-creation of the widget whenever a 'version' attribute was specified.
Even though this had the (desired) effect of preventing geometry
animations, it could cause feedback loops between hover reports and
dialog ROMs because the 'hover_changed' condition in 'Menu_view::Main'
would always stay true while a versioned widget is hovered.
To prevent exessive allocations the bounce buffers are allocated
once and afterwards re-used. The DMA buffers are provided by an
range allocator whose backing store increases in 4 MiB chunks.
The range allocator might not merge the ranges as those chunks
are not necessarily allocated continously. Allocations larger
than the static chunk size are therefor treated as error.
Internally libyuv uses malloc & free for short time dynamic memory
allocation during image transformation. The converted images are
such large, that the Libc allocator will create and destroy new Genode
dataspace per image. In time sensitive code paths, the overhead can be
noticeable by the caller of the image transformation.
The patch adds the option to register callbacks in the libyuv library to
implement the image allocation by users of the library. They may implement
caching strategies to avoid the overhead, e.g. as seen with qemu-usb and
the webcam model.
and not before. On Windows guest with more than 1 vCPU, the packets
seem to arrive and/or seem to be handled too late in the Webcam model.
An intermediate state, to due the late packet, has been used to decide to
close the Capture session too early.
In SDL2, support has been added for multiple windows.
As such, prior to this commit, invoking _sdl_screen.construct
would create a new window each time the original window was
resized.
To avoid this, refactor to only construct the window once, and
upon resize events, reconstruct the SDL_Surface and SDL_Texture
of Sdl_screen to the new window dimensions.
Issue identified by @chelmuth in https://github.com/genodelabs/genode/pull/4993#issuecomment-1729530634Fixes#4993
Following the official migration guide of SDL [1], the
fb_sdl framebuffer driver was update from SDL1 to SDL2.
The sdl2 port in world/src/lib/sdl2 is used.
Since SDL1 is in maintenance mode [2], support for other
display servers than X11 will never be implemented. In
particular, support for Wayland is missing from SDL1.
Fortunately, a port of sdl2 is maintained in genode-world.
As SDL2 is actively developed, it will provide support for
modern hardware architectures, and has mature support for
Wayland [3].
[1]: https://wiki.libsdl.org/SDL2/MigrationGuide
[2]: https://wiki.debian.org/Wayland#SDL1_.28unsupported.29
[3]: https://wiki.debian.org/Wayland#SDL2_.28supported_since_2.0.2.2B-.29
Issue #4993
The new API emphasizes control over the vCPU data by granting access
through the Vcpu::with_state() method, which makes sure that the vCPU is
stopped, invokes the supplied function with a reference to the VM state
and resumes the vCPU if the function returns true.
The old Vcpu::run(), Vcpu::pause() and Vcpu::state() methods are removed
in favor of the new API. Execution of the vCPU is now interrupted by
sending a native Genode Signal to its Vcpu_handler, which will run the
VMM's exit handling method. When this method retrieves the vCPU state by
calling Vcpu::with_state(), the outside interruption is detected and on
x86 a recall exit is injected into the state to signal the vCPU
interruption / pause request to the VMM's vCPU handler.
Ref #4968
instead via the hardware registers of the FPU. On Genode all components and
so VMMs are built such, that the compiler may generate optimized code by
using the FPU at any time. We had to make sure to save the
FPU state as early as possible before the VMM component touches the FPU,
to avoid corrupting & losing guest FPU state. This caused headache again
and again. To avoid the uncertainty, we remove this feature and explicitly
transfer the FPU state via the UTCB.
Depending on the client and use-case the current minimal timeout
value of 5 ms could be too high, lowering it to 1 ms stays within
the limit imposed by most timer drivers.
Issue #4990.
When the wait value is too small the HALT attempt turnes into
busy-polling in the VMM. To prevent that always wait a minimal
amount of time.
Issue #4990.
This patch removes the obsolete 'io_progress_elem', which was wrongly
enqueued to the 'read_ready_waiters' fifo and not dequeued at
destruction time.
Fixes#4987
Remove 'usb_hid', 'usb_net', 'usb_modem' from dde_linux port. These
versions have been updated to Linux 6.1.20 which uses the 'linux.port'
file.
issue #4958
The driver is superseded by the USB network driver (usb_net) which also
contains MBIM support for LTE modems previously provided by this
driver.
issue #4958
The drivers uses the 'virt_linux' api and the current lx_kit
implementation. It is a drop-in replacement for the Linux 4.16.3 based
version.
issue #4958
NCM tries to batch TX packets using timeouts (500us) and does not send packets
before 3 packets are in the submit queue. Timeouts take milliseconds on
dde_linux which leads to delayed ACKs and poor performance for the RX case.
Therefore, we send small packets (<100 Bytes) immediately without batching (it
might be an ACK or last packet of a larger transfer).
issue #4958
The PinePhone Modems' CDC Ethernet Interface does not respond if RX/TX queue size
is greater 12 (experimentally determined), the default would be 60, meaning 60
RX Bulk URBs are sent at once to the device.
issue #4958
A WRITE_ERR_WOULD_BLOCK may occur when large reports are written to a file
system because this fills up the submit queue of the packet-stream interface.
Fixesgenodelabs/genode#4988
This commits introduces changes to test number 4, so it must keep
more than one PKG. Also, it introduces a 5th test to verify that the
<remove_all/> functionality does delete everything in the depot.
Issue genodelabs#4866
This commits introduces improvements to the test functions to avoid
code duplication, and renames these functions to reflect better what they
are used for.
Issue genodelabs#4866
The last character should only be skipped if a `\0` or `\n` is found. If
the string ends without such a character or the maximum line length is
hit, we do not skip the last character.
Fixesgenodelabs/genode#4985
Dynamically loading the `compat-libc` breaks `fork(2)` on Genode.
Switch `compat-libc` to a special api package that provides a source
file for statically linking the library, analogous to the `blit`
package. This also requires a quirk in Goa but should prevent breaking
`fork()` and removes the runtime and archive dependencies for Rust
packages using `compat-libc`.
Ref genodelabs/goa#61
Implement FBSD_1.0 versions of libc functions ('stat', 'fstat'). The
functions are versioned with @FBSD_1.0, and therefore, will not clash
with libc during linking. However, to be called by our dynamic linker,
the library must be before libc in the NEEDED section of the binary
using it. This requires the lib to be in front of libc in the LIBS
variable. The library currently will call libc 'stat' and 'fstat' by
looking up the symbols via 'dlsym'.
Ref genodelabs/goa#61
Some Ubuntu installations (e.g., 20.04) create installation disks with
strange C/H/S MBR partitions like 3988/255/2. Normally, VirtualBox reads
the MBR to guess disk geometry information for the virtual BIOS.
Unfortuantely, the strange values from Ubuntu lead to a heavy
virtual-disk activity on boot. Therefore, this commit forces the use of
calculated values based on the assumption that large disks use LBA
addressing anyway.
Fixes#4978
Adds Genode::Hex_dump class to the formatted_output.h header. This class can be
used to print a hexadecimal dump of a byte range. The data is printed in a
format similar to that used by Linux's 'xxd'. In addition to the 'xxd' format,
consecutive duplicate lines are replaced with a single "*\n" as done also by
Linux's 'hexdump'.
Ref #4966
The DHCP client implementations of Ping originally is a copy of the NIC router
implementation adapted for Ping. The two versions diverged further over the
years. This issue should be solved by should merging them into a centralized
implementation. However, this commit treats only a recent issue with the
nic_uplink.run test on pbxa9 qemu but does this by re-aligning the two
implementations partially. The final merge should be done in a separate commit.
Ref #4966
The Depot Autopilot used to filter out tabs and color sequences before
forwarding the test log to the own log. This commit prevents this and further
cleans up the string-filters code.
Ref #4922
The new 'log_prefix' attribute is effective when used in a tests runtime in
<succeed> or <fail> tags that have a non-empty content string. When matching
the log against the pattern given in the affected <succeed> or <fail> tag, the
Depot Autopilot will consider only those test-log lines that start with the
given prefix.
Ref #4922
* Removes the <event> tag from all test package runtime files and replaces the
contained <timeout> and <log> sub-tags with the new tags <succeed> and
<fail>. If a <succeed> or <fail> tag has a content, it defines a log pattern
that should be recognized and render the test failed or successful. If a
<succeed> or <fail> tag has an attribute after_seconds that is not set to 0,
it defines a timeout after which the test should be rendered failed or
successful.
* Adapts the Depot Autopilot to support the new syntax in the test-package
runtime files. However, for now, the Depot Autopilot is kept compatible to
the old syntax as well. If the <events> tag is present, it is prioritized
over the new syntax.
Fixes#4922
Several nightly network-related tests fail currently on sel4/pc because the
new e1000 NIC driver requires more capabilities. The "drivers nic" package
was already adapted to the new requirement but some tests fail to provide
enough caps to the corresponding sub system. This commit tries to fix all
remaining tests.
Ref #4923
* During a session-close, the device-specific usb task and driver data
gets freed. Part of it was the RPC data. To prevent use-after-free
turn it into a pointer and leave it on the stack of the caller thread
* During a device release, URBs discards, and reset operation the Linux task
might get blocked, and then a RPC caller task might return if the RPC
operation was marked as finished already, although it hasn't succeeded yet
* USB devio RESET has to be done before a device release to be effective
Fixgenodelabs/genode#4969
* Within flush_transfer of the USB session a given entrypoint gets
resetted, to be effective al related URBs need to be discarded first
* Discarding URBs shall be done in reverse order, like libusb is doing it,
where it warns about potential races otherwise
Ref genodelabs/genode#4969
* Adds a new component server/nic_uplink that forwards packets unmodified
between one Uplink session at one side and potentially multiple Nic sessions
at the other side.
* Adds a new run script nic_uplink.run that does a basic test with multiple
Nic clients on this component and adds it to the autopilot list.
* Adds a new depot recipe src/nic_uplink for this component.
* Adds a new depot recipe pkg/pc_nic for deploying the pc_nic_driver together
with a nic_uplink server. This allows for raw access to the network connected
to the Nic of the system in contrast to the commonly used routed and NAT'd
access via NIC router. That said, it enables the use of network protocols
not yet supported by the NIC router at the cost of less protection.
Ref #4966
Introduces a new class that does the clean-up if some exception is
thrown while creating the session. This reduces redundancy and overall
lines of code.
Ref #4966
by just test the migration feature, without relying on load measured on the
CPUs. On Qemu (and depending on other load in the Linux system), the migration
feature gets not triggered in time reliable.
* Allow support for kernel configurations without CONFIG_IRQ_DOMAIN_HIERARCHY
* Export `irq_domain` instantiated for driver-specific extensions of the irqchip
Fixgenodelabs/genode#4964
This change allows a monitored VBox instance to specify a distinct
(lower) priority to the VM session to ensure that the VMM is always
prioritized higher than the VCPUs. This is important because host
I/O at the VMM should always be able to preempt a busy guest.
Issue #4917
Decreasing the internal buffer size will implicitly limit the number
of blocks provisioned for recording and brings them in line with
the number of blocks used for playback (2).
Note that this patch also sets an upper-bound on the number of
samples in 'Audio_*::PERIOD'.
If all connectors are set to disabled by configuration, the connectors
stayed enabled since the new configuration reveals no preferred or minimal
resolution/mode. Instead, use the last set resolution in order to get to the
disabling code.
The memory barriers where introduced with commit "test-timeout: fix build
errors with -std=gnu++20" presumably in order to prevent GCC optimization from
removing the empty for loops the test is using because using a volatile index
variable was no longer an option.
However, the memory barriers seem to have a negative effect on the measurements
performed with the affected loops. The commit caused the timeout test to fail
at least on imx53_qsb.
This commit fixes the issue by using a simple empty for loop without volatiles
or memory barriers but protected inside a function that is compiled with
optimization disabled.
Ref #4959
This commit extends the Lx_kit initialization function by passing in
a signal handler that is used to perform the normally occurring
scheduler execution and is a follow-up change for the decoupling
scheduler execution commit.
Instead of burying the signal handler in the 'Lx_kit::Scheduler'
object it is provided by the main object where the driver is free
to perform any additional step before or after executing the scheduler.
Issue #4927Fixes#4952
Since the wireless LAN driver is actually a 'Libc::Component' due to
its incorporation of the 'wpa_spplicant' application, we have to
intercept its construction because we have to initialize the Lx_kit
environment before any static ctors are executed. Most Linux initcalls
are implemented as ctors that will be otherwise implicitly executed
before the controll is given to us in 'Libc::Component::construct'.
Issue #4927.
The timer used to read the counter first and then the IRQ status. This
could cause a non-wrapped counter value to be considered a wrapped
counter value, leading to bogus timeout durations.
This commit fixes the bug and documents the used timer mode in the
driver in order to make future debugging of the driver easier.
Ref #4959
Prevent missing new RPC calls handed over to a Linux task
of a corresponding usb-device, while that task blocked
during enqueuing of asynchronous URBs.
Fixedgenodelabs/genode#4955
* add a sensible priority setup into the test script in order to protect
drivers and stack components from the demanding net clients
* delay the starting of the net clients by 5 seconds in order to give the
drivers and stack components some time to startup in peace
* use only explicit service routing and caps values
Ref #4923
This patch replaces the exception-based error propagation by the use of
'Attempt' return values, which eliminates side effects of the exception
handling - cxx_heap allocations - from code paths that are used by the
the cxx_heap itself (when growing the cxx_heap).
It thereby fixes the failure of the sub_rm test at the "attach RAM ds to
any position at sub rm - this should fail" step.
Fixes#4953
This patch enhances Sculpt with the ability to detect user inactivity
for driving a screensaver by combining nitpicker's hover and focus
reports with a timer.
Issue #4950
Nitpicker's hover and focus reports contain an 'active' attribute, which
can be inspected for the detection of user activity, e.g., as trigger
for a screensaver or for dynamic clipboard policies.
When using the 'Event' session, the reporting code updated the reports
only on incoming events. This patch adds the periodic reporting as used
when using the old 'Input' session.
Issue #4950
Decoupling the scheduler execution can lead to missed interrupts
because the current implementation only handles one pending
interrupt and requires immediate processing.
This commit introduces a helper object that is used to capture
any occuring interrupts that are then handled consecutively.
Issue #4927.
Prior to this commit, whenever an external event occurred, for example
timer or interrupt, the corresponding I/O signal handler was triggered.
This handler unblocked the task waiting for the event and initiated the
immediate execution of all unblocked tasks. Since these tasks may hit
serialization points, e.g. synchronously waiting for packet stream
operations, that require handling of other I/O signals this leads to
nested execution. This, however, is not supported and mixes application
and I/O level signal handling.
The flagging of the scheduling intent is now decoupled from its
execution by using an application level signal handler that is run in
the context of the components main entrypoint. The I/O signal handler
now triggers the scheduling execution by sending a local signal to
the EP.
Since it might be necessary to execute a pending schedule from the EP
directly the scheduler is extended with the 'execute' member function
that performs the check that the scheduler is called from within the
EP and triggers the execution afterwards.
Issue #4927.
On disconnect of displays, e.g. seen with Type-C connectors, the encoder was
not properly disabled due to a missing drm_client_modeset_commit. In order that
the commit succeed, however a fb must be assigned to the modeset. Missing to
do so leads to an -EINVAL by the drm_client_modeset_commit.
Fixes#4948
Fixes alignment faults that occured in the AES256 implementations while
wrapping or unwrapping keys on imx53_qsb, imx6q_sabrelite, and imx7d_sabre.
The problem was that the unwrap_key/wrap_key functions did reinterpret casts
from unsigned char pointers to uint64_t pointers and then directly used the 64
bit values of referenced by the latter. Most probably this caused the compiler
to optimize operations in the assumption that the pointer is 8-byte aligned
which then created alignment faults.
As a solution, this commit changes the interface of the wrap_key/unwrap_key
functions to take uint64 pointers as arguments instead of unsigned char
pointers and then adapts the function users to ensure that they refer to
appropriately aligned memory regions.
Fixed#4932
The initial memory backend implementation was brought over from DDE
Linux and was geared towards use-cases where a high-performing
allocator is useful. In case of the audio driver this is overkill
and since no other driver that could benefit from such an
implementation was ported in the meantime rather use a simpler
implementation that keeps the overhead down.
Fixes#4946.
Since component.cc is no longer linked to core, we can also remove
entrypoint.cc, which was merely a dependency of component.cc.
Related to issue #4784
This patch replaces the global '_wait_for_exit_sem' object by a local
static variable, which does not rely on the global ctors. It thereby
fixes the fault_detection test after the removal of the global ctors
execution from core ("base: remove component.cc from core").
Issue #4784
With these options enabled comparative testing between pc_linux drivers
and bzImages becomes much easier on EFI-only machines. The impact on the
actual Genode drivers is minimal.
This patch removes the use of the Entrypoint::schedule_suspend mechanism
and the call of glibc's exit from the lx_hybrid tests, for two reasons.
First, the interplay of atexit handlers executed by the glibc and
Genode's lx_hybrid library is complicated while bringing no benefits in
practice as lx_hybrid applications are usually servers that don't exit
anyway.
Second, the Entrypoint::schedule_suspend mechanism in not used by any
other component. By removing its use from the lx_hybrid tests, we can
remove this mechanism from the base library.
Issue #4940
By supplying only the parts of the Env that are actually relevant for
initializing the cxx heap, we avoid the need for the 'Env' interface.
The patch also moves the call of 'init_ldso_phdr' to the outside
of the cxx library because it does not belong there.
Issue #4784
USB devices that are never associated to client sessions lack
usb_per_dev_data (and a kernel thread). Therefore, the devices should be
discontinued directly on unplug as no URBs can be pending.
Issue genodelabs/genode#4795
This commits enables the R8169 driver and was tested with two
RTL8168h/8111h (10ec:8168 rev 0x15 sub 1462:7a38 / 1d05:109f) and
two equal RTL8125B (10ec:8125 rev 0x5 sub 1458:e000) devices
running Sculpt.
Firmware loading is for now not implemented but specific Linux
commits suggest it could be necessary. However, doing so will be
post-poned until we have gathered more experience with the driver.
Restarting the driver might lead to the following IOMMU error
messages but the device seems to work anyway:
[ 0] IOMMU:0xffffffff817ec040 FR:0x8a00000000002500 FI:0xfffffffdf8d30000 type:0x8 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2000004200002500 FI:0x000c21b0 type:0x2 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004200002500 FI:0x000c21a0 type:0x2 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004200002500 FI:0x00138000 type:0x2 BDF:25:00.0
[…]
[ 0] IOMMU:0xffffffff817ec040 FR:0x8a00000000002500 FI:0xfffffffdf8d30000 type:0x8 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004300002500 FI:0x00124000 type:0x2 BDF:25:00.0
Issue #4921.
While this approach still scans "holes" in the bus range, it stops
scanning at the maximum subordinate bus number reachable from the base
PCI bus at the host bridge. Startup under Qemu no longer takes about 12
seconds for scanning 256 buses.
By splitting the 'init_capability_slab()' implementation to a separate
compilation unit 'capability_slab.cc', base-hw no longer needs a
customized version of 'lib/base/platform.cc'.
Related to issue #4784
This patch replaces the internal use 'env_deprecated()' from the
implementation of the thread API in the base library. It also
replaces the global accessor 'main_thread_cap' by the explicit
propagation of the main-thread's capability to the single point of
use via a new 'init_thread_bootstap' function.
Issue #4784
This back end can be used in place of the existing jitterentropy based
on in case random is not strictly needed by the component but one
wants to use the available 'shadow/drivers/char/random.c'
implementation.
Issue genodelabs/genode-allwinner#21.
The implementation was already part of the Zynq's sd_card driver and
since other ARM drivers need it as well, promote it to the common
shadow library.
Issue genodelabs/genode-allwinner#21.
* Removes all previous structs that represented an on-disc block layout
and were therfore subject to a number of layout restrictions (packed,
padding members, enum representations, etc.).
* Adds a replacement struct without any layout restrictions for each of the
removed structs. The new structs are named similar to the old structs.
* Adds block encoding and decoding utilities for easily converting from the
new structs to on-disc blocks and vice-versa (Block_scanner, Block_generator,
T::decode_to_blk, T::encode_from_blk)
* Adapts all affected places in the library to encode and decode proberly
instead of simply casting pointers.
* Thereby cleans up the hashing utilities to use typed-reference args instead
of void pointers.
* Re-enables run/tresor_tester and test-file_vault_vonfig_report for platforms
rpi, imx53_qsb, imx53_qsb_tz, imx6q_sabrelite, imx7d_sabre.
Ref #4819
* Replaces bool access types with uint8_t access types
* Ensures, that the framework always uses the smalles possible uint type
for the return value wherever a bitfield is read and returned to the user.
Ref #4924
In some instances, the fetchurl progress determined by
depot_download_manager will be empty when the download fails (e.g. due
to a 404), this commit fixes a bug where this would be interpreted as
the download having completed which would subsequently start hash
verification of a package that has never actually been downloaded.
Fixes#4919
The depot_remove component can delete PKG archives with
automatically resolving dependencies and deleting archives that are not
required on the system anymore.
Issue genodelabs#4866
On some platforms (x86_32/pistachio, x86_64/sel4) system startup is slow
and the previously configured 30 seconds not sufficient. With this commit, the
timeout is raised to 60 seconds only when running on such a platform.
Ref #4923
This test was originally a copy of ping.run and therefore unnecessarily
inherited all its complexity for testing ping component behavior. Additionally,
ping.run was more actively maintained and evolved over time whereas
nic_dump.run didn't receive the same care. Now, the test fails on certain
platforms although NIC dump works just fine. Therefore, this commit reduces the
test behavior to what is really necessary for testing nic_dump and by doing so,
also fixes the failing targets.
Fixes#4926
On x86_32 okl4, the test timed out although the test timeout was already at
240 seconds for this platform. Instaed of raising it further, this commit
reduces the number of ping rounds for all platforms that are considered as
slower by the test.
Ref #4923
This patch restricts 'Region_map::attach_executable' to create read-only
mappings, while offering the option to map the full rights using a new
'attach_rwx' method.
The 'attach_rwx' method is now used by the dynamic linker to explicitly
attach the linker area with full rwx rights. With the old page-fault
handling code, the execute flag was evaluated only for leaf dataspaces,
not for managed dataspaces while traversing region-map hierarchies.
With the new page-fault handling code, the execute bit is downgraded
to no-execute when passing a managed dataspace that is not attached
as executable.
Issue #4920
The change "core: allow offset-attached managed dataspaces" addressed a
corner case of the use of nested region maps. Apparently, this change
negatively affects other scenarios (tool_chain_auto).
In order to confidently cover all the differnt situations, this patch
reworks the page-fault resolution code for improved clarity and safety,
by introducing dedicated result types, reducing the use of basic types,
choosing expressive names, and fostering constness.
It also introduces a number of 'print' hooks that greatly ease manual
instrumentation and streamlines the error messages printed by core.
Those messages no longer appear when a user-level page-fault handler
is reistered for the faulted-at region map. So the monitor component
produces less noise on the attempt to dump non-existing memory.
Issue #4917Fixes#4920
The new monitor component at os/src/monitor is the designated successor
of the gdb_monitor. This initial version, however, implements only the
subset needed to inspect the memory of the monitored component(s).
In contrast to the gdb_monitor, the new component supports the monitoring
of multiple components, leveraging the sandbox API. It can therefore be
used as a drop-in replacement for the init component. Like the gdb_monitor,
the new monitor speaks the GDB protocol over Genode's terminal session.
But the protocol implementation does not re-use any gdbserver code,
sidestepping the complexities of POSIX.
There exist two run scripts illustrating the new component. The
os/run/monitor.run script exercises memory inspection via the 'm' command
by letting a test program monitor itself. The os/run/monitor_gdb.run
script allows for the interactive use of GDB to interact with monitored
components.
Issue #4917
Let the sandbox library disregard all unknown config sub nodes so that
supplemental information - like the monitor policy configuration - is
not interpreted as a misconfiguration ("unknown config element type ...").
Issue #4917
This patch moves the destruction of the child's PD session after the
closing of all other sessions because the PD session's role as resource
container might still be needed for orderly reverting the session quotas
when closing the other remaining sessions.
Issue #4917
By default, the sandbox uses the Env::pd() as reference PD session of
the sandbox children.
However, to accomodate use cases where the interplay of the reference
PD session and the child's address space needs to be intercepted, this
patch adds a constructor that takes an interface for the controlled
access of PD intrinsics as argument.
Issue #4917
This patch replaces the former 'address_space' accessor by a new
'with_address_space' interface that grants access to the region map of
the child's address space, but limits the interface lifetime to the
scope of the caller.
Issue #4917
This patch adds the missing application of the region offset to the
resolution of page faults inside managed dataspaces, which resulted in
an unexpected "invalid mapping" message after attaching a managed
dataspace with an offset.
This limitation could be observed during the implementation of the debug
monitor that locally maps a portion of the debugging target's address
space, e.g., a view port of 16 MiB. All traditional uses of managed
dataspaces (e.g., stack area, linker area) happened to attach the
managed dataspaces from their beginning.
Issue #4917
* add semaphore command to ring in order to be able to stop ring
execution before reset (Wa KabyLake)
* implement reset sequence as done by the Linux driver
* reset ring and cancel job of vgpu causing hang
* lower watchdog timeout 1000ms -> 200ms
* improve scheduling of vgpus so progress after reset is made
* improve the generation chaos a little
* tested on Skylake, Kaby Lake, Tiger Lake
issue #4916
* Use jitterentropy only if supported.
On certain targets like pbxa9 or zynq_qemu, the performance counter always
yields 0, which renders jitterentropy unusable. On these platforms, the
Tresor tests now use a static value as entropy source instead.
* Adds a new package test-file_vault_config_report_no_entropy that is used by
the Depot Autopilot on targets without jitterentropy support instead of
test-file_vault_config_report. The only difference between the two packages
is the value of the above described new config attribute of the File Vault.
* Circumvent alignment fault.
The Tresor lib for now has the deficiency of using on-disc data structures
directly in code instead of decoding them first to unpacked, naturally
aligned structures. This causes problems with memory-access alignment on
several platforms (rpi, imx6q_sabrelite, imx53_qsb, imx7d_sabre). As fixing
this properly is a bit of work, the commit disables the tresor_tester and
file_vault_config_report test on the affected platforms in autopilot mode for
now.
* Further adjustments
* Make benchmarks optional
* Use a smaller tresor for rekeying
* Clean up image parameters
* No use implicit routes/resources
* Reduce ram consumption
* Reduce test timeout
* Raise cap quota, required for sel4 x86_64.
Ref #4819
The debug mode turned out to be unnecessry because the plugin can be simply
replaced with an <inline> file VFS plugin that has a content size of 32 bytes.
Ref #4819
* relaxes the timing and reduces the test steps because pistachio is quite
slow and would otherwise trigger problems with our easy approach of using a
dynamic rom instead of a proper manager
* provide IO_PORT and IRQ session to timer driver
Ref #4819
With the update to sel4 and the gcc 12, assembly instructions are generated
and used, like POPCNT. The instruction is available on our native hardware,
but not emulated by the default cpu model necessarily, which leads to
undefined opcode exceptions (Qemu 4.2.1 && seL4). Additionally, the features
of the default Qemu cpu model may vary between Qemu releases and makes it
harder to correlate effects.
The attachment removal is triggered actually on _ds member destruction time,
but after the io_mem representation for the specific base-<platform> possibly
vanished already during _unmap_local in the ~Io_mem_dataspace. This creates
on base-sel4 several kernel warnings about invalid capabilities.
Issue #4913
Using $(shell find $(REP_DIR)/patches -name *.patch) fails if the
current working directory contains *.patch files due to shell wildcard
expansion before execution. Additionally, the patch list was unstable
because it was not sorted resulting in divergent hashes.
On platforms different than x86 the subsys initcall `pci_subsys_init`
is not available. Therefore, we choose an alternative one here.
Fixgenodelabs/genode#4907
In our binaries, the .note.GNU-stack section is missing, which is okay
as we do not interpret these sections anyway and map stack pages
non-executable per default.
Issue #4827
The main user of libsparkcrypto in the past was the CBE block encryption
ecosystem. However, the CBE was replaced with the Tresor block encryption that
uses libcrypto instead.
Ref #4819
This commit introduces preliminary support for joining networks secured
via WPA3-personal. So far it was only tested with the one OpenWRT AP
configured for WPA3 (see excerpt below) where it WPA3-only as well as
WPA2/WPA3 mixed worked fine.
Scan results excerpt:
00:11:22:33:44:55 5180 -45 [WPA2-SAE-CCMP][SAE-H2E][ESS][UTF-8] PewPew
00:11:22:33:44:55 2412 -67 [WPA2-PSK+SAE+PSK-SHA256-CCMP][SAE-H2E][ESS][UTF-8] PewPew2
Issue #4861.
It turns out solely relying on the name of the compilation-unit
is not enough. In at least one multi-device driver, e.g. rtlwifi,
an equally called compilation-unit is found in several different
directories. There KBUILD_MODNAME is used to name the driver,
which fails later on as the driver framework refuses to register
an equally named driver twice.
Instead of only considering the name of the compilation-unit also
include the last element of the path to generate differentiating
KBUILD_MODNAME value.
Issue #4861.
The supplicant is updated to the current release and is now downloaded
as archive rather than pulled from git. For the time being 'libnl' is
still kept at 3.2.25 as the current 3.7.0 release relies on more Linux
infrastructure that our integration does not provide.
Issue #4861.
This commit changes the firmware handling from requesting each
firmware file as a ROM module that is checked against a list of
known images (including their size) to requesting each file via
the local VFS of the 'wifi_drv'. This allows for using the original
probing mechanism that tries to select a matching firmware version.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to configure the driver.
Issue #4861.
This function is called when decrypting RX frames on the CPU on 32 bit
platforms. Since the frames are normally decrypted by the wireless LAN
device and this code path is triggered rather infrequently the byte-wise
implementation should not pose a performance risk.
So far it was only encounter with a 7260 device when running netperf.
Issue #4861.
The bulk of the driver code now lives in the 'dde_linux' repository,
which is available on all platforms, from where it can be referenced by
other repositories.
The 'wifi_drv' binary was delegated to a generic harness that includes
all configuration and management functionality shared by all wireless
device driver components, e.g., the wpa_supplicant. The code of the
device driver emulation environment is located in 'src/lib/wifi'. It
is referenced by the platform-specific driver library that resides in
the corresponding platform repository. The runtime configuration needs
to point the driver to proper driver library.
The platform-specific library is in charge of orchestrating the contrib
source utilized by the driver as well as providing the 'source.list'
and 'dep.list' files. It must include the generic library snippet
'repos/dde_linux/lib/wifi.inc' that deals with managing the emulation
environment code.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to deploy the driver.
Issue #4861.
* ARM support and detaching from Ada/SPARK
* Remove all CBE-related code - especially the Ada/SPARK-based CBE library.
* We have no means or motivation of further maintaining big projects in
Ada/SPARK (the core Genode team is native to C++).
* The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
important architecture for Genode. This would mean extra commitment in
Ada/SPARK.
* We realize that block encryption more and more becomes a fundamental
feature of Genode systems.
* Implement a new block encryption library named Tresor that is inspired by
the design and feature set of the former CBE library and that is entirely
C++ and part of the Genode gems repository.
* The Tresor block encryption is backwards-compatible with the on-disk
data layout of the former CBE block encryption.
* Except from the snapshot management and the "dump" tool, the Tresor
block encryption provides the same feature set as the former CBE block
encryption and accepts the same user requests at the level of the
Tresor library API.
* So far, the Tresor block encryption does not support the creation of
user-defined snapshots.
* In contrast to the former CBE, the Tresor ecosystem has
no "dump" tool beause with the CBE library it turned out to be rarely of
use.
* In contrast to the Block back-end of the CBE "init" tool, the Tresor
"init" tool uses a File System back-end.
* The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.
* The Tresor-VFS plugin in general is similar to the former CBE VFS but
has a slightly different API when it comes to re-keying and re-sizing.
Each of these operations now is controlled via two files. The first
file is named <operation> and the user writes the start command to it.
The user must then read this file once in order to drive the operation.
The read returns the result of the operation, once it is finished.
The second file is named <operation>_progress and can be watched and
read for obtaining the progress of the operation as percentage.
* The file vault is adapted to use the new Tresor ecosystem
instead of the former CBE ecosystem and thereby also gains ARM support.
* The former CBE tester and CBE VFS-tests are replaced by equivalent
Tresor variants and are now run on ARM as well (testing with a persistent
storage back-end is supported only when running on Linux).
* So far, the new Tresor block encryption has no internal cache for meta
data blocks like the former CBE.
* Add config/report user interface
* Add a second option for the administration front end to the file vault
named "config and report". With this front end the File Vault communicates
with the user via XML strings. A ROM session is requested for user input
and a Report session for user output. The front end type must be set at
startup via the component config and is a static setting. The graphical
front end that was used up to now is named "menu view" and remains the
default.
* The File Vault can now reflect its internal state and user input ("config
and report" mode only) at the LOG session via two new static config
attributes "verbose_state" and "verbose_ui_config" (both defaulting to
"no").
* The Shutdown button in "menu view" mode is replaced with a Lock button. The
new button doesn't terminate the File Vault but merely lock the encrypted
container and return to a cleared passphrase input. The same transition is
also provided in "config and report" mode.
* The file_vault.run script is replaced with file_vault_menu_view.run and
file_vault_cfg_report.run that address the two front end modes. In contrast
to the former script, which is interactive, the latter script is suitable
for automatic testing.
* There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
the same as file_vault_cfg_report.run but uses the File Vault package and
can be executed with the Depot Autopilot. The new test package is added to
the default test list of depot_autopilot.run
* The File Vault README is updated to the new version of the component and
has gained a chapter "functional description".
* Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault.
* The new Tresor software Trust Anchor has an optional deterministic mode in
which it replaces the normally randomized symmetric keys with 0. This mode
comes in handy for debugging. However, it should never be activated in
productive systems. When activated, the user is warned extensively on the
LOG that this system mode is insecure.
Ref #4819
Changes to the platform driver triggered a map() error while mapping an
address block at 0x3000 of size 0x800. Since the mapped size was larger, the
loop continued and tried mapping address 0x4000 where no dataspace was
found.
genodelabs/genode#4761
By transforming the Device_pd into an Io_mmu::Domain, we implement an
IOMMU device that uses the kernel API for controlling the IOMMU. This
device gets special treatment and is used by default for every device
that has no <io_mmu/> child.
genodelabs/genode#4761
Every session component manages a registry of Io_mmu::Domain objects
that it creates on demand depending on the acquired devices (i.e. the
IOMMU devices referenced by the acquired devices). Via the domain
objects, a session component adds/removes the address ranges of the
allocated DMA buffers. Additionally, domain objects provide an interface
for enabling/disabling pci devices.
Domain objects get destroyed with the corresponding control device.
Moreover, on devices/policy ROM updates, domain objects of control
devices that are not referenced by any acquired device anymore get destroyed.
genodelabs/genode#4761
This allows referencing an arbitrary number of IOMMU devices within a
<devices> node, e.g.:
<device>
<io_mmu name="foobar"/>
</device>
The specified name is supposed to refer to an existing device in the
devices ROM. The platform driver automatically acquires known IOMMU
devices whenever they become available so that the device object can be
looked up from the platform-driver-owned devices.
genodelabs/genode#4761
With this change, platform-specific code is able to define factories that
acquire IOMMU devices to be used by the platform driver.
genodelabs/genode#4761
The method did not handle device changes properly. When a new policy
does not contain an owned device any more, we must consider this device
as changed and release it. Moreover, the warning messages were interchanged.
genodelabs/genode#4761
"-cpu phenom" does not support all CPU instructions necessary with
gcc 12 toolchain update issuing more SSSE3, e.g. pshufb.
Additionally, remove good/bad Qemu version check of outdated versions.
Issue genodelabs/genode-world#329
In 'SUPR3InitEx' (SUPLib.cpp) a 'SUPQUERYFUNCS' structure is allocated
with
! (PSUPQUERYFUNCS)RTMemAllocZ(SUP_IOCTL_QUERY_FUNCS_SIZE(CookieReq.u.Out.cFunctions));
where 'CookieReq.u.Out.cFunctions' is 0. To determine the size of the
allocation
! #define SUP_IOCTL_QUERY_FUNCS_SIZE(cFuncs) \
! RT_UOFFSETOF_DYN(SUPQUERYFUNCS, u.Out.aFunctions[(cFuncs)])
is used with cFuncs = 0 (SUPDrvIOC.h) leading to an allocation up to the
arrow below
! typedef struct SUPQUERYFUNCS
! {
! /** The header. */
! SUPREQHDR Hdr;
! union
! {
! struct
! {
! /** Number of functions returned. */
! uint32_t cFunctions;
! /** Array of functions. */
==> end of allocation
! SUPFUNC aFunctions[1];
! } Out;
! } u;
==> sizeof(SUPQUERYFUNCS)
! } SUPQUERYFUNCS, *PSUPQUERYFUNCS;
In sup.cc (Genode) 'ioctl(SUPQUERYFUNCS &request)' will lead to
'with_out_ioctl'
! auto &out = request.u.Out;
where auto is 'SUPQUERYFUNCS' and finally
! out = { };
will zero out 'SUPQUERYFUNCS' up to the second arrow above. Because
'RTMemAllocZ' will call 'calloc' to allocate the memory 'out = { };'
will corrupt the slab block after the allocation. Therefore, it is
reasonable to allocate at least 'sizeof(SUPQUERYFUNCS)'.
Note there might be other 'ioctl' cases like this. A better way might be
to use 'SUPQUERYFUNCS.Hdr.cbOut' to determine the 'out' size.
fixes#4675
In case the meta data (or more) got zeroed upon 'free', print error
message. The offset in the meta data can never be zero. This does not
help on other memory corruptions, but at least gives a hint in the too
much zeroed out case.
issue #4675
GPU device access is hard to achieve in run scripts and even harder to
implement generic.
Use the "Modularize Sculpt OS image creation"
(commit b723b11b30)
approach instead.
issue #4900
The XHCI model reserves 0x4000 of IO memory but uses only 0x530.
Implement read (0) and write (nop) for these regions as real hardware
does.
fixes#4902
Triggered by the toolchain update to GCC 12 certain pragmas lead to
a build error as those are now unknown. As quick-fix add '-gnatwG',
which suppresses warnings on unrecognized pragmas.
Issue #4880.
When a GPU session is destroyed, remove vgpu of session from scheduling
and as possible active vgpu. Otherwise, page faults might occur in case
already destroyed vgpu object is referenced during interrupt handling.
fixes#4881
Apparently we need to save the floating point arguments when entering
the linker in case "-fno-tree-vectorize" is at work. Otherwise this
registers get corrupted during jump slot relocation.
Fixes#4879
