Commit Graph

1154 Commits

Author SHA1 Message Date
Norman Feske
b723b11b30 Modularize Sculpt OS image creation
This patch equips Sculpt with the ability to customize the system image
in very flexible ways.

All customizable aspects of the image have been relocated from the
former sculpt.run script and the accompanied gems/run/sculpt/ directory
to a new location - the sculpt/ directory - which can exist in any
repository. The directory at repos/gems/sculpt/ serves as reference.

The sculpt directory can host any number of <name>-<board>.sculpt files,
each containing a list of ingredients to be incorporated into the
Sculpt system image. The <name> can be specified to the sculpt.run
script. E.g., the following command refers to the 'default-pc.sculpt'
file:

  make run/sculpt KERNEL=nova BOARD=pc SCULPT=default

If no 'SCULPT' argument is supplied, the value 'default' is used.

A .sculpt file refers to a selection of files found at various
subdirectries named after their respective purpose. In particular, There
exists a subdirectory for each file in Sculpt's config fs, like
nitpicker, drivers... The .sculpt file selects the alternative to use
by a simple tag-value notation.

  drivers: pc

The supported tags are as follows.

*Optional* selection of /config files. If not specified, those files are
omitted, which prompts Sculpt to manage those configurations
automatically or via the Leitzentrale GUI:

  fonts
  nic_router
  event_filter
  wifi
  runtime
  gpu_drv

Selection of mandatory /config files. If not specified, the respective
'default' alternative will be used.

  nitpicker
  deploy
  fb_drv
  clipboard
  drivers
  numlock_remap
  leitzentrale
  usb
  system
  ram_fs

Furthermore, the .sculpt file supports the optional selection of
supplemental content such as a set of launchers.

  launches: nano3d system_shell

Another type of content are the set of blessed pubkey/download files
used for installing and verifying software on target.

With the new version, it has become possible to supply a depot with the
the system image. The depot content is assembled according to the 'pkg'
attributes found in launcher files and the selected deploy config.
The resulting depot is incorporated into the system image as 'depot.tar'
archive. It can be supplied to the Sculpt system by mounting it into the
ram fs as done by the 'ram_fs/depot' configuration for the ram fs.

It is possible to add additional boot modules to the system image. There
are two options.

  build: <list of targets>

This tag prompts the sculpt.run script to build the specified targets
directly using the Genode build system and add the created artifacts
into the system image as boot modules.

  import: <list of depot src or pkg archives>

This tag instructs Sculpt to supply the specifid depot-archive content
as boot modules to the system image. This change eliminates the need for
board-specific pkg/sculpt-<board> archives. The board-specific
specializations can now be placed directly into the respective .sculpt
files by using 'import:'.

To make the use of Sculpt as testbed during development more convenient,
the log output of the drivers, leitzentrale, and runtime subsystems
can be redirected to core using the optional 'LOG=core' argument, e.g.,

  make run/sculpt KERNEL=linux BOARD=linux LOG=core

The former pkg/sculpt-installation and pkg/sculpt-installation-pc
archives have been replaced by pkg/sculpt_distribution-pc, which
references the generic pkg/sculpt_distribution archive. Those pkgs are
solely used for publishing / distribution purposes.

Fixes #4369
2022-01-19 12:38:11 +01:00
Norman Feske
ce53d88235 sculpt: support base-linux
- Consider 'sdl' as source of input events in the event-filter
  configuration as generated by the sculpt manager

- Supply an artificial 'platform_info' ROM as requested by the
  sculpt manager to obtain the affinity-space information

- Substitute 'fs_rom' for 'cached_fs_rom' as a workaround for the
  lack of support for managed dataspaces on Linux

Fixes #4362
2022-01-19 12:35:49 +01:00
Norman Feske
f1b46c3205 Move depot keys to repos/gems/sculpt/depot
This change keeps the version-controlled 'pubkey' and 'download' files
separate from files generated via depot/create or downloaded via
depot/download. So one can remove the entire depot/ directory without
interfering with git.

Furthermore, depot keys can now be hosted in supplemental repositories
independent from Genode's main repository.

Fixes #4364
2022-01-19 12:35:49 +01:00
Christian Helmuth
18e00c7772 depot_autopilot: enable riscv 2022-01-19 12:35:48 +01:00
Norman Feske
5611fd2355 depot: update recipe hashes 2021-12-17 15:06:38 +01:00
Norman Feske
3cc6df3116 base: tighten affinity handling
This patch improves the robustness of the CPU-affinity handling.

- The types in base/affinity.h received the accessors
  'Location::within(space)' and 'Affinity::valid', which alleviates
  the fiddling with coordinates when sanity checking the values,
  in init or core.

- The 'Affinity::Location::valid' method got removed because its
  meaning was too vague. For sanity checks of affinity configurations,
  the new 'within' method is approriate. In cases where only the x,y
  values are used for selecting a physical CPU (during thread creation),
  the validity check (width*height > 0) was not meaningful anyway.

- The 'Affinity::Location::from_xml' requires a 'Affinity::Space'
  as argument because a location always relates to the bounds of
  a specific space. This function now implements the selection of
  whole rows or columns, which has previously a feature of the
  sandbox library only.

- Whenever the sandbox library (init) encounters an invalid affinity
  configuration, it prints a warning message as a diagnostic aid.

- A new 'Affinity::unrestricted' function constructs an affinity that
  covers the whole affinity space. The named functions clarifies
  the meaning over the previous use of the default constructor.

- Core's CPU service denies session requests with an invalid
  affinity parameter. Previously, it would fall back to an
  unrestricted affinity.

Issue #4300
2021-12-17 15:06:38 +01:00
Sebastian Sumpf
7dcd9a9f8d vfs_trace: remove Trace::Session::subject_info
issue #4349
2021-12-17 15:04:49 +01:00
Josef Söntgen
f9e0548d0c sculpt_manager: integrate GPU device access
Similar to other devices allow for selecting a graphics device as
well. This is currently only useful on iMX8-based systems like
iMX8Q-EVK and MNT Reform2 where the driver is explicitly started
from a pkg.

Fixes #4342.
2021-12-17 15:04:48 +01:00
Norman Feske
8a1675e12e gems: avoid implicit conversions
Issue #23
2021-12-17 15:04:46 +01:00
Christian Helmuth
92b7be4d11 depot: update recipe hashes 2021-11-30 12:08:54 +01:00
Christian Helmuth
0bb0ac079a sculpt: version 21.11 2021-11-29 15:11:53 +01:00
Norman Feske
dc39a8db62 base: introduce Allocator::try_alloc
This patch changes the 'Allocator' interface to the use of 'Attempt'
return values instead of using exceptions for propagating errors.

To largely uphold compatibility with components using the original
exception-based interface - in particluar use cases where an 'Allocator'
is passed to the 'new' operator - the traditional 'alloc' is still
supported. But it existes merely as a wrapper around the new
'try_alloc'.

Issue #4324
2021-11-29 15:11:52 +01:00
Johannes Schlatow
c0c2ed2bf5 tool/run: make qemu RAM sanity check more robust
First, the former implementation has only considered the pure numerical
variant of the -m argument. Yet, qemu also allows specifying the amount
of memory by `-m 1G`, `-m size=1G` and more.

Second, the default amount of memory for BOARD=pc was 512M (800M in case of okl4).
Since the depot_autopilot.run also required at least 768M on all
platforms it seems reasonable to take 800M as a default value for BOARD=pc and
thereby remove the special treatment of okl4.

genodelabs/genode#4311
2021-11-29 15:10:52 +01:00
Stefan Kalkowski
b12b0ed93d imx8q_evk: remove board support from repository
Moved to separate repo at https://github.com/skalk/genode-imx/

Fix #4301
2021-11-29 15:10:51 +01:00
Norman Feske
275479867d window_layouter: handle decorator margins at start
This patch adds a missing call of '_handle_decorator_margins' at
construction time. Up to commit "report_rom: versioning and explicit
notification" this problem was masked by an unconditional signal, which
implicitely triggered the call.

Issue #4274
Fixes #4306
2021-11-29 15:10:51 +01:00
Tomasz Gajewski
ecb1a6187c ssh_terminal: moved to genode world
Fixes #4258
2021-11-29 15:10:50 +01:00
Christian Helmuth
abc9a2f232 depot: update recipe hashes 2021-10-14 13:46:25 +02:00
Norman Feske
0a35e02961 sculpt: documentation update
Issue #4281
2021-10-14 13:22:18 +02:00
Norman Feske
31567c8e46 sculpt: curate default index / installation
- CPU-architecture annotations
- Change order of top-level menu, moving Mesa driver to the end
- Add black_hole, recall_fs, file_fault
- Add usb_webcam, test-capture
- Add audio driver and mixer
- Add vbox6, keeping vbox5-nova-sculpt as fallback
- Remove recall_fs launcher, which is obsolete with the recall_fs pkg
- Replace system_clock by system_clock-pc pkg

Issue #4281
2021-10-14 11:02:18 +02:00
Norman Feske
006e807103 sculpt: version 21.10 2021-10-14 11:02:18 +02:00
Norman Feske
4dac2fd008 sculpt: increase RAM of leitzentrale nitpicker
This follow-up commit to "sculpt: avoid flickering of leitzentrale"
allows nitpicker to double-buffer pixels during resize operation on a
screen size of 1920x1200.
2021-10-14 11:02:17 +02:00
Norman Feske
6a89f8b19e wm: fix key_cnt consistency glitch
This patch presents all press and release events to the pointer state,
fixing the problem that _key_cnt was decreased but never increased.
However, the inconsistency had no observable effects in practice.

Issue #4176
2021-10-14 11:02:17 +02:00
Norman Feske
1088035f8e wm: defer pointer report update
This patch ensures that the pointer report is updated not before all
input events are handled. The change does not solve any observed
practical issue but the potential problem was spotted while reviewing
the code.

Issue #4176
2021-10-14 11:02:17 +02:00
Norman Feske
440debfc39 depot_query: filter index by CPU architecture
This patch changes the depot_query tool to filter the returned index
data depending on the 'arch' as specified for the query. This way, one
index file can support multiple CPU architectures while allowing
individual entries to be architecture-specific.

Fixes #4295
2021-10-14 11:02:14 +02:00
Norman Feske
96997ead62 sculpt: fix warning during prepare step
This patch adds the missing definition of 'prio_levels' in the prepare
sub init, fixing the warning:

  [init -> runtime -> prepare] Warning: vfs: invalid priority, upgrading from -2 to 0

Issue #4281
2021-10-14 11:02:13 +02:00
Norman Feske
42541fcc92 sculpt: limit depot selection
This patch reduces the items of the default depot-selection menu to
users that actively maintain a Sculpt index.

Issue #4281
2021-10-14 11:02:08 +02:00
Norman Feske
7cae324726 sculpt: remove RTC driver from base system
The RTC driver is not needed by the base system and can thereby be
handled as a user-installable component.

Issue #4281
2021-10-13 14:50:46 +02:00
Martin Stein
870c5c7a81 file_vault: GUI control for encrypted virtual FS's
Warning!

The current version of the file vault is not thought for productive use but
for mere demonstrational purpose! Please refrain from storing sensitive data
with it!

The File Vault component implements a graphical frontend for setting up and
controlling encrypted virtual file systems using the Consistent Block Encrypter
(CBE) for encryption and snapshot management. For more details see
'repos/gems/src/app/file_vault/README'.

Fixes #4032
2021-10-13 14:50:46 +02:00
Martin Stein
3e375e4315 cbe tools: log less by default
Previously unconditional calls to Genode::log in cbe init and the cbe trust
anchor VFS plugin were made dependent on a verbosity flag that is set to
"false" by default.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
8dfa586462 vfs/cbe_trust_anchor: fix bug in key decrypt
The plugin used the ciphertext instead of the plaintext buffer for key
decryption which led to bogus ciphertext keys.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
a661aa79de vfs/cbe_trust_anchor: AES-key-wrap private key
Instead of simply encrypting the private key with AES-256 when storing it to
the 'encrypted_private_key' file, wrap it using the AES-key-wrap algorithm
described in RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm".
This is more secure and enables us to directly check whether the passphrase
entered by the user was correct or not.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
94701eec09 vfs/cbe_trust_anchor: rename secured_superblock
As the file formerly named 'secured_superblock' actually contains the hash of
the superblock that was secured, it was renamed 'superblock_hash'.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
a28ca44101 vfs/cbe_trust_anchor: rename keyfile
As the file formerly named 'keyfile' actually contains the encrypted private
key of the Trust Anchor, it was renamed 'encrypted_private_key'.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
641a738e3d vfs/cbe_trust_anchor: encrypt symmetric keys
By now, the symmetric keys were only XOR'ed with the private key as placeholder
for a real encryption. Now they are encrypted using AES256 with the TA's
private key as key

Ref #4032.
2021-10-13 14:50:46 +02:00
Martin Stein
f41dec67e1 vfs/cbe_trust_anchor: use secure private key
A private key of 256 bits is generated pseudo-randomly using the jitterentropy
VFS plugin on initialization. The private key is stored in the key file
encrypted via AES256 using the SHA256 hash of the users passphrase. When
unlocking the CBE device, the encrypted private key is read from the key file
and decrypted with the hash of the users passphrase.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
75a55b62a3 vfs/cbe_trust_anchor: use hash of passphrase
Instead of using the user passphrase directly, use its SHA256 hash calculated
using libcrypto. The passphrase hash is still stored in the key file to be
used as base for the very primitive way of generating the private key.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
989b7f39e1 vfs/cbe_trust_anchor: use secure symmetric keys
Use the jitterentropy vfs plugin for the generation of new symmetric block
encryption keys in the cbe trust anchor vfs plugin.

Ref #4032
2021-10-13 14:50:46 +02:00
Martin Stein
a2d2b874ec vfs/cbe_trust_anchor: sync keyfile-handle close
Closing the keyfile handle after a write operation wasn't synchronised to the
actual end of the write operation.

Issuing a write operation at the back end returns successfull as soon as the
back end has acknowledged that it will execute the operation. However, the
actual writing of the data might still be in progress at this point. But the
plugin used to close the file handle and declare the operation finished at this
point which led to warnings about acks on unknown file handles and leaking
resources. Now, the plugin issues a sync operation directly after the write
operation and waits for the sync to complete. This ensures that the plugin
doesn't declare the operation finished too early.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
42490208c2 vfs/cbe_trust_anchor: fix unlocking
The unlocking operation in the trust anchor was broken wich caused bad keys in
the CBE. This rewrites the whole operation to work as desired. Note that this
doesn't make it more safe! The private key is still almost the same as the
passphrase and stored plaintext.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
95639a7492 vfs/cbe_trust_anchor: close handles correctly
The plugin used to close file handles via the 'vfs_env.root_dir.close'.
However, this lead to resource leaks and apparently isn't the right way to
do it. Other VFS plugins do it by calling 'close' directly on the handle and
doing it in the trust anchor plugin also, fixes the leaks.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
df7de17435 vfs/cbe_trust_anchor: sync hashfile-handle close
Closing the hashfile handle after a write operation wasn't synchronised to the
actual end of the write operation.

Issuing a write operation at the back end returns successfull as soon as the
back end has acknowledged that it will execute the operation. However, the
actual writing of the data might still be in progress at this point. But the
plugin used to close the file handle and declare the operation finished at this
point which led to warnings about acks on unknown file handles and leaking
resources. Now, the plugin issues a sync operation directly after the write
operation and waits for the sync to complete. This ensures that the plugin
doesn't declare the operation finished too early.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
1b4a80ffae vfs/cbe: control/deinitialize file
There were no means for issuing a Deinitialize request at the CBE using the
CBE VFS plugin. The new control/deinitialize file fixes this. When writing
"true" to the file, a Deinitialize request is submitted at the CBE. When
reading the file, the state of the operation is returned as a string of the
format "[current_state] last-result: [last_result]" where [current_state] can
be "idle" or "in-progress" and [last_result] can be "none", "success", or
"failed".

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
88e6991083 vfs/cbe: fix ID argument on discard_snap
When discarding a snapshot, the CBE VFS plugin didn't communicate the ID of
the snapshot to the CBE. Instead it set the ID argument to 0. Therefore the
operation never had any effect.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
9b953e79ba vfs/cbe: support watching the snapshots fs
The snapshots file system couldn't be watched. But it's of interest to watch
for appearing and disappearing snapshots.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
4c1eae97cf vfs/cbe: fix result of SnapshotsFS.num_dirent("/")
The snapshots file system used to return the number of snapshots on
'num_dirent' when called for the root directory although it was expected to
return 1. This confused the tooling ontop of the VFS.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
f051bfa90d vfs/cbe: support watching "rekey" file
The control/rekey file couldn't be watched although it was meant to be used
to watch the current state of the rekey operation.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
4ed45dd303 vfs/cbe: support watching "extend" file
The control/extend file couldn't be watched although it was meant to be used
to watch the current state of the extend operation.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
2d0ac161cb vfs/cbe: mark extend/rekey fs readable
Despite being readable, the files control/extend and control/rekey proclaimed
that they were not when asked. This caused the fs_query tool to not report the
content of the files although it could have.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
34245376ba vfs/cbe: fix size of extend/rekey fs
Stat calls on the control/extend and control/rekey files returned a bogus file
size that led to an error in the VFS File_content tool. The tool complained
that the size of the file determined while reading the content differs from the
one reported by the stat operation. Now, the stat call will always determine
the actual size of what would be read.  However, it isn't guaranteed that this
size doesn't change in the time after the stat operation and before the read
operation.

Ref #4032
2021-10-13 14:50:45 +02:00
Martin Stein
bd79f93657 cbe/types: invalid generation, generation string
Ref #4032
2021-10-13 14:50:45 +02:00