Adjust the plugin to use the socket C-API found under
dde_linux/src/lib/lxip/include/genode_c_api/socket.h'.
This is the first minor step in generalizing the plugin.
isse #5104
The lxip_raw.run script will spawn a client/server scenario that tests
Genode C-API calls. The scenario can be used standalone, meaning no
actual network card is required.
issue #5104
This commit updates lxip from version 4.4.3 to 6.1.20. It uses the
current lx_kit approach and is a shared library again. The stack has
been tested for x86_32/x86_64/arm_v6/arm_v7/arm_8.
The C-interface of the IP stack can be found under
lxip/include/genode_c_api/socket.h.
issue #5104
CONFIG_X86_USE_PPRO_CHECKSUM is a 'def_bool y' and gets re-enabled by
'make olddefconfig'. The PPRO version contains text relocations which we cannot
have in binaries (e.g., 'lea 45f(%ebx ...).').
issue #5104
add bottom half enable/disable to functions with suffix "_bh" were
missing, because some functions release the bottom half separately
(__neigh_event_send).
issue #5104
Add the possibility to execute a module-init call by name using
'lx_emul_init_call', this is used, for example, by lxip to configure and
re-configure the IP address through 'ip_auto_config'.
issue #5104
The classes Genode::Mmio, Genode::Register_set, Genode::Attached_mmio, and
Platform::Device::Mmio now receive a template parameter 'size_t SIZE'. In each
type that derives from one of these classes, it is now statically checked that
the range of each Genode::Register::Register- and
Genode::Register_set::Register_array-deriving sub-type is within [0..SIZE).
That said, SIZE is the minimum size of the memory region provided to the above
mentioned Mmio classes in order to avoid page faults or memory corruption when
accessing the registers and register arrays declared inside.
Note, that the range end of a register array is not the end of the last item
but the end of integer access that is used for accessing the last bit in the
last item.
The constructors of Genode::Mmio, Genode::Attached_mmio, and
Platform::Device::Mmio now receive an argument 'Byte_range_ptr range' that is
expected to be the range of the backing memory region. In each type that derives
from on of these classes, it is now dynamically checked that 'range.num_bytes
>= SIZE', thereby implementing the above mention protection against page faults
and memory corruption.
The rest of the commit adapts the code throughout the Genode Labs repositories
regarding the changes. Note that for that code inside Core, the commits mostly
uses a simplified approach by constructing MMIO objects with range
[base..base+SIZE) and not with a mapping- or specification-related range size.
This should be fixed in the future.
Furthermore, there are types that derive from an MMIO class but don't declare
any registers or register arrays (especially with Platform::Device::Mmio). In
this case SIZE is set to 0. This way, the parameters must be actively corrected
by someone who later wants to add registers or register arrays, plus the places
can be easily found by grep'ing for Mmio<0>.
Fix#4081
I2C EEPROMs of the type at24xxx are really slow (ca. 10 kHZ).
This adds the `bus_speed_khz` attribute to the config of the driver and
adapts the i.MX8 driver to support the feature.
Issue gapfruit#1996
Fixes genodelabs#5090
The physical address of the memory used for the guest VMCB is already
present in Vcpu_data. Use the information there instead of storing the
physical address in the host data area, thereby freeing up 8 bytes for
a bigger Mmio class.
Issue #4081
Hitting a BOSD in a Windows guest in Virtualbox 6 leads to calling
`DBGFR3ReportBugCheck`, which leads to the following error since it is
unimplemented in our port:
```
Error: DBGFR3ReportBugCheck: DBGFR3ReportBugCheck called, not implemented, eip=0x1a5c4e4
```
Including the actual method from Virtualbox 6 enables logging
diagnostics for the Windows Blue Screen of Death (BSOD).
To see Blue Screen logging output, enable "dbgf" and "gim" logging
via the `VBOX_LOG` following environment variable in the vbox6 runtime
config.
When manually triggering a BSOD in the Windows guest, this should
produce the following logging diagnostics:
```
GIM: HyperV: Guest indicates a fatal condition! P0=0xe2 P1=0x0 P2=0x0 P3=0x0 P4=0x0
GIMHv: BugCheck e2 {0, 0, 0, 0}
MANUALLY_INITIATED_CRASH
```
Fixes#5099
The libc's internal calculation of the tv_sec and tv_nsec fields must be
based on the same ms value. Otherwise, tv_sec is not always immediately
incremented whenever tv_nsec wraps. For applications, this inconsistency
can result in observed jumps in time.
Fixes#5098
Functions registered with 'module_init' (i.e., '__define_initcalls'),
'OF_DECLARE', and 'DECLARE_PCI_FIXUP_CLASS_FINAL' used to be static
constructors and had be explicitly registered using
'exec_static_constructors' before executing any Linux code.
With this commit we remove the constructor attributes from these
functions and create a global function pointer in the form of
__initptr_<name>_<id>_<counter>_<line number of macro>
'import-lx_emul_common.inc' will collect these '__initptr' symbols after
the compile step and generate a 'lx_emul_register_initcalls' function
that executes the functions pointed to. This step is now automatically
performed in 'lx_emul_start_kernel'. This way a call to
'exec_static_constructors' can be omitted in case there are no other
constructors in place.
issue #5096
The former implementation relied on input drvdata always pointing to
struct hid_device, which is not true for Wacom touch devices (at least).
Now, we implement the input handler for devices providing LEDs
(evbit[EV_LED] set) only and use input_inject_event() to set the LED
states.
This commit brings the etnaviv back end implementation in line
with the one from lima. Since the etnaviv driver itself handles
different contexts implicitly rather explicitly like lima and
iris for the moment only a main-context is used for all operations.
Issue genodelabs/genode-imx#8.
Uploading large files via HTTP PUT failed when the file system was
accessed via a file system session because lighttpd opened the
destination file with O_NONBLOCK and the write operation stalled
at some point.
genodelabs/genode#5093
These domains allow for the hosting of plain http and telnet servers
reachable from the outside. The change is designated for the goa
testbed.
Issue #5092
The commit is a preparation commit for suspend/resume. It prepares the GPU
structures relying on gmadr.cap() (MMIO) to be re-constructible by applying
the with* pattern to context, ring_buffer and ggtt mmio map. It removes
the managed dataspace handling of gmadr subsets to make the with_* pattern
possible.
Issue #5081
This commit is a preparation commit for suspend/resume. The commit
refactors the code in order to consolidate all Platform resources into one
instance. All users within the GPU driver should access the resources with
with_* functions, which checks whether the device resource is usable. The
callers are not allowed to store any references to the provided resources.
With this change, it will be possible in follow up commits, to release
the platform device and to re-acquire it and its resources, e.g. mmio, irq,
gmadr.
Issue #5081
- add PS/2 input drivers
- add GPU client test case - glmark2
- remove display driver before suspend
- route log output via terminal on display to gather information, since in
most cases serial/AMT is not available after ACPI resume
Issue #5081
Clearing very large RAM dataspaces could fill up core's page table,
because the dataspaces are locally mapped to clear them.
This would manifest in a loop where exhausting the local page table
leads to its flushing (which does not work for core) and a retry that
again fills up the page table and so on.
To prevent this, flush RAM dataspaces in chunks of at most 128MiB.
Fixes#5086
If "verbose" is set to true in the config, AcpiOsPrintf etc. are enabled
to log to a dedicated LOG session using the Format:Console utility.
Issue #5083
Prevent errors if precision and left alignment are part of the string.
String precision is applied to limit access to the configured number of
characters but ignored for other types.
Issue #5083
The axis IDs correspond to 2x analog sticks with 2 axes and 2x triggers.
While being at it, the commit changes the Axis_id type to Axis::Id.
Fixes#3669
Failed allocations were still denoted with a successful return value
to the caller. This situation was triggered by artificial testing and
has not been observed yet in practice. In case the 'LIMA_GEM_CREATE'
I/O control fails Mesa will dereference invalid pointers anyway.
Issue genodelabs/genode-allwinner#27.
The frame-pointer-based backtrace does not work without enabling
-fno-omit-frame-pointer explicitly and in most cases leads to page
faults because non-pointer stack values are dereferenced during the
walk. The best we can do is to limit the backtrace walk to the stack of
the current thread to prevent page faults unrelated to the system state
without the use of the backtrace utility.
This commit introduces a printable Backtrace class usable in
Genode::log(), Genode::trace(), etc. The class is based on the new
function for_each_return_address(auto const &fn) that walks the stack in
its limits and calls fn() for each discovered return address on the
stack in the new os/include/os/backtrace.h. Archtecture-specific
stack-pointer retrieval and walk loops are implemented in dedicated
os/include/spec/<arch>/os/for_each_return_address.h files. Also, the
well-known Genode::backtrace() function (which logs the return-address
values) is provided for backwards compatibility.
Fixes#5078
The number of hash entries for TCP/UDP corresponds to the number of
sockets managed by the stack. In case there are more sockets than
entries available, buckets will be created to compensate for the lack of
space. The default values for TCP (524288) and UDP (65536) are meant for
the in kernel that manages all sockets of the user land and leads
to very large hash table allocations (>20MB) during initialization.
Since on Genode a component has its own instance of the IP stack or uses
the VFS server, we do not need these kind of large default settings.
issue #2181
This patch changes the unlink operation of the ram fs to defer the
destruction of a file until it is no longer referenced by any VFS handle.
When unlinked, the file no longer appears in the directory. But it can
still be opened and accessed.
With this change, a parent process of a Unix-like subsystem becomes able
to pass the content of an unlinked file to a forked child process. This
mechanism is required when using the 'exec' command in Tcl scripts.
Another use case is the 'tmpfile()' function.
Fixes#3577
The traced top instance was configured to be active every two seconds
whereas the trace test uses a grace time of only 1.5 seconds before
raising the FOREIGN state of a trace subject as an error.
The state of a trace subject can change only whenever the traced thread
passes a trace point. Hence, with the original configuration, the
release of top as trace subject can take up to two seconds. The patch
reduces the rate to 0.5 seconds to satisfy the expectation of
test-trace.
Following Github support removal for svn [1], dde_rump port fails to
prepare. This commit introduces a new install rule for ports,
'.sparse-git'. It performs a sparse-checkout on the port repository, only
fetching required files.
[1] https://github.blog/2023-01-20-sunsetting-subversion-support/
Co-authored-by: Benjamin Lamowski <benjamin.lamowski@genode-labs.com>
Issue genodelabs#5072
Issue genodelabs/goa#28
According to RFC 1812 ICMP Destination unreachable (Network unreachable)
does not quite our case of clients directly behind the router.
If a packet is to be forwarded to a host on a network that is directly
connected to the router (i.e., the router is the last-hop router) and
the router has ascertained that there is no path to the destination
host then the router MUST generate a Destination Unreachable, Code 1
(Host Unreachable) ICMP message.
Issue #4729
By using `mktime()`, which assumes local time, we render the `TZ`
environment variable ineffective. Instead, `timegm()` should be used to
set the real-time clock to UTC.
genodelabs/genode#5074
The management of Linux page structs is now tied to the life time of DMA
buffers. Thus, page structs are created when a buffer is allocated and
deallocated only when a buffer is freed - not on lx_emul_mem_free()
because DMA buffers are cached. Page struct refcounting was entirely
reworked in lx_emul/shadow/mm/page_alloc.c.
Fixes#4809
When multiple threads (EMT-0..X + nic_ep) enter the very same
critical section, the use of RTCritSectTryEnter may reflect the contention
case to the Network Model (E1000). Since no one notifies the model, when the
critical section is free again, solely the next packet/event triggered by the
guest will resume the former operation. This may lead to long delays until
packets are sent actually.
Instead of using the RTCritSectTryEnter use RTCritSecEnter to avoid the
situation. All of our network code is non blocking, so the network backend
will only be contented a short time.
Follow up commit to
Issue #5045
The devio API in the Linux kernel promised to be a stable layer for our
USB host controller drivers, but the additional bookkeeping and dynamic
allocations increase CPU overhead in a way that we do not accept further.
Therefore, we go a step back and process DMA transactions directly in and
out of the packet stream from the clients.
Fixgenodelabs/genode#5071
Per default Tslab checks that 8 slabs incl. overhead fit into one block.
If this is not desired the template parameter 'MIN_SLABS_PER_BLOCK' can
be used to control the minimum number of blocks.
Fixes#3834
The argument was originally designated to restrict the reach of the
trace monitor but the idea remained unimplemented. It is now superseded
by the use of the trace-session label as trace-subject filter.
Issue #847
This patch changes core's TRACE service to expose trace subjects only if
their PD label matches the label of the TRACE monitor. Hence, by default,
a trace monitor can only observe itself and its child components. Only
if the trace monitor's parent rewrites the trace-session's label, the
view of trace monitor can become broader. For example, when rewriting
the trace label to an empty string "", the trace monitor becomes able to
observe the sibling components hosted in the same init instance as the
trace monitor.
To grant a trace session the special privilege of obtaining a global
system view (including the kernel's trace subjects), the top-level init
has to rewrite the session's label to an empty string. At core, this
specific label "init -> " is handled as a special case that discharges
the filtering/namespacing of trace subjects.
Note that the trace-subject label as reported as subject info is now
given relative to the label of the trace session. As a nice side effect
of this change, the pkg/test-trace_logger works now when executed by the
depot_autopilot as well as via the test.run script.
Issue #847
This option is useful in cases where batching is configured and
failing to fetch a resource should not influence the over-all
result.
Issue genodelabs/genodians.org#32.
In the scope of alloc_dma_buffer(), Out_of_* exceptions might be thrown
at different stages. By adding a Guard object, we make sure to rollback
already created objects accordingly.
genodelabs/genode#5002
As a consequence of the adding IOMMU support to the platform driver,
additional RAM and CAPs are needed for setting up IO page-table
structures.
genodelabs/genode#5002
The platform driver needs additional 2MB of RAM for managing IO page
tables (root table and context tables) that are shared among sessions.
genodelabs/genode#5002
By adding the `irq_type` argument, one can explicitly specify whether to
use LEGACY, MSI or MSI-X interrupts. We formerly used the
`device_phys_config` to implicitly select MSI, however, with the
addition of IOMMU support to the platform driver there is at least one
instance where we need an MSI for a non-PCI device.
Yet, by adding another session argument to the Irq session, we exceed
the character limit for session args. Since not all arguments are
relevant for LEGACY interrupts resp. MSI, we can split the Irq_connection
constructor to handle the two cases separately and omit unneeded
arguments.
genodelabs/genode#5002
DMA buffer allocations are always performed as full pages. However, they
got mapped into the IOMMU domain using the requested size, which may not
be a multiple of the page size. This behaviour was introduced as a regression
by #4761 and is corrected by this commit.
genodelabs/genode#5002
The virtual add_range()-method must not be called from the base-class
constructor since the derived class is not be fully initialized at
this point.
genodelabs/genode#5002
The sculpt manager views only launchers in the + menu that are not present in
the runtime already. However, this check was missing when finding the right
launcher on a click event inside that menu. This could cause the manager to
try deploying an already deployed launcher a again (without any effect)
instead of deploying the launcher that was actually clicked.
Ref #5064
This is a follow-up commit to the adaptation of the run scripts to the
consistent use of [build_artifacts] (issue #4860).
The missing build of libm remained undetected until the recent removal
of implicit shared-library builds (issue #5061).
This patch removes the implicit build of all shared libraries a target
depends on. Targets only depend on the respective ABIs instead. This
alleviates the need to locally build complex shared libraries (think of
Qt) when developing applications. Instead, application developers can
use binary depot archives.
The implementation splits the mk/lib.mk file into three files:
- mk/a.mk for building one static library (.lib.a)
- mk/so.mk for building one shared object (.lib.so)
- mk/abi.mk for building one ABI stub (.abi.so)
Furthermore, the commit moves messages and the collection of build
artifacts to var/libdeps, triggers the build of kernel-specific
ld-<kernel>.lib.so, and prunes the lib-dependency tree at ABIs.
Fixes#5061
- finished tx ack queue should be checked before new allocations
- packets which got not sent must be released in packet stream,
otherwise the network packet stream gets filled up and starves after a while
- rRegister for ack avail packets and process them concurrently to EMT-* threads
by nic_ep thread (thanks @Peter for the findings) + add synchronization.
- add sigh_ready_to_submit to network adapter to improve latency by notifying
the network model explicitly in case we had a full packet stream error case
(_retry resp. VERR_TRY_LATER)
Fixes#5045
This patch mirrors the interface of Sculpt's distant_runtime to the
sandboxed_runtime variant, allowing the configuration of xpos, ypos,
min_width, min_height, opaque, and background color.
Issue #5008
This patch moves the text-editing facility of app/text_area to a
text-area widget as part of the dialog library. This has two benefits.
First, it simplifies app/text_area by using the dialog API. Second, the
editor can now easily be reused by other dialog-API-based applications.
Fixes#5058
The 'Dynamic_array' utility is used by the text_area as internal
representation of text. As a prerequisite step of making the text
editing features generally available as a text-area widget, the
utility must become public.
Issue #5008
This method allows for the inquiry of the current hovering state,
e.g., to suppress an update of the Wifi accesspoint list while
the list is hovered.
Issue #5008
Issue #5053
Several DMA pools of the EHCI/UHCI USB host controller driver declare
that buffers should not cross 4K boundaries. If this property is not met
fatal errors like NMIs may happen during USB operation.
Discussed in issue #5000
Certain USB devices do not react anymore after an endpoint reset
in the use case of USB devices passed through to a virtual machine.
When investigating the only USB session client that needs the
flush transfers request - namely the Qemu xhci model used in
VirtualBox - there seems to be no need to reset the endpoint in fact.
Fixgenodelabs/genode#5050
USB devio splits large transaction into 16 KiB buffers in scatter-gather
lists. Unfortunately, this mechanism seems unreliable most certainly because
of issue #4809 "DDE Linux struct page object aliasing".
Issue #5036
Currently, running ripgrep on Genode emits
"Warning: sysconf(71) not implemented".
Return -1 without setting errno, which is a valid return value according
to getpwnam(3) and silence the warning.
Fixes#5043
This patch replaces the original policy-based 'update_from_xml' by a new
method that takes three functors for creating, destroying, and updating
elements as arguments. XML nodes are associated with their corresponding
internal data models by annotating the element type with the
'type_matches' class function and the 'matches' method.
The patch also improves safety by enforcing that list-model elements can
never be copied.
Fixes#4317
This commit adds support to initialize the timekeeping for
the Linux subsystem with the value from the RTC.
Only the seconds part of timespec64 is supported.
Issue genodelabs/genode#4957
FreeBSD libc code uses only a single spinlock instance and, thus there
is no obvious reason why it would need to be implemented as an actual
spinlock. _spinlock() and _spinunlock() functions are implemented with a
static pthread mutex.
Issue #725
This commit adds a new configuration option, `dst_addr` to the
'sntp_client' that accepts either an IP address or a DNS hostname. If a
DNS hostname is provided, the 'sntp_client' will resolve the IP address
before each SNTP request. The 'dst_ip' configuration option is
deprecated but kept for compatibility until 'dst_addr' is fully adopted.
xsd/net_types.xsd: add Net_address type
sntp_dummy_rtc: adjust configuration to use pool.ntp.org
Fixesgenodelabs/genode#5003
`Expandind_pd_session_client::try_alloc` is an overriden virtual method
of `Ram_allocator::try_alloc`. The latter specifies the default Cache
argument as CACHED. The overriden method should either do the same or
not even specify a default argument at all.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
Feed the high-frequent fetchurl reports into a list model to speed up
the subsequent evaluation of the data.
Also limit the rate of state reporting during updates to visible changes
in percent such that most fetchurl reports do not cause any UI activity
(status updating) any longer.
This patch noticeably speeds up the installation of complex packages
(i.e., the morph browser) on the PinePhone.
Issue #5038
The execution of global-static constructors in Genode is optional for
native components or determined in the libc for libc components. By
convention, we avoid static constructors wherever possible but in rare
cases the component can tweak the point when constructors are executed
and initialize an environment beforehand. The wifi_drv applies this
pattern for the uplink initialization, but is a libc component on the
other hand, and, thus, statics in the Genode C API for uplink are
constructed later by the libc. So, the prior initialization is reverted,
i.e. the signal-handler capability becomes invalid.
This addresses a regression exposed by the following commit.
drivers/wifi: perform multi-staged construction
Related to #3509Fixes#5024
Component names can be larger than widget IDs, which are capped at 20
characters. To uniquely correlate the component depicted in the graph
with clicks, this patch uses a dedicated graph ID for each runtime
component instead.
Fixes#5034
This patch allows for the interactive assignment of the system-control role
to a new component via the resource dialog. This is useful for integrating
low-level components like the Intel frequency/power monitoring tool.
Fixes#5033
Commit "menu_view: ignore zero-sized widgets in box layout" introduces
zero-sized child widgets as a special case but defined zero-sized as
zero covered pixels (w*h == 0). However, for layouting, a widget with a
non-zero height and zero width is not zero-sized.
This patch refines the zero-size condition such that only widgets with
both zero width and zero height are considered as zero-sized.
It thereby solves the missing display of empty lines in the text_area
component.
The 'Xml_node::differs_from' method takes the constructor arguments
(addr, size) for a byte-wise comparison whereas 'with_raw_node'
restricts the byte range to the actual XML tags. In cases where
the XML start tag is preceeded by whitespace, both ranges can differ.
Since the 'differs_from' method is meant for comparing actual XML
nodes - not any whitespace around them - whitespace should be ignored
on both operands.
Issue #5029
This is a follow-up fix for commit "sculpt: apply Dialog API to diag,
panel, and graph", which happened to render the legacy dialogs (network
and settings) inaccessible.
The patch avoids the use of clack seq numbers for the 'popup_opened'
condition (which happens on click, not clack). It also overrides old
click information on the arrival of a new click, avoiding the evaluation
of stale click sequence numbers in distant_runtime.cc. Furthermore, it
reduces the rate of 'Distant_runtime::_try_handle_click_and_clack'.
Issue #5008
On WPA3 encrypted networks the AP picker does not indicate encryption
and does not prompt for a passphrase.
Also indicate an encrypted network when "protection=WPA3", remedying
both issues.
Fixes#5022
Up to now, when using force_*, all other configured modes of a connector
got overwritten and the force_* got enforced. With the commit,
the connector mode is considered (if below max_*) and the resulting
framebuffer may be larger then the dimension of force_*.
Differences in TAR archive member metadata results in unstable depot
hashes. The following properties have to be fixed: modification time
(incl. time zone), numeric owner and group, permission modes.
Releated to #2842
This change allows for the hosting of system-management components
in Sculpt's runtime. The special role must be declared either as
<launcher managing_system="yes"> attribute or in the deploy
configuration's <start managing_system="yes"> attribute.
Issue #5009
Rename locally extended VCPU state from State to Vcpu_state for clarity.
The local namespace only adds two accessor methods, which does not
justify a local generic name.
Ref #4968
Make naming across architectures coherent by renaming Vm_state to
Vcpu_state, to reflect that it contains the state of a Vcpu and not that
of an entire VM.
Ref #4968
Per Affinity::Location a system control cap can be requested. The capability
provides an RPC interface to request and set Cpu_state, as provided by the
former Pd::managing_system(Cpu_state) method. Invocation of those system
control capabilities then *can* (see below) be executed on the desired CPU
as described by Affinity::Location.
The system control cap will be invalid for kernels that don't support
system_control/managing_system functionality at all.
The system control cap will be ever by the same, e.g. ignoring the
Affinity::Location parameter, if the used kernel doesn't support or doesn't
require the feature to execute the system control per CPU.
The commit is a preparation step to add guarded and selective x86 MSR
access per CPU.
Fixes#5009
This patch partially converts the Sculpt manager to the dialog API.
At this stage, both the old utilities and the new dialog API are still
used simultaneously.
Issue #5008
The so-called 'Distant_runtime' implements GUI dialogs via menu_view
components hosted at a distant init instance as opposed to child
components (as implemented by the 'Sandboxed_runtime'). This is
particular the case in Sculpt OS where the sculpt manager is not the
parent of the menu_view instances.
Issue #5008
By renaming 'Dialog' to 'Deprecated_dialog', we become able to use the
name 'Dialog' for the new API while temporarily keeping the original
interface in tact.
Issue #5008
- Increase default timeout to one minute
- Ignore power-button events during display-driver startup to avoid
entering another forced blank when pressing the power button twice.
- Prevent wakeup from user activity except for the power button.
So the volume can be adjusted without leaving the screensaver.
Issue #4950
The new API at gems/include/dialog/ aids the creation of simple GUI
applications based on the menu-view widget renderer. Its use is
illustrated by the simple test application at src/test/dialog/
that is accompanied with the dialog.run script.
Issue #5008
Each hover change of the character position within a label results in a
new hover report, which needs to be evaluated by the application. For
the common cases where labels are used as button texts or for presenting
passive information, the level of detail is not needed while the
recurring hover reports induce overhead at the application side.
This patch mitigates this overhead by excluding labels from the hover
reporting by default.
For use cases that actually depend of precise hover reporting of labels,
for example an editable text area, the hover reporting can be enabled by
setting the 'hover="yes"' attribute of the label.
The 'Widget::_version' attribute was meant to allow the deliberate
replacement of a widget by a same-named widget by changing the version
while keeping the name, thereby suppressing any geomety animation.
However, the implementation missed to populate the attribute with the
value provided by the dialog ROM, prompting the unconditional
re-creation of the widget whenever a 'version' attribute was specified.
Even though this had the (desired) effect of preventing geometry
animations, it could cause feedback loops between hover reports and
dialog ROMs because the 'hover_changed' condition in 'Menu_view::Main'
would always stay true while a versioned widget is hovered.
To prevent exessive allocations the bounce buffers are allocated
once and afterwards re-used. The DMA buffers are provided by an
range allocator whose backing store increases in 4 MiB chunks.
The range allocator might not merge the ranges as those chunks
are not necessarily allocated continously. Allocations larger
than the static chunk size are therefor treated as error.
Internally libyuv uses malloc & free for short time dynamic memory
allocation during image transformation. The converted images are
such large, that the Libc allocator will create and destroy new Genode
dataspace per image. In time sensitive code paths, the overhead can be
noticeable by the caller of the image transformation.
The patch adds the option to register callbacks in the libyuv library to
implement the image allocation by users of the library. They may implement
caching strategies to avoid the overhead, e.g. as seen with qemu-usb and
the webcam model.
and not before. On Windows guest with more than 1 vCPU, the packets
seem to arrive and/or seem to be handled too late in the Webcam model.
An intermediate state, to due the late packet, has been used to decide to
close the Capture session too early.
In SDL2, support has been added for multiple windows.
As such, prior to this commit, invoking _sdl_screen.construct
would create a new window each time the original window was
resized.
To avoid this, refactor to only construct the window once, and
upon resize events, reconstruct the SDL_Surface and SDL_Texture
of Sdl_screen to the new window dimensions.
Issue identified by @chelmuth in https://github.com/genodelabs/genode/pull/4993#issuecomment-1729530634Fixes#4993
Following the official migration guide of SDL [1], the
fb_sdl framebuffer driver was update from SDL1 to SDL2.
The sdl2 port in world/src/lib/sdl2 is used.
Since SDL1 is in maintenance mode [2], support for other
display servers than X11 will never be implemented. In
particular, support for Wayland is missing from SDL1.
Fortunately, a port of sdl2 is maintained in genode-world.
As SDL2 is actively developed, it will provide support for
modern hardware architectures, and has mature support for
Wayland [3].
[1]: https://wiki.libsdl.org/SDL2/MigrationGuide
[2]: https://wiki.debian.org/Wayland#SDL1_.28unsupported.29
[3]: https://wiki.debian.org/Wayland#SDL2_.28supported_since_2.0.2.2B-.29
Issue #4993
The new API emphasizes control over the vCPU data by granting access
through the Vcpu::with_state() method, which makes sure that the vCPU is
stopped, invokes the supplied function with a reference to the VM state
and resumes the vCPU if the function returns true.
The old Vcpu::run(), Vcpu::pause() and Vcpu::state() methods are removed
in favor of the new API. Execution of the vCPU is now interrupted by
sending a native Genode Signal to its Vcpu_handler, which will run the
VMM's exit handling method. When this method retrieves the vCPU state by
calling Vcpu::with_state(), the outside interruption is detected and on
x86 a recall exit is injected into the state to signal the vCPU
interruption / pause request to the VMM's vCPU handler.
Ref #4968
instead via the hardware registers of the FPU. On Genode all components and
so VMMs are built such, that the compiler may generate optimized code by
using the FPU at any time. We had to make sure to save the
FPU state as early as possible before the VMM component touches the FPU,
to avoid corrupting & losing guest FPU state. This caused headache again
and again. To avoid the uncertainty, we remove this feature and explicitly
transfer the FPU state via the UTCB.
Depending on the client and use-case the current minimal timeout
value of 5 ms could be too high, lowering it to 1 ms stays within
the limit imposed by most timer drivers.
Issue #4990.
When the wait value is too small the HALT attempt turnes into
busy-polling in the VMM. To prevent that always wait a minimal
amount of time.
Issue #4990.
This patch removes the obsolete 'io_progress_elem', which was wrongly
enqueued to the 'read_ready_waiters' fifo and not dequeued at
destruction time.
Fixes#4987
Remove 'usb_hid', 'usb_net', 'usb_modem' from dde_linux port. These
versions have been updated to Linux 6.1.20 which uses the 'linux.port'
file.
issue #4958
The driver is superseded by the USB network driver (usb_net) which also
contains MBIM support for LTE modems previously provided by this
driver.
issue #4958
The drivers uses the 'virt_linux' api and the current lx_kit
implementation. It is a drop-in replacement for the Linux 4.16.3 based
version.
issue #4958
NCM tries to batch TX packets using timeouts (500us) and does not send packets
before 3 packets are in the submit queue. Timeouts take milliseconds on
dde_linux which leads to delayed ACKs and poor performance for the RX case.
Therefore, we send small packets (<100 Bytes) immediately without batching (it
might be an ACK or last packet of a larger transfer).
issue #4958
The PinePhone Modems' CDC Ethernet Interface does not respond if RX/TX queue size
is greater 12 (experimentally determined), the default would be 60, meaning 60
RX Bulk URBs are sent at once to the device.
issue #4958
A WRITE_ERR_WOULD_BLOCK may occur when large reports are written to a file
system because this fills up the submit queue of the packet-stream interface.
Fixesgenodelabs/genode#4988
This commits introduces changes to test number 4, so it must keep
more than one PKG. Also, it introduces a 5th test to verify that the
<remove_all/> functionality does delete everything in the depot.
Issue genodelabs#4866
This commits introduces improvements to the test functions to avoid
code duplication, and renames these functions to reflect better what they
are used for.
Issue genodelabs#4866
The last character should only be skipped if a `\0` or `\n` is found. If
the string ends without such a character or the maximum line length is
hit, we do not skip the last character.
Fixesgenodelabs/genode#4985
Dynamically loading the `compat-libc` breaks `fork(2)` on Genode.
Switch `compat-libc` to a special api package that provides a source
file for statically linking the library, analogous to the `blit`
package. This also requires a quirk in Goa but should prevent breaking
`fork()` and removes the runtime and archive dependencies for Rust
packages using `compat-libc`.
Ref genodelabs/goa#61
Implement FBSD_1.0 versions of libc functions ('stat', 'fstat'). The
functions are versioned with @FBSD_1.0, and therefore, will not clash
with libc during linking. However, to be called by our dynamic linker,
the library must be before libc in the NEEDED section of the binary
using it. This requires the lib to be in front of libc in the LIBS
variable. The library currently will call libc 'stat' and 'fstat' by
looking up the symbols via 'dlsym'.
Ref genodelabs/goa#61
Some Ubuntu installations (e.g., 20.04) create installation disks with
strange C/H/S MBR partitions like 3988/255/2. Normally, VirtualBox reads
the MBR to guess disk geometry information for the virtual BIOS.
Unfortuantely, the strange values from Ubuntu lead to a heavy
virtual-disk activity on boot. Therefore, this commit forces the use of
calculated values based on the assumption that large disks use LBA
addressing anyway.
Fixes#4978
Adds Genode::Hex_dump class to the formatted_output.h header. This class can be
used to print a hexadecimal dump of a byte range. The data is printed in a
format similar to that used by Linux's 'xxd'. In addition to the 'xxd' format,
consecutive duplicate lines are replaced with a single "*\n" as done also by
Linux's 'hexdump'.
Ref #4966
The DHCP client implementations of Ping originally is a copy of the NIC router
implementation adapted for Ping. The two versions diverged further over the
years. This issue should be solved by should merging them into a centralized
implementation. However, this commit treats only a recent issue with the
nic_uplink.run test on pbxa9 qemu but does this by re-aligning the two
implementations partially. The final merge should be done in a separate commit.
Ref #4966
The Depot Autopilot used to filter out tabs and color sequences before
forwarding the test log to the own log. This commit prevents this and further
cleans up the string-filters code.
Ref #4922
The new 'log_prefix' attribute is effective when used in a tests runtime in
<succeed> or <fail> tags that have a non-empty content string. When matching
the log against the pattern given in the affected <succeed> or <fail> tag, the
Depot Autopilot will consider only those test-log lines that start with the
given prefix.
Ref #4922
* Removes the <event> tag from all test package runtime files and replaces the
contained <timeout> and <log> sub-tags with the new tags <succeed> and
<fail>. If a <succeed> or <fail> tag has a content, it defines a log pattern
that should be recognized and render the test failed or successful. If a
<succeed> or <fail> tag has an attribute after_seconds that is not set to 0,
it defines a timeout after which the test should be rendered failed or
successful.
* Adapts the Depot Autopilot to support the new syntax in the test-package
runtime files. However, for now, the Depot Autopilot is kept compatible to
the old syntax as well. If the <events> tag is present, it is prioritized
over the new syntax.
Fixes#4922
Several nightly network-related tests fail currently on sel4/pc because the
new e1000 NIC driver requires more capabilities. The "drivers nic" package
was already adapted to the new requirement but some tests fail to provide
enough caps to the corresponding sub system. This commit tries to fix all
remaining tests.
Ref #4923
* During a session-close, the device-specific usb task and driver data
gets freed. Part of it was the RPC data. To prevent use-after-free
turn it into a pointer and leave it on the stack of the caller thread
* During a device release, URBs discards, and reset operation the Linux task
might get blocked, and then a RPC caller task might return if the RPC
operation was marked as finished already, although it hasn't succeeded yet
* USB devio RESET has to be done before a device release to be effective
Fixgenodelabs/genode#4969
* Within flush_transfer of the USB session a given entrypoint gets
resetted, to be effective al related URBs need to be discarded first
* Discarding URBs shall be done in reverse order, like libusb is doing it,
where it warns about potential races otherwise
Ref genodelabs/genode#4969
* Adds a new component server/nic_uplink that forwards packets unmodified
between one Uplink session at one side and potentially multiple Nic sessions
at the other side.
* Adds a new run script nic_uplink.run that does a basic test with multiple
Nic clients on this component and adds it to the autopilot list.
* Adds a new depot recipe src/nic_uplink for this component.
* Adds a new depot recipe pkg/pc_nic for deploying the pc_nic_driver together
with a nic_uplink server. This allows for raw access to the network connected
to the Nic of the system in contrast to the commonly used routed and NAT'd
access via NIC router. That said, it enables the use of network protocols
not yet supported by the NIC router at the cost of less protection.
Ref #4966
Introduces a new class that does the clean-up if some exception is
thrown while creating the session. This reduces redundancy and overall
lines of code.
Ref #4966
by just test the migration feature, without relying on load measured on the
CPUs. On Qemu (and depending on other load in the Linux system), the migration
feature gets not triggered in time reliable.
* Allow support for kernel configurations without CONFIG_IRQ_DOMAIN_HIERARCHY
* Export `irq_domain` instantiated for driver-specific extensions of the irqchip
Fixgenodelabs/genode#4964
This change allows a monitored VBox instance to specify a distinct
(lower) priority to the VM session to ensure that the VMM is always
prioritized higher than the VCPUs. This is important because host
I/O at the VMM should always be able to preempt a busy guest.
Issue #4917
Decreasing the internal buffer size will implicitly limit the number
of blocks provisioned for recording and brings them in line with
the number of blocks used for playback (2).
Note that this patch also sets an upper-bound on the number of
samples in 'Audio_*::PERIOD'.
If all connectors are set to disabled by configuration, the connectors
stayed enabled since the new configuration reveals no preferred or minimal
resolution/mode. Instead, use the last set resolution in order to get to the
disabling code.
The memory barriers where introduced with commit "test-timeout: fix build
errors with -std=gnu++20" presumably in order to prevent GCC optimization from
removing the empty for loops the test is using because using a volatile index
variable was no longer an option.
However, the memory barriers seem to have a negative effect on the measurements
performed with the affected loops. The commit caused the timeout test to fail
at least on imx53_qsb.
This commit fixes the issue by using a simple empty for loop without volatiles
or memory barriers but protected inside a function that is compiled with
optimization disabled.
Ref #4959
This commit extends the Lx_kit initialization function by passing in
a signal handler that is used to perform the normally occurring
scheduler execution and is a follow-up change for the decoupling
scheduler execution commit.
Instead of burying the signal handler in the 'Lx_kit::Scheduler'
object it is provided by the main object where the driver is free
to perform any additional step before or after executing the scheduler.
Issue #4927Fixes#4952
Since the wireless LAN driver is actually a 'Libc::Component' due to
its incorporation of the 'wpa_spplicant' application, we have to
intercept its construction because we have to initialize the Lx_kit
environment before any static ctors are executed. Most Linux initcalls
are implemented as ctors that will be otherwise implicitly executed
before the controll is given to us in 'Libc::Component::construct'.
Issue #4927.
The timer used to read the counter first and then the IRQ status. This
could cause a non-wrapped counter value to be considered a wrapped
counter value, leading to bogus timeout durations.
This commit fixes the bug and documents the used timer mode in the
driver in order to make future debugging of the driver easier.
Ref #4959
Prevent missing new RPC calls handed over to a Linux task
of a corresponding usb-device, while that task blocked
during enqueuing of asynchronous URBs.
Fixedgenodelabs/genode#4955
* add a sensible priority setup into the test script in order to protect
drivers and stack components from the demanding net clients
* delay the starting of the net clients by 5 seconds in order to give the
drivers and stack components some time to startup in peace
* use only explicit service routing and caps values
Ref #4923
This patch replaces the exception-based error propagation by the use of
'Attempt' return values, which eliminates side effects of the exception
handling - cxx_heap allocations - from code paths that are used by the
the cxx_heap itself (when growing the cxx_heap).
It thereby fixes the failure of the sub_rm test at the "attach RAM ds to
any position at sub rm - this should fail" step.
Fixes#4953
This patch enhances Sculpt with the ability to detect user inactivity
for driving a screensaver by combining nitpicker's hover and focus
reports with a timer.
Issue #4950
Nitpicker's hover and focus reports contain an 'active' attribute, which
can be inspected for the detection of user activity, e.g., as trigger
for a screensaver or for dynamic clipboard policies.
When using the 'Event' session, the reporting code updated the reports
only on incoming events. This patch adds the periodic reporting as used
when using the old 'Input' session.
Issue #4950
Decoupling the scheduler execution can lead to missed interrupts
because the current implementation only handles one pending
interrupt and requires immediate processing.
This commit introduces a helper object that is used to capture
any occuring interrupts that are then handled consecutively.
Issue #4927.
Prior to this commit, whenever an external event occurred, for example
timer or interrupt, the corresponding I/O signal handler was triggered.
This handler unblocked the task waiting for the event and initiated the
immediate execution of all unblocked tasks. Since these tasks may hit
serialization points, e.g. synchronously waiting for packet stream
operations, that require handling of other I/O signals this leads to
nested execution. This, however, is not supported and mixes application
and I/O level signal handling.
The flagging of the scheduling intent is now decoupled from its
execution by using an application level signal handler that is run in
the context of the components main entrypoint. The I/O signal handler
now triggers the scheduling execution by sending a local signal to
the EP.
Since it might be necessary to execute a pending schedule from the EP
directly the scheduler is extended with the 'execute' member function
that performs the check that the scheduler is called from within the
EP and triggers the execution afterwards.
Issue #4927.
On disconnect of displays, e.g. seen with Type-C connectors, the encoder was
not properly disabled due to a missing drm_client_modeset_commit. In order that
the commit succeed, however a fb must be assigned to the modeset. Missing to
do so leads to an -EINVAL by the drm_client_modeset_commit.
Fixes#4948
Fixes alignment faults that occured in the AES256 implementations while
wrapping or unwrapping keys on imx53_qsb, imx6q_sabrelite, and imx7d_sabre.
The problem was that the unwrap_key/wrap_key functions did reinterpret casts
from unsigned char pointers to uint64_t pointers and then directly used the 64
bit values of referenced by the latter. Most probably this caused the compiler
to optimize operations in the assumption that the pointer is 8-byte aligned
which then created alignment faults.
As a solution, this commit changes the interface of the wrap_key/unwrap_key
functions to take uint64 pointers as arguments instead of unsigned char
pointers and then adapts the function users to ensure that they refer to
appropriately aligned memory regions.
Fixed#4932
The initial memory backend implementation was brought over from DDE
Linux and was geared towards use-cases where a high-performing
allocator is useful. In case of the audio driver this is overkill
and since no other driver that could benefit from such an
implementation was ported in the meantime rather use a simpler
implementation that keeps the overhead down.
Fixes#4946.
Since component.cc is no longer linked to core, we can also remove
entrypoint.cc, which was merely a dependency of component.cc.
Related to issue #4784
This patch replaces the global '_wait_for_exit_sem' object by a local
static variable, which does not rely on the global ctors. It thereby
fixes the fault_detection test after the removal of the global ctors
execution from core ("base: remove component.cc from core").
Issue #4784
With these options enabled comparative testing between pc_linux drivers
and bzImages becomes much easier on EFI-only machines. The impact on the
actual Genode drivers is minimal.
This patch removes the use of the Entrypoint::schedule_suspend mechanism
and the call of glibc's exit from the lx_hybrid tests, for two reasons.
First, the interplay of atexit handlers executed by the glibc and
Genode's lx_hybrid library is complicated while bringing no benefits in
practice as lx_hybrid applications are usually servers that don't exit
anyway.
Second, the Entrypoint::schedule_suspend mechanism in not used by any
other component. By removing its use from the lx_hybrid tests, we can
remove this mechanism from the base library.
Issue #4940
By supplying only the parts of the Env that are actually relevant for
initializing the cxx heap, we avoid the need for the 'Env' interface.
The patch also moves the call of 'init_ldso_phdr' to the outside
of the cxx library because it does not belong there.
Issue #4784
USB devices that are never associated to client sessions lack
usb_per_dev_data (and a kernel thread). Therefore, the devices should be
discontinued directly on unplug as no URBs can be pending.
Issue genodelabs/genode#4795
This commits enables the R8169 driver and was tested with two
RTL8168h/8111h (10ec:8168 rev 0x15 sub 1462:7a38 / 1d05:109f) and
two equal RTL8125B (10ec:8125 rev 0x5 sub 1458:e000) devices
running Sculpt.
Firmware loading is for now not implemented but specific Linux
commits suggest it could be necessary. However, doing so will be
post-poned until we have gathered more experience with the driver.
Restarting the driver might lead to the following IOMMU error
messages but the device seems to work anyway:
[ 0] IOMMU:0xffffffff817ec040 FR:0x8a00000000002500 FI:0xfffffffdf8d30000 type:0x8 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2000004200002500 FI:0x000c21b0 type:0x2 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004200002500 FI:0x000c21a0 type:0x2 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004200002500 FI:0x00138000 type:0x2 BDF:25:00.0
[…]
[ 0] IOMMU:0xffffffff817ec040 FR:0x8a00000000002500 FI:0xfffffffdf8d30000 type:0x8 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004300002500 FI:0x00124000 type:0x2 BDF:25:00.0
Issue #4921.
While this approach still scans "holes" in the bus range, it stops
scanning at the maximum subordinate bus number reachable from the base
PCI bus at the host bridge. Startup under Qemu no longer takes about 12
seconds for scanning 256 buses.
By splitting the 'init_capability_slab()' implementation to a separate
compilation unit 'capability_slab.cc', base-hw no longer needs a
customized version of 'lib/base/platform.cc'.
Related to issue #4784
This patch replaces the internal use 'env_deprecated()' from the
implementation of the thread API in the base library. It also
replaces the global accessor 'main_thread_cap' by the explicit
propagation of the main-thread's capability to the single point of
use via a new 'init_thread_bootstap' function.
Issue #4784
This back end can be used in place of the existing jitterentropy based
on in case random is not strictly needed by the component but one
wants to use the available 'shadow/drivers/char/random.c'
implementation.
Issue genodelabs/genode-allwinner#21.
The implementation was already part of the Zynq's sd_card driver and
since other ARM drivers need it as well, promote it to the common
shadow library.
Issue genodelabs/genode-allwinner#21.
* Removes all previous structs that represented an on-disc block layout
and were therfore subject to a number of layout restrictions (packed,
padding members, enum representations, etc.).
* Adds a replacement struct without any layout restrictions for each of the
removed structs. The new structs are named similar to the old structs.
* Adds block encoding and decoding utilities for easily converting from the
new structs to on-disc blocks and vice-versa (Block_scanner, Block_generator,
T::decode_to_blk, T::encode_from_blk)
* Adapts all affected places in the library to encode and decode proberly
instead of simply casting pointers.
* Thereby cleans up the hashing utilities to use typed-reference args instead
of void pointers.
* Re-enables run/tresor_tester and test-file_vault_vonfig_report for platforms
rpi, imx53_qsb, imx53_qsb_tz, imx6q_sabrelite, imx7d_sabre.
Ref #4819
* Replaces bool access types with uint8_t access types
* Ensures, that the framework always uses the smalles possible uint type
for the return value wherever a bitfield is read and returned to the user.
Ref #4924
In some instances, the fetchurl progress determined by
depot_download_manager will be empty when the download fails (e.g. due
to a 404), this commit fixes a bug where this would be interpreted as
the download having completed which would subsequently start hash
verification of a package that has never actually been downloaded.
Fixes#4919
The depot_remove component can delete PKG archives with
automatically resolving dependencies and deleting archives that are not
required on the system anymore.
Issue genodelabs#4866
On some platforms (x86_32/pistachio, x86_64/sel4) system startup is slow
and the previously configured 30 seconds not sufficient. With this commit, the
timeout is raised to 60 seconds only when running on such a platform.
Ref #4923
This test was originally a copy of ping.run and therefore unnecessarily
inherited all its complexity for testing ping component behavior. Additionally,
ping.run was more actively maintained and evolved over time whereas
nic_dump.run didn't receive the same care. Now, the test fails on certain
platforms although NIC dump works just fine. Therefore, this commit reduces the
test behavior to what is really necessary for testing nic_dump and by doing so,
also fixes the failing targets.
Fixes#4926
On x86_32 okl4, the test timed out although the test timeout was already at
240 seconds for this platform. Instaed of raising it further, this commit
reduces the number of ping rounds for all platforms that are considered as
slower by the test.
Ref #4923
This patch restricts 'Region_map::attach_executable' to create read-only
mappings, while offering the option to map the full rights using a new
'attach_rwx' method.
The 'attach_rwx' method is now used by the dynamic linker to explicitly
attach the linker area with full rwx rights. With the old page-fault
handling code, the execute flag was evaluated only for leaf dataspaces,
not for managed dataspaces while traversing region-map hierarchies.
With the new page-fault handling code, the execute bit is downgraded
to no-execute when passing a managed dataspace that is not attached
as executable.
Issue #4920
The change "core: allow offset-attached managed dataspaces" addressed a
corner case of the use of nested region maps. Apparently, this change
negatively affects other scenarios (tool_chain_auto).
In order to confidently cover all the differnt situations, this patch
reworks the page-fault resolution code for improved clarity and safety,
by introducing dedicated result types, reducing the use of basic types,
choosing expressive names, and fostering constness.
It also introduces a number of 'print' hooks that greatly ease manual
instrumentation and streamlines the error messages printed by core.
Those messages no longer appear when a user-level page-fault handler
is reistered for the faulted-at region map. So the monitor component
produces less noise on the attempt to dump non-existing memory.
Issue #4917Fixes#4920
The new monitor component at os/src/monitor is the designated successor
of the gdb_monitor. This initial version, however, implements only the
subset needed to inspect the memory of the monitored component(s).
In contrast to the gdb_monitor, the new component supports the monitoring
of multiple components, leveraging the sandbox API. It can therefore be
used as a drop-in replacement for the init component. Like the gdb_monitor,
the new monitor speaks the GDB protocol over Genode's terminal session.
But the protocol implementation does not re-use any gdbserver code,
sidestepping the complexities of POSIX.
There exist two run scripts illustrating the new component. The
os/run/monitor.run script exercises memory inspection via the 'm' command
by letting a test program monitor itself. The os/run/monitor_gdb.run
script allows for the interactive use of GDB to interact with monitored
components.
Issue #4917
Let the sandbox library disregard all unknown config sub nodes so that
supplemental information - like the monitor policy configuration - is
not interpreted as a misconfiguration ("unknown config element type ...").
Issue #4917
This patch moves the destruction of the child's PD session after the
closing of all other sessions because the PD session's role as resource
container might still be needed for orderly reverting the session quotas
when closing the other remaining sessions.
Issue #4917
By default, the sandbox uses the Env::pd() as reference PD session of
the sandbox children.
However, to accomodate use cases where the interplay of the reference
PD session and the child's address space needs to be intercepted, this
patch adds a constructor that takes an interface for the controlled
access of PD intrinsics as argument.
Issue #4917
This patch replaces the former 'address_space' accessor by a new
'with_address_space' interface that grants access to the region map of
the child's address space, but limits the interface lifetime to the
scope of the caller.
Issue #4917
This patch adds the missing application of the region offset to the
resolution of page faults inside managed dataspaces, which resulted in
an unexpected "invalid mapping" message after attaching a managed
dataspace with an offset.
This limitation could be observed during the implementation of the debug
monitor that locally maps a portion of the debugging target's address
space, e.g., a view port of 16 MiB. All traditional uses of managed
dataspaces (e.g., stack area, linker area) happened to attach the
managed dataspaces from their beginning.
Issue #4917
* add semaphore command to ring in order to be able to stop ring
execution before reset (Wa KabyLake)
* implement reset sequence as done by the Linux driver
* reset ring and cancel job of vgpu causing hang
* lower watchdog timeout 1000ms -> 200ms
* improve scheduling of vgpus so progress after reset is made
* improve the generation chaos a little
* tested on Skylake, Kaby Lake, Tiger Lake
issue #4916
* Use jitterentropy only if supported.
On certain targets like pbxa9 or zynq_qemu, the performance counter always
yields 0, which renders jitterentropy unusable. On these platforms, the
Tresor tests now use a static value as entropy source instead.
* Adds a new package test-file_vault_config_report_no_entropy that is used by
the Depot Autopilot on targets without jitterentropy support instead of
test-file_vault_config_report. The only difference between the two packages
is the value of the above described new config attribute of the File Vault.
* Circumvent alignment fault.
The Tresor lib for now has the deficiency of using on-disc data structures
directly in code instead of decoding them first to unpacked, naturally
aligned structures. This causes problems with memory-access alignment on
several platforms (rpi, imx6q_sabrelite, imx53_qsb, imx7d_sabre). As fixing
this properly is a bit of work, the commit disables the tresor_tester and
file_vault_config_report test on the affected platforms in autopilot mode for
now.
* Further adjustments
* Make benchmarks optional
* Use a smaller tresor for rekeying
* Clean up image parameters
* No use implicit routes/resources
* Reduce ram consumption
* Reduce test timeout
* Raise cap quota, required for sel4 x86_64.
Ref #4819
The debug mode turned out to be unnecessry because the plugin can be simply
replaced with an <inline> file VFS plugin that has a content size of 32 bytes.
Ref #4819
* relaxes the timing and reduces the test steps because pistachio is quite
slow and would otherwise trigger problems with our easy approach of using a
dynamic rom instead of a proper manager
* provide IO_PORT and IRQ session to timer driver
Ref #4819
With the update to sel4 and the gcc 12, assembly instructions are generated
and used, like POPCNT. The instruction is available on our native hardware,
but not emulated by the default cpu model necessarily, which leads to
undefined opcode exceptions (Qemu 4.2.1 && seL4). Additionally, the features
of the default Qemu cpu model may vary between Qemu releases and makes it
harder to correlate effects.
The attachment removal is triggered actually on _ds member destruction time,
but after the io_mem representation for the specific base-<platform> possibly
vanished already during _unmap_local in the ~Io_mem_dataspace. This creates
on base-sel4 several kernel warnings about invalid capabilities.
Issue #4913
Using $(shell find $(REP_DIR)/patches -name *.patch) fails if the
current working directory contains *.patch files due to shell wildcard
expansion before execution. Additionally, the patch list was unstable
because it was not sorted resulting in divergent hashes.
On platforms different than x86 the subsys initcall `pci_subsys_init`
is not available. Therefore, we choose an alternative one here.
Fixgenodelabs/genode#4907
In our binaries, the .note.GNU-stack section is missing, which is okay
as we do not interpret these sections anyway and map stack pages
non-executable per default.
Issue #4827
The main user of libsparkcrypto in the past was the CBE block encryption
ecosystem. However, the CBE was replaced with the Tresor block encryption that
uses libcrypto instead.
Ref #4819
This commit introduces preliminary support for joining networks secured
via WPA3-personal. So far it was only tested with the one OpenWRT AP
configured for WPA3 (see excerpt below) where it WPA3-only as well as
WPA2/WPA3 mixed worked fine.
Scan results excerpt:
00:11:22:33:44:55 5180 -45 [WPA2-SAE-CCMP][SAE-H2E][ESS][UTF-8] PewPew
00:11:22:33:44:55 2412 -67 [WPA2-PSK+SAE+PSK-SHA256-CCMP][SAE-H2E][ESS][UTF-8] PewPew2
Issue #4861.
It turns out solely relying on the name of the compilation-unit
is not enough. In at least one multi-device driver, e.g. rtlwifi,
an equally called compilation-unit is found in several different
directories. There KBUILD_MODNAME is used to name the driver,
which fails later on as the driver framework refuses to register
an equally named driver twice.
Instead of only considering the name of the compilation-unit also
include the last element of the path to generate differentiating
KBUILD_MODNAME value.
Issue #4861.
The supplicant is updated to the current release and is now downloaded
as archive rather than pulled from git. For the time being 'libnl' is
still kept at 3.2.25 as the current 3.7.0 release relies on more Linux
infrastructure that our integration does not provide.
Issue #4861.
This commit changes the firmware handling from requesting each
firmware file as a ROM module that is checked against a list of
known images (including their size) to requesting each file via
the local VFS of the 'wifi_drv'. This allows for using the original
probing mechanism that tries to select a matching firmware version.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to configure the driver.
Issue #4861.
This function is called when decrypting RX frames on the CPU on 32 bit
platforms. Since the frames are normally decrypted by the wireless LAN
device and this code path is triggered rather infrequently the byte-wise
implementation should not pose a performance risk.
So far it was only encounter with a 7260 device when running netperf.
Issue #4861.
The bulk of the driver code now lives in the 'dde_linux' repository,
which is available on all platforms, from where it can be referenced by
other repositories.
The 'wifi_drv' binary was delegated to a generic harness that includes
all configuration and management functionality shared by all wireless
device driver components, e.g., the wpa_supplicant. The code of the
device driver emulation environment is located in 'src/lib/wifi'. It
is referenced by the platform-specific driver library that resides in
the corresponding platform repository. The runtime configuration needs
to point the driver to proper driver library.
The platform-specific library is in charge of orchestrating the contrib
source utilized by the driver as well as providing the 'source.list'
and 'dep.list' files. It must include the generic library snippet
'repos/dde_linux/lib/wifi.inc' that deals with managing the emulation
environment code.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to deploy the driver.
Issue #4861.
* ARM support and detaching from Ada/SPARK
* Remove all CBE-related code - especially the Ada/SPARK-based CBE library.
* We have no means or motivation of further maintaining big projects in
Ada/SPARK (the core Genode team is native to C++).
* The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
important architecture for Genode. This would mean extra commitment in
Ada/SPARK.
* We realize that block encryption more and more becomes a fundamental
feature of Genode systems.
* Implement a new block encryption library named Tresor that is inspired by
the design and feature set of the former CBE library and that is entirely
C++ and part of the Genode gems repository.
* The Tresor block encryption is backwards-compatible with the on-disk
data layout of the former CBE block encryption.
* Except from the snapshot management and the "dump" tool, the Tresor
block encryption provides the same feature set as the former CBE block
encryption and accepts the same user requests at the level of the
Tresor library API.
* So far, the Tresor block encryption does not support the creation of
user-defined snapshots.
* In contrast to the former CBE, the Tresor ecosystem has
no "dump" tool beause with the CBE library it turned out to be rarely of
use.
* In contrast to the Block back-end of the CBE "init" tool, the Tresor
"init" tool uses a File System back-end.
* The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.
* The Tresor-VFS plugin in general is similar to the former CBE VFS but
has a slightly different API when it comes to re-keying and re-sizing.
Each of these operations now is controlled via two files. The first
file is named <operation> and the user writes the start command to it.
The user must then read this file once in order to drive the operation.
The read returns the result of the operation, once it is finished.
The second file is named <operation>_progress and can be watched and
read for obtaining the progress of the operation as percentage.
* The file vault is adapted to use the new Tresor ecosystem
instead of the former CBE ecosystem and thereby also gains ARM support.
* The former CBE tester and CBE VFS-tests are replaced by equivalent
Tresor variants and are now run on ARM as well (testing with a persistent
storage back-end is supported only when running on Linux).
* So far, the new Tresor block encryption has no internal cache for meta
data blocks like the former CBE.
* Add config/report user interface
* Add a second option for the administration front end to the file vault
named "config and report". With this front end the File Vault communicates
with the user via XML strings. A ROM session is requested for user input
and a Report session for user output. The front end type must be set at
startup via the component config and is a static setting. The graphical
front end that was used up to now is named "menu view" and remains the
default.
* The File Vault can now reflect its internal state and user input ("config
and report" mode only) at the LOG session via two new static config
attributes "verbose_state" and "verbose_ui_config" (both defaulting to
"no").
* The Shutdown button in "menu view" mode is replaced with a Lock button. The
new button doesn't terminate the File Vault but merely lock the encrypted
container and return to a cleared passphrase input. The same transition is
also provided in "config and report" mode.
* The file_vault.run script is replaced with file_vault_menu_view.run and
file_vault_cfg_report.run that address the two front end modes. In contrast
to the former script, which is interactive, the latter script is suitable
for automatic testing.
* There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
the same as file_vault_cfg_report.run but uses the File Vault package and
can be executed with the Depot Autopilot. The new test package is added to
the default test list of depot_autopilot.run
* The File Vault README is updated to the new version of the component and
has gained a chapter "functional description".
* Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault.
* The new Tresor software Trust Anchor has an optional deterministic mode in
which it replaces the normally randomized symmetric keys with 0. This mode
comes in handy for debugging. However, it should never be activated in
productive systems. When activated, the user is warned extensively on the
LOG that this system mode is insecure.
Ref #4819
Changes to the platform driver triggered a map() error while mapping an
address block at 0x3000 of size 0x800. Since the mapped size was larger, the
loop continued and tried mapping address 0x4000 where no dataspace was
found.
genodelabs/genode#4761
By transforming the Device_pd into an Io_mmu::Domain, we implement an
IOMMU device that uses the kernel API for controlling the IOMMU. This
device gets special treatment and is used by default for every device
that has no <io_mmu/> child.
genodelabs/genode#4761
Every session component manages a registry of Io_mmu::Domain objects
that it creates on demand depending on the acquired devices (i.e. the
IOMMU devices referenced by the acquired devices). Via the domain
objects, a session component adds/removes the address ranges of the
allocated DMA buffers. Additionally, domain objects provide an interface
for enabling/disabling pci devices.
Domain objects get destroyed with the corresponding control device.
Moreover, on devices/policy ROM updates, domain objects of control
devices that are not referenced by any acquired device anymore get destroyed.
genodelabs/genode#4761
This allows referencing an arbitrary number of IOMMU devices within a
<devices> node, e.g.:
<device>
<io_mmu name="foobar"/>
</device>
The specified name is supposed to refer to an existing device in the
devices ROM. The platform driver automatically acquires known IOMMU
devices whenever they become available so that the device object can be
looked up from the platform-driver-owned devices.
genodelabs/genode#4761
With this change, platform-specific code is able to define factories that
acquire IOMMU devices to be used by the platform driver.
genodelabs/genode#4761
The method did not handle device changes properly. When a new policy
does not contain an owned device any more, we must consider this device
as changed and release it. Moreover, the warning messages were interchanged.
genodelabs/genode#4761
"-cpu phenom" does not support all CPU instructions necessary with
gcc 12 toolchain update issuing more SSSE3, e.g. pshufb.
Additionally, remove good/bad Qemu version check of outdated versions.
Issue genodelabs/genode-world#329
In 'SUPR3InitEx' (SUPLib.cpp) a 'SUPQUERYFUNCS' structure is allocated
with
! (PSUPQUERYFUNCS)RTMemAllocZ(SUP_IOCTL_QUERY_FUNCS_SIZE(CookieReq.u.Out.cFunctions));
where 'CookieReq.u.Out.cFunctions' is 0. To determine the size of the
allocation
! #define SUP_IOCTL_QUERY_FUNCS_SIZE(cFuncs) \
! RT_UOFFSETOF_DYN(SUPQUERYFUNCS, u.Out.aFunctions[(cFuncs)])
is used with cFuncs = 0 (SUPDrvIOC.h) leading to an allocation up to the
arrow below
! typedef struct SUPQUERYFUNCS
! {
! /** The header. */
! SUPREQHDR Hdr;
! union
! {
! struct
! {
! /** Number of functions returned. */
! uint32_t cFunctions;
! /** Array of functions. */
==> end of allocation
! SUPFUNC aFunctions[1];
! } Out;
! } u;
==> sizeof(SUPQUERYFUNCS)
! } SUPQUERYFUNCS, *PSUPQUERYFUNCS;
In sup.cc (Genode) 'ioctl(SUPQUERYFUNCS &request)' will lead to
'with_out_ioctl'
! auto &out = request.u.Out;
where auto is 'SUPQUERYFUNCS' and finally
! out = { };
will zero out 'SUPQUERYFUNCS' up to the second arrow above. Because
'RTMemAllocZ' will call 'calloc' to allocate the memory 'out = { };'
will corrupt the slab block after the allocation. Therefore, it is
reasonable to allocate at least 'sizeof(SUPQUERYFUNCS)'.
Note there might be other 'ioctl' cases like this. A better way might be
to use 'SUPQUERYFUNCS.Hdr.cbOut' to determine the 'out' size.
fixes#4675
In case the meta data (or more) got zeroed upon 'free', print error
message. The offset in the meta data can never be zero. This does not
help on other memory corruptions, but at least gives a hint in the too
much zeroed out case.
issue #4675
GPU device access is hard to achieve in run scripts and even harder to
implement generic.
Use the "Modularize Sculpt OS image creation"
(commit b723b11b30)
approach instead.
issue #4900
The XHCI model reserves 0x4000 of IO memory but uses only 0x530.
Implement read (0) and write (nop) for these regions as real hardware
does.
fixes#4902
Triggered by the toolchain update to GCC 12 certain pragmas lead to
a build error as those are now unknown. As quick-fix add '-gnatwG',
which suppresses warnings on unrecognized pragmas.
Issue #4880.
When a GPU session is destroyed, remove vgpu of session from scheduling
and as possible active vgpu. Otherwise, page faults might occur in case
already destroyed vgpu object is referenced during interrupt handling.
fixes#4881
Apparently we need to save the floating point arguments when entering
the linker in case "-fno-tree-vectorize" is at work. Otherwise this
registers get corrupted during jump slot relocation.
Fixes#4879
Either enable strict-alignment or disable FPU code generation by gcc
regarding bootstrap code, which cannot handle alignment faults during
initialization properly.
Ref genodelabs/genode#4827
/data/genode/repos/os/src/server/lx_fs/directory.h: In member function ‘virtual Genode::size_t Lx_fs::Directory::read(char*, Genode::size_t, File_system::seek_off_t)’:
/data/genode/repos/os/src/server/lx_fs/directory.h:224:53: error: ‘dent’ may be used uninitialized [-Werror=maybe-uninitialized]
224 | .type = type(dent->d_type),
| ~~~~~~^~~~~~
/data/genode/repos/os/src/server/lx_fs/directory.h:197:40: note: ‘dent’ was declared here
197 | struct dirent *dent;
| ^~~~
Issue genodelabs/genode#4827
Eliminate the creation of 'Genode::String's before the linker has been
self relocated, because 'Genode::String's will call 'Genode::strlen' on
construction from C-Strings, which has now become a GOT relative call,
while the GOT contains only zeros before relocation -> page fault at
IP 0.
fixes#4867
related to #4827
error: 'void operator delete(void*, Genode::Deallocator&)' called on pointer returned from a mismatched allocation function [-Werror=mismatched-new-delete]
Issue #4827Fixes#4850
error: ‘void operator delete(void*, Genode::Deallocator&)’ called on pointer returned from a mismatched allocation function [-Werror=mismatched-new-delete]
Issue #4827Fixes#4848
An early version of nitpicker used a pointer as 'owner' with the null
pointer representing nitpicker's built-in views, which are nowadays
represented by 'Main::_global_view_ower'. The null-pointer check is a
left-over from the earlier days.
Fixes#4847
Since repos/base/board/pc/devices is empty, the run script no longer
works on PC. Nobody noticed because the use case of this run script -
as development test loop for the ps2 and fb_sdl - are better served by
other scenarios nowadays, e.g., using declaring 'build: ps2' for a
custom Sculpt OS build.
Removed in the context of issue #4860.
Bit 0:3 indicate which of the (up to) 16 supported LBA formats is
used for this namespace. Instead of only looking at those bits the
driver looked at the complete 0:7 bits. Those, however, also include
information on how metadata may be transferred. That leads to using
the wrong index for reading the LBA format.
Fixes#4832.
This patch solves keyboard-focus issues with the wifi dialog that were
caused by making the focus update conditional. However, since the update
is not expensive, we can unconditionally re-evaluate the focus atfer
each user interaction.
Issue #4820Fixes#4856
This patch solves the false-negative error message "failed to open file"
referring to an ioctl info file during an ioctl call. The message is
now avoided by checking for the existence of the file before reading it.
However, the observed symptom uncovered an actual bug that was
introduced in commit "libc vfs: open OSS 'info' file only once" with
the attempt to cache the content of ioctl info files. When called
multiple time for different paths, 'Vfs_plugin::_with_info' would
wrongly return the info from the first call as cached in a local
static variable.
The patch fixes the problem by a new added 'Cached_ioctl_info'
implementation in the scope of the 'Vfs_plugin'.
Issue #4372Fixes#4852
This patch includes the system dialog in the global keyboard focus
handling, supports hovering of the "Edit" and "Add" buttons,
allows the use of the enter key to finish URL editing, and
triggers a re-scan of depot users after adding a new one.
Issue #4820
Should the selected depot user not be present in the depot - for example
after switching the sculpt partition to another - unfold the selection
of all present depot users so that the one can pick an existing one.
Issue #4820
