The virtual block device module used to hand over the wrong VBA as
parameter "rekeying VBA" to the Free Tree when allocating PBAs for data
access during rekeying. In certain constellations, this caused the Free
Tree to alloc PBAs that were still in use. The Free Tree PBA selection
algorithm, however, is just fine. When fixing the call parameter, it works
as desired. This re-enables the async rekeying test.
Ref #5075
The script tests the use of an encrypted file system that is created and
provided via the File Vault.
Furthermore the script can be used for test-driving existing File-Vault
containers (created with potentially older File-Vault versions) under the
current File-Vault version. This is done via the "LX_FS_DIR_TEMPLATE"
env variable.
Ref #5062
The tresor_check tool became outdated back when the Tresor project was created
by re-writing its predecessor, the CBE, in C++. At this time, the check tool
was merely renamed but not updated. As there was also no autopilot test for the
tool, the tool remained outdated.
This commit rewrites the tool for the most recent Tresor version and adds an
autopilot test.
Ref #5062
* Make command pool a proper module
* The command pool used to be kind of a module but it was driven via custom
tresor-tester specific code. Now, it becomes a proper module that
is driven by the module framework instead.
* Move the code for creating and handling the module-execution progress flag
into Module_composition::execute_modules as the function is always used with
this code surrounding it.
* Reorganize files, remove deprecated files
* A new class Module_channel is introduced in the module framework and all
channel classes inherit from it. With that class in place, the formerly
module-specific implementations of the following methods are replaced by
new generic implementations in the Module framework:
  * ready_to_submit_request
  * submit_request
  * _peek_completed_request
  * _drop_completed_request
  * _peek_generated_request
  * _drop_generated_request
  * generated_request_complete
* Module requests are now held for the duration of their lifetime at the
module they originate from and not, like before, at their target module. As
a result, modules can generate new requests inline (without having to wait
for the target module), making code much simpler to read, reducing the amount
of channel state, and allowing for non-copyable request types.
* Introduce a sub-state-machine for securing a superblock in the
superblock_control module in order to reduce redundancy.
* Some modules, like free_tree, were completely re-designed in order to make
them more readable.
* Replace all conditional exceptions by using the macros in
tresor/assertion.h .
* Move methods that are used in multiple modules but that were implemented
redundantly in each module to tresor/types.h.
* Remove verbosity node and all that was related to it from tresor tester
config as the targeted verbosity can be achieved with the
VERBOSE_MODULE_COMMUNICATION flag in tresor/verbosity.h .
* Extract the aspect of translating the byte-granular I/O-requests to
tresor-block requests from the tresor VFS-plugin and move it to a new module
called splitter.
* Rename the files and interface of the hashing back-end to not reflect the used
hashing algorithm/config anymore, while at the same time making the hashing
interface strict regarding the used types.
* Introduce the NONCOPYABLE macro that makes marking a class noncopyable short
and clear.
* Replace the former tresor/vfs_utilities.h/.cc with a new tresor/file.h
that contains the classes Read_write_file and Write_only_file. These classes
significantly simplify the modules crypto, block_io, and trust_anchor by
moving the details of file access to a sub-state machine.
* The former, rather trivial block allocator module is replaced by a normal
object of type Pba_allocator that must be provided by the client of the
Sb_initializer (reference in the Sb_initializer_request).
Ref #5062
tresor: read uninitialized vbas as all zeroes
Virtual addresses in a Tresor container that were not yet written by the user
should always return a data block that is all-zeroes. This was the concept
right from the beginning of the project. However, somehow this aspect either
never got implemented or got lost along the way.
Some context for understanding the commit: The Tresor doesn't initialize the
payload data blocks of a container when creating a new container as this would
be rather expensive. Instead, it marks the leaf metadata nodes of the
virtual-block-device tree (those that reference the payload data blocks in
physical address space) with generation 0.
Now, this commit ensures that, whenever the virtual-block-device module reads
such a generation-0 leaf, instead of asking the block_io and crypto to deliver
data from disc, it directly provides the user with 4K of zeroes.
Ref #5062
The order of execution inside the Tresor lib slightly changed compared to the
previous CBE lib. AFAICT, this is nothing to worry about and related to the
now cleaner structuring. However, it can produce higher peak requirements
regarding the allocation pool in the Free Tree. Therefore, this commit extends
the dimensions of the Free Tree used in the test.
Ref #4971
* Implement requests "create snapshot" and "discard snapshot" in tresor lib.
* Adapt tresor tester in order to test the new feature.
* Remove temporary code from tresor tester that skipped such requests with
the hint that they were not supported yet.
* Add mandatory "id" attribute to <request op="create_snapshot"/> and
<request op="discard_snapshot"/> tag. A "discard snapshot" command always
refers to the snapshot created by the "create snapshot" command with the
same "id" value.
* Clean-up command pool a bit.
Fix #4971
- always assign apps/overlay to targets (visible=true/false) to
prevent 0x0 geometry, which is interpreted as close
- add QMenu as example to panel button
- use usb-tablet on Qemu
When wrongly invoking the run script by specifying a skipped test
as its only TEST_PKGS argument, the run script fails due to a wrong
tar argument order. Let's better reflect this condition to the user
ahead of invoking tar.
This patch modifies the mixer's time window allocation by modelling the
drift of the period length over time. This yields a much better
stability of the detected sample rates in the presence of jitter.
Issue #5132
This data structure uses an AVL tree to maintain a time-sorted set of
alarm objects. It supports the use of circular clocks of an bit width.
Issue #5138
- New session interfaces:
- os/include/play_session (for audio playing / mic-input driver)
- os/include/record_session (for audio recording / audio-output driver)
- Mixer at os/src/record_play_mixer providing both play and record services
- Simple waveform player at os/src/app/waveform_player
- Simple audio-signal capturing component at os/src/app/record_rom
- Simple oscilloscope at gems/src/app/rom_osci (using record_rom)
- Simple test-audio_play for playing raw stereo f32 data
The _gems/run/waveform_player.run_ script illustrates the use of the new
components and interfaces.
Issue #5097
This change allows for the hosting of system-management components
in Sculpt's runtime. The special role must be declared either as
<launcher managing_system="yes"> attribute or in the deploy
configuration's <start managing_system="yes"> attribute.
Issue #5009
The new API at gems/include/dialog/ aids the creation of simple GUI
applications based on the menu-view widget renderer. Its use is
illustrated by the simple test application at src/test/dialog/
that is accompanied with the dialog.run script.
Issue #5008
This commit introduces changes to test number 4, so it must keep
more than one PKG. Also, it introduces a 5th test to verify that the
<remove_all/> functionality does delete everything in the depot.
Issue genodelabs#4866
This commit introduces improvements to the test functions to avoid
code duplication, and renames these functions to reflect better what they
are used for.
Issue genodelabs#4866
Several nightly network-related tests fail currently on sel4/pc because the
new e1000 NIC driver requires more capabilities. The "drivers nic" package
was already adapted to the new requirement but some tests fail to provide
enough caps to the corresponding sub system. This commit tries to fix all
remaining tests.
Ref #4923
This patch enhances Sculpt with the ability to detect user inactivity
for driving a screensaver by combining nitpicker's hover and focus
reports with a timer.
Issue #4950
* Removes all previous structs that represented an on-disc block layout
and were therefore subject to a number of layout restrictions (packed,
padding members, enum representations, etc.).
* Adds a replacement struct without any layout restrictions for each of the
removed structs. The new structs are named similar to the old structs.
* Adds block encoding and decoding utilities for easily converting from the
new structs to on-disc blocks and vice-versa (Block_scanner, Block_generator,
T::decode_to_blk, T::encode_from_blk)
* Adapts all affected places in the library to encode and decode properly
instead of simply casting pointers.
* Thereby cleans up the hashing utilities to use typed-reference args instead
of void pointers.
* Re-enables run/tresor_tester and test-file_vault_config_report for platforms
rpi, imx53_qsb, imx53_qsb_tz, imx6q_sabrelite, imx7d_sabre.
Ref #4819
The depot_remove component can delete PKG archives with
automatically resolving dependencies and deleting archives that are not
required on the system anymore.
Issue genodelabs#4866
* Use jitterentropy only if supported.
On certain targets like pbxa9 or zynq_qemu, the performance counter always
yields 0, which renders jitterentropy unusable. On these platforms, the
Tresor tests now use a static value as entropy source instead.
* Adds a new package test-file_vault_config_report_no_entropy that is used by
the Depot Autopilot on targets without jitterentropy support instead of
test-file_vault_config_report. The only difference between the two packages
is the value of the above described new config attribute of the File Vault.
* Circumvent alignment fault.
The Tresor lib for now has the deficiency of using on-disc data structures
directly in code instead of decoding them first to unpacked, naturally
aligned structures. This causes problems with memory-access alignment on
several platforms (rpi, imx6q_sabrelite, imx53_qsb, imx7d_sabre). As fixing
this properly is a bit of work, the commit disables the tresor_tester and
file_vault_config_report test on the affected platforms in autopilot mode for
now.
* Further adjustments
* Make benchmarks optional
* Use a smaller tresor for rekeying
* Clean up image parameters
* No use of implicit routes/resources
* Reduce ram consumption
* Reduce test timeout
* Raise cap quota, required for sel4 x86_64.
Ref #4819
* relaxes the timing and reduces the test steps because pistachio is quite
slow and would otherwise trigger problems with our easy approach of using a
dynamic rom instead of a proper manager
* provide IO_PORT and IRQ session to timer driver
Ref #4819
This commit changes the firmware handling from requesting each
firmware file as a ROM module that is checked against a list of
known images (including their size) to requesting each file via
the local VFS of the 'wifi_drv'. This allows for using the original
probing mechanism that tries to select a matching firmware version.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to configure the driver.
Issue #4861.
The bulk of the driver code now lives in the 'dde_linux' repository,
which is available on all platforms, from where it can be referenced by
other repositories.
The 'wifi_drv' binary was delegated to a generic harness that includes
all configuration and management functionality shared by all wireless
device driver components, e.g., the wpa_supplicant. The code of the
device driver emulation environment is located in 'src/lib/wifi'. It
is referenced by the platform-specific driver library that resides in
the corresponding platform repository. The runtime configuration needs
to point the driver to the proper driver library.
The platform-specific library is in charge of orchestrating the contrib
source utilized by the driver as well as providing the 'source.list'
and 'dep.list' files. It must include the generic library snippet
'repos/dde_linux/lib/wifi.inc' that deals with managing the emulation
environment code.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to deploy the driver.
Issue #4861.
* ARM support and detaching from Ada/SPARK
* Remove all CBE-related code - especially the Ada/SPARK-based CBE library.
* We have no means or motivation of further maintaining big projects in
Ada/SPARK (the core Genode team is native to C++).
* The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
important architecture for Genode. This would mean extra commitment in
Ada/SPARK.
* We realize that block encryption more and more becomes a fundamental
feature of Genode systems.
* Implement a new block encryption library named Tresor that is inspired by
the design and feature set of the former CBE library and that is entirely
C++ and part of the Genode gems repository.
* The Tresor block encryption is backwards-compatible with the on-disk
data layout of the former CBE block encryption.
* Except for the snapshot management and the "dump" tool, the Tresor
block encryption provides the same feature set as the former CBE block
encryption and accepts the same user requests at the level of the
Tresor library API.
* So far, the Tresor block encryption does not support the creation of
user-defined snapshots.
* In contrast to the former CBE, the Tresor ecosystem has
no "dump" tool because with the CBE library it turned out to be rarely of
use.
* In contrast to the Block back-end of the CBE "init" tool, the Tresor
"init" tool uses a File System back-end.
* The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.
* The Tresor-VFS plugin in general is similar to the former CBE VFS but
has a slightly different API when it comes to re-keying and re-sizing.
Each of these operations now is controlled via two files. The first
file is named <operation> and the user writes the start command to it.
The user must then read this file once in order to drive the operation.
The read returns the result of the operation, once it is finished.
The second file is named <operation>_progress and can be watched and
read for obtaining the progress of the operation as percentage.
* The file vault is adapted to use the new Tresor ecosystem
instead of the former CBE ecosystem and thereby also gains ARM support.
* The former CBE tester and CBE VFS-tests are replaced by equivalent
Tresor variants and are now run on ARM as well (testing with a persistent
storage back-end is supported only when running on Linux).
* So far, the new Tresor block encryption has no internal cache for meta
data blocks like the former CBE.
* Add config/report user interface
* Add a second option for the administration front end to the file vault
named "config and report". With this front end the File Vault communicates
with the user via XML strings. A ROM session is requested for user input
and a Report session for user output. The front end type must be set at
startup via the component config and is a static setting. The graphical
front end that was used up to now is named "menu view" and remains the
default.
* The File Vault can now reflect its internal state and user input ("config
and report" mode only) at the LOG session via two new static config
attributes "verbose_state" and "verbose_ui_config" (both defaulting to
"no").
* The Shutdown button in "menu view" mode is replaced with a Lock button. The
new button doesn't terminate the File Vault but merely locks the encrypted
container and returns to a cleared passphrase input. The same transition is
also provided in "config and report" mode.
* The file_vault.run script is replaced with file_vault_menu_view.run and
file_vault_cfg_report.run that address the two front end modes. In contrast
to the former script, which is interactive, the latter script is suitable
for automatic testing.
* There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
the same as file_vault_cfg_report.run but uses the File Vault package and
can be executed with the Depot Autopilot. The new test package is added to
the default test list of depot_autopilot.run
* The File Vault README is updated to the new version of the component and
has gained a chapter "functional description".
* Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault.
* The new Tresor software Trust Anchor has an optional deterministic mode in
which it replaces the normally randomized symmetric keys with 0. This mode
comes in handy for debugging. However, it should never be activated in
productive systems. When activated, the user is warned extensively on the
LOG that this system mode is insecure.
Ref #4819
This patch replaces the former 'nic_drv' and 'nic_drv_dtb' functions
by a more general 'nic_driver_routes' function that can return one or
multiple platform-specific ROM routes for NIC-driver binaries and dtb
files. This allows for supplying customizations for the wifi driver
as well. E.g., on the PinePhone, this hook can be used to handle the
renaming of the 'wifi_drv' to 'a64_wifi_drv'.
Related to issue #4813 and issue genodelabs/genode-allwinner#17.
The screenshot trigger displays a little red dot at the upper-left
corner of the screen. When touched or clicked-on, it generates an
artificial key-press-release sequence for the print key and disappears
for one second. In this time, a separate screenshot component can handle
the print key by capturing the screen without the red dot appearing in
the saved picture.
With the new 'presets:' tag, .sculpt files can now refer to deploy
configurations to be integrated in the presets/ subdirectory of the
config file system. Those files can thereby be used as preconfigured
system scenarios. Such a preconfigured scenario can be loaded at
runtime by copying the preset file to config/deploy.
Issue #4731
Until now, the /config/system ROM was not handled by the sculpt manager
but solely managed by the user. Its main purpose was the ability to
reset or power-down the machine by manually modifying the 'state'
attribute. However, down the road, we'd like to enable the sculpt
manager to drive this state, e.g., to implement the multi-staged
loading of drivers, or to drive suspend-resume states.
To support such scenarios, the 'system' state has been moved from
/config/system to /config/managed/system.
This patch splits the former DEPOT=omit option into two variants.
The new 'list' option behaves like the former 'omit' option, skipping
the creation of the tar archive from the depot content referenced by the
deploy configuration but showing a list of depot archives that need to
be published for the deployment.
When specifying 'omit' in the new version, the local depot is not queried
for the packages referenced in the deploy configuration. So the
deployment can refer to packages hosted only remotely.
Fixes #4605
This patch allows the sculpt manager hosted in the leitzentrale
subsystem to observe the toggling between the runtime and the
administrative GUI. This enables alternatives to the use of the
gui_fader for switching between both views. In particular, the
upcoming phone_manager toggles the visibility of its own GUI
depending on the leitzentrale state.
In a Sculpt system based on the upcoming phone_manager, the event filter
obtains its static configuration from /config/managed/event_filter.
Without the requirement for changes at runtime, there is no need to
have the phone_manager in the loop after all.
Without this patch however, this file was always initialized with the
template gems/sculpt/event_filter/default, which was presumably used
only at boot time until the sculpt manager has produced the first
generated event-filter configuration.
This patch applies the choice of optional configs - i.e., a custom
event_filter config - to both the config/ and the initial content of
config/managed/. So in cases where the /config/managed/event_filter
remains entirely static, the latter properly reflects the chosen
variant.
This patch allows the leitzentrale subsystem to control an audio driver
hosted in the drivers subsystem. An example use case is the toggling of
the speaker during phone calls.
Instead of having a generic "virt_qemu" board use "virt_qemu_<arch>" in
order to have a clean distinction between boards. Current supported
boards are "virt_qemu_arm_v7a", "virt_qemu_arm_v8a", and
"virt_qemu_riscv".
issue #4034
To not integrate referenced depot packages when building a sculpt image,
just set the environment variable DEPOT= to be empty. This allows producing
slim images at the price that you have to publish the packages yourself.
In that case the sculpt run-script reminds you, and prints the package
versions.
Fix genodelabs/genode#4530
By assigning CPU budgets, base-hw's priorities come into effect.
Even though the chosen values are rather guessed than informed, they
yield a visibly improved responsiveness on the Pinephone.
* Creates sessions to all supported services of the black hole component
* Test-drives the Event and Capture session with dummy input
* Adds the test to the default list of depot_autopilot.run
* Test-driving the Audio_in and Audio_out sessions is still missing and should
be added via a dedicated commit
Ref #4419
The functionality of the test-block-client, test-block-server, and
test-block-bench components is now covered by the block_tester
application and the vfs_block server.
Issue #4405
This patch equips Sculpt with the ability to customize the system image
in very flexible ways.
All customizable aspects of the image have been relocated from the
former sculpt.run script and the accompanied gems/run/sculpt/ directory
to a new location - the sculpt/ directory - which can exist in any
repository. The directory at repos/gems/sculpt/ serves as reference.
The sculpt directory can host any number of <name>-<board>.sculpt files,
each containing a list of ingredients to be incorporated into the
Sculpt system image. The <name> can be specified to the sculpt.run
script. E.g., the following command refers to the 'default-pc.sculpt'
file:
  make run/sculpt KERNEL=nova BOARD=pc SCULPT=default
If no 'SCULPT' argument is supplied, the value 'default' is used.
A .sculpt file refers to a selection of files found at various
subdirectories named after their respective purpose. In particular, there
exists a subdirectory for each file in Sculpt's config fs, like
nitpicker, drivers... The .sculpt file selects the alternative to use
by a simple tag-value notation.
  drivers: pc
The supported tags are as follows.
*Optional* selection of /config files. If not specified, those files are
omitted, which prompts Sculpt to manage those configurations
automatically or via the Leitzentrale GUI:
  fonts
  nic_router
  event_filter
  wifi
  runtime
  gpu_drv
Selection of mandatory /config files. If not specified, the respective
'default' alternative will be used.
  nitpicker
  deploy
  fb_drv
  clipboard
  drivers
  numlock_remap
  leitzentrale
  usb
  system
  ram_fs
Furthermore, the .sculpt file supports the optional selection of
supplemental content such as a set of launchers.
  launches: nano3d system_shell
Another type of content are the set of blessed pubkey/download files
used for installing and verifying software on target.
With the new version, it has become possible to supply a depot with the
system image. The depot content is assembled according to the 'pkg'
attributes found in launcher files and the selected deploy config.
The resulting depot is incorporated into the system image as 'depot.tar'
archive. It can be supplied to the Sculpt system by mounting it into the
ram fs as done by the 'ram_fs/depot' configuration for the ram fs.
It is possible to add additional boot modules to the system image. There
are two options.
  build: <list of targets>
This tag prompts the sculpt.run script to build the specified targets
directly using the Genode build system and add the created artifacts
into the system image as boot modules.
  import: <list of depot src or pkg archives>
This tag instructs Sculpt to supply the specified depot-archive content
as boot modules to the system image. This change eliminates the need for
board-specific pkg/sculpt-<board> archives. The board-specific
specializations can now be placed directly into the respective .sculpt
files by using 'import:'.
To make the use of Sculpt as testbed during development more convenient,
the log output of the drivers, leitzentrale, and runtime subsystems
can be redirected to core using the optional 'LOG=core' argument, e.g.,
  make run/sculpt KERNEL=linux BOARD=linux LOG=core
The former pkg/sculpt-installation and pkg/sculpt-installation-pc
archives have been replaced by pkg/sculpt_distribution-pc, which
references the generic pkg/sculpt_distribution archive. Those pkgs are
solely used for publishing / distribution purposes.
Fixes #4369
- Consider 'sdl' as source of input events in the event-filter
configuration as generated by the sculpt manager
- Supply an artificial 'platform_info' ROM as requested by the
sculpt manager to obtain the affinity-space information
- Substitute 'fs_rom' for 'cached_fs_rom' as a workaround for the
lack of support for managed dataspaces on Linux
Fixes #4362
This change keeps the version-controlled 'pubkey' and 'download' files
separate from files generated via depot/create or downloaded via
depot/download. So one can remove the entire depot/ directory without
interfering with git.
Furthermore, depot keys can now be hosted in supplemental repositories
independent from Genode's main repository.
Fixes #4364
First, the former implementation has only considered the pure numerical
variant of the -m argument. Yet, qemu also allows specifying the amount
of memory by `-m 1G`, `-m size=1G` and more.
Second, the default amount of memory for BOARD=pc was 512M (800M in case of okl4).
Since the depot_autopilot.run also required at least 768M on all
platforms it seems reasonable to take 800M as a default value for BOARD=pc and
thereby remove the special treatment of okl4.
genodelabs/genode#4311