Commit Graph

1030 Commits

Author SHA1 Message Date
Norman Feske
9e69c7301a sculpt: safeguard the offering of suspend/resume
The USB host controller gets restarted during the suspend-resume cycle.
Hence, don't offer suspend while any USB storage device is in use, in
particular when deploying Sculpt from a USB stick.

Suspend/resume is not supposed to work with any framebuffer driver other
than intel_fb. Therefore, offer the suspend feature only when using intel_fb.

Issue #5174
2024-04-19 08:54:22 +02:00
Norman Feske
c6aa50ec56 dialog: don't scroll beyond text bounds
Issue #5174
2024-04-19 08:54:21 +02:00
Norman Feske
4a6ab846e5 sculpt: restore heartbeat watchdog for intel_fb
The automatic restart of intel_fb got lost during the transition from
the driver manager. This commit restores the heartbeat monitoring of
this driver.

Issue #5174
2024-04-19 08:54:21 +02:00
Norman Feske
f34bf0d19e sculpt: power options (suspend, reset, power off)
This patch enhances the sculpt manager to drive the system state
and manage the lifecycle of driver components during suspend-
resume cycles.

The new Power options can be found in the System menu. The suspend
and power-off controls are presented only when the acpi-support
option is activated.

Note that the USB controller is hard restarted when resuming from
suspend. Hence, all components that depend on USB are restarted
implicitely.

Issue #5180
Issue #5174
2024-04-19 08:54:21 +02:00
Christian Helmuth
def630c3db sculpt_manager: remove obsolete "storage" node
Issue #5174
2024-04-19 08:54:21 +02:00
Norman Feske
7c7c4e80e1 sculpt: attach nic and wifi to hardware node
This makes the grouping of these two drivers consistent with the
other drivers.

Issue #5174
2024-04-19 08:54:21 +02:00
Josef Söntgen
344831ec06 curl: update to version 8.7.1
This commits updates the contrib sources to version 8.7.1.

This version requires more random entropy as it queries OpenSSL
about the current random state and will bail if it is not sufficient.
Doubling the content of the '<inline>' VFS plugin as used in static
configurations seems satisfactory.

Furthermore DNS resolving needs a configured '<pipe>' plugin to work
properly.

Fixes #5184.
2024-04-19 08:54:21 +02:00
Norman Feske
fe144a6c5f sculpt: increase text-edit quota
This is an intermediate solution for accommodating overly long
text lines that can appear in report/runtime/usb/devices in the
presence of long product strings.

Issue #5174
2024-04-19 08:54:21 +02:00
Norman Feske
4e78e91bc2 sculpt: sanitize keyboard-layout choice
The check handles the case when the user clicks right of the
radio-button text, yielding an invalid "matching" id. This should not
result in any action.

Issue #5174
2024-04-19 08:54:20 +02:00
Norman Feske
e1ab69491c sculpt: fix focus between inspect and file edit
Issue #5174
2024-04-19 08:54:20 +02:00
Josef Söntgen
75e1f1797d sculpt_manager: raise runtime_view RAM quota
Issue #5174.
2024-04-19 08:54:20 +02:00
Norman Feske
4c4adec5ad sculpt: reset routing dialog after add-component
Issue #5174
2024-04-19 08:52:41 +02:00
Norman Feske
29960db32c sculpt: provide empty usb default policy
This avoids service-denied errors of USB clients like VBox at
integration time when client-specific policy exists yet.

Issue #5174
2024-04-15 16:39:16 +02:00
Norman Feske
22a731b671 sculpt: make popup dialog scrollable
This patch complements "sculpt: make component graph scrollable" with
the ability to scroll the popup dialog, which is sometimes needed in the
presence of many services as routing options.

Fixes #5183
2024-04-12 17:44:19 +02:00
Norman Feske
7df19173af sculpt: make component graph scrollable
This patch allows the user to vertically scroll the component graph
either via the scroll wheel or via the page up/down keys.

Issue #5183
2024-04-12 17:10:55 +02:00
Norman Feske
a5dcb8494e sculpt: include grub.cfg in system update
Issue #5182
2024-04-12 16:26:32 +02:00
Christian Prochaska
7fca026b48 sculpt_manager: check devices ROM before fb driver start
Issue #5174
2024-04-12 15:08:01 +02:00
Josef Söntgen
d0aa8362db vfs/oss: support different sample rates
This commit introduces support for different samples rates. For now
the range is capped to 8kHz up to 48kHz.

Issue #5167.
2024-04-12 15:08:01 +02:00
Josef Söntgen
33735d0af8 Add plugin version to VFS OSS plugins
To differentiate between the legacy and the current VFS OSS plugin both
plugins will feature a 'plugin_version' field in its info file. This
is used for enabling features provide by the current version that are
not supported in the legacy one.

Issue #5167.
2024-04-12 15:08:01 +02:00
Norman Feske
edaff9fb96 sculpt: adjust leitzentrale priority
Since "sculpt: adjust nitpicker priority", the nitpicker GUI server no
longer runs at the highest priority, yet the runtime_view of the
leitzentrale UI continued to operate at the highest priority.
On slower machines, this results in a visible interference of the CPU-
heavy rendering of the runtime_view with the (now) lower-prioritized
nitpicker, in particular laggy pointer movements.

This commit subordinates the leitzentrale components below the priority
of nitpicker to prevent this interference.

It also simplifies the priority scheme at the static system init: The
timer has the highest priority whereas all other components use the
priority band -1.

Issue #5174
2024-04-12 15:08:01 +02:00
Norman Feske
a1e3f9a73e sculpt: allow RAM fs to grow up to 2 GiB
The hard resource limit introduced by "sculpt: upper limit for automatic
quota upgrading" is too conservative for typical use cases of the RAM
fs. This commit makes the limit adjustable per managed component and
relaxes the limit for the RAM fs and depot_rom from 256 MiB to 2 GiB.

Issue #5174
2024-04-12 15:08:01 +02:00
Alexander Boettcher
f59883427f sculpt_manager: provide platform_info for boot_fb
Issue #5174
2024-04-12 15:08:00 +02:00
Norman Feske
8875e3b879 dialog: allow out-of-view cursor when scrolling
This patch relaxes the counter-intuitive enforcement of keeping the
text cursor always in view when using the scroll wheel.

Issue #5174
2024-04-12 15:08:00 +02:00
Norman Feske
e04336d087 sculpt: driver-policy tweaks
Allow tweaking the driver selection using the manager config:

- The new attribute 'ps2="no"' suppresses the selection of the PS/2 driver.
- The new attribute 'intel_gpu="no"'suppresses the selection of the
  Intel GPU and fb drivers, letting Sculpt fall back to VESA or boot-fb.

Note that the dynamic change of those attributes is handled in principle
but not advisable. E.g., disabling the intel driver after startup leaves
the hardware in a state that the VESA driver cannot cope with. However,
when statically defining the attributes in sculpt/manager/default, it is
now possible to build an image that uses VESA on an intel machine.

Issue #5174
2024-04-12 15:08:00 +02:00
Norman Feske
3f66bf25aa sculpt: restore wifi and nic restart option
Issue #5174
2024-04-12 15:08:00 +02:00
Norman Feske
1f24eb2401 wm: avoid eager reuse of window IDs
The existing allocation scheme of window IDs has the unwelcome effect
that a re-appearing window would not always result in a visible change
of the window list. In such cases, the layouter and decorator would not
be prompted to do their job. This effect could be observered with the
multi-dialog version of menu view in Sculpt OS when manually enforcing
the restart of the runtime_view. Sometimes the panel would not re-appear
after the restart.

This patch changes the allocation of window ID such that new windows get
fresh IDs instead of reusing an ID of a recently disappeared window.

Issue #5170
2024-04-12 15:08:00 +02:00
Martin Stein
0404cc6907 file_vault/file_vault_client: recalibrate quota
Recalibrates RAM and CAP quota in app and test in order for the
file_vault_client test to succeed on qemu/x86_64/sel4 and qemu/pbxa9/foc.

Ref #5148
2024-04-12 15:08:00 +02:00
Norman Feske
ac2d708205 sculpt: use one menu_view for all dialogs
This patch replaces the former use of one menu-view component per dialog
by a single menu view presenting all dialogs. This change reduces the
runtime config by about 20%, improves the boot time, and lowers RAM and
CPU usage at runtime.

Issue #5170
2024-04-12 15:08:00 +02:00
Norman Feske
9ce7c72c7c dialog: use one menu_view for multiple dialogs
Issue #5170
2024-04-12 15:08:00 +02:00
Norman Feske
d6cb9cf854 menu_view: make font-style updates more robust
The font pointers cached in labels can become dangling when the style
database is updated, as happens when changing the font size dynamically.
This patch orderly updates the cached pointers before removing
out-of-date font entries from the style database.

Related to issue #5170
2024-04-12 15:08:00 +02:00
Norman Feske
550dea7279 menu_view: support multiple dialogs
This patch equips the menu-view component with the ability to present
more than one dialog at a time. The dialogs must be declared in the
<config> node as follows.

  <config>
    ...
    <dialog name="settings"/>
  </config

For each dialog, menu view requests a dedicated ROM session labeled after
the dialog name. The corresponding GUI session is also labeled as such.
Note that only one hover report is generated responding to all dialogs.
The hover report can be correlated with the hovered dialog by inspecting
the the 'name' attribute of the hover report's <dialog> sub node.

The former global config attributes 'xpos', 'ypos', 'width', 'height',
'opaque', and 'background' have become attributes of the <dialog> node.

Fixes #5170
2024-04-12 15:08:00 +02:00
Norman Feske
a3f04d2b4d sculpt: remove GPU routes to outside the runtime
GPU drivers always reside in the runtime subsystem now.
This patch eliminates the risk of requesting a GPU session at the
drivers subsystem, which never gets established.

Issue #5150
2024-04-12 15:08:00 +02:00
Josef Söntgen
5f88562263 gems: VFS OSS plugin for Record/Play session
The new VFS OSS plugin utilizes the Record and Play session. For the
time being it is a drop-in replacement for the old plugin and shares
its limitations.

In contrast to the old plugin it is possible to force a client to
use a configured fragment size. Some clients work best with larger
fragments, e.g. VBox, where raising the minimal fragment size is
beneficial.

Please look at the README file for more information.

Issue genodelabs/genode#5167.
2024-04-12 15:08:00 +02:00
Josef Söntgen
489d87c4b0 sculpt: add Play and Record session
Issue genodelabs/genode#5167.
2024-04-12 15:05:46 +02:00
Norman Feske
268a77add1 sculpt: redesigned popup dialog
The new popup dialog mirrors the concept of the software add and option
dialogs of the phone version.

Fixes #5168
2024-04-12 15:05:46 +02:00
Norman Feske
4a1a29b3d0 sculpt: make storage target configurable
This patch lays the selection of the used storage target into the hands
of the config/manager file. By default, Sculpt selects the target by its
built-in heuristics, probing for a Sculpt partition. However, by
specifying a <target> node, one can explicitly select a storage target.

E.g., for using the 2nd partition of the SATA disk connected to port 1
of the AHCI controller, one can now specify:

  <target driver="ahci" port="1" partition="2"/>

For selecting the ram_fs as target:

  <target driver="ram_fs"/>

The latter case is particularly useful for custom Sculpt scenarios
deployed entirely from RAM. For such scenarios, add two lines to
your .sculpt file:

  ram_fs:  depot
  manager: use_ram_fs

The first line configures the ram_fs such that the depot is mounted
as a tar archive. The second line configures the sculpt manager to
select the ram_fs as storage target. You can find this feature
exemplified in default-linux.sculpt scenario.

  build/x86_64$ make run/sculpt_test KERNEL=linux BOARD=linux

It is worth noting that the configuration can be changed at runtime.
This allows for switching between different storage targets on the fly.

Issue #5166
2024-04-12 15:05:46 +02:00
Norman Feske
b78b2c7ac9 sculpt_manager: use Rom_handler
This patch replaces the dynamic use of Attached_rom_dataspace by a
new Rom_handler utility, which implicitly covers the initial import of
content (safely using 'local_submit'), the registration of the signal
handler, passes the Xml_node to the handler function (no need to
manually call 'update'), and provides scoped access to the content via a
'with_xml' method. The latter reinforces a programming style that does
not need to copy Xml_node objects.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
f96cea8151 sculpt: remove notion of system 'block_devices'
This patch removes the remains of the original block-device discovery as
done by the former driver manager. Block sessions are now always
provided by components hosted in the runtime subsytem. The storage node
of the graph is no more.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
0cf12c6778 gems: use C++20 function template syntax 2024-04-12 15:02:45 +02:00
Norman Feske
4dc1014bfb gems: coding style (avoid superfluous '()' pairs) 2024-04-12 15:02:45 +02:00
Norman Feske
6cabc85ac8 sculpt: group driver management in 'Drivers' class
This patch harmonizes the driver management between the sculpt manager
and the phone manager by hosting the individual drivers in a new
'Drivers' class with a narrow interface towards 'Sculpt::Main'. The
patch also introduces a clean separation of the 'Board_info' between
features detected at runtime (on PC hardware), statically
known/managed features (phone hardware), and options that can be
toggled at runtime.

With common patterns for managing drivers in place now, this commit
also moves the former runtime/wifi_drv.cc and runtime/nic_drv.cc
code to driver/wifi.h and driver/nic.h. The _drv suffix of the wifi
and nic driver components have been dropped.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
d8acc3a9f4 sculpt: host MMC driver in runtime
Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
d13b8e1937 sculpt: host soc touch and fb drivers in runtime
This patch moves SoC-specific framebuffer and touchscreen drivers
(PinePhone) to the runtime subsystem. They are enabled for the
phone_manager.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
85e020b8e1 gems: remove driver_manager
The former pkg/drivers_managed-pc has been replaced by the
pkg/sculpt_drivers-pc, which is merely a collection of archives.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
99da68183f sculpt: abbreviate .part_block suffix to .part
This slightly reduces the horizontal space of the component graph.
2024-04-12 15:02:45 +02:00
Norman Feske
fe596f2219 sculpt: host NVMe driver in runtime
As the NVMe driver was the last remaining driver controlled by the
driver manager, this patch removes the 'drivers -> dynamic' subsystem
along with the driver manager from sculpt/drivers/pc.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
206bf856bb sculpt: host AHCI driver in runtime
This patch moves the AHCI driver from the 'drivers -> dynamic'
subsystem to the runtime, managed by the sculpt_manager. One
implication of this change is the new need to supplement a device
port number to the 'Storage_target', in addition to the existing
label and partition. Previously, each block device was addressed by
merely a label specified for a parent session. The meanings of the
'Storage_target' elements are now as follows.

- The label corresponds to the driver component providing the storage.
- The port is used as block-session label when opening the session
  at the driver.
- The partition(s) denote the partition information contained in
  the block session.

Components operating as clients of the AHCI driver (e.g., a file system)
refer to their storage target as <label>-<port>.<partition> when a port
is defined (for AHCI). For drivers w/o ports, like USB storage where
each USB-block driver correponds to only one device, the storage target
is denoted as <label>.<partition>. When no partition table is present,
the '.<partition>' part is omitted.

Issue #5150
2024-04-12 15:02:45 +02:00
Norman Feske
e3803fb861 sculpt: host PS/2 driver in runtime
Issue #5150
2024-04-12 15:02:44 +02:00
Norman Feske
556a7b8b17 sculpt: host PC USB driver in runtime
This commit moves the USB and USB HID driver from the drivers subsystem
into the runtime. The former special USB node of the graph corresponds
now to the USB host-controller driver (named "usb"). The management
options for USB storage devices are available inside this component
node now.

Issue #5150
2024-04-12 15:02:44 +02:00
Norman Feske
3580bb6e17 sculpt: move event_filter to static system
By moving the event_filter and the numlock_remap_rom from the drivers
subsystem to the static system, the filtering can be applied to drivers
hosted in the runtime and drivers hosted in the drivers subsystem.

This is a preparatory step for moving the USB host and HID drivers to
the runtime.

Issue #5150
2024-04-12 15:02:44 +02:00
Norman Feske
06c4b0248b sculpt: upper limit for automatic quota upgrading 2024-04-12 15:02:44 +02:00
Martin Stein
5907307af6 file_vault: re-enable support for 32-bit platforms
Ref #5148
2024-04-12 15:00:46 +02:00
Martin Stein
b903ddeea7 tresor: fix and test handling of minimal trees
* add testing of trees with minimal and maximal dimensions to tresor_tester.run
* replace tresor_init-local configuration type with simpler and more conformant
  configuration type in tresor/types.h that does also XML-parsing and
  XML-generation of configurations
* raise min degree to 2 because a degree of 1 is not practical und would
  require additional logic
* fix overflow with num_blocks=0 in Superblock_control::Read|Write_vbas
* fix off-by-one bug regarding the number of levels in Vbd_initializer
* improve sanity checks in Tree_configuration constructors
* document level indices in tresor_init/README
* fix size of some arrays in order to be able to handle the maximum number of
  tree levels

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
067a8a35cd tresor: fix faults on failed free-tree requests
* fixes two places, where the free tree module used to continue to process a
  request after actually having determined that the request fails
* moves the functionality of checking the hash of a read block and decoding it
  to a dedicated method in order to improve readability

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
81b17ba1e4 tresor_tester: check uninitialized vba data
Adds a new command attribute "uninitialized_data" to the Tresor Tester
configuration. If a <request op="read"> command has this attribute set to "yes"
it assumes the read blocks to be uninitialized and therefore contain only 0's.
Note, that a command that has "uninitialized_data" set to "yes" cannot have the
attribute "salt".

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
4a68f6bf75 tresor: discard snapshots only when writing the sb
Snapshots must only be removed when securing the superblock. Otherwise, the
last secured superblock might get corrupted. The Free Tree allocation algorithm
would not consider the deleted snapshots anymore although they are still active
in the secured superblock and re-use their blocks. This would render the tresor
container unusable if the superblock with the deleted snapshots is not secured
in the end (driver crash, power down, ...).

Ref #5077
2024-04-12 15:00:46 +02:00
Martin Stein
518c32e1af tresor: don't decode superblock before hash check
Superblock_control::Initialize used to decode a read superblock before checking
its hash. This is not necessary but may cause the operation to end up in a
decoding error on a superblock that is not the desired one anyway.

Ref #5077
2024-04-12 15:00:45 +02:00
Martin Stein
016a769605 tresor: check only the last secured superblock
Instead of iterating over all superblocks and checking each valid one,
check only the one whose hash matches the hash stored in the trust anchor.
I.e., the last one that was secured to the trust anchor. We must assume that
the other superblocks were corrupted in the meantime by operating the Tresor
container and, anyway, these Superblocks are not used anymore.

Ref #5077
2024-04-12 15:00:45 +02:00
Martin Stein
d2af024349 tresor: don't halt on extension beyond limits
The request of extending a tree used to halt when it found that
it could not add more levels to the tree because the maximum level index was
reached. Now, the library simply marks the request as failed, leaving it to
the user to handle the error condition.

Ref #5077
2024-04-12 15:00:45 +02:00
Martin Stein
b4c4681733 tresor: streamline design further
* differentiates request types that where merged formerly per module;
  e.g. instead of type Superblock_control::Request, there are now types
  * Superblock_control::Read_vbas
  * Superblock_control::Write_vbas
  * Superblock_control::Rekey
  * Superblock_control::Initialize
  * ...
  each holding only the state and functionality that is required for exactly
  that request

* removes all classes of the Tresor module framework and adapts all
  Tresor- and File-Vault- related libs, apps, and tests accordingly
  * the former "channel" state is merged into the new request types, meaning, a
    request manages no longer only the "call" to a functionality but
    also the execution of that functionality; every request has a lifetime
    equal to the "call" and an execute method to be driven forward
  * state that is used by a request but has a longer lifetime (e.g. VFS file
    handles in Tresor::Crypto) is managed by the top level
    of the user and handed over via the execute arguments; however, the
    synchronization of multiple requests on this state is done by the module
    (e.g. Tresor::Crypto)
  * requests are now driven explicitly as first argument of the (overloaded)
    execute method of their module; the module can, however, stall a request
    by returning false without doing anything (used for synchronization on
    resources)

* introduces Request_helper, Generated_request and Generatable_request in the
  Tresor namespace in order to avoid the redundancy of sub-request generation
  and execution

* moves access to Client-Data pointers up to Tresor::Virtual_block_device in
  order to simplify Tresor::Block_io and Tresor::Crypto

* removes Tresor::Client_data and introduces pure interface
  Client_data_interface in order to remove  Tresor::Client_data and
  move management of Client Data to the top level of a Tresor user

* introduces pure interface Crypto_files_interface in order to move management
  of Crypto files to the top level of a Tresor user

* moves management of Block-IO and Trust-Anchor files to the top level of a
  Tresor user

* adapts all execute methods, so, that they return the progress state
  instead of modifying a reference argument

* removes Tresor::Request_and Tresor:Request and instead implements
  scheduling at the top level of the Tresor user
  * the Tresor Tester uses a list as schedule that holds Command objects; this
    list ensures, that commands are started in the order of configuration
    the Command type is a merge of the state of all possible commands that can
    be configured at the Tresor Tester; the actual Tresor requests (if any) are
    then allocated on-demand only
  * the Tresor VFS plugin does not use a dynamic data structure for scheduling;
    the plugin has 5 members that each reflect a distinct type of operation:
    * initialize operation
    * deinitialize operation
    * data operation
    * extend operation
    * rekey operation
    consequently, of each type, there can be only one operation in-flight at a
    time; at the user front-end each operation (except "initialize") can be
    controlled through a dedicated VFS file; for each of these files, the VFS
    expects only one handle to be open at a time and only one file operation
    (read, write, sync) active at a time; once an operation gets started it is
    finished without preemtion (except of the interleaving at rekey and
    extend); when multiple operations are waiting to be started the plugin
    follows a static priority scheme:

      init op > deinit op > data op > extend op > rekey op

    there are some operation-specific details
    * the initialize operation is started only by the plugin itself on startup
      and will be driven as side effect by subsequent user calls to file
      operations
    * the data file is the only contiguous file in the front end and the file
      operations work as on usual data files
    * the other 3 files are transactional files and the user is expected to
      follow this scheme when operating on them
      1) stat (to determine file size)
      2) seek to offset 0
      3) read entire file once (this will be queued until there is no operation
         of this type pending anymore and return the last result:
         "none" | "failed" | "succeeded"; used primarily for synchronization)
      4) write operation parameters (this returns immediately and marks the
         operation as "requested")
      5) read entire file once (the same as above but this time in order to
         determine the operation result)
    * the rekey op and deinitialize op are requested by writing "true"
    * the extend op is requested by writing "tree=[TREE], blocks=[BLOCKS]"
      where TREE is either "vbd" or "ft" and BLOCKS is the number of physical
      4K blocks by which the physical range of the tresor container expands
      (the physical range always starts at block address 0 and is always
      expanded upwards)

* replaces the former <trust-anchor op="initialize"> command at the Tresor
  Tester with <initialize-trust-achor> as there are no other trust anchor
  operations that can be requested through the Tester config anyway

* removes the "sync" attribute from all commands at the Tresor Tester except
  from <request op="rekey">, <request "extend_ft">, <request op="extend_vbd">;
  as the Tester controls scheduling now, requests are generally synchronous;
  at the rekeying and extension commands, the "sync" attribute determines
  wether subsequent commands are interleaved with the execution of these
  commands (if possible)

* removes "debug" config attribute from Tresor VFS plugin and reworks "verbose"
  attribute to generate more sensible output

* removes NONCOPYABLE macro and instead uses Genode::Noncopyable and in-place
  Constructors deletion

* introduces types Attr and Execute_attr where a constructor or execute method
  have many arguments in order to raise readability

* renames the "hashsum" file that is provided by the Tresor Trust-Anchor VFS
  plugin to "hash" in order to become conformant with the wording in the Tresor
  lib

* makes the VFS Tresor test an automated test by merging in the functionality
  of vfs_tresor_init.run and removing the interactive front end; removes
  vfs_tresor_init.run as it is not needed anymore; adds consideration for
  autopilot file structure in the Test and adds it to autopilot.list

* removes all snapshot controls and the progress files for rekeying and
  extending from the Tresor VFS plugin; both functionalities were tested
  only rudimentary by the VFS Tresor test and are not supported with the only
  real user, the File Vault

* use /* .. */ instead of // ..
* use (..) instead of { .. } in init lists

Ref #5148
2024-04-12 15:00:45 +02:00
Martin Stein
ef0c3f9d2c tresor_tester.run: fix asynchronous rekeying test
The virtual block device module used to hand over the wrong VBA as
parameter "rekeying VBA" to the Free Tree when allocating PBAs for data
access during rekeying. In certain constellations, this caused the Free
Tree to alloc PBAs that were still in use. The Free Tree PBA selection
algorithm, however, is just fine. When fixing the call parameter, it works
as desired. This re-enables the async rekeying test.

Ref #5075
2024-04-12 15:00:45 +02:00
Martin Stein
fb2d153c92 tresor: check hash of all read vba data
During one of the many re-factorization steps that were applied to the Tresor
library and its predecessor, the CBE library, one of the main features of the
project, the integrity check, accidentally received a grave regression. The
most recent version of the Tresor still used to check all hashes of meta-data
blocks but ignored the hashes of the actual data blocks.

With this commit, the hashes of all but yet uninitialized data blocks get
checked. The reason for ignoring uninitialized blocks is that they are not
actually read from disc but simply generated as an all-zeros block in the
driver in order to prevent having to initialize them all to zero in
Tresor-Init. That said, the integrity of these blocks cannot be compomised.
The according hashes in the meta data remain unset until the data block gets
written for the first time.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
cf72499919 tresor: unused args at "R/W client data" at blk IO
The request classes Block_io::Read_client_data and Block_io::Write_client_data
used to receive a block reference for no reason. This commit removes these
args.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
bcd82b7e75 tresor: revive and test app/tresor_check
The tresor_check tool became outdated back when the Tresor project was created
by re-writing its predecessor, the CBE, in C++. At this time, the check tool
was merely renamed but not updated. As there was also no autopilot test for the
tool, the tool remained outdated.

This commit rewrites the tool for the most recent Tresor version and adds an
autopilot test.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
d8a71e5978 tresor: improved module framework and clean-up
* Make command pool a proper module
  * The command pool used to be kind of a module but it was driven via custom
    tresor-tester specific code. Now, it becomes a proper module that
    is driven by the module framework instead.
  * Move the code for creating and handling the module-execution progress flag
    into Module_composition::execute_modules as the function is always used with
    this code surrounding it.

* Reorganize files, remove deprecated files

* A new class Module_channel is introduced in the module framework and all
  channel classes inherit from it. With that class in place, the formerly
  module-specific implementations of the following methods are replaced by
  new generic implementations in the Module framework:

  * ready_to_submit_request
  * submit_request
  * _peek_completed_request
  * _drop_completed_request
  * _peek_generated_request
  * _drop_generated_request
  * generated_request_complete

* Module requests are now held for the duration of their lifetime at the
  module they originate from and not, like before, at their target module. As
  a result, modules can generate new requests inline (without having to wait
  for the target module), making code much simpler to read, reducing the amount
  of channel state, and allowing for non-copyable request types.

* Introduce a sub-state-machine for securing a superblock in the
  superblock_control module in order to reduce redundancy.

* Some modules, like free_tree, were completely re-designed in order to make
  them more readable.

* Replace all conditional exceptions by using the macros in
  tresor/assertion.h .

* Move methods that are used in multiple modules but that were implemented
  redundantly in each module to tresor/types.h.

* Remove verbosity node and all that was related to it from tresor tester
  config as the targeted verbosity can be achieved with the
  VERBOSE_MODULE_COMMUNICATION flag in tresor/verbosity.h .

* Extract the aspect of translating the byte-granular I/O-requests to
  tresor-block requests from the tresor VFS-plugin and move it to a new module
  called splitter.

* Rename the files and interface of the hashing back-end to not reflect the used
  hashing algorithm/config anymore, while at the same time making the hashing
  interface strict regarding the used types.

* Introduce the NONCOPYABLE macro that makes marking a class noncopyable short
  and clear.

* Replace the former tresor/vfs_utilities.h/.cc with a new tresor/file.h
  that contains the classes Read_write_file and Write_only_file. These classes
  significantly simplify the modules crypto, block_io, and trust_anchor by
  moving the details of file access to a sub-state machine.

* The former, rather trivial block allocator module is replaced by a normal
  object of type Pba_allocator that must be provided by the client of the
  Sb_initializer (reference in the Sb_initializer_request).

Ref #5062

tresor: read uninitialized vbas as all zeroes

Virtual addresses in a Tresor container that were not yet written by the user
should always return a data block that is all-zeroes. This was the concept
right from the beginning of the project. However, somehow this aspect either
never got implement or got lost along the way.

Some context for understanding the commit: The Tresor doesn't initialize the
payload data blocks of a container when creating a new container as this would
be rather expensive. Instead, it marks the leaf metadata nodes of the
virtual-block-device tree (those that reference the payload data blocks in
physical address space) with generation 0.

Now, this commit ensures that, whenever the virtual-block-device module reads
such a generation-0 leaf, instead of asking the block_io and crypto to deliver
data from disc, it directly provides the user with 4K of zeroes.

Ref #5062
2024-04-12 15:00:45 +02:00
Martin Stein
801a779a88 tresor: support and test snapshot management
* Implement requests "create snapshot" and "discard snapshot" in tresor lib.
* Adapt tresor tester in order to test the new feature.
  * Remove temporary code from tresor tester that skipped such requests with
    the hint that they were not supported yet.
  * Add mandatory "id" attribute to <request op="create_snapshot"/> and
    <request op="discard_snapshot"/> tag. A "discard snapshot" command always
    refers to the snapshot created by the "create snapshot" command with the
    same "id" value.
  * Clean-up command pool a bit.

Fix #4971
2024-04-12 15:00:45 +02:00
Martin Stein
417fb4e108 tresor: fix bad hash update during rekeying in vbd
The re-keying state machine in the VBD module would use block data of the wrong
block for the hash update of an inner node in a certain circumstance.

On re-keying, the VBD iterates for a given VBA over all snapshots, beginning
with the newest and re-keys the VBA in each of the snapshots. At each snapshot
it therefore loads the branch of the VBA top-down, and then updates the branch
bottom-up. However, if loading a certain level of the branch of a certain
snapshot runs into the same physical block as with the last snapshot on this
level, the algorithm turns around and updates the branch from this point
upwards instead of going further down the whole way to the leaf. This is
because everything below this point has already been re-keyed in the course of
a newer snapshot.

The case where this turning around is not right above the leaf (i.e., the first
shared physical block is a metadata block) that's were the bug was located. In
this situation, we have to re-encode the highest shared metadata block into a
buffer again before starting to update. The update code acts as if the
mentioned block was just written back (which is true when going down all the
way to the leaf before updating) and consequently is present in the encoded
buffer.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
f8332ce587 tresor: fix <initialize> config constraints
Until now, it was possible to use bad Free-Tree/VBD configurations with the
<initialize/> command. The tresor tester didn't complaining about it but the
tresor lib crashed or, worse, corrupted the tresor container. Now, the tresor
tester checks things, like for instance, that "nr_of_children" must be a power
of 2.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
b44ffc9361 tresor: snap garbage collection on each request
The Superblock Control module now issues a snapshot garbage collection on each
incoming request. In return for that, the commit removes all calls to the
garbage collection from other modules.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
3eb5302ab0 tresor: no local impl. of snap garbage collection
Move the implementation of the snapshots garbage collection to the Snapshots
class and remove module-local duplicates.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
9605a60eac tresor: no local copy of snapshots in vbd module
The Virtual Block Device module used to create a local copy of the Snapshots
array respectively Snapshot root it received with an incoming request. After
finishing the VBD operation on the copy, the source module of the request
used to back-copy the resulting Snapshot array resp. Snapshot root. This is
not only less efficient than referencing but also allowed a bug to sneak into
the new C++ implementation.

In contrast to the old Ada/SPARK implementation (CBE), the new design doesn't
allow for global objects that can be accessed by any module without receiving a
reference in a module request. Therefore, the Free Tree module has to receive a
reference to a Snapshots array with each request in order to be able to use it.
In our case, these requests are allocations for a "Write" operation from the
VBD. However, the VBD itself receives only the one Snapshot required for
writing and therefore causes the Free Tree to make bad decisions on whether or
not a block can be re-allocated or not.

With this commit, the VBD always receive a reference to the whole Snapshots
array and also propagates it this way to the Free Tree.

Ref #4971
2024-04-12 15:00:45 +02:00
Martin Stein
b49f052051 tresor: improve verbosity modes
* make array classes printable
* pba filter for block io verbosity
* streamline read/write/rekey verbosity

Ref #4971
2024-04-12 15:00:45 +02:00
Christian Helmuth
e0fe046ad3 Update tiled_wm test for tiled-console scenario
- always assign apps/overlay to targets (visible=true/false) to
  prevent 0x0 geometry, which is interpreted as close
- add QMenu as exampel to panel button
- use usb-tablet on Qemu
2024-04-12 15:00:44 +02:00
Christian Helmuth
c27d04e338 window_layouter: "visible" assign-node attribute
Per default, windows assigned to targets are visible, which can be
changed with the new boolean "visible" attribute. Thus, window can be
hidden without changing their geometry.
2024-04-12 15:00:44 +02:00
Norman Feske
b36a49dfc2 sculpt: host PC framebuffer drivers in runtime
Issue #5150
2024-04-12 12:57:30 +02:00
Norman Feske
27e0500452 sculpt_manager: Pci_info -> Board_info
This is a preparatory commit for issue #5150. Board_info is designated
for the selection of device drivers. It is not specific to PCI devices.
2024-04-12 12:57:30 +02:00
Stefan Kalkowski
7ec08af6d9 usb: session renewal & new client API
Replace the USB session API by one that provides a devices ROM only,
which contains information about all USB devices available for this client,
as well as methods to acquire and release a single device.

The acquisition of an USB device returns the capability to a device session
that includes a packet stream buffer to communicate control transfers
in between the client and the USB host controller driver. Moreover,
additional methods to acquire and release an USB interface can be used.

The acquisition of an USB interface returns the capability to an interface
session that includes a packet stream buffer to communicate either
bulk, interrupt, or isochronous transfers in between the client and the
USB host controller driver.

This commit implements the API changes in behalf of the Genode C API's
USB server and client side. Addtionally, it provides Usb::Device,
Usb::Interface, and Usb::Endpoint utilities that can be used by native
C++ clients to use the new API and hide the sophisticated packet stream API.

The adaptations necessary target the following areas:

* lx_emul layer for USB host and client side
* Linux USB host controller driver port for PC
* Linux USB client ports: usb_hid_drv and usb_net_drv, additionally
  reduce the Linux tasks used inside these drivers
* Native usb_block_drv
* black_hole component
* Port of libusb, including smartcard and usb_webcam driver depending on it
* Port of Qemu XHCI model library, including vbox5 & vbox6 depending on it
* Adapt all run-scripts and drivers_interactive recipes to work
  with the new policy rules of the USB host controller driver

Fix genodelabs/genode#5021
2024-04-12 12:57:30 +02:00
Christian Prochaska
6e437674f7 gems: add dbg_download
Fixes #5143
2024-04-12 12:57:28 +02:00
Josef Söntgen
449a72d8a2
trace_recorder: get session arguments from config
This commit adds support for setting the TRACE session parameters via
the configuration.

Fixes #5123.
2024-03-04 11:49:26 +01:00
Norman Feske
b370591e64 Mobile version of Sculpt OS
This patch contains the mobile variant of Sculpt OS, which evolved
at the genode-allwinner repository until now. In consists of the
following parts:

- gems/src/app/phone_manager  plays the role of the sculpt manager
- sculpt/phone-linux          allows for test driving the mobile
                              variant on base-linux
- gems/src/app/dummy_modem    mockup of a modem's behavior, used for
                              GUI development and testing

The parts targeting a specific device (PinePhone) remain local to
the genode-allwinner repository.

To give it a try:

  make run/sculpt_test KERNEL=linux BOARD=linux \
                       SCULPT=phone LOG=core DEPOT=tar

Fixes #5125
2024-02-28 16:31:46 +01:00
Christian Prochaska
cda48b4a49 sculpt: add base binary archive path to build_info ROM
Fixes #5118
2024-02-28 16:31:45 +01:00
Norman Feske
07669ac991 os: record-and-play session interfaces and mixer
- New session interfaces:
  - os/include/play_session   (for audio playing   / mic-input driver)
  - os/include/record_session (for audio recording / audio-output driver)
- Mixer at os/src/record_play_mixer providing both play and record services
- Simple waveform player at os/src/app/waveform_player
- Simple audio-signal capturing component at os/src/app/record_rom
- Simple oscilloscpe at gems/src/app/rom_osci (using record_rom)
- Simple test-audio_play for playing raw stereo f32 data

The _gems/run/waveform_player.run_ script illustrates the use of the new
components and interfaces.

Issue #5097
2024-02-28 16:31:45 +01:00
Christian Prochaska
080d3b6b63 vfs: support watch handlers on application signal level
Fixes #4092
2024-02-26 08:59:10 +01:00
Christian Prochaska
a1b5ebeb09 depot_query: add support for bin and dbg archives
Fixes #5110
2024-02-26 08:59:09 +01:00
Johannes Schlatow
d23e1a87dd vfs_import: truncate files before writing
genodelabs/genode#5107
2024-02-26 08:59:08 +01:00
Norman Feske
7c76ec897c sculpt: add "http" and "telnet" nic_router domains
These domains allow for the hosting of plain http and telnet servers
reachable from the outside. The change is designated for the goa
testbed.

Issue #5092
2024-02-26 08:31:03 +01:00
Norman Feske
f57da7e645 trace: remove parent_levels session argument
The argument was originally designated to restrict the reach of the
trace monitor but the idea remained unimplemented. It is now superseded
by the use of the trace-session label as trace-subject filter.

Issue #847
2023-12-13 12:28:52 +01:00
Norman Feske
12b89852e0 sculpt: add "runtime" and "global" TRACE options
Issue #847
2023-12-13 12:28:52 +01:00
Martin Stein
49dd55313a sculpt_manager: select correct launcher in + menu
The sculpt manager views only launchers in the + menu that are not present in
the runtime already. However, this check was missing when finding the right
launcher on a click event inside that menu. This could cause the manager to
try deploying an already deployed launcher a again (without any effect)
instead of deploying the launcher that was actually clicked.

Ref #5064
2023-11-28 14:46:28 +01:00
Alexander Boettcher
ff740e300a wm: free window id on destroy_view
Issue #5048
2023-11-28 14:44:29 +01:00
Norman Feske
cb10fe1d77 decorator: add missing initial call _handle_mode
This call is needed whenever the mode has settled before the decorator
has started up.
2023-11-28 14:44:29 +01:00
Norman Feske
769a6ce987 touch_keyboard: use dialog API
Fixes #5059
2023-11-28 14:44:28 +01:00
Norman Feske
4a5632ab6d dialog: support view attribs in sandboxed_runtime
This patch mirrors the interface of Sculpt's distant_runtime to the
sandboxed_runtime variant, allowing the configuration of xpos, ypos,
min_width, min_height, opaque, and background color.

Issue #5008
2023-11-28 14:44:28 +01:00
Norman Feske
0f54ad8e26 dialog: add text-area widget
This patch moves the text-editing facility of app/text_area to a
text-area widget as part of the dialog library. This has two benefits.
First, it simplifies app/text_area by using the dialog API. Second, the
editor can now easily be reused by other dialog-API-based applications.

Fixes #5058
2023-11-28 14:44:28 +01:00
Norman Feske
e326371762 gems: make gems/dynamic_array.h publicly available
The 'Dynamic_array' utility is used by the text_area as internal
representation of text. As a prerequisite step of making the text
editing features generally available as a text-area widget, the
utility must become public.

Issue #5008
2023-11-28 14:24:26 +01:00
Norman Feske
9fae8a7532 dialog: support Sandboxed_runtime::Event_handler
This allows applications to get hold of the raw input events,
in particular keyboard input.

Issue #5008
2023-11-28 14:24:26 +01:00
Norman Feske
0a71c8f3e1 sculpt_manager: use dialog API
Issue #5053
2023-11-28 14:24:26 +01:00
Norman Feske
1aba8182a4 dialog: pass value to Select_button::click
This eliminates the need to distinguish enum values in the body of the
handler, easing the forwarding of the selected value.

Issue #5008
Issue #5053
2023-11-28 14:24:26 +01:00
Norman Feske
0f686a774d list_model.h: retire 'update_list_model_from_xml'
This transition vehicle to the modern interface has now been replaced by
the new 'List_model::update_from_xml' method.

Issue #4317
2023-11-28 14:24:24 +01:00
Norman Feske
6e0d44397f depot_autopilot: use modern list-model interface
Issue #4317
2023-11-28 14:24:24 +01:00