Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation. For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.
This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
g++ 4.4.5 outputs the following warnings in our code using the loader
session:
.../base/include/base/capability.h: In member function 'typename Genode::Trait::Call_return<typename IF::Ret_type>::Type Genode::Capability<RPC_INTERFACE>::call() const [with IF = Loader::Session::Rpc_view_geometry, RPC_INTERFACE = Loader::Session]':
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::width' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::height' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::buf_x' may be used uninitialized in this function
.../base/include/base/capability.h:207: warning: 'ret.Genode::Capability<Loader::Session>::Return<Loader::Session::Rpc_view_geometry>::_value.Loader::Session::View_geometry::buf_y' may be used uninitialized in this function
This is easily fixed with providing a default constructor.
Because of the C++ rules regarding initialer lists code that used
them for View_geometry had to be modified to use a normal construction
call. In my tests only Nitpicker had to be changed.
Driver definitions which are used by kernel/core in base-hw, and also by other
drivers (e.g. from the os repository) have to reside in the generic
base-repository, for instance some uart drivers. All drivers which are
interesting for one of the sites only (sp804 for timer driver, or
cortex_a9 cpu driver for base-hw) should reside in the respective repos.
Factorize cpu context out of Cortex A9 specific definitions. Moreover, there
is already a Cpu_state object containing all common ARM registers. We use
this as a base for the cpu context switching done by the base-hw kernel.
The Cpu_state class get extended by a cpu-exception field, that stores the kind
of exception raised when the corresponding context got interrupted. This
information is used not only by the base-hw kernel, but also by the TrustZone
VMM that is build currently.
By adding a "mac=XX:XX:XX:XX:XX:XX" attribute/value pair to the nic_bridge's
configuration one can define the first MAC address from which the nic_brigde
will allocate MACs for it's clients. Note: that the least relevant byte will
be ignored, and ranges from 0-255. Fixes#424.
Missing parantheses around the calculation of last byte address in a UDP
Packet led to dereferencing the wrong value, thereby the UDP checksum
calculation failed, whenever an odd byte-count UPD packet was calculated.
Many thanks to Markus Partheymueller who discovered this issue and its
resolution.
By allocating the packet-stream dataspace for block sessions as
uncached, we can use DMA to directly read and write into the client
buffer. Currently, the OMAP4 SD-card driver is using this feature.
The enable the use of 'Attached_ram_dataspace' objects as DMA buffers,
we need to pass the 'cached' flag to the constructor. By default, the
dataspace is cached, which corresponds to the original behaviour.
This patch replaces the first attempt to resolve the ambiguity of using
the size_t type that occurred when 'loader_session.h' was included
alongside libc headers. Instead of explicitly qualifying each occurrence
of the type, the new solution defines 'size_t' within the 'Loader' namespace.
Fixes#253
The compiler complained about ambigous references when compiling a
lx_hybrid program using the loader session. Here are some error
messages:
genode/os/include/loader_session/loader_session.h:72: error: reference to 'size_t' is ambiguous
/usr/lib/gcc/i486-linux-gnu/4.4.5/include/stddef.h:211: error: candidates are: typedef unsigned int size_t
genode/base/include/base/stdint.h:25: error: typedef unsigned int Genode::size_t
genode/os/include/loader_session/loader_session.h:72: error: reference to 'size_t' is ambiguous
/usr/lib/gcc/i486-linux-gnu/4.4.5/include/stddef.h:211: error: candidates are: typedef unsigned int size_t
genode/base/include/base/stdint.h:25: error: typedef unsigned int Genode::size_t
...
This commit qualifies size_t using the Genode namespace which fixes
the compilation.
This patch implements a simple Qt-based media player which is actually a
graphical user interface for the SDL-based 'avplay' media player from
'libav'. It starts 'avplay' as a child and shows its graphical output in a
'QNitpickerViewWidget'. The widgets for controlling the player state send
the according keyboard and mouse input events to 'avplay'.
The 'qt_avplay' player supports the following configuration options:
<mediafile name="..."/>
-> name of the media file to play
<framebuffer_filter name="..." ram_quota="..."/> (may appear multiple times)
-> name of a framebuffer filter service to filter the video output
Fixes#222.
The new 'dde_linux' repository will host device drivers ported from the
Linux kernel. In contrast to the original 'linux_drivers' repository,
'dde_linux' does not contain any 3rd-party source code. To download the
Linux kernel source code and extract the drivers, execute the 'make
prepare' rule of the top-level Makefile. The initial version of the
'dde_linux' repository comes with an USB driver. The porting methodology
follows the path of the Intel GEM port. Instead of attempting to provide
a generic Linux environment that works across drivers, each driver comes
with a specially tailored DDE.
The DDE consists of Genode-specific implementations of Linux API
functions as declared in 'lx_emul.h'. Most of these functions are
dummies that must merely be provided to resolve dependencies at the
linking stage. They are called by unused code-paths.
As of now, the USB driver support UHCI, EHCI on the x86_32 platform. I
exposes USB HID devices and USB storage devices via Genode's input-session
and block-session respectively.
The USB driver is accompanied with two run scripts 'run/usb_hid.run' and
'run/usb_storage.run'.
This patch introduces the file-system-session interface, provides an
implementation of this interface in the form of an in-memory file
system, and enables the libc to use the new file-system facility.
The new interface resides in 'os/include/file_system_session/'. It
uses synchronous RPC calls for functions referring to directory
and meta-data handling. For transferring payload from/to files, the
packet-stream interface is used. I envision that the asynchronous design
of the packet-stream interface fits well will the block-session
interface. Compared to Unix-like file-system APIs, Genode's file-system
session interface is much simpler. In particular, it does not support
per-file permissions. On Genode, we facilitate binding policy (such as
write-permission) is sessions rather than individual file objects.
As a reference implementation of the new interface, there is the
new 'ram_fs' service at 'os/src/server/ram_fs'. It stores sparse
files in memory. At the startup, 'ram_fs' is able to populate the
file-system content with directories and ROM modules as specified
in its configuration.
To enable libc-using programs to access the new file-system interface,
there is the new libc plugin at 'libports/src/lib/libc-fs'. Using this
plugin, files stored on a native Genode file system can be accessed
using the traditional POSIX file API.
To see how the three parts described above fit together, the test
case at 'libports/run/libc_fs' can be taken as reference. It reuses
the original 'libc_ffat' test to exercise several file operations
on a RAM file-system using the libc API.
:Known limitations:
The current state should be regarded as work in progress. In particular
the error handling is not complete yet. Not all of the session functions
return the proper exceptions in the event of an error. I plan to
successively refine the interface while advancing the file-system
implementations. Also the support for truncating files and symlink
handling are not yet implemented.
Furthermore, there is much room for optimization, in particular for the
handling of directory entries. Currently, we communicate only one dir
entry at a time, which is bad when traversing large trees. However, I
decided to focus on functionality first and defer optimizations (such as
batching dir entries) to a later stage.
The current implementation does not handle file modification times at
all, which may be a severe limitation for tools that depend on this
information such as GNU make. Support for time will be added after we
have revisited Genode's timer-session interface (issue #1).
Fixes#54Fixes#171
The 'Session_policy' helper could not cope well with configurations that
contain nodes of a type other than '<policy>'. This patch improves the
policy matching by skipping non-policy nodes.
The original loader service was primarily motivated by the
browser-plugin scenario presented on our live CD. The new version
implements a more general session interface, which widens the
application scope of the service and, at the same time, reduces its
implementation complexity.
The complexity reduction is achieved by removing the original limitation
of supplying the new sub system as a single binary blob only. The server
used to implement heuristics and functionality for dealing with
different kinds of blobs such as ELF images or TAR archives. This has
been replaced by a session-local ROM service, which can be equipped with
an arbitrary number of ROM modules supplied by the loader client prior
starting the new sub system. Even though the TAR support has been
removed, a separate instance of the 'tar_rom' service can be used within
the subsystem to provide the formerly built-in functionality.
This patch introduces support for ROM sessions that update their
provided data during the lifetime of the session. The 'Rom_session'
interface had been extended with the new 'release()' and 'sigh()'
functions, which are needed to support the new protocol. All ROM
services have been updated to the new interface.
Furthermore, the patch changes the child policy of init
with regard to the handling of configuration files. The 'Init::Child'
used to always provide the ROM dataspace with the child's config file
via a locally implemented ROM service. However, for dynamic ROM
sessions, we need to establish a session to the real supplier of the ROM
data. This is achieved by using a new 'Child_policy_redirect_rom_file'
policy to handle the 'configfile' rather than handling the 'configfile'
case entirely within 'Child_config'.
To see the new facility in action, the new 'os/run/dynamic_config.run'
script provides a simple scenario. The config file of the test program
is provided by a service, which generates and updates the config data
at regular intervals.
In addition, new support has been added to let slaves use dynamic
reconfiguration. By using the new 'Child_policy_dynamic_rom_file', the
configuration of a slave can be changed dynamically at runtime via the
new 'configure()' function.
The config is provided as plain null-terminated string (instead of a
dataspace capability) because we need to buffer the config data anyway.
So there is no benefit of using a dataspace. For buffering configuration
data, a 'Ram_session' must be supplied. If no 'Ram_session' is specified
at construction time of a 'Slave_policy', no config is supplied to the
slave (which is still a common case).
An example for dynamically reconfiguring a slave is provided by
'os/run/dynamic_config_slave.run'.
The new 'swap' and 'realloc' functions are needed in scenarios where
'Attached_ram_dataspace' is used to implement double buffering. The
particular use case is the implementation of dynamic ROM sessions.
Separate spin-lock implementation from lock-implementation and put it into a
non-public header, so it can be re-used by the DDE kit's and Fiasco.OC's
capability-allocator spin lock. Fixes issue #123.
This patch makes use of the recently added support for const RPC
functions by turning 'Framebuffer::Session::mode()' and
'Input::Session::is_pending()' into const functions.
Linux DDE used to implement Linux spin locks based on 'dde_kit_lock'.
This works fine if a spin lock is initialized only once and used
infinitely. But if spin locks are initialized on-the-fly at a high rate,
each initialization causes the allocation of a new 'dde_kit_lock'.
Because in contrast to normal locks, spinlocks cannot be explicitly
destroyed, the spin-lock emulating locks are never freed. To solve the
leakage of locks, there seems to be no other way than to support the
semantics as expected by the Linux drivers. Hence, this patch introduces
a DDE Kit API for spin locks.
The new 'Slave_policy' and 'Slave' classes are built upon the existing
child framework. They support the implementation of scenarios where a
service is started as a child of the client. This is usefull for
employing an existing service implementation as a local utility or
plugin.
The 'mode_sigh' function allows the client to receive notifications
about server-side display-mode changes. To respond to such a signal, the
client can use the new 'release' function, which acknowledges the mode
change at the server and frees the original framebuffer dataspace. Via a
subsequent call of 'dataspace', a framebuffer dataspace corresponding to
the new mode can be obtained. Related to issue #11.
As a preliminary step for working on issue #11, this patch revisits the
'Framebuffer::info' RPC call. Instead of using C-style out paramters,
the new 'mode()' RPC call returns the mode information as an object of
type 'Mode'. Consequently, mode-specific functions such as
'bytes_per_pixel' have been moved to the new 'Framebuffer::Mode' class.
