/* * \brief Protection domain (PD) session interface * \author Christian Helmuth * \author Norman Feske * \date 2006-06-27 * * A pd session represents the protection domain of a program. */ /* * Copyright (C) 2006-2013 Genode Labs GmbH * * This file is part of the Genode OS framework, which is distributed * under the terms of the GNU General Public License version 2. */ #ifndef _INCLUDE__PD_SESSION__PD_SESSION_H_ #define _INCLUDE__PD_SESSION__PD_SESSION_H_ #include <base/exception.h> #include <thread/capability.h> #include <session/session.h> #include <signal_source/signal_source.h> namespace Genode { struct Pd_session; struct Parent; struct Signal_context; } struct Genode::Pd_session : Session { static const char *service_name() { return "PD"; } virtual ~Pd_session() { } /** * Bind thread to protection domain * * \param thread capability of thread to bind * * \return 0 on success or negative error code * * After successful bind, the thread will execute inside this * protection domain when started. */ virtual int bind_thread(Thread_capability thread) = 0; /** * Assign parent to protection domain * * \param parent capability of parent interface * \return 0 on success, or negative error code */ virtual int assign_parent(Capability<Parent> parent) = 0; /** * Assign PCI device to PD * * The specified address has to refer to the locally mapped PCI * configuration space of the device. * * This function is solely used on the NOVA kernel. */ virtual bool assign_pci(addr_t pci_config_memory_address, uint16_t bdf) = 0; /******************************** ** Support for the signal API ** ********************************/ typedef Capability<Signal_source> Signal_source_capability; class Out_of_metadata : public Exception { }; class Invalid_signal_source : public Exception { }; /** * Create a new signal source * * \return a cap that acts as reference to the created source * * The signal source provides an interface to wait for incoming signals. * * \throw Out_of_metadata */ virtual Signal_source_capability alloc_signal_source() = 0; /** * Free a signal source * * \param cap capability of the signal source to destroy */ virtual void free_signal_source(Signal_source_capability cap) = 0; /** * Allocate signal context * * \param source signal source that shall provide the new context * * * \param imprint opaque value that gets delivered with signals * originating from the allocated signal-context capability * \return new signal-context capability * * \throw Out_of_metadata * \throw Invalid_signal_source */ virtual Capability<Signal_context> alloc_context(Signal_source_capability source, unsigned long imprint) = 0; /** * Free signal-context * * \param cap capability of signal-context to release */ virtual void free_context(Capability<Signal_context> cap) = 0; /** * Submit signals to the specified signal context * * \param context signal destination * \param cnt number of signals to submit at once * * The 'context' argument does not necessarily belong to this PD session. * Normally, it is a capability obtained from a potentially untrusted * component. Because we cannot trust this capability, signals are not * submitted by invoking 'cap' directly but by using it as argument to our * trusted PD-session interface. Otherwise, a potential signal receiver * could supply a capability with a blocking interface to compromise the * nonblocking behaviour of the signal submission. */ virtual void submit(Capability<Signal_context> context, unsigned cnt = 1) = 0; /*********************************** ** Support for the RPC framework ** ***********************************/ /** * Allocate new RPC-object capability * * \param ep entry point that will use this capability * * \throw Out_of_metadata if meta-data backing store is exhausted * * \return new RPC capability */ virtual Native_capability alloc_rpc_cap(Native_capability ep) = 0; /** * Free RPC-object capability * * \param cap capability to free */ virtual void free_rpc_cap(Native_capability cap) = 0; /***************************************** ** Access to kernel-specific interface ** *****************************************/ /** * Common base class of kernel-specific PD interfaces */ struct Native_pd { }; /** * Return capability to kernel-specific PD operations */ virtual Capability<Native_pd> native_pd() = 0; /********************* ** RPC declaration ** *********************/ GENODE_RPC(Rpc_bind_thread, int, bind_thread, Thread_capability); GENODE_RPC(Rpc_assign_parent, int, assign_parent, Capability<Parent>); GENODE_RPC(Rpc_assign_pci, bool, assign_pci, addr_t, uint16_t); GENODE_RPC_THROW(Rpc_alloc_signal_source, Signal_source_capability, alloc_signal_source, GENODE_TYPE_LIST(Out_of_metadata)); GENODE_RPC(Rpc_free_signal_source, void, free_signal_source, Signal_source_capability); GENODE_RPC_THROW(Rpc_alloc_context, Capability<Signal_context>, alloc_context, GENODE_TYPE_LIST(Out_of_metadata, Invalid_signal_source), Signal_source_capability, unsigned long); GENODE_RPC(Rpc_free_context, void, free_context, Capability<Signal_context>); GENODE_RPC(Rpc_submit, void, submit, Capability<Signal_context>, unsigned); GENODE_RPC_THROW(Rpc_alloc_rpc_cap, Native_capability, alloc_rpc_cap, GENODE_TYPE_LIST(Out_of_metadata), Native_capability); GENODE_RPC(Rpc_free_rpc_cap, void, free_rpc_cap, Native_capability); GENODE_RPC(Rpc_native_pd, Capability<Native_pd>, native_pd); /* * Manual definition of 'Rpc_functions', see the comment in cpu_session.h. */ typedef Meta::Type_tuple<Rpc_bind_thread, Meta::Type_tuple<Rpc_assign_parent, Meta::Type_tuple<Rpc_assign_pci, Meta::Type_tuple<Rpc_alloc_signal_source, Meta::Type_tuple<Rpc_free_signal_source, Meta::Type_tuple<Rpc_alloc_context, Meta::Type_tuple<Rpc_free_context, Meta::Type_tuple<Rpc_submit, Meta::Type_tuple<Rpc_alloc_rpc_cap, Meta::Type_tuple<Rpc_free_rpc_cap, Meta::Type_tuple<Rpc_native_pd, Meta::Empty> > > > > > > > > > > Rpc_functions; }; #endif /* _INCLUDE__PD_SESSION__PD_SESSION_H_ */