Prevent errors like the following.
error: invalid cast from type ‘size_t’ {aka ‘long unsigned int’} to type ‘__u64’ {aka ‘long long unsigned int’}
Issue #5431
Instead of freezing, return corresponding libusb error code if the
USB device got disconnected. Therefore, components using the library
can continue to work otherwise.
Fix genodelabs/genode#5434
In Child::deliver_session_cap, a signal to wake up a service after
altering its session ROM was missing when the requesting client
no longer exists.
Fix genodelabs/genode#5435
While implementing TSC calibration in #5215, the issue of properly serializing
TSC reads came up. Some learnings of the discussion were noted in #5430.
Using `cpuid` for serialization as in Trace::timestamp() is portable,
but will cause VM exits on VMX and SVM and is therefore unsuitable to
retain a roughly working calibration loop while running virtualized.
On the other hand on most AMD systems, dispatch serializing `lfence`
needs to be explicitly enabled via a non-architectural MSR.
Enable setting up dispatch serializing lfence on AMD systems and always
serialize rdtsc accesses in Hw::Tsc::rdtsc() for maximum reliability.
Issues #5215, #5430
Up to now, bootstrap used the Programmable Interval Timer to set a
suitable divider and determine the frequency of the Local APIC.
The PIT is not available on recent x86_64 hardware anymore.
Move Local APIC calibration to bootstrap and use the ACPI timer as a
reference. Clean up hw's timer implementation a little and disable the
PIT in bootstrap.
Fixes #5215
To get the Time Stamp Counter's frequency, hw relied on a complex and
incomplete algorithm.
Since this is a one-time initialization issue, move TSC calibration to
bootstrap and implement it using the ACPI timer.
Issue #5215
The accounting of caps for the UTCB allocation on base-hw puts pressure
on the out-of-ram/caps handling of Create_thread_result in the CPU
sampler. This patch implements the formerly missing error handling.
Issue #5408
* Move all Kernel::Signal_* structures to kernel/signal.*
* Remove return value of kill_signal_context, which wasn't evaluated
* Remove Kernel::Signal_context::can_kill
* Remove Kernel::Signal_context::can_submit
* Remove Kernel::Signal_receiver::can_add_handler
* Turn nullptr into cxx nullptr instead of just zero
* Turn boolean values into true/false instead of one/zero
* Always add to signal FIFO also if submit counter
cannot get increased enough
Fix genodelabs/genode#5416
Instead of blocking in case of exceptions and MMU faults, delegate
the faulter's scheduling context to the assigned pager thread.
Fix genodelabs/genode#5318
Instantiate a separate pager thread for each cpu core. Every time a pager
object gets managed by the Pager_entrypoint, assign it to the pager thread
on the same cpu core.
Ref genodelabs/genode#5318
* Rename Kernel::Cpu_job to Kernel::Cpu_context (alias Kernel::Cpu::Context)
* State first Cpu affinity of Cpu::Context at construction time
* Move cpu affinity argument from kernel syscall create_thread to start_thread
* Ensure that Cpu pointer is always valid
Fix genodelabs/genode#5319
In case invalid IRQ numbers are used (255 on x86), the IRQ session creation
request may be denied and the platform driver is killed because of the
uncaught exception, which must be avoided.
Issue #5406
This was a relic from a time where we dumped the page tables from NOVA
and therefore needed to attach the corresponding dataspaces.
genodelabs/genode#5066
On x86, the `Vm_session_component` obscured the differences between SVM
and VMX.
Separate the implementations, factor out common functionality and
address a number of long-standing issues in the process:
- Allocate nested page tables from Core_ram_allocator as a more suitable
abstraction and account for the required memory, subtract the
necessary amount of RAM from the session's `Ram_quota` *before*
constructing the session object, to make sure that the memory
allocated from the `Core_ram_allocator` is available from the VMM's
RAM quota.
- Move the allocation of Vcpu_state and Vcpu_data into the Core::Vcpu
class and use the Core RAM Allocator to allocate memory with a known
physical address.
- Remove the fixed number of virtual CPUs and the associated reservation
of memory by using a Registry for a flexible amount of vCPUs.
Issue #5221
This patch allows for the construction of 'Xml_node' objects from a
'Const_byte_range_ptr' argument as a safer alternative to the pair
of addr, max_len arguments.
Issue #5411
The pointer returned by '_logger()' can be a nullptr, in particular
while tracing is (temporarily) inhibited. This patch ensures that
the 'Thread::trace' accessors never operate on a nullptr.
Fixes #5410
If the memory for the designated object is allocated as char[sizeof(T)],
the size of 'Placeable' is expected to equal the size of T. However, in
principle, the compiler has the freedom to inflate the 'Placeable'
object. The static assertion gives us the assurance that the compiler
does not violate our assumption.
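The assumption described in the message above, as an added C++ example that is not Genode's own code: `Placed_slot`, `Placeable` and `Session_record` are hypothetical names. The wrapper type is constructed by placement new into a `char[sizeof(T)]` buffer, so the static assertion is what rules out a write past the end of that buffer.

```cpp
#include <cstring>
#include <new>
#include <utility>

// Hypothetical in-place constructible slot (names are assumptions, not
// Genode's API). The buffer is sized for T, but the type constructed in it
// is the wrapper 'Placeable', which derives from T.
template <typename T>
class Placed_slot
{
	private:

		struct Placeable : T
		{
			template <typename... ARGS>
			Placeable(ARGS &&... args) : T(std::forward<ARGS>(args)...) { }
		};

		// If the compiler inflated 'Placeable', the placement new below would
		// write past the end of '_space'. Fail the build instead.
		static_assert(sizeof(Placeable) == sizeof(T),
		              "Placeable must fit exactly into the storage for T");
		static_assert(alignof(Placeable) == alignof(T),
		              "Placeable must not need stricter alignment than T");

		alignas(T) char _space[sizeof(T)];

		Placeable *_ptr = nullptr;   // non-null while an object is constructed

	public:

		Placed_slot() = default;
		Placed_slot(Placed_slot const &) = delete;
		Placed_slot &operator = (Placed_slot const &) = delete;

		~Placed_slot() { destruct(); }

		template <typename... ARGS>
		void construct(ARGS &&... args)
		{
			destruct();   // never construct over a live object
			_ptr = ::new (static_cast<void *>(_space))
			       Placeable(std::forward<ARGS>(args)...);
		}

		void destruct()
		{
			if (!_ptr) return;
			Placeable *obj = _ptr;
			_ptr = nullptr;
			obj->~Placeable();
		}

		bool constructed() const { return _ptr != nullptr; }

		T &object() { return *_ptr; }
};

// Constructed sample type that counts its live instances
struct Session_record
{
	unsigned long id;
	char          label[24];

	static int live;

	Session_record(unsigned long id, char const *text) : id(id)
	{
		std::strncpy(label, text, sizeof(label) - 1);
		label[sizeof(label) - 1] = 0;
		live++;
	}

	~Session_record() { live--; }
};

int Session_record::live = 0;

// A canary directly behind the slot makes an overrun of the storage visible
struct Guarded
{
	Placed_slot<Session_record> slot;
	unsigned canary = 0xC0FFEEu;
};

// Returns true if construct, re-construct and destruct keep the canary
// intact and the constructor/destructor calls balanced.
bool slot_stays_within_storage()
{
	Guarded g;
	g.slot.construct(1UL, "first");
	g.slot.construct(2UL, "second");   // destructs the first record
	bool ok = g.slot.constructed()
	       && g.slot.object().id == 2
	       && Session_record::live == 1
	       && g.canary == 0xC0FFEEu;
	g.slot.destruct();
	return ok && Session_record::live == 0 && g.canary == 0xC0FFEEu;
}

int main() { return slot_stays_within_storage() ? 0 : 1; }
```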
This makes the dialog API usable for users of Goa. It turns the
former static dialog library into a shared object and accompanying symbols
file, and adds depot recipes for the library and API.
Issue #5409
To enable a global key handler to implement motion gestures while a
global key is held, it needs to know the current pointer position at the
time when the global key sequence starts. This is prerequisite for
the window layouter's ability to drag windows by clicking anywhere
within the window while holding a global key.
Issue #5403
This allows the window layouter to ensure that input entered after
switching to an empty screen won't be routed to the old focused but
no longer visible window.
Issue #5390
This patch enforces the invariant that absolute motion events are
delivered to the hovered client only. If no client is hovered, the event
is discarded.
Otherwise, in a situation where no client is hovered (i.e., due to a
background that does not cover the entire screen) but a focus is
defined, absolute motion events would be delivered to the focused
session. From a client's perspective, when moving the pointer from the
client to emptiness, the client would observe a leave event followed by
absolute motion. This, in turn, confuses the window manager, which
expects that the receiver of an absolute motion event is hovered.
Fixes #5375
This patch adjusts the last remaining callers of 'core_env' and removes
the 'Core_env' interface.
- Core's RAM/cap accounts are now represented by 'Core_account'
implementing the 'Pd_account' interface.
- The former parts of 'Core_env' are now initialized in sequence
in 'bootstrap_component'.
- 'Core_child' has been moved to a header to reduce the code in
'main.cc' to a bare minimum. This is a preparation for the
plan of making 'main.cc' specific for each kernel.
Fixes #5408
Core uses an instance of 'Pd_session_component' as a representative
for RAM/cap quota accounts used whenever session resources are
donated to core's services. All other facets of 'Pd_session_component'
remain unused. Core's instance of 'Pd_session_component' is hosted
at 'Core_env'. Upon its construction, all unused facets of
'Pd_session_component' are initialized by dummy arguments in 'Core_env'.
To overcome the need for dummy arguments, this patch splits the
accounting part of the PD-session interface into a separate
'Pd_account' interface. This gives us the prospect of narrowing
core's current use of 'Pd_session_component' by 'Pd_account',
alleviating dead code and the need for any dummy arguments.
Issue #5408
This patch replaces the use of 'core_env()' in 'platform_services.cc' by
the function arguments 'core_ram', 'core_rm', and 'io_port_ranges'.
It also removes the 'Pd_session' argument from 'Io_port_root' and
'Irq_root' to avoid the reliance on the 'Pd_session' interface within
core.
Issue #5408
Replace the use of the global 'core_env()' accessor by the explicit
delegation of interfaces.
- For allocating UTCBs in base-hw, 'Platform_thread' requires
a way to allocate dataspaces ('Ram_allocator') accounted to the
corresponding CPU session, a way to locally map the allocated
dataspaces (core's 'Region_map'), and a way to determine the
physical address (via 'Rpc_entrypoint') used for the initial
UTCB mapping of main threads. Hence those interfaces must be
passed to 'Platform_thread'.
- NOVA's pager code needs to look up 'Cpu_thread_component'
objects using a map item as key. The lookup requires the
'Rpc_entrypoint' that holds the 'Cpu_thread_component' objects.
To make this 'Rpc_entrypoint' available, this patch adds
the 'init_page_fault_handing' function.
- The 'Region_map_mmap' for Linux requires a way to look up
'Linux_dataspace' objects for given dataspace capabilities.
This lookup requires the 'Rpc_entrypoint' holding the dataspaces,
which is now passed to 'platform.cc' via the new Linux-specific
'Core_region_map::init' function.
Issue #5408
Make preferred microphone configurable when a headset is plugged in by
introducing the 'mic_priority' attribute for the <config> node. Values
can be "internal" and "external".
Prevent erratic runtime behavior stemming from accidentally passing a
copy to a `Ram_allocator` by making the interface noncopyable.
In consequence, we had to provide an explicit copy constructor for
`Session_env` in server/nic_router, which will be reconsidered in
issue #5405.
Issue #5221
`Vm_session_component::create_vcpu()` is present across all supported
kernels, yet until now it was not part of the `Vm_session` interface.
Add the method to the `Vm_session` interface. This unifies calls in the
base library and is the basis to remove the need for a common base class
for separate `Vm_session` implementations for SVM and VMX on x86_64.
Issue #5221
Instead of repeatedly printing error messages when a device is not
available anymore, print an error once and then sleep forever.
There is no dynamic behaviour with respect to device availability
implemented in the libusb yet. Instead, you can manage libusb
components externally.
Ref genodelabs/genode#5401
Nitpicker used to notify GUI clients about an updated GUI info only when
the total panorama size changed. However, in situations where two
capture clients are swapped, the total size may stay the same whereas
the relation of displays to different parts of the panorama is no longer the
same. Such changes are interesting to some clients like the window layouter,
which needs to update the assignment of screens to displays.
This patch changes nitpicker so that each panorama change is reflected
to GUI clients as a mode-info update.
Issue #5390
This patch fixes the following error message printed by the wm upon the
restart of a decorator.
Error: freeing non-empty slab block"
Error: ID space not empty at destruction time
Fortunately, the error is not critical as the backing store is released
along with the session.
The 'label_suffix=" -> decorator"' rule is weaker than the
more generic 'label_prefix="runtime -> wm"' rule, to the effect that the
decorator is assigned to the "desktop" domain instead of the "decorator"
domain. Replace the 'label_prefix' by the decorator's concrete label
to resolve this ambiguity.
The 'size_changed' handling remained without effect when the (last)
display re-appears (e.g., back from screen blank) because
'Capture_root::bounding_box()' delivered the '_fallback_bounding_box'
in the intermediate phase where no display was present. Unfortunately,
'Capture_root::visible()' failed to apply the same logic. This patch
makes 'visible()' consistent with 'bounding_box()'. It has the
welcome effect that nitpicker remembers the pointer position during
the dark phase.
Fixes #5397
GCC 12 tree-loop-distribute-patterns generates false warnings of
-Warray-bounds, -Wstringop-overflow, or -Wstringop-overread in memcpy()
and memcpy_cpu() in static/inline cases for code that obviously prevents
its execution by invariant checking. On -O3, even more warnings are
produced.
This patch fixes the corner case where a call of 'trigger_gui_sync'
unexpectedly did not result in the execution of '_handle_gui_sync'.
When sporadically called (w/o having installed a period sync handler)
in a time window shortly after a previous '_handle_gui_sync' that just
switched back to sporadic mode, the situation was considered as !idle.
So the 'local_submit' was skipped.
The patch fixes the issue by always issuing a 'local_submit' except when
operating in period mode. The '_gui_sync_enabled' state is now driven
only by '_handle_gui_sync' to make the intent more clear.
Fixes #5396
When constructing an Usb::Interface and implicitly corresponding
Usb::Endpoint instances only select endpoints relevant for the
given alternate setting.
The libusb has to be changed to delegate the correct alternate
setting to the constructor too.
Fix genodelabs/genode#5394
On hotplug, the C++ side of the driver now gets just notified,
without any further detection.
On the C++ side, now specific actions are scheduled explicitly, which will be
executed step by step. New appearing actions will be queued and are
not eligible to run before the former actions of the list are processed.
Fixes #5392
config node gracefully. If no mirror is set, ever claim one entry
as the mirrored one. Without this change, the current effect is that
the UI does not allow to merge one of the discrete modes.
Issue #5392
Foster the Genode books as a single point of reference for Genode's
documentation. E.g., the Getting-Started section of the "Genode
Foundations" book has long obsoleted doc/getting_started.txt. This
patch also removes long-orphaned texts like gsoc_2012.txt. The approach
described in the porting guide has now been replaced by the Goa SDK.
The Genode books can be downloaded at the genode.org website. Like
Genode, they are open source. All text is licensed as CC-BY-SA and
can be found at https://github.com/nfeske/genode-manual
Fixes #5393
Our new U-BOOT for the imx8mp_iot_gate complains about the size
of the device tree being zero bytes. This is because it no longer
provides the kernel boot arguments via ATAGS, but passes them
by injecting them in the flattened device tree.
This commit adds a minimal dtb file to the FIT image to satisfy U-BOOT.
Issue #5354
Instead of directly processing URBs whenever a USBPacket arrives from
the Qemu ported XHCI layer, send a local signal to the I/O handler,
which will process the requests after leaving certain sensible
code paths like usb_packet_complete. Otherwise, it might happen
that a packet, which was still marked as being queued gets already
completed, which leads to an assertion and hang of the library.
Fix genodelabs/genode#5389
This prevents the potential corner case where the terminal receives input
at a time when the window has no valid size and _text_screen_surface is
not constructed.
If one of core's threads is causing an MMU fault, dump the
register state and stack backtrace of the faulting stack to
aid debugging.
Fix genodelabs/genode#5387
When building ELF binaries of core and bootstrap for a run scenario,
also create the *.core.debug file to be able to use the tool/backtrace
utility.
Ref genodelabs/genode#5387
- add a check to detect if a different thread has
initialized the internal object in the meantime
- remove ENOMEM error since the 'Libc::Allocator'
is not supposed to throw exceptions
- remove init mutex from 'pthread_condattr_init()'
since there is no implicit initialization which
could happen in parallel like with mutex/cond/rwlock
Issue #5386
The VFS server used to respond to any invalid config by exiting.
By disregarding such configurations instead, this patch makes the VFS
server robust against temporary malconfiguration.
Replace the unconditional sleep "until the board comes up" by the
detection of the fastboot-driver message. This shortens the total boot
time and reveals U-boot's initial output, e.g., messages reporting
trouble with bringing up the fastboot driver.
The success messages of different versions of the fastboot tool
are printed in different upper/lower case. Tolerate both.
The patch also removes a few superfluous semicolons.
When trying to open a file in the Files view with font size set to
Large on 4k screens, the editor's / `text_area`'s `view` child fails to
bump its RAM quota when the editor's default quota is too small.
To mitigate the issue, bump the editor's default quota to 80MiB.
The long-term fix would be for the editor to request more RAM from the
runtime to satisfy the `view` RAM request.
Issue #5356
Issue #5383
When using the Files view with font size set to Large, the boosted
runtime_view limit of 64MiB is still not enough for 4k screens.
Double the RAM boost limit to 128MiB.
Issue #5356
With this commit the fb driver is started on the second CPU on the
MNT Pocket Reform to decouple it from the other components started
on the first CPU during the system's boot-up and mitigates bring-up
issues with this driver that result in an often non-working display.
Issue #5378.
As the initial output of picocom is hardly ever needed, disable it by
default to reduce the log noise. Whenever needed, the output can still
be enabled by specifying the run tool's --log-serial-cmd.
This patch removes the only residual C++ exception from the kernel part
of core, eliminating the risk of the kernel thread trying to enter the
kernel itself via the C++ exception-handling path. When throwing an
exception, __cxa_allocate_exception invokes the cxx_heap, which
synchronizes accesses via a Genode::Mutex. In the contention case,
the blocking of the mutex issues a syscall to pause the caller.
The patch fixes the problem by replacing the exception with a return
value.
Fixes #5382
Issue #5245
When using the depot/build tool with the 'REBUILD=' argument as done by
the run tool's --depot-auto-update feature, the depot/build tool now
checks that an existing bin archive was indeed created via the src and
api archives present in the depot for the given version. This addresses
consistency issues when switching between different git branches that
refer to the same depot versions but with different content.
Fixes #5379
This patch records the content hashes of the src and api ingredients
used for creating a bin archive. This information allows for the
detection of possible inconsistencies between a bin archive and its
corresponding src archive within the depot.
Issue #5379
When extracting depot archives from the source tree, retain the content
hash of the extracted information along the archive in <version>.hash
file. The .hash files of src and api archives become thereby usable for
checking the consistency of bin archives with their ingredients.
Issue #5379
With --depot-auto-update enabled, the run tool calls the depot/create
tool, which in principle may fail. In this case, print a diagnostic info
instead of a backtrace.
Issue #5379
This commit adapts the aperture splitting between the GPU multiplexer
and the display driver where the former now always tries to reserve
32 MiB of aperture space for itself instead of limiting the space
for the display driver. In case the aperture is not large enough
the display driver takes precedence and the GPU service has to make
do with remaining space. In the worst case that renders the GPU
service unusable.
Issue #5377.
Don't try to decide based on the hardware state, in which mode a
connector is used. If a previous configuration failed, e.g. -ENOSPC,
the detection whether the mirrored framebuffer is in use may fail
and the connectors are reported wrongly as discrete.
During modeset traversal take the appropriate lock to synchronize irq and
user task, which may be de-scheduled by Linux code when invoking contrib
code.
Issue #5377
The driver code may allocate framebuffers which do not fit in the aperture.
Trying to use such framebuffer may lead to only partially visible content
on the screen and the rest either black or garbage.
Instead check for this circumstance and deny to use such framebuffers and
release them, since the user would get an unusable/hard to interpret state.
Additionally, release the vma mappings earlier in order to reduce the likelihood
of such un-mappable framebuffers.
Issue #5377
When updating a dialog after a prolonged idle time with no active
animations, the next _handle_gui_sync would wrongly fast-forward
animations for all the frames passed since the last _handle_gui_sync. On
the PinePhone, this effect is clearly visible when switching between the
main section. The GUI jumps from one state to another instead of
transitioning. This patch solves the issue by resetting '_previous_sync'
when waking up from idle.
Related to issue #5347
Large deployments (e.g., using the Falkon browser) can significantly
inflate the RAM quota of depot_rom. When switching the Sculpt storage
target (using the "Use" buttons), depot_rom is restarted. Right now,
however, it retains its (inflated) quota. It is better to reset the
quota to its initial value to free up RAM that thereby becomes usable
for a different deployment. Otherwise, the depot_rom's resources can be
deflated only by rebooting.
This patch fixes focus-follows-mouse problem reported for Sculpt 24.10
when using no (operational) backdrop.
In the absence of a background, nitpicker wrongly delivered absolute
motion events to the most recently hovered client even after leaving the
client's area to an area occupied by no client. These motion events, in
turn, confused the internal consistency of the window manager's
enter/leave tracking.
Fixes #5375
When using the fonts_fs, the geometry of individual glyphs can change
potentially at any time, after having obtained font-global constraints
once. In particular, a glyph can exceed the bounding box of the font
cell. The VFS font utility must take safety precautions against such
violations.
Fixes #5374
Board-specific repositories must appear before generic repositories
(i.e., gems) in 'REPOSITORIES' to select board-specific sculpt/
configuration snippets over the defaults provided by gems. When listing
the board-specific repositories last, Sculpt images for the PinePhone or
MNT Reform may wrongly include launchers and presets of the PC version.
Swapping a 4k monitor between discrete and mirror mode will consume
temporarily at least 32M * 2 (3840 * 2160 * 4 Bytes), so that the
default value of 64M for the aperture is insufficient in addition to
internal display on a notebook. The commit mitigates that the
i915_gem_evict_for_node unimplemented error does not trigger immediately.
Issue #5356
In setups with 3 or more displays, allow the un-merging of connectors
only for the last mirrored connector. Otherwise, the operation would
implicitly change the order of connectors because the new discrete
connector needs to appear after all merged connectors.
Issue #5286
The access-point-list hovered state prevents presenting the available
scan results, which currently can happen unintentionally. This commit
hot-wires the hover handling and thus will always show and update the
list. New scan results are received every few seconds and it could
happen that the list changes while the user selects a network (that's
what the original implementation guards against).
Issue #5369.
Since the panorama depends on the config, nitpicker needs to re-evaluate
the validity of the pointer position after each reconfiguration. If the
pointer position is no longer visible, pick a new visible one.
Issue #5352
This patch explicitly handles the unplugging of displays, avoiding the
use of stale connectors for defining the panorama. It also makes the
import of the connectors model robust against intermediate states
reported by the driver (a connector reported as connector but without
any mode), and discards the use of any information of non-present
connectors as merge info.
Issue #5286
The minimum width/height of a dialog is not specified in the dialog ROM
but in the menu_view configuration. So the regular dialog-ROM update
handling fails to capture dynamic changes of the minimum w/h. In
Sculpt, the panel would not always adjust immediately to a new screen
size.
This patch triggers a dialog update when detecting such configuration
changes (min w/h, opaqueness, background color).
Issue #5370
This patch places the leitzentrale GUI always at the pointer-at display
instead of filling the entire panorama. This ensures that the complete
leitzentrale GUI is always visible.
Fixes #5370
If the fb driver is configured to use discrete displays, sculpt now
automatically generates a panorama configuration for nitpicker that
shows all displays side by side. The effective nitpicker config is
now located at config/managed/nitpicker.
The automatism takes effect only when nitpicker's <capture> node
in config/nitpicker is empty. Hence, the managed panorama can be
overridden by a manually managed panorama.
Issue #5286
This patch handles the case where a mode change happens in-between
session creation and the registration of the mode-signal handler,
which can result in a sporadic loss of response to mode changes.
Noticed while working on issue #5286.
This patch adds a configuration dialog in the intel_fb node of the
component graph. The dialog displays a list of present displays labeled
after their respective connectors. A mode can be selected for each
connector when clicking on the connector entry.
In-between the entries there are two buttons. The connect button is a
toggle that defines whether the two adjacent entries are mirrored.
It is enabled by default so that all new connectors participate in
the mirroring. By untoggling the last enabled connect button, the
entry below the button becomes a discrete (non-mirrored) display.
A swap button allows for changing the order of the list, which has
two effects. First, the resolution of the very first entry defines
the size for mirrored display. So by changing the order of mirrored
displays, one can pick the preferred screen size. Second, the order
of discrete displays defines the layout of the panorama from left to
right. (the panorama config is not part of this commit though)
Note that there is currently no safety net against locking oneself
out of all displays. E.g., one can make Sculpt unusable by manually
disabling each display, or by selecting modes not properly handled by
the connected monitor. In the future, we may add a confirm button with
a timeout to roll back such unfortunate settings.
Fixes #5286
In VirtualBox 7 and recent 6.1 versions, the VMMDev is used to report
all mouse events if guest additions are used. Therefore, the
implementation aggregates these events, notifies the guest, and passes
the state on guest request. Unfortunately, the protocol does not support
to report consecutive button press and release events that may happen
between two guest requests, which results in events getting lost.
This commit patches the contrib sources to track pending mouse-button
events and notifies the guest if further state changes are pending after
updates are delivered.
Also, mouse-wheel events (dw, dz) are now accumulated between two guest
updates.
Fixes #5333
With the change of "gui_session: provide mode info as XML", the
client-side window-close handling became dysfunctional because the
window-close state got wrongly interpreted as initial window state, to
the effect that a client's initial-window size policy got applied
instead of closing the window.
This patch makes the initial state of running a windowed application
(when no window size is defined yet) clearly distinguishable from the
state after which the user closed the window. Prior to this patch, both
conditions were reflected by an empty <capture/> node in the panorama.
Now, the latter condition is reported as <capture closed="yes"/>, which
alleviates the need to track the life cycle of a window at the client
size.
Issue #5353
Because the implementations for Lima and Vivante are linked into a
single library we cannot have two Gpu::Vram classes in the same
namespace. In case this happens any methods using the same signature are
weak symbols and the first one found by ld will be used = undefined
behavior.
issue #5356
issue #5369
If a <domain> is constrained by 'width' or 'height' attributes, clip
the capture rects of the panorama info reported to the client. So the
client observes the constraint as window size.
Issue #5356
When shrinking the terminal window, the view must be shrunk before
shrinking the pixel buffer. Otherwise, when the buffer becomes smaller
than the view, nitpicker fills the excess view area with tiled content
of the buffer, which looks funny.
Related to issue #5350
Commit 75e1f1797d increased runtime_view's initial RAM quota from 4MiB
to 52MiB, but failed to adjust the boost limit. Therefore, when
additional RAM was requested, the limit would actually be decreased to
32MiB.
Adjust the RAM boost limit to 64MiB to make the runtime_view work on 4k
screens.
Issue #5356
Since #5352, the 'screen_size' RPC function returns a rectangle clipped
against the client's bounding box, which unfortunately prevents
screen-capturing applications from determining the actual screen size.
This patch restores the original behavior by clipping the panorama
against client-specific constraints w/o clipping against the client's
buffer size.
Fixes #5365
A system shell that works in a small window stops working when maximized
on a 4k screen, because the terminal component runs out of RAM.
With the adjusted RAM quotas the system shell works on 4k displays.
Issue #5356
Following the rework of the graphics stack, the decorator inside
Leitzentrale needs more capabilities. This manifests in a log message:
```
[leitzentrale] child "decorator" requests resources: cap_quota=18
```
and the Leitzentrale contents except for the log window disappearing
from the display. The Leitzentrale layer can still be toggled using F12.
Increasing the decorator's capability quota appears to solve the issue.
Issue #5356
This patch resets the pixel buffer shared with the capture client
whenever the capture policy is modified and reports the whole buffer as
affected rectangle on the next client call of 'capture_at'. It also
clips the dirty rectangles tracked via 'mark_as_dirty' against the
bounding box of the capture session to avoid the interference of
out-of-view parts of the panorama with a capture client.
Fixes #5368
Increase the RAM quota of the top-level nitpicker instance to support
the flicker-free resizing of large buffers, e.g., when changing screen
resolutions. Otherwise, nitpicker warns as follows:
[init -> nitpicker] Warning: Gui (runtime -> wm -> wm -> decorator)
not enough RAM to preserve buffer content during resize
Issue #5356
Sometimes when removing the popup window in Sculpt's Leitzentrale, a few
residual pixels remained. This is caused by the too strict coupling of
drawing and sync handling, effectively executing the fb-sync handler
repeatedly via 'Main::mark_as_damaged' during 'refresh_view' calls.
This tight coupling has two unwelcome effects. First, the sync handling
is executed more often than needed. Second, the sync handling (and fb
flushing) happens at intermediate states when view-stack changes are
applied (like changing a view geometry).
This patch uses a local signal handler to defer the execution of the
sync code until all drawing has finished.
Issue #5347
Issue #5356
When nitpicker is used as nitpicker client as is the case for Sculpt's
Leitzentrale, the time to sleep was tracked wrongly. The fb sync stays
alive only if a refresh operation is actually issued.
Issue #5347
Issue #5356
This commit removes the initial diagnostic message from the log. The
message is harmless because the sculpt manager upgrades the quota on
demand but it's best to avoid the noise.
child "runtime_view" requests resources: cap_quota=4
Issue #5356
This commit aligns the implementation to the intention of dismissing
invalid '<network>' entries. We only accept entries when they contain
a valid SSID and additionally a valid PSK if the network is protected.
Issue #5356.
Instead of publishing the old audio mixer, refer to the recent
record_play_mixer providing the audio API that is used by almost
all components now.
Ref genodelabs/genode#5356
The changes "intel/display: report connectors w/o modes as off" still
need improvements to detect mode-less connectors in intermediate states.
Until then, don't report connector_status_unknown as connected with
modes.
On capture creation for discrete usage, use the connector values
if display mode does not provide values. For mirror capture ever
report no width_mm/height_mm.
Instead of forwarding the whole devices ROM of the platform driver to the
display driver, report only Intel devices and additionally adjust the
reported IOMEM size to the reduced aperture size.
Related #5207
Issue #5345
Issue #5356
Commit ac42ade introduced a regression that triggered an assertion in
`Dhcp_server::free_ip()` because the DHCP allocation was not properly
removed during a domain update. The underlying issue was that
`with_dhcp_server()` silently landed in the `no_dhcp_server_fn`.
Fixes #5364
Register Global_irq_controller as Device so interrupts get forwarded to
irqchip.c code. Otherwise, pin-controller interrupts will get lost.
Fixed #5363
Related #5356
This commit patches the DDE Linux contrib code to remove IRQ coalescing
from the R8169 driver that for reasons not yet known leads to interrupts
occurring irregularly.
Issue #5356.
This commit does away with controlling the join-intent via an attribute
but couples it to the existence of a '<network>' node. With this change
all '<network>' nodes within the configuration are always
unconditionally considered for joining.
Issue #5356.
This commit splits the intent to scan for a hidden network and the
actual configuration of a network itself by introducing
'<explicit_scan>' nodes. Like the '<network>' node these also feature
a 'ssid' attribute and each node is incorporated into the SCAN request
if its SSID is valid.
For more information please consult 'repos/src/driver/wifi/README'.
Issue #5356.
With the recent Wifi::Manager changes setting an invalid SSID will
lead to a diagnostic warning. Since disconnecting is handled by
removing the existent '<network>' there is no reason to generate
an invalid node in the first place.
Issue #5356.
Inform all GUI clients of a new version of the mode information whenever
the nitpicker configuration is modified. This is needed because changed
capture policies influence the panorama observable by the GUI clients.
Issue #5352
Fixes the following misbehavior: If a global key is pressed (e.g., Caps
Lock in Sculpt) and the mouse is clicked before release, the global-keys
handler receives the global-key press but no further events of the
sequence, especially *no Caps-Lock release*.
A more reasonable fix may address the "else branch" that deletes the
_input_receiver in case of mouse events without a hovered client too,
which is beyond the narrow scope of this fix.
This patch implements the following policy for applications requesting
exclusive input (relative motion): The pointer is grabbed as soon as the
user clicks inside the application window. It is forcibly ungrabbed on
any window-focus change or when tapping the KEY_SCREEN. An application
can always enable (transient) exclusive input during a key sequence,
e.g., when dragging the mouse while holding the mouse button. Transient
exclusive input is revoked when releasing the last button/key.
Fixes #5355
While the focused client has enabled exclusive input, nitpicker does
not translate relative motion to absolute motion but routes relative
motion directly to the client. Additionally, the pointer origin is
forcibly moved to a position outside the screen boundaries, making the
pointer invisible.
Issue #5355
The recent changes of the GUI stack (proper accounting of cap and RAM
resources by the window manager and nitpicker, output buffered at the
server side) require quota adjustments at various GUI-related places.
Issue #5356
This interface allows a GUI client to express the intent to exclusively
observe relative motion events while locking the absolute pointer
position. This patch merely extends the interface without implementing
it.
As this change touches os/include/input/component.h, it moves the
manage/dissolve operations into the class, ensuring the call of
dissolve at destruction time.
Issue #5355
In multi-monitor scenarios, the mode is no longer a single rectangular
area but a panorama with potentially many captured rectangles. This
patch replaces the former 'mode' and 'mode_sigh' RPC by a new 'info'
ROM accessor.
Issue #5353
Capture clients used to always capture the view stack at the origin of
the coordinate system. So each capture client obtained a mirror of the
same picture. This patch allows for the placement of capture clients on
a larger panorama using Genode's usual label-based policy-selection
approach. Thereby, each monitor in a multi-monitor scenario can display a
different portion of the panorama.
The patch takes special care to always keep the pointer in a visible
position. The pointer cannot be moved to any area that is not captured.
Should the only capture client displaying the pointer disappear, the
pointer is warped to the center of (any) remaining capture client.
Fixes #5352
The operators == and != make the 'Rect' consistent with 'Point' and
'Area'. The patch also adds the 'Rect::clamp' method, which is generally
useful for sanitizing input.
Issue #5352
The new Framebuffer::Session::sync_source RPC function allows for the
selection of a specific source of sync signals in the presence of
multiple capture clients at the GUI server.
This patch contains only the extension of the interface. The information
is not evaluated by the GUI server yet.
Issue #5347
This patch adds central and safe utilities for accessing the distinct
parts of the virtual framebuffer to relieve clients from pointer
calculations.
Issue #5351
This patch eases the vertical organization of multiple surfaces within
one larger surface, which is the case when keeping front/back buffers
within one compounding GUI buffer.
Issue #5351
The new bytes() accessor returns a Byte_range_pointer as an alternative
to the 'local_addr' for accessing the content of the dataspace. This
facilitates the safe practice of passing (and validating) the buffer
bounds along with the pointer.
Issue #5351
Propagate the want of an alpha channel as attribute of Framebuffer::Mode
instead of passing this property as a separate bool argument.
This clears the way for adding useful accessors for pixel/alpha/input
surfaces to the Mode type as a subsequent step.
Issue #5351
This patch ensures that the displayed pixel buffer is always consistent
by applying intermediate drawing steps on an invisible back buffer,
which is blitted to the front buffer by the GUI server.
Note that the addition of the back buffer increases the decorator's RAM
demand by 4*w*h (4 bytes per pixel) whereas w and h are the screen size.
Issue #5350
By enhancing the Framebuffer::Session interface by the new RPC functions
'blit' and 'panning', GUI clients become able to attain tearing-free
output. Two modes of operations are supported.
1. Atomic back-to-front blitting
GUI clients that partially update their user interface like regular
application dialogs, can now implement double buffering by placing
both the back buffer and front buffer within the GUI session's
framebuffer and configuring a view that shows only the front buffer.
The 'blit' operation allows the client to atomically flush pixels
from the back buffer to the front buffer.
2. Atomic buffer flipping
GUI clients that always update all pixels like a media player or
a game can now use the 'panning' feature to atomically redirect the
displayed pixels to a different portion of the GUI session's virtual
frame buffer. The virtual framebuffer always contains two frames,
the displayed one and the next one. Once the next frame is complete,
the client changes the panning position to the portion containing
the next frame.
Issue #5350
Call lx_emul_setup arch after kmem_cache_init, because
unflatten_device_tree requires 'memblock_alloc' which does not work
when using native slub.c/memblock.c on ARM platforms.
issue #5264
Limit the use of Reg_list::for_each that caches a next pointer
of its items to allow destruction of items in its lambda body.
Instead provide a Reg_list::apply function in addition, which
takes a condition lambda to find the matching item, and a lambda
processed on it. In most use-cases where for_each was used, only
one item was searched for. Here we can use apply now, without
the need for a cached pointer, nor too many iterations.
Fixes genodelabs/genode#5349
Unless nitpicker is used in 'request_framebuffer' mode, it no longer
depends on a periodic timer but merely acts as a broker between capture
clients and GUI clients. Sync signals as delivered to GUI clients are
now wired to Capture::Session::capture_at calls. So the display driver
defines the occurrence of those signals.
Note that sync signals are only delivered while a driver actively calls
'capture_at'. If a driver stops capturing, GUI clients no longer receive
any sync signal. This is a change from the previous situation where GUI
clients could depend on the periodicity of sync signals.
Issue #5347
This patch changes the precision of the configuration's motion attribute
to a multiple of 10 ms (centi-seconds). The previous version used steps
of 20 ms. Hence, one needs to adjust existing configurations by doubling
the motion attribute values of the themed decorator.
Issue #5347
This patch removes the use of sync signals as time source. The animation
phase is now timed using a timer connection as tick source while sync
signals are used for scheduling the redraws.
Issue #5347
- touch all memory before time measurements, to reduce lazy paging jitter
- diff of 100us between 2 memset runs are now considered a failure (before 10us)
- add reference measurements of same region size which is not write-combined
- make the output of the write-combined test easier to parse
Fixes #5342
With this change, a client (i.e., display driver) can register
a wakeup signal handler to be notified on the arrival of new data to
capture. The signal is delivered only when the client has stopped
capturing. The client propagates this condition to the server using
the new 'capture_stopped' RPC call.
This change in principle enables a display driver to suspend its
periodic mode of operation after a few frames without capturing any
new data. As the first driver, the fb_sdl driver has been adapted to
the new protocol. This change not only eliminates the driver's CPU
load when idle, it also reduces the latency of sporadic output
because the response to such GUI updates is no longer bound by a
fixed periodic interval.
Issue #5344
This patch is a preparatory step for relaxing the strictly periodic
operation of fb_sdl. With the new design, the SDL event loop can block
for events while Genode's main entrypoint stays receptive for I/O.
The main entrypoint can interact with the SDL thread by injecting
SDL user events.
The patch also replaces the full-screen clearing and update of the
SDL window by an update of the captured bounding box only. This reduces
the CPU load of fb_sdl when idle. When updating a small part of the
screen (e.g., when moving the mouse only), the load is still rather
heavy though.
Issue #5344
This patch enhances the Capture::Connection::Screen such that the
bounding box of the affected pixels can be tracked by the caller,
which can use this information to adjust its behavior to the
activity/inactivity of the capture server.
Issue #5344
This patch adds the physical screen size as argument to the
Capture::Session::buffer RPC function, which allows drivers to
propagate DPI information to the GUI server. While changing the
interface, the patch replaces the former use of C++ exceptions
by a result type. The 'Buffer_result' is handled transparently by the
Capture::Connection. The client.h code is now integrated in
connection.h.
Issue #5344
This commit streamlines the interaction between the Wifi::Manager
and the wpa_supplicant's CTRL interface.
As user-facing changes it alters some default settings and introduces
new features:
* Every configured network now needs to explicitly have its
'auto_connect' (to be considered an option for joining) attribute
set to 'true' whereas this was previously the default value if the
attribute was not set at all.
* The 'log_level' attribute is added and configures the supplicant's
verbosity. Valid values correspond to levels used by the supplicant
and are as follows 'excessive', 'msgdump', 'debug', 'info', 'warning'
and 'error'. The default value is 'error' and configures the least
amount of verbosity.
* The 'bgscan' attribute may be used to configure the way the
supplicant performs background-scanning to steer or rather optimize
roaming decision within the same network. The default value is set
to 'simple:30:-70:600'. It can be disabled by specifying an empty
value, e.g. 'bgscan=""'.
* The 'verbose_state' attribute was removed altogether and similar
functionality is now covered by the 'verbose' attribute.
Implementation-wise the internals changed significantly and are
outlined in the following paragraphs.
Formerly the interaction between the manager and the supplicant
was handled in an apparent way where the internal state of each
interaction was in plain sight. This made the flow cumbersome to
follow and therefore each interaction is now confined to its own
'Action' object that encapsulates the ping-pong of commands and
responses between the manager and the supplicant. All actions are
processed in a sequential way and thus there is no longer any
need to defer pending actions depending on the internal state of
the current interaction. Configuration changes as well as events
issued by the supplicant where new actions can be created are
handled in this fashion. Of note are both signal-handlers,
'_handle_cmds' and '_handle_events' respectively.
The state report, which provides the information about the current
state of connectivity to a given wireless network, was dealt with
in the same vein and its handling was spread across the manager
implementation. Again, to make it easier to follow, the generation
of the state report is now purely driven by the 'Join_state' object.
This object encapsulates the state of connectivity and is normally
updated by events issued from the supplicant (see '_handle_events').
It is also incorporated when handling command responses (see
'_handle_cmds').
Handling of timed-actions, like scan and signal quality
update requests, was done by setting a timeout at the Timer session
directly and thus only one timed-action could be pending at any time.
This excluded dealing with timed-actions like connected-scanning
and signal quality polling concurrently. This was changed and now
a One_shot_timeout is used to program each concurrent timed-action.
For implementing the communication channel for the CTRL interface the
manager and supplicant use a shared memory buffer, the Msg_buffer.
Since the CTRL interface for Genode was implemented using C, some
shenanigans were performed to access the memory buffer. Now the
CTRL interface implementation uses C++ and only exports the functions
required by the supplicant as C. This simplifies the usage of the
Msg_buffer and allows for removing the global functions needed for
synchronizing the Msg_buffer access as those are now part of the
object itself via the 'Notify_interface'.
Fixes #5341.
The 'convert_errno_from_linux' function was already used internally to
convert the Linux errno values to the matching FreeBSD libc ones when
calling socket functions.
It will now also be used to convert the error values included in
netlink messages as those, naturally, also correspond to the Linux
ones.
Issue #5341.
When starting testnit with the wm, the child views briefly appear at a
position relative to the top-left corner of the screen until the
top-level view has been positioned by the layouter. This patch keeps
child views invisible until their respective parent views are
positioned.
When restacking a top-level view, execute the top-level restacking
before updating the child views. Otherwise, child views may wrongly
refer to the old stacking position of the top-level view.
Issue #5242
Use Genode namespace, indicate 'Main' members as being private,
use Session_object, remove unused '_focus_request_reporter',
use Id_space for Window_registry, replace lookup by with pattern.
This is a follow-up commit to "gui_session: manage view ID at the client
side", which missed to invalidate the neighbor view of a window but
instead wrongly assigned the (now always valid) view ID 0 as neighbor.
In situations where a window disappears and re-appears (e.g., repeatedly
launching testnit in the wm.run scenario), the new window could not
always be topped.
Issue #5242
- only mark framebuffer dirty if necessary
-> gives the hardware chance to save longer power
- remove extra timer connection on Genode component side
-> use Linux time primitives
Issue #5339
With this patch, the wm accounts RAM and caps consumed on behalf of its
clients to the respective client's session quota instead of paying out
of its own pocket. This should make the wm resilient against resource
exhaustion and lowers the quota requirements.
Issue #5340
The current default session RAM quota of 36 KiB reflects the needs of
the nitpicker GUI server. However, in most commonly used scenarios, a
GUI client connects to nitpicker indirectly via the wm. The low value
worked so far because the wm did not account RAM and cap usage per
client so far but paid out of its own pocket and faithfully forwarded
all resource upgrades to nitpicker.
When adding resource accounting to the wm, the old default value has the
effect that a new client has to repeatedly attempt the session creation -
each time offering slightly more session quota - until both nitpicker and
the wm are satisfied.
By roughly doubling the default to 80 KiB, a wm client immediately
succeeds with opening a GUI session without repeated attempts.
By specifying a custom 'cap_quota' amount to the 'Genode::Connection',
the Gui::Connection now donates enough caps for both the wm and
nitpicker.
Issue #5340
By default, a 'Connection' donates an amount of caps as declared in
SESSION_TYPE::CAP_QUOTA to the server at session-creation time.
In some situations, however, a client may deliberately want to donate a
larger amount. For example, when opening a GUI session at the wm, the
total amount of needed caps is the sum of those consumed by the wm plus
those consumed by nitpicker. Using this knowledge, the Gui::Connection
may specify a sufficient amount to avoid iterative session-creation
retries. The new 'Connection' constructor accommodates this use case by
accepting an explicit 'cap_quota' argument.
Issue #5340
This patch deduces the caps needed for the framebuffer and input RPC
objects from the resources accounted locally within the session. It also
takes precautions for the situation where a client offers too little
resources, prompting the mid-way cancelling of the 'Session_component'
creation. With the patch, the 'ep.manage' operations are rolled back
by the corresponding 'ep.dissolve' operations.
Issue #5340
This patch moves the eager allocation of view capabilities from the
'view' and 'child_view' RPC functions to the 'view_capability' RPC
function, reducing the consumption of capabilities in all scenarios
where views don't need to be shared between GUI sessions.
Issue #5340
over rsdp v1. The multiboot2 provided rsdp_v1 version may not contain the
xsdt pointer, but may have the very same acpi revision as the acpi rsdp v2
version of multiboot2.
Fixes #5332
.../repos/libports/src/test/pthread/main.cc:539:76: warning: ‘++’ expression of ‘volatile’-qualified type is deprecated [-Wvolatile]
.../repos/libports/src/test/pthread/main.cc:1104:32: warning: ‘test’ may be used uninitialized [-Wmaybe-uninitialized]
The gui_fb client may have installed a custom sync_sigh and mode_sigh.
Reset those signal handlers at the GUI server should the client
disappear. Otherwise, the GUI server (nitpicker) continues to attempt
transmitting sync signals to the no-longer existing component, spamming
the log with "Warning: invalid signal-context capability" messages.
Don't use client-provided view IDs as IDs for the wrapped nitpicker
views. There is no 1:1 relation of IDs and physical views. So if a wm
client re-uses an ID, the physical view is expected to stay intact.
If the corresponding view object within the wm is not destroyed, however,
its ID remains allocated, which may then conflict with the ID of a new view
if the ID is reused by the client. This scenario resulted in the
following error:
Error: Uncaught exception of type 'Genode::Id_space<Gui::View_ref>::Conflicting_id'
This patch handles the situation by keeping the allocator of physical
views (_real_view) decoupled from the client's ID allocator.
Issue #5242
This patch enables basic use cases of the POSIX 'alarm' function, which
schedules the delivery of a SIGALRM signal after a specified amount of
seconds.
Issue #5337
This update uses a -current (that will become 7.6 later this year)
snapshot from 2024-08-16 that includes fixes for MSI support on
AMD systems.
Fixes #5331.
This commit replaces the current vbox5 based USB HID raw test, which
runs a Genode guest to test USB passthrough with a USB human interface
device, with one using vbox6.
Fixes #5330.
This commit adds support for TIOCSETA and TIOCFLUSH in a dummy fashion
that is enough to allow vbox6's serial-port implementation to print
lines to the log.
Issue #5330.
This commit allows for suppressing failed extract operations by
setting the 'ignore_failures' attribute in the 'config' node.
It is intended for operating the component in batch-mode where
multiple archives need to be extracted but failing to extract
some of them can be ignored. The default value of this option
is 'false'.
It also adds the 'stop_on_failure' attribute that instructs
the component to stop processing any following archives after
it already has failed to do so. The default value of this
option is 'true' to preserve the current behavior.
Issue #5326.
Now, we schedule before unblocking the rx_task. This is done in order to
execute a potentially ready ksoftirqd before unblocking the rx_task,
which in turn may execute soft-interrupt handlers through bottom half
code leading to double lock attempts of the socket spinlock.
Issue #5264
Since the preset contains mesa_gpu-intel, it is specific to the pc
platform. Other platform-specific repos (such as allwinner) may contain
their own preset with the same name. To prevent that Sculpt images use
the wrong preset due to the particular order in the build.conf, we move
the preset into the pc repo.
Fixes #5322
Avoid double allocation of alternative stack. Genode's sigaltstack variant
allocates the stack with alloc_secondary_stack. Disable the warning of
sigaltstack by using explicitly the nullptr in ss_sp.
Issue #5305
This interface change gives GUI servers the freedom to allocate view
capabilities at the time of request instead of the creation time of the
view. This is useful because view capabilities are rarely needed.
Issue #5242
This patch moves the management of view IDs from the server to the
client side. The former 'create_view' and 'create_child_view'
operations no longer return a view ID but take a view ID as
argument. While changing those operations, this patch takes the
opportunity to allow for initial view attributes. Combined, those
changes simplify the window manager while accommodating typical
client use cases with less code.
To ease the client-side ID management, the Gui::Connection hosts
a 'view_ids' ID space for optional use. E.g., the new 'Top_level_view'
class uses this ID space for ID allocation. This class accommodates the
most typical use case of opening a single window.
The 'alloc_view_id' RPC function is no longer needed.
Issue #5242
This patch reworks the view-ID handling within the nitpicker GUI server
and the window manager. The namespace of view handles is now represented
as an Id_space. In contrast to the former "handles", which could be
invalid, IDs cannot be semantically overloaded with anything other than
an actual view reference. There is no notion of an invalid handle.
IDs are like C++ references (which cannot be a nullptr).
This change requires the code to be more explicit. E.g., the stacking of
a view at the front-most position can no longer be expressed by passing
an invalid handle as neighbor.
Issue #5242
Express the allocation of a new view handle by a dedicated RPC function
instead of passing an invalid view handle to the existing 'view_handle'
function.
This eliminates the notion of invalid view handles at the GUI session
interface, clearing the way for managing view handles via an Id_space.
Issue #5242
This patch eliminates the use of invalid view handles as special
Session::Command arguments. The TO_FRONT and TO_BACK operations
interpreted an invalid neighbor as top-most or back-most position.
Those corner cases are now expressed via dedicated commands. The
new stacking commands are FRONT, BACK, FRONT_OF, and BEHIND_OF.
While changing the command interface, the patch removes the OP_
prefix from the opcode values.
Issue #5242
- Rename framebuffer_session to framebuffer and
input_session to input as those RPC interfaces are no longer
meant to be used as stand-alone sessions.
- Host Connection::input and Connection::framebuffer as public
members, thereby removing the use of pointers. This simplifies
the client-side code. E.g., '_gui.input()->pending()' becomes
'_gui.input.pending()'.
Issue #5242
To maintain ease of use at the client side, the OUT_OF_RAM and
OUT_OF_CAPS results are handled at the 'Gui::Connection' now.
Gui::Connection does not inherit the Gui::Session interface any longer,
which allows for the use of different result types.
Issue #5242
Issue #5245
This patch replaces the optional parent argument of the create_view
RPC function by a dedicated create_child_view RPC function. This
is a preparatory step of removing the notion of an invalid handle
as a special case.
Issue #5242
The fd event handling uses the fd to directly access the array slot and
expects the fds to be contiguous and capped.
Since the returned fds from our libc were much larger than expected,
because the libc itself consumes multiple fds when managing sockets,
using the fd in this manner leads to memory corruption.
This commit limits the maxfds to 63 and always allocates 1024 slots
in the fd-array.
Fixes #5320.
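The failure mode described in the commit message above, as an added example that is not code from the project or from the ported component: a fixed-size handler table indexed directly by file-descriptor number, where every access goes through one bounds check so that an unexpectedly large fd is rejected instead of writing past the array. All names (`Fd_table`, `register_fd`, `Handler`, ...) are hypothetical; only the slot count of 1024 is taken from the commit message.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>

/* All names are hypothetical; only the slot count (1024) is from the commit message. */
enum class Register_result { OK, INVALID_ARG, OUT_OF_RANGE, IN_USE };

using Handler = void (*)(int fd, void *ctx);

class Fd_table
{
    public:

        static constexpr std::size_t NUM_SLOTS = 1024;

    private:

        struct Slot { Handler handler; void *ctx; };

        std::array<Slot, NUM_SLOTS> _slots { };  /* value-initialized: all slots empty */

        /*
         * Single place where an fd is turned into an array position.
         * Returns nullptr for any fd that cannot index the array, so
         * no caller ever computes '&_slots[fd]' on its own.
         */
        Slot *_slot(int fd)
        {
            if (fd < 0 || static_cast<std::size_t>(fd) >= NUM_SLOTS)
                return nullptr;
            return &_slots[static_cast<std::size_t>(fd)];
        }

    public:

        Register_result register_fd(int fd, Handler handler, void *ctx)
        {
            if (fd < 0 || !handler) return Register_result::INVALID_ARG;

            Slot *slot = _slot(fd);
            if (!slot)         return Register_result::OUT_OF_RANGE;
            if (slot->handler) return Register_result::IN_USE;

            *slot = Slot { handler, ctx };
            return Register_result::OK;
        }

        bool unregister_fd(int fd)
        {
            Slot *slot = _slot(fd);
            if (!slot || !slot->handler) return false;
            *slot = Slot { nullptr, nullptr };
            return true;
        }

        /* call the handler registered for 'fd', false if there is none */
        bool dispatch(int fd)
        {
            Slot *slot = _slot(fd);
            if (!slot || !slot->handler) return false;
            slot->handler(fd, slot->ctx);
            return true;
        }
};

/* sample handler: counts invocations in the int that 'ctx' points to */
static void count_event(int, void *ctx) { ++*static_cast<int *>(ctx); }

int main()
{
    Fd_table table;
    int hits = 0;

    /* constructed sample: sparse fd numbers, one of them beyond the table */
    int const fds[] = { 3, 700, 1023, 1024, 5000 };
    for (int fd : fds) {
        bool const ok = table.register_fd(fd, count_event, &hits) == Register_result::OK;
        std::printf("fd %d: %s\n", fd, ok ? "registered" : "rejected");
    }
    table.dispatch(700);
    std::printf("handler calls: %d\n", hits);
    return 0;
}
```
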
Add extended FPU state detection and handling (via xsave and friends) to the
kernel, which has to store/load more FPU state (~512 -> 2k++) during context
switching of threads. Additionally, the referenced nova branch contains various
optimization during VM destruction and cross core IPC resource caching.
This FPU work is based upon upstream NOVA kernel and Hedron commits.
Issue #5314
Fixes #3914
Some more adjustments are needed for xsave support, but this port is scheduled
to be removed. Just disable xsave for the time being to make nightly test
happy.
Issue #5314
The commit that added firmware loading via the VFS (see #4861)
introduces a double-free bug where the memory that contains the
image is freed twice, once from the callback and once from the
work function.
As all examined drivers call 'release_firmware' from the callback
function themselves, remove the erroneous 'kfree' call from the
work function.
Issue #5264.
The 'update_quality_interval' instructs the wifi driver to update
the approximated link quality to the currently connected AP every
30 seconds.
Issue #5262.
This commit introduces support for querying and updating the signal
quality of the established connection to the current accesspoint.
By setting the 'update_quality_interval' to a non-zero value specified
in seconds the 'state' report will be updated to incorporate the
current signal quality. It uses the same approximation as is already
in use by the scan results.
Fixes #5262.
Now, USB audio class devices become available in Sculpt, e.g., for vbox
passthrough, and are not automatically grabbed by the usb_hid class=3
policy. In the future, interface/endpoint level policies will enable
driving the HID interface only from usb_hid while a usb_audio driver
controls the rest of the device.
This commit adds the firmware image for the AX200 device as found
in the Tuxedo Pulse 15 Gen1, the 9560 as found in the Starlite and
the for devices found in the T430/T530.
Fixes #5282.
Turn some of the current assertions into warnings/error messages and
continue boot. Print the messages as soon as core_log is initialized,
so that on live/release systems (Sculpt OS) it may be inspected later on.
Related to issue #5307
The code to group together SMT threads of one CPU and to move P-Core to
the beginning of Genode's affinity-space, did not consider to run on
SOCs with only E-Core CPUs.
Re-structure the code to support E-Core only SOCs.
Additionally, provide a fallback mapping in case of CPU id reordering problems.
Track faulty re-mapping and delay the reporting until core_log is initialized,
so that the warnings are visible to consumers, e.g. on Sculpt OS.
Related to discussion of #5304
Fixes #5307
Unmasking of a pending interrupt did not lead to immediate IRQ handler
execution in all cases.
This commit also addresses some style concerns raised during the issue
discussion.
- Replace multi-boolean IRQ state by state enum
- EOI and ACK should be same in DDE context
- Unify x86 and ARM irqchip.c
- Remove Pending_irq type
- Remove dde_irq_set_wake()
Fixes #5164
The use of the Linux-internal SLUB allocator is supported by lx_emul and
drivers may now decide between the Linux implementation or our emulation
of kmem_cache. Drivers for pc and virt already use SLUB, while other
drivers still use the emulation and may be adapted step-by-step incl.
the testing on the devices.
Fixes #5236
Allocate a Genode known stack via alloc_secondary_stack and register it
as alternative stack via Signal:use_alternative_stack().
The original semantic of Posix, where the caller may choose arbitrary stack
pointers is currently not possible. Warn about the fact.
Issue #5305
The Fn key on keyboards should never be reported as real scancode event,
as it is just a hardware switch that changes the reported scancodes of
other keys. The behavior of Linux hid-apple.c is wrong as it on one hand
reports different scancodes for the same hard key depending on the Fn
state but sends the Fn press and release events too. Thus from now on,
we just drop KEY_FN events for all drivers as otherwise, scancodes
generated by Fn+key combinations would never be single-key
events on upper layers, for example KEY_FN + KEY_F12 on the Matias Apple
keyboard clone in the fixed issue.
Fixes #5288
By calling run_genode_until twice, we take into account that the boot
time on some boards might be longer than on others, while still verifying
that the second "set_rtc" is reported within about 1min (+10s).
Fixes #5306
Since page tables might need to be allocated during
insert_translation(), Out_of_ram or Out_of_caps exceptions might occur.
Entries that have already been added by insert_translation() must thus be
removed once one of those exceptions occurred.
Fixes #5254
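The rollback requirement stated in the commit message above, as an added example that is not the project's code: a toy two-level table that allocates second-level tables on demand from a fixed budget, and a range-mapping function that removes the entries it already inserted when the allocation fails midway. `Toy_page_table`, `map_range`, the table size and the budget are hypothetical; only the names `insert_translation` and `Out_of_ram` echo the commit message.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>

/* Hypothetical stand-in for the out-of-RAM condition named in the commit message */
struct Out_of_ram : std::runtime_error
{
    Out_of_ram() : std::runtime_error("out of RAM") { }
};

using Page = std::uint64_t;

/*
 * Toy model: one second-level table covers PAGES_PER_TABLE virtual pages
 * and is allocated on first use against a fixed budget.
 */
class Toy_page_table
{
    private:

        static constexpr Page PAGES_PER_TABLE = 4;

        std::size_t _tables_left;
        std::map<Page, std::map<Page, Page>> _tables { };

    public:

        explicit Toy_page_table(std::size_t budget) : _tables_left(budget) { }

        /* may throw Out_of_ram when a new second-level table is needed */
        void insert_translation(Page vpage, Page ppage)
        {
            Page const idx = vpage / PAGES_PER_TABLE;
            if (_tables.find(idx) == _tables.end()) {
                if (_tables_left == 0) throw Out_of_ram();
                --_tables_left;
            }
            _tables[idx][vpage] = ppage;
        }

        /* drop one entry and give an emptied table back to the budget */
        void remove_translation(Page vpage)
        {
            auto it = _tables.find(vpage / PAGES_PER_TABLE);
            if (it == _tables.end()) return;
            it->second.erase(vpage);
            if (it->second.empty()) {
                _tables.erase(it);
                ++_tables_left;
            }
        }

        bool lookup(Page vpage, Page &ppage) const
        {
            auto it = _tables.find(vpage / PAGES_PER_TABLE);
            if (it == _tables.end()) return false;
            auto entry = it->second.find(vpage);
            if (entry == it->second.end()) return false;
            ppage = entry->second;
            return true;
        }

        std::size_t mapped() const
        {
            std::size_t n = 0;
            for (auto const &t : _tables) n += t.second.size();
            return n;
        }

        std::size_t tables_left() const { return _tables_left; }
};

/*
 * Map 'count' consecutive pages. Assumes the range is not mapped yet.
 * On Out_of_ram, every entry inserted by this call is removed again, so
 * the caller never observes a partially mapped range.
 */
bool map_range(Toy_page_table &pt, Page vpage, Page ppage, std::size_t count)
{
    std::size_t done = 0;
    try {
        for (; done < count; ++done)
            pt.insert_translation(vpage + done, ppage + done);
        return true;
    } catch (Out_of_ram const &) {
        for (std::size_t i = 0; i < done; ++i)
            pt.remove_translation(vpage + i);
        return false;
    }
}

int main()
{
    Toy_page_table pt(3);                         /* constructed budget: 3 tables */
    map_range(pt, 0, 100, 4);
    bool const ok = map_range(pt, 4, 200, 12);    /* needs 3 more tables, only 2 left */
    std::printf("second mapping %s, %zu pages mapped, %zu tables left\n",
                ok ? "succeeded" : "rolled back", pt.mapped(), pt.tables_left());
    return 0;
}
```
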
Add TAR_OPT to global.mk that defaults to user and group 1, while
setting mtime to 0 for tar archives. This can be used in components to
produce consistent (reproducible) tar archives.
issue #5255
This patch replaces the former Child::Process and
Child::Process::Loaded_executable classes by static functions that
return failure conditions as return values.
Issue #5245
By using GCC's --debug-prefix-map argument, we can make sure that debug
archives always refer to source files at /depot. With this change, GDB
can be pointed to the correct source-file location by using the `set
substitute-path /depot /path/to/local/depot`.
Fixes #5260
This patch tightens the coupling of the 'Platform_thread' objects
with their corresponding 'Platform_pd' objects by specifying the
'Platform_pd' as constructor argument, keeping the relationship
as a reference (instead of a pointer), and constraining the
lifetime of 'Platform_pd' objects to the lifetime of the PD.
It thereby clears the way to simplify the thread creation since all
PD-related information (like quota budgets) are now known at the
construction time of the 'Platform_thread'.
The return value of 'Platform_thread::start' has been removed because it
is not evaluated by 'Cpu_thread_component'.
Related to #5256
Fix the wrong assumption about isochronous packets being always sent
with maximum EP's packet size. Instead the isochronous cache now contains
a sizes array to deal with arbitrary packet sizes.
Fix genodelabs/genode#5257
For consistency reasons, remove the cortex_a8, cortex_a9, and cortex_a15
spec directories. Such SPEC variables do not exist since a while.
Also rename remaining translation_table.h header to page_table.h to
stay consistent with the class names inside.
Fix genodelabs/genode#5253
- Remove exceptions
- Use 'Attr' struct for attach arguments
- Let 'attach' return 'Range' instead of 'Local_addr'
- Renamed 'Region_map::State' to 'Region_map::Fault'
Issue #5245
Fixes #5070
The 'Thread_creation_failed' error is now reflected as
'Thread::Start_result' return value. This change also removes the
use of 'Invalid_thread' within core as this exception is an alias
of Cpu_session::Thread_creation_failed.
Issue #5245
For each packet that got stuck with an ARP-cache miss, the router used to send
one ARP request and create one ARP waiter. However, in situations where many
packets target the same IP at one destination domain and during a short period
of time, this causes unnecessary session-quota consumption and network traffic.
This issue becomes especially pressing when taking malicious source peers,
absent destination peers, and packet batching into account.
Therefore, with this commit, the router can accumulate multiple source packets
with the same destination IP at one ARP waiter. This means, that only the first
packet with an ARP-cache for a certain IP sends an ARP request and creates an
ARP waiter. For situations where the ARP request is not answered, this
essentially rate-limits ARP requests for one IP at one destination domain
according to the lifetime of ARP waiters (default: 10s)
Ref #4534
The router used to send an ARP request for a packet before allocating the
corresponding ARP waiter. If the ARP waiter could not be allocated due to
resource exhaustion plus emergency free failed, the packet got dropped and the
router had produced unnecessary network traffic. The commit fixes this by
sending only after successful allocation.
Ref #4534
The previous default packet-batch count of 150 (<config
max_packets_per_signal>) was chosen with the only goal of preventing
starvation by huge amounts of packets from one session.
However, there is something else to keep in mind. A packet that is found to
require ARP sends an ARP request and becomes blocked after having consumed
resources. This means, that, in the worst case, the router used to send 150 ARP
requests and consume resources 150 times before making it even possible for the
outer world to react and cause resources to be freed.
With this additional scenario in mind, the default batch size should be
significantly lower.
Ref #4534
poll(2) needs to handle invalid file descriptors in the pollfd struct,
specifically -1 as it may be used to disable entries in the fds[] array.
Fix a possible nullptr dereference by checking the File_descriptor
pointer returned by find_by_libc_fd() for validity and skip processing
of any unresolved FDs, effectively implementing standard POSIX
semantics.
Fixes #5249
This patch removes the exception formerly thrown by 'Cpu_thread::state'
and turns the 'Thread_state' structure into a plain compound type w/o a
constructor.
Issue #5245
Fixes #5250
With libxml2 >= 2.13, the `-path` argument can no longer be used for
setting search paths for xsd files. Instead, we use an XML catalog to
replace genode:// URIs with absolute paths.
Fixes #5248
This patch replaces exceptions of the PD session RPC interface with
result types.
The change of the quota-transfer RPC functions required the adaptation
of base/quota_transfer.h and base/child.h.
The 'alloc_signal_source' method has been renamed to 'signal_source'
to avoid an exceedingly long name of the corresponding result type.
The Pd_session::map function takes a 'Virt_range' instead of basic-type
arguments.
The 'Signal_source_capability' alias for 'Capability<Signal_source>' has
been removed.
Issue #5245
So far, this test used dynamic_rom for the re-configuration of the nic router
and tested for the expected ping results by inspecting the log with the run
tool. However, this approach had two issues:
* Timing differs significantly on different targets and so the dynamic_rom had
the difficult task of compensating with heuristics without bloating the test
duration too much.
* In case of a failing test, it was difficult to determine the cause as the
test kept running and produced output for quite some time and there was also
no specific error message but only a generic timeout.
These two issues are now fixed by introducing a test component that listens to
the ping-result report and manages the nic router configuration. The new
component exits early on failure and provides information on the error
circumstances. Furthermore, the component advances to the next test step only
after having seen the expected result of the active test step and thereby
removes the need for heuristics about target timing.
Fixes #5192
This patch updates the signal API to avoid raw pointers, and
replaces the Context_already_in_use and Context_not_associated
exceptions by diagnostic messages.
Fixes #5247
The router used to ignore the value of the <report quota=".."/> attribute when
it came to determining whether an interface's report is empty or not.
Therefore, merely configuring <report quota="yes"/> didn't cause interfaces
(and their quota) to show up in the report. Instead, interface quota was
reported as side effect of <report stats="yes"/>. The commit fixes this
inconsistency with the README.
The only object that is dynamically allocated by a network interface and that
was not equipped with a self-destruct timeout was the ARP waiter. This commit
closes this gap by adding a timeout to each ARP waiter that is set to 10
seconds by default but can be configured via the new <config> attribute
'arp_request_timeout_sec'.
Ref #4729
RFCs recommend to keep TCP connections for a certain time even after they
finished a close handshake, AFAIK, in order to be able to recognize astray
packets when they arrive later. This seems overambitious especially when in
the context of the router where session quota is pretty limited. Therefore,
this commit drops this final timeout and drops closed connections immediately.
Ref #4729
The previous value of 60 seconds was never observed in real-time scenarios and
UDP, for instance always used a timeout of 30 seconds without causing issues.
Note that this applies only to TCP connections in a state other than
ESTABLISHED, i.e., while it is still safe to early-drop the connection.
Ref #4729
The TCP connection state "ESTABLISHED" (in the router "OPEN") is a privileged
one for peers because it lasts very long without any peer interaction (in the
NIC router it's only 10 minutes, but RFCs recommend not less than 2 hours and
4 minutes). Furthermore, TCP connections in this state are normally not
available for early-drop on resource exhaustion. This means that this state
binds resources to a connection potentially for a long time without the option
of regaining them under stress. Therefore, this state should be entered with
care.
Up to now, the router marked a TCP connection with this state as soon as it had
seen one matching packet in both directions, which is rather quick. However,
implementing a very precise tracking of the exact TCP states of both peers and
only marking the connection "ESTABLISHED" when both peers are "ESTABLISHED" is
a difficult task with lots of corner cases.
That said, this commit implements a compromise. The router now has two flags
for each peer of a TCP connection - FIN sent and FIN acked - and sets them
according to the observed TCP flags. The "ESTABLISHED" state is entered only
when FIN acked is set for both peers (without having observed an RST or FIN
flag meanwhile).
Ref #4729
The Reference and Const_reference utility were introduced in order to express
that something is a reference (no null value) but can be changed dynamically
(not possible with built-in C++ references). However, the idea of preventing
every possibility for null pointer faults, with which the router was built
initially, has not prevailed and using pointers instead of the utility saves
logic and makes the code more readable to other C++ developers.
Ref #4729
The deinitialization method of Domain used to rely on Domain::with_dhcp_server
in order to dissolve and destroy a present DHCP server. However, this method
skipped calling its functor argument also when there was a DHCP server but an
invalid one. This commit replaces the with_dhcp_server with a pointer null-check
in order to fix the leak.
Ref #4729
Re-implements an emergency freeing of resources on exhaustion of session quota.
In contrast to the past one, the new algorithm is executed directly where the
exhaustion occurs. Instead of interrupting the packet handling and restart it
from the beginning after the freeing action, packet handling is now continued
at the point of exhaustion (if enough resources could be freed). Furthermore,
the new algorithm frees only 100 objects (instead of 1024) at a max as we found
this to better match real-life observations. And finally, the router now drops
ICMP first, then UDP, then TCP - as this better reflects priorities - and
refrains from dropping TCP connections in the ESTABLISHED state. If the router
cannot free a sufficient amount of resources, the packet that caused the
exhaustion is dropped with a warning (verbose_packet_drop="yes").
Ref #4729
Remove the use of C++ exception as much as possible from the router as C++
exception handling can be resource intensive and can make code hard to
understand.
This also removes the garbage collection that the router used to do when a
session ran out of quota. This is motivated by the fact that the garbage
collection was rather simple and removed connection states regardless of their
current state, thereby causing broken connections. The change is part of this
commit as the approach to integrating garbage collection relied strongly on
exception handling.
The user story behind removing garbage collection: The router emergency-dropped
an established TCP connection (with NAPT) and on the next matching packet
re-created it with a different NAPT port, thereby breaking the connection. With
this commit, existing connections are prioritized over new ones during resource
exhaustion and the packets that attempt to create a new connection in such a
state are dropped with a warning in the log (verbose_packet_drop="yes").
Note that the state resolves itself with time as existing connections time out
or are closed by peers.
Ref #4729
Reserved memory regions must be excluded from the corresponding DMA
allocators irrespective of whether the device is in use. Otherwise, an
early allocation of DMA buffers may use the reserved memory regions of a
late acquired device.
Fixes #5232
Add special handling for root bridge access for
12th Gen Framework laptop and Thinkpad X1 Nano Gen2
to avoid bogus MMIO memory accesses as seen in #5234 and #4643.
Fixes #5234
Based on not emulated and thereby wrong values, acpica calculates a
physical address which points to somewhere. Remove this hack from core and
try to emulate accesses inside acpica where necessary.
Issue #4643
Issue #5234
This exception got introduced as a mere convenience for implementers of
'Child_policy' but required a special case in the base library.
Following the goal of eliminating exceptions from the base system,
this patch removes it by making a server_id_space mandatory.
Issue #5245
as setup by firmware after boot. The information will/can be used by the
platform driver to re-program bridges after a system suspend/resume cycle.
Issue #5241
This patch allows the use of the 'Id_space' utility without catching
'Unknown_id' exceptions. Instead, the new 'apply' overload takes a
second functor 'missing_fn' as argument, which is called whenever the
lookup fails.
Issue #5244
- Replace 'typedef' by 'using'
- Avoid plain pointers
- Import Genode namespace into Gui::
- Use enum class
- Use Attr struct for passing multiple attributes
- Turn testnit into proper Genode::Component
- Use distinct types for top-level and child views
- Remove dependency from timer
- Use util/geometry.h
- Move header to base/include to make it applicable for base types
like 'Affinity' down the road.
- Represent 'Rect' as tuple of point and area, which is the most
common form of initialization, creates in valid 'Rect' by default.
- Turn Point, Area, and Rect into compound types, making x, y, w, h, at,
area accessible without a method call
- 'Rect::Compound' function for constructing a 'Rect' from two points,
replacing a former constructor
- Use result type 'Rect::Cut_remainder' instead of out parameters.
Fixes #5239
This patch turns 'Color' from a class to a POD type by replacing
the constructors by the named create functions 'rgb', 'clamped_rgb',
and 'clamped_rgba'. It thereby enables the initialization of Color
values using { .r = ... } syntax and makes the type usable in const
expressions.
It also narrows the type for color components and alpha values to
uint8_t. So possible integer overflows of computed values are detected
by -Wconversion.
As 'Color::rgb(0, 0, 0)' is repeatedly used as a default value, the
patch adds the 'Color::black()' function.
Fixes #5238
- Move C++ sources from lib/wireguard to app/wireguard, which require
Genode include paths (that conflict with linux)
- Rename lib/wireguard_lx_inc_dirs to lib/wireguard, which builds linux
sources with linux include paths
In '_generic_syncobj_wait' check if sync-objects exist, return error
otherwise. Do not wait because the execution model is synchronous,
meaning no batch buffers are in execution when this function is called
(_drm_mutex).
issue #5224
Use pthread_mutex because the EP can block while the thread executing a
batch buffer and waiting for a completion signal in the VFS-GPU plugin
can still make progress.
Also return to coarser locking until we support Sync-Object Wait
semantics.
issue #5224
Freshly allocated BOs from libdrm have to be zeroed. Since the libdrm/iris
caches VRAM allocations, we don't want to attach/detach parts of dataspaces at
every allocation. Some objects are used long (through caching in the iris
Gallium driver). Therefore, zero object on release where the region might
already be mapped.
issue #5224
This commit adds a weak dummy implementation to a compilation unit
that is referenced by all DDE Linux based driver components to
prevent adding a dummy to every driver.
The upstream implementation is used to allocate order-0 pages in
a batch and users, e.g. page-pool allocator, may rely on that
behaviour and thus it is implemented with this commit.
This commit remedies the somewhat lazy attempt to address unique names
for drivers where the name is directly derived from KBUILD_MODNAME,
e.g. rtlwifi, and also modifies the name accordingly to the rules
of Linux' build-system. The last part becomes necessary as driver
matching tables may rely on that as has already happened with the
ti-sn65dsi86 driver.
This enables the combination of the nic_uplink component with any driver
pkg featuring a runtime file. This is already the case of the pc_nic
driver.
This is a preparatory step for issue #4420.
When having a maximized terminal window, a suspend was causing an
invalid mode change at nitpicker. This triggered a huge resource request
in nitpicker because the RAM-quota check was rendered ineffective by a
wrap-around during unsigned multiplication.
Issue genodelabs/genode#5180
Fixes genodelabs/genode#5201
On systems with the option `use-keyboxd` enabled in config, option
`--no-keyring` in gpg command line doesn't work. The result of the
pubkey_id function will be the first key in the keybox keyring instead
of the id of pubkey from the depot user.
Fixes genodelabs/genode#5235 genodelabs/goa#92
The test reverts the platform drivers' config at the end of the test
to an empty state. However, this state should still contain a default
policy (analogously to the initial state). Otherwise, the platform
session of the test program will (sometimes) become invalid just before
successfully finishing the test.
The original use cases of the loader have long been covered by the
dynamic init. The only substantial client of the loader remained to be
the qpluginwidget. However, the qpluginwidget was supported only by the
Arora web browser. But the blending of plugins with websites ultimately
remained a tech demo, and Arora has been replaced by Falkon.
Fixes #5229
When more than one thread are accessing the DRM interface it is not wise
to use global locking, especially when a pthread is executing a batch
buffer and waits for a completion signal in the VFS-plugin. In case the
EP gets stuck in the global lock, no progress is made. Therefore:
* use _drm_mutex only where strictly necessary
* use special _exec_mutex to protect buffer execution (per context)
* print warning when two threads try to execute a buffer in the same
context
issue #5224
Default disabled initialization prevents follow-up errors if one
capability is already enabled on boot, but platform_drv decides to
enable the other one. The PCI spec explicitly states that "Behavior is
undefined if both MSI and MSI-X are enabled simultaneously".
Fixes #5228
A launched child only becomes present in the runtime when it has been
configured. This must be considered when checking for missing servers.
Fixes genodelabs/genode#5226
Using a segment to reserve the AP (application processor) code page does not
work if the region overlaps with other non-memory types, e.g. bender checks
for the overlapping and denies to boot on such machines.
Without bender, the system boots up fine. So, partially remove the nova commit
"Add segment to reserve AP startup page" and instead apply the idea of
Cyberus's version. Place the AP boot code later during boot and save and
restore the memory before/after SMP bootstrap.
Prerequisites for Mesa 24.0.1
* generic:
* add patch to retrieve PCI/Platform information from Genode side of the DRM
interface (in drmGetDevice2)
* add generated 'fourcc' file
* iris:
* report back-end (currently 'i915', 'xe' is unsupported)
* add various I915_CONTEXT_PARAM* and I915_PARAM*
* allocate 'Buffer's starting with ID 1 (0 is invalid)
* enforce 48-bit-address limit on unmap also
* disable I915_EXEC_FENCE_ARRAY array check, because we do not support
sync objects right now and rendering in synchronous
* etnaviv:
* create 'Fenceobj' only *once* for each GPU context
issue #5224
The initial SVM implementation (correctly) just used another standard
x86_64 page table for nested paging. The EPT implementation is for Intel
VMX only. Since we don't know the underlying virtualization technology
at compile time, we need to pick the correct page table implementation
at runtime.
Add an AMD-compatible HPT page table implementation using the same
base implementation and (more importantly) allocator as the EPT
implementation. Add a Vm_page_table implementation that determines the
used virtualization technology at runtime and internally defers insert
and remove operations to the correct page table implementation.
Issue #5218
To make the x86 page table base implementation compatible with the
function signatures used in hw, make the Intel IOMMU specific arguments
optional:
- Make the `flush` parameter default to false.
- Make the `supported_sizes` parameter default to 1GB + 2MB + 4k.
Issue #5217
The Intel IOMMU page table implementation in the pc platform driver uses
a page table allocator that is adapted from the implementation in the hw
kernel.
Move the allocator to base as a first step to consolidate
implementations, fix an Array constructor and re-add the Allocator
constructor working on addresses instead of tables.
Issue #5217
On hw, `Page_flags` is used throughout architectures. At the same time,
it is used by the Intel IOMMU page table implementation in the pc
platform driver.
Consolidate the definition in base so it is available for all users.
Issue #5217
separately. The "iommu" option is now split up into "iommu_intel" and
"iommu_amd" and thereby can be disabled easily if required for one of the CPU
vendors.
Fixes #5206
- no need to explicitly switch off vga anymore
- use vPID for VMs which improves TLB usage if multiple vCPUs on same
pCPU is used, which happens to happen on Sculpt.
- support for mwait by nova kernel, which is off by default
Issue #5206
Create a generic interface for x86 virtualization.
Split the VMCB data structure in `Vmcb_buf` to represent the physical
VMCB page and `VMCB` as a control interface.
Issue #5113
So far, the VMCB data structure was generated from its parts (most
prominently VMCB Control Area and VMCB State Save Area) with the VMCB Control
Area accessed via the Mmio framework, while the VMCB State Save Area
struct used directly defined members.
Unify the VMCB structure and uniformly use the Mmio framework to access
the VMCB. Separate the controlling structure from the VMCB page.
Issue #5113
The SVM implementation did not lend itself to a runtime selection of the
x86 virtualization technology.
Encapsulate functionality in the VMCB class to facilitate adding support
for Intel's VMX.
Issue #5113
The initial algorithm ported to hw seems to be correct in principle,
however it does not work with nested virtualization.
Clean up the code to make the different methods of obtaining the TSC
frequencies more clear, and add warnings if a particular
method has failed although it should be available.
Fixes #5210
for other VMMs beside Virtualbox, e.g. Seoul or potentially arm/vmm. The
webcam model depends on libyuv, which uses stdcxx + full libc, which is not
desired or required for all VMM implementations.
Fixes #5208
We discovered this relocation, which does nothing, in pre-compiled
libraries. It is easy to implement because it has the same
relocation-type number (0) for all supported ABIs.
Also adjust error message from "Unsupported PLT relocation" to
"Unsupported translation table address format" to not confuse the
relocation type with the translation table type.
Fixes #5209
During resume the waiting for Cmd::St takes ~2s on a T460p with Intel
AHCI SSD attached. According to the Serial ATA AHCI Spec. wakeup can take
seconds, e.g. chapter 8.2 Power State Mappings of the Serial ATA AHCI spec
(1.3.1).
Issue #5203
Restore the reporting in situations where all capture sessions are gone.
This fixes the webcam package that disables the USB webcam driver when
nitpicker reports no active displays.
Issue #5187
- Avoid geometry animation at boot time
- Assign CPU quantum to higher prioritized GUI components
- Defer touch_keyboard start to reduce boot time
Issue #5174
Instead of using one default policy when creating an mmc driver's
configuration, produce some more static policy items to support
boards with more than one card per driver (mnt_reform2).
Both keys are physically the same on available keyboards (with varying
labeling). Unfortunately, PS/2 scancode sets and USB HID spec seem to
differ slightly in their interpretation. Therefore, we keep the
driver-level reporting as is but report both as KEY_PRINT in Sculpt,
which allows to use the key(s) for screenshoter rules most prominently.
Also, unify sculpt/event_filter/pc with sculpt_manager.
The run tool overrides the 'exit'-procedure to make sure that a loaded
run_power_off procedure is always executed. However, a failing
run_power_off led to false-positives: 'make run/...' exited with 0 even
though the run script was not even executed because of a failed
power-on/off cycle. In this case, if the run_power_off is the exit code
producer, the new exit definition does not finish as intended. As a
result, the first exit code is re-written, and errors are not propagated
accordingly.
The solution is to catch possible errors from power-off within the exit
procedure.
Fixes genodelabs#5102
With the current RAM setting, opening the inspect window fails on a
display with 4K resolution.
Adjust the inspect window's RAM quota to make it work.
Issue #5174
When a new signal arrives, which means a formerly non-pending one,
we should ignore old signal numbers of that context, but only
evaluate newly received data by the last kernel-call.
Fix #5193
The ported i2c_hid driver contains driver code for the "Intel
Tigerlake/Alderlake PCH pinctrl/GPIO" device. Unfortunately, acpica
driver also accesses the same device on Lid open/close via ACPI AML code
of the DSDT table to read out the state of a GPIO pin connected to the
notebook lid. This would fail as I/O memory is handed out only once and
cannot be shared. The workaround disables the region check for the
specified GPIO I/O memory regions and provides both drivers shared
access to the regions.
This is a preliminary workaround. A general solution should separate the
GPIO driver into a component (e.g., platform driver) that regulates
accesses by i2c_hid and acpica.
Issue #5195
During audio and video playback at a high rate by a VMM, nitpicker on the
boot CPU may interfere with the mixer clients, letting them not finish the
schedule RPC at the mixer in time. Moving nitpicker to the same CPU as
leitzentral mitigates the effect at the moment.
Issue genodelabs/genode#5174
At least on x86_64/x86_64/pc/hw|nova, the test used to fail because the net
setup sometimes required more than the 3 seconds that the test was giving each
step. This commit raises the step timeout to 5 seconds and the test timeout
from 70 to 90 seconds in order to be on the safe side.
Ref #5192
The default mixer launcher limits the volume to 50%, so raise the
driver's volume to the max to be audible on certain systems where
otherwise audio is barely recognizable.
While there, fix the wrong reporting attribute as well.
Issue #5174.
The version in ui_report and ui_config were merely used for making test output
more readable. However, there are other ways to achieve this goal.
Ref #5190
The File Vault used to sporadically fail to complete Extend or Rekey operations
when it was locked during the operation. The cause was an insufficient state
model that has been fixed with this commit.
Ref #5190
* adds rekeying and resizing controls to config+report api of file vault
* moves common types of file vault to file_vault/include/file_vault/types.h
to be included by other components
* fixes wrong type of nr_of_clients fields in file_vault
* introduces the file_vault_gui component that is a minimal graphical front end
for the file vault based on the dialog lib and that uses the
config+report api of the file vault as back end
Ref #5190
This patch addresses corner cases not considered so far. In particular,
it avoids placing the Add/Options tabs of an unscrollable popup under
the panel. This could happen in the presence of many options. The patch
includes the panel height into the calculation to rule out such
situations. It also tightens the scrolling boundaries to the visible
content.
Issue #5183
This patch handles intermediate situations where the screen mode may
become 1 x 1 (absence of any capture clients). In this case, the
decoration of a maximized window would legitimately exceed the screen
boundary.
Thanks Johannes for the investigation.
Issue #5187
Issue #5180
The blanking state is evaluated by the intel_fb driver, which will switch
off all connectors. When done, the intel_fb driver will exit and the
sculpt_manager will continue with the next step, stopping all drivers.
Issue #5180
This commit adds missing routes to I2c for the framebuffer driver of the
MNT Reform. If built for this concrete board the Board_info::Soc variable
within the sculpt_manager is initialized according to the properties of
this device. The `update_soc` routine is called in the initialization of
the sculpt_manager, otherwise it won't be called at all, if no PCI devices
changes are detected. Missing driver binaries and device-tree-binaries are
added to the run-script.
Issue #5174
A network card can be provided by PCI, and the SoC as well. Therefore,
add an additional state variable in the Board_info::Soc, and check it
appropriately.
Issue #5174
Commit "sculpt: safeguard the offering of suspend/resume" was too lax
about the detection of acpi support. In situations where acpi support
is selected but not yet installed, the menu would offer the features
already. This patch restricts the condition such that acpi support must
be running, not merely selected.
Issue #5174
This patch retains the buffer size of the last capture client as mode as
long as no capture client exists. This avoids intermediate mode changes
in situations like suspend/resume where the display driver is restarted.
Issue #5187
In contrast to platforms, like the PC, where the fb driver selection
is a dynamic decision depending on the available hardware, on current
ARM-based SoC machines this configuration is part of the static board
information.
Issue #5174.
This patch disables latency warnings by default. The warnings can be
enabled by setting the 'warning_rate_ms' value to the desired
maximum rate.
Fixes #5186
Issue #5174
The USB host controller gets restarted during the suspend-resume cycle.
Hence, don't offer suspend while any USB storage device is in use, in
particular when deploying Sculpt from a USB stick.
Suspend/resume is not supposed to work with any framebuffer driver other
than intel_fb. Therefore, offer the suspend feature only when using intel_fb.
Issue #5174
The automatic restart of intel_fb got lost during the transition from
the driver manager. This commit restores the heartbeat monitoring of
this driver.
Issue #5174
This patch enhances the sculpt manager to drive the system state
and manage the lifecycle of driver components during suspend-
resume cycles.
The new Power options can be found in the System menu. The suspend
and power-off controls are presented only when the acpi-support
option is activated.
Note that the USB controller is hard restarted when resuming from
suspend. Hence, all components that depend on USB are restarted
implicitly.
Issue #5180
Issue #5174
on display client close (intel_fb). The former code constructed a
temporary object on the stack, which sets up the scratch pages for the
closed client. However, the scratch page backing store (dma_buffer) gets
freed on destruction of the temporary stack object, which leads to DMA faults
with visual noise on the screen. Instead, use the already in use ggtt object
and add the scratch pages explicitly.
Issue #5180
This disambiguates the boot images installed for base-hw from those
installed for base-nova.
Note that the image.elf file for other kernels (i.e., NOVA) is not
named image-<kernel>.elf at this point because this would prevent the
update from a pre-24.04 Sculpt system to a later one as the grub.cfg
is not touched by the old update mechanism. So after a system update,
grub would keep loading the last installed image.elf.
Issue #5182
This commit updates the contrib sources to version 8.7.1.
This version requires more random entropy as it queries OpenSSL
about the current random state and will bail if it is not sufficient.
Doubling the content of the '<inline>' VFS plugin as used in static
configurations seems satisfactory.
Furthermore DNS resolving needs a configured '<pipe>' plugin to work
properly.
Fixes #5184.
Instead of returning an invalid capability whenever an interface is
requested that does not exist, create a disconnected interface component.
It is also possible that a client requests an interface that got removed
at the same time. When an invalid capability gets returned, a client
can stumble about invoking it.
Moreover, this commit marks either invalid interface or device components
as disconnected objects to optimize their handling.
Ref genodelabs/genode#5021
This is an intermediate solution for accommodating overly long
text lines that can appear in report/runtime/usb/devices in the
presence of long product strings.
Issue #5174
In the scheduler's implementation preserve the consumed slack-time
over periods of activation/deactivation, but instead of appending
activated jobs to the end of the slack queue, insert it as new head.
Thereby, the extreme discrimination of threads with short execution
times and frequent blocking behaviour against long running computations
gets avoided.
Fix genodelabs/genode#4796
The check handles the case when the user clicks right of the
radio-button text, yielding an invalid "matching" id. This should not
result in any action.
Issue #5174
When the "system" ROM state turns to "suspend",
the S3 state information of the sleep_states ROM are determined and
are used to invoke the privileged Pd::system_control call.
Issue #5180
triggered by the "system" ROM change. With this information the consumers
of the sleep_states report can determine, when the operation is finished.
Issue #5180
This commit raises various quota to accommodate using a display
resolution of up to '3840x2160' in the static parts, e.g. the
leitzentrale, of Sculpt.
Issue #5174.
This commit introduces the means to configure the framebuffer memory
used by the driver for sizing its buffers.
Originally the avail memory was derived from the avail ram in the PD
session, which roughly corresponds to configured RAM quota.
However, since it is only used in a virtual capacity, we can decouple
it from the actual memory and set to a value that accommodates larger
framebuffer resolutions like 3840x2160. If the configured RAM quota
is not enough to satisfy an allocation request the client will issue
a resource request.
Issue #5174.
This patch complements "sculpt: make component graph scrollable" with
the ability to scroll the popup dialog, which is sometimes needed in the
presence of many services as routing options.
Fixes #5183
Commit 'wifi_drv: re-arm scan timer when enabled again' allowed for
re-arming the scan timer but still uses the old timer value the first
time around. If the timer was disabled, by setting the interval to 0,
it was not enabled again.
We now check if the interval has changed beforehand and potentially
arm the scan timer afterwards.
Fixes #5178.
To differentiate between the legacy and the current VFS OSS plugin both
plugins will feature a 'plugin_version' field in its info file. This
is used for enabling features provided by the current version that are
not supported in the legacy one.
Issue #5167.
The audio launcher configures the 'bsd_audio_drv' component for normal
use where the microphone selection should work on most Thinkpads.
The mixer launcher configures the 'record_play_mixer' component for
use with the 'audio' launcher and provides also exemplary rules for
vbox6 launchers.
This commit prefixes the Play sessions of the audio driver so that
these can be matched differently in the 'record_play_mixer' config.
The same could be achieved with re-labeling but naming the sessions
differently at the source prevents accidental mis-configuration.
Issue #5167.
The IHD500 is almost a gen9 (skylake) GPU with subtle differences. Linux
maintains a separate feature set `GEN9_LP_FEATURES` for this GPU.
However, foisting the GPU as skylake on the GPU drivers seems to work
quite fine.
genodelabs/genode#5177
Executing a clflush operation on MMIO memory freezes embedded
platforms such as the Celeron N3450 used on the ZimaBlade. Looking into
the current linux code confirms that clflush is only used for ppgtt
entries and not on MMIO memory.
Fixes #5176
Since "sculpt: adjust nitpicker priority", the nitpicker GUI server no
longer runs at the highest priority, yet the runtime_view of the
leitzentrale UI continued to operate at the highest priority.
On slower machines, this results in a visible interference of the CPU-
heavy rendering of the runtime_view with the (now) lower-prioritized
nitpicker, in particular laggy pointer movements.
This commit subordinates the leitzentrale components below the priority
of nitpicker to prevent this interference.
It also simplifies the priority scheme at the static system init: The
timer has the highest priority whereas all other components use the
priority band -1.
Issue #5174
The hard resource limit introduced by "sculpt: upper limit for automatic
quota upgrading" is too conservative for typical use cases of the RAM
fs. This commit makes the limit adjustable per managed component and
relaxes the limit for the RAM fs and depot_rom from 256 MiB to 2 GiB.
Issue #5174
Because all operations in lxip are non-blocking, return
WRITE_ERR_WOULD_BLOCK for data writes as done by read.
Note: This was not the case in the old plugin because 'write' was a blocking
operation there.
issue #5165
These generated dummies slipped in when the commit
'pc_linux: enable gpio, audio' got merged and mainly concern old devices
from the 6xxx series.
The functions are normally guarded via 'CONFIG_IWLWIFI_LEDS' but due to
the olddefconfig step when generating our pc_linux config using
LX_DISABLE has no effect.
Issue #5066.
Allow tweaking the driver selection using the manager config:
- The new attribute 'ps2="no"' suppresses the selection of the PS/2 driver.
- The new attribute 'intel_gpu="no"' suppresses the selection of the
Intel GPU and fb drivers, letting Sculpt fall back to VESA or boot-fb.
Note that the dynamic change of those attributes is handled in principle
but not advisable. E.g., disabling the intel driver after startup leaves
the hardware in a state that the VESA driver cannot cope with. However,
when statically defining the attributes in sculpt/manager/default, it is
now possible to build an image that uses VESA on an intel machine.
Issue #5174
The nightly Qemu tests that don't use KVM require more time for completing the
unlock-and-access phase of the test. If the lock phase starts too early, the
file access is interrupted and the output isn't as expected.
Furthermore, on FOC, the cap quota was insufficient.
Ref #5148
The existing allocation scheme of window IDs has the unwelcome effect
that a re-appearing window would not always result in a visible change
of the window list. In such cases, the layouter and decorator would not
be prompted to do their job. This effect could be observed with the
multi-dialog version of menu view in Sculpt OS when manually enforcing
the restart of the runtime_view. Sometimes the panel would not re-appear
after the restart.
This patch changes the allocation of window ID such that new windows get
fresh IDs instead of reusing an ID of a recently disappeared window.
Issue #5170
Rarely, it might happen that events got received shortly before the complete
set of relevant USB devices got recognized. Filter more output in test metric
to stay robust.
This substantially slims down the test in order to reduce the number of nightly
tests that fail due to timeouts. Now, the extended test steps (maximum trees
and benchmarks) are only run on Linux. The synchronous access, snapshot
management, rekeying, and resizing tests were removed.
Ref #5148
This patch replaces the former use of one menu-view component per dialog
by a single menu view presenting all dialogs. This change reduces the
runtime config by about 20%, improves the boot time, and lowers RAM and
CPU usage at runtime.
Issue #5170
The font pointers cached in labels can become dangling when the style
database is updated, as happens when changing the font size dynamically.
This patch orderly updates the cached pointers before removing
out-of-date font entries from the style database.
Related to issue #5170
This patch equips the menu-view component with the ability to present
more than one dialog at a time. The dialogs must be declared in the
<config> node as follows.
<config>
...
<dialog name="settings"/>
</config>
For each dialog, menu view requests a dedicated ROM session labeled after
the dialog name. The corresponding GUI session is also labeled as such.
Note that only one hover report is generated responding to all dialogs.
The hover report can be correlated with the hovered dialog by inspecting
the 'name' attribute of the hover report's <dialog> sub node.
The former global config attributes 'xpos', 'ypos', 'width', 'height',
'opaque', and 'background' have become attributes of the <dialog> node.
Fixes #5170
GPU drivers always reside in the runtime subsystem now.
This patch eliminates the risk of requesting a GPU session at the
drivers subsystem, which never gets established.
Issue #5150
The new VFS OSS plugin utilizes the Record and Play session. For the
time being it is a drop-in replacement for the old plugin and shares
its limitations.
In contrast to the old plugin it is possible to force a client to
use a configured fragment size. Some clients work best with larger
fragments, e.g. VBox, where raising the minimal fragment size is
beneficial.
Please look at the README file for more information.
Issue genodelabs/genode#5167.
On some platforms like qemu/x86_64/sel4, accessing the file system is so
slow that it used to hit the timeout of this phase in the run script.
Ref #5148
This patch lays the selection of the used storage target into the hands
of the config/manager file. By default, Sculpt selects the target by its
built-in heuristics, probing for a Sculpt partition. However, by
specifying a <target> node, one can explicitly select a storage target.
E.g., for using the 2nd partition of the SATA disk connected to port 1
of the AHCI controller, one can now specify:
<target driver="ahci" port="1" partition="2"/>
For selecting the ram_fs as target:
<target driver="ram_fs"/>
The latter case is particularly useful for custom Sculpt scenarios
deployed entirely from RAM. For such scenarios, add two lines to
your .sculpt file:
ram_fs: depot
manager: use_ram_fs
The first line configures the ram_fs such that the depot is mounted
as a tar archive. The second line configures the sculpt manager to
select the ram_fs as storage target. You can find this feature
exemplified in default-linux.sculpt scenario.
build/x86_64$ make run/sculpt_test KERNEL=linux BOARD=linux
It is worth noting that the configuration can be changed at runtime.
This allows for switching between different storage targets on the fly.
Issue #5166
The new 'manager' config allows for the passing of configuration data to the
sculpt manager without the need to modify the config/leitzentrale subsystem.
Issue #5166
Unlike the previous return value of
`Genode::Packet_allocator::need_size_for_free()` indicated, it does need
the size of the object it has to free to work properly.
The plugin used to call open with the create flag set at rump without file
permissions for create leading to undefined behavior regarding the file
permissions.
Ref #5148
All errors (as in the legacy version) are now propagated as WRITE_ERR_IO
(see Lxip_vfs_file_handle::write), which ultimately will lead to EPIPE
in libc's socket_fs. This also counts for EAGAIN leading to the fact
that partial writes are not supported for blocking sockets in libc, also
libc will not try a second time in case not all data has been written.
issue #5165
The IP stack checks "user" pointer access, for example, for iov's using
'access_ok' which in turn calls '__access_ok'. The function checks if the
pointer is below TASK_SIZE_MAX, which is usually a big value on 64 bit
systems, but 3GB on 32 bit systems. Because the IP stack is mostly used with
Genode's libc, where pointers on some kernels (base-linux) can be >3GB and we
don't want to make an additional copy of each buffer/iov interacting with the
IP stack, we short circuit the function.
issue #5165
This patch replaces the dynamic use of Attached_rom_dataspace by a
new Rom_handler utility, which implicitly covers the initial import of
content (safely using 'local_submit'), the registration of the signal
handler, passes the Xml_node to the handler function (no need to
manually call 'update'), and provides scoped access to the content via a
'with_xml' method. The latter reinforces a programming style that does
not need to copy Xml_node objects.
Issue #5150
This patch removes the remains of the original block-device discovery as
done by the former driver manager. Block sessions are now always
provided by components hosted in the runtime subsystem. The storage node
of the graph is no more.
Issue #5150
This patch harmonizes the driver management between the sculpt manager
and the phone manager by hosting the individual drivers in a new
'Drivers' class with a narrow interface towards 'Sculpt::Main'. The
patch also introduces a clean separation of the 'Board_info' between
features detected at runtime (on PC hardware), statically
known/managed features (phone hardware), and options that can be
toggled at runtime.
With common patterns for managing drivers in place now, this commit
also moves the former runtime/wifi_drv.cc and runtime/nic_drv.cc
code to driver/wifi.h and driver/nic.h. The _drv suffix of the wifi
and nic driver components have been dropped.
Issue #5150
The move of block, USB, and input drivers from the drivers subsystem to
the runtime alleviates the need for routing those sessions between the
subsystems.
Issue #5150
This patch moves SoC-specific framebuffer and touchscreen drivers
(PinePhone) to the runtime subsystem. They are enabled for the
phone_manager.
Issue #5150
As the NVMe driver was the last remaining driver controlled by the
driver manager, this patch removes the 'drivers -> dynamic' subsystem
along with the driver manager from sculpt/drivers/pc.
Issue #5150
This patch moves the AHCI driver from the 'drivers -> dynamic'
subsystem to the runtime, managed by the sculpt_manager. One
implication of this change is the new need to supplement a device
port number to the 'Storage_target', in addition to the existing
label and partition. Previously, each block device was addressed by
merely a label specified for a parent session. The meanings of the
'Storage_target' elements are now as follows.
- The label corresponds to the driver component providing the storage.
- The port is used as block-session label when opening the session
at the driver.
- The partition(s) denote the partition information contained in
the block session.
Components operating as clients of the AHCI driver (e.g., a file system)
refer to their storage target as <label>-<port>.<partition> when a port
is defined (for AHCI). For drivers w/o ports, like USB storage where
each USB-block driver corresponds to only one device, the storage target
is denoted as <label>.<partition>. When no partition table is present,
the '.<partition>' part is omitted.
Issue #5150
This commit moves the USB and USB HID driver from the drivers subsystem
into the runtime. The former special USB node of the graph corresponds
now to the USB host-controller driver (named "usb"). The management
options for USB storage devices are available inside this component
node now.
Issue #5150
By moving the event_filter and the numlock_remap_rom from the drivers
subsystem to the static system, the filtering can be applied to drivers
hosted in the runtime and drivers hosted in the drivers subsystem.
This is a preparatory step for moving the USB host and HID drivers to
the runtime.
Issue #5150
Remove the "excellent" idea to re-open /dev/stdout etc. for redirection as
cmake uses open(O_TRUNC) and, thus, truncates log output of outer
redirections.
When the kernel does interrupt remapping, we cannot get a non-remapped MSI
for fault event interrupts. We therefore let the kernel do the fault
reporting in this case.
genodelabs/genode#5066
pci_channel_offline() checks if this member is set to
pci_channel_io_normal (which is 1). The former value of 0 is invalid.
This change fixes pc_nic_drv link down-up in cases that require an e1000
reset.
lx_emul_trace_msg() uses Genode::trace() as message function for
lightweight trace points, but also supports Linux format-string
attributes by using vsnprintf().
Only with high-resolution timers enabled timeouts can fire between two
jiffies. The option is enabled on all relevant platforms but
unfortunately disabled by tinyconfig.
This option also permits the use of CONFIG_SND_HRTIMER.
* add testing of trees with minimal and maximal dimensions to tresor_tester.run
* replace tresor_init-local configuration type with simpler and more conformant
configuration type in tresor/types.h that does also XML-parsing and
XML-generation of configurations
* raise min degree to 2 because a degree of 1 is not practical and would
require additional logic
* fix overflow with num_blocks=0 in Superblock_control::Read|Write_vbas
* fix off-by-one bug regarding the number of levels in Vbd_initializer
* improve sanity checks in Tree_configuration constructors
* document level indices in tresor_init/README
* fix size of some arrays in order to be able to handle the maximum number of
tree levels
Ref #5077
* fixes two places, where the free tree module used to continue to process a
request after actually having determined that the request fails
* moves the functionality of checking the hash of a read block and decoding it
to a dedicated method in order to improve readability
Ref #5077
Adds a new command attribute "uninitialized_data" to the Tresor Tester
configuration. If a <request op="read"> command has this attribute set to "yes"
it assumes the read blocks to be uninitialized and therefore contain only 0's.
Note, that a command that has "uninitialized_data" set to "yes" cannot have the
attribute "salt".
Ref #5077
Snapshots must only be removed when securing the superblock. Otherwise, the
last secured superblock might get corrupted. The Free Tree allocation algorithm
would not consider the deleted snapshots anymore although they are still active
in the secured superblock and re-use their blocks. This would render the tresor
container unusable if the superblock with the deleted snapshots is not secured
in the end (driver crash, power down, ...).
Ref #5077
Superblock_control::Initialize used to decode a read superblock before checking
its hash. This is not necessary but may cause the operation to end up in a
decoding error on a superblock that is not the desired one anyway.
Ref #5077
Instead of iterating over all superblocks and checking each valid one,
check only the one whose hash matches the hash stored in the trust anchor.
I.e., the last one that was secured to the trust anchor. We must assume that
the other superblocks were corrupted in the meantime by operating the Tresor
container and, anyway, these Superblocks are not used anymore.
Ref #5077
The request of extending a tree used to halt when it found that
it could not add more levels to the tree because the maximum level index was
reached. Now, the library simply marks the request as failed, leaving it to
the user to handle the error condition.
Ref #5077
* differentiates request types that were merged formerly per module;
e.g. instead of type Superblock_control::Request, there are now types
* Superblock_control::Read_vbas
* Superblock_control::Write_vbas
* Superblock_control::Rekey
* Superblock_control::Initialize
* ...
each holding only the state and functionality that is required for exactly
that request
* removes all classes of the Tresor module framework and adapts all
Tresor- and File-Vault- related libs, apps, and tests accordingly
* the former "channel" state is merged into the new request types, meaning, a
request manages no longer only the "call" to a functionality but
also the execution of that functionality; every request has a lifetime
equal to the "call" and an execute method to be driven forward
* state that is used by a request but has a longer lifetime (e.g. VFS file
handles in Tresor::Crypto) is managed by the top level
of the user and handed over via the execute arguments; however, the
synchronization of multiple requests on this state is done by the module
(e.g. Tresor::Crypto)
* requests are now driven explicitly as first argument of the (overloaded)
execute method of their module; the module can, however, stall a request
by returning false without doing anything (used for synchronization on
resources)
* introduces Request_helper, Generated_request and Generatable_request in the
Tresor namespace in order to avoid the redundancy of sub-request generation
and execution
* moves access to Client-Data pointers up to Tresor::Virtual_block_device in
order to simplify Tresor::Block_io and Tresor::Crypto
* removes Tresor::Client_data and introduces pure interface
Client_data_interface in order to remove Tresor::Client_data and
move management of Client Data to the top level of a Tresor user
* introduces pure interface Crypto_files_interface in order to move management
of Crypto files to the top level of a Tresor user
* moves management of Block-IO and Trust-Anchor files to the top level of a
Tresor user
* adapts all execute methods, so, that they return the progress state
instead of modifying a reference argument
* removes Tresor::Request_and Tresor:Request and instead implements
scheduling at the top level of the Tresor user
* the Tresor Tester uses a list as schedule that holds Command objects; this
list ensures, that commands are started in the order of configuration
the Command type is a merge of the state of all possible commands that can
be configured at the Tresor Tester; the actual Tresor requests (if any) are
then allocated on-demand only
* the Tresor VFS plugin does not use a dynamic data structure for scheduling;
the plugin has 5 members that each reflect a distinct type of operation:
* initialize operation
* deinitialize operation
* data operation
* extend operation
* rekey operation
consequently, of each type, there can be only one operation in-flight at a
time; at the user front-end each operation (except "initialize") can be
controlled through a dedicated VFS file; for each of these files, the VFS
expects only one handle to be open at a time and only one file operation
(read, write, sync) active at a time; once an operation gets started it is
finished without preemption (except of the interleaving at rekey and
extend); when multiple operations are waiting to be started the plugin
follows a static priority scheme:
init op > deinit op > data op > extend op > rekey op
there are some operation-specific details
* the initialize operation is started only by the plugin itself on startup
and will be driven as side effect by subsequent user calls to file
operations
* the data file is the only contiguous file in the front end and the file
operations work as on usual data files
* the other 3 files are transactional files and the user is expected to
follow this scheme when operating on them
1) stat (to determine file size)
2) seek to offset 0
3) read entire file once (this will be queued until there is no operation
of this type pending anymore and return the last result:
"none" | "failed" | "succeeded"; used primarily for synchronization)
4) write operation parameters (this returns immediately and marks the
operation as "requested")
5) read entire file once (the same as above but this time in order to
determine the operation result)
* the rekey op and deinitialize op are requested by writing "true"
* the extend op is requested by writing "tree=[TREE], blocks=[BLOCKS]"
where TREE is either "vbd" or "ft" and BLOCKS is the number of physical
4K blocks by which the physical range of the tresor container expands
(the physical range always starts at block address 0 and is always
expanded upwards)
* replaces the former <trust-anchor op="initialize"> command at the Tresor
Tester with <initialize-trust-achor> as there are no other trust anchor
operations that can be requested through the Tester config anyway
* removes the "sync" attribute from all commands at the Tresor Tester except
from <request op="rekey">, <request "extend_ft">, <request op="extend_vbd">;
as the Tester controls scheduling now, requests are generally synchronous;
at the rekeying and extension commands, the "sync" attribute determines
whether subsequent commands are interleaved with the execution of these
commands (if possible)
* removes "debug" config attribute from Tresor VFS plugin and reworks "verbose"
attribute to generate more sensible output
* removes NONCOPYABLE macro and instead uses Genode::Noncopyable and in-place
Constructors deletion
* introduces types Attr and Execute_attr where a constructor or execute method
have many arguments in order to raise readability
* renames the "hashsum" file that is provided by the Tresor Trust-Anchor VFS
plugin to "hash" in order to become conformant with the wording in the Tresor
lib
* makes the VFS Tresor test an automated test by merging in the functionality
of vfs_tresor_init.run and removing the interactive front end; removes
vfs_tresor_init.run as it is not needed anymore; adds consideration for
autopilot file structure in the Test and adds it to autopilot.list
* removes all snapshot controls and the progress files for rekeying and
extending from the Tresor VFS plugin; both functionalities were tested
only rudimentary by the VFS Tresor test and are not supported with the only
real user, the File Vault
* use /* .. */ instead of // ..
* use (..) instead of { .. } in init lists
Ref #5148
The virtual block device module used to hand over the wrong VBA as
parameter "rekeying VBA" to the Free Tree when allocating PBAs for data
access during rekeying. In certain constellations, this caused the Free
Tree to alloc PBAs that were still in use. The Free Tree PBA selection
algorithm, however, is just fine. When fixing the call parameter, it works
as desired. This re-enables the async rekeying test.
Ref #5075
The script tests the use of an encrypted file system that is created and
provided via the File Vault.
Furthermore the script can be used for test-driving existing File-Vault
containers (created with potentially older File-Vault versions) under the
current File-Vault version. This is done via the "LX_FS_DIR_TEMPLATE"
env variable.
Ref #5062
During one of the many re-factorization steps that were applied to the Tresor
library and its predecessor, the CBE library, one of the main features of the
project, the integrity check, accidentally received a grave regression. The
most recent version of the Tresor still used to check all hashes of meta-data
blocks but ignored the hashes of the actual data blocks.
With this commit, the hashes of all but yet uninitialized data blocks get
checked. The reason for ignoring uninitialized blocks is that they are not
actually read from disc but simply generated as an all-zeros block in the
driver in order to prevent having to initialize them all to zero in
Tresor-Init. That said, the integrity of these blocks cannot be compromised.
The according hashes in the meta data remain unset until the data block gets
written for the first time.
Ref #5062
The request classes Block_io::Read_client_data and Block_io::Write_client_data
used to receive a block reference for no reason. This commit removes these
args.
Ref #5062
The tresor_check tool became outdated back when the Tresor project was created
by re-writing its predecessor, the CBE, in C++. At this time, the check tool
was merely renamed but not updated. As there was also no autopilot test for the
tool, the tool remained outdated.
This commit rewrites the tool for the most recent Tresor version and adds an
autopilot test.
Ref #5062
* Make command pool a proper module
* The command pool used to be kind of a module but it was driven via custom
tresor-tester specific code. Now, it becomes a proper module that
is driven by the module framework instead.
* Move the code for creating and handling the module-execution progress flag
into Module_composition::execute_modules as the function is always used with
this code surrounding it.
* Reorganize files, remove deprecated files
* A new class Module_channel is introduced in the module framework and all
channel classes inherit from it. With that class in place, the formerly
module-specific implementations of the following methods are replaced by
new generic implementations in the Module framework:
* ready_to_submit_request
* submit_request
* _peek_completed_request
* _drop_completed_request
* _peek_generated_request
* _drop_generated_request
* generated_request_complete
* Module requests are now held for the duration of their lifetime at the
module they originate from and not, like before, at their target module. As
a result, modules can generate new requests inline (without having to wait
for the target module), making code much simpler to read, reducing the amount
of channel state, and allowing for non-copyable request types.
* Introduce a sub-state-machine for securing a superblock in the
superblock_control module in order to reduce redundancy.
* Some modules, like free_tree, were completely re-designed in order to make
them more readable.
* Replace all conditional exceptions by using the macros in
tresor/assertion.h .
* Move methods that are used in multiple modules but that were implemented
redundantly in each module to tresor/types.h.
* Remove verbosity node and all that was related to it from tresor tester
config as the targeted verbosity can be achieved with the
VERBOSE_MODULE_COMMUNICATION flag in tresor/verbosity.h .
* Extract the aspect of translating the byte-granular I/O-requests to
tresor-block requests from the tresor VFS-plugin and move it to a new module
called splitter.
* Rename the files and interface of the hashing back-end to not reflect the used
hashing algorithm/config anymore, while at the same time making the hashing
interface strict regarding the used types.
* Introduce the NONCOPYABLE macro that makes marking a class noncopyable short
and clear.
* Replace the former tresor/vfs_utilities.h/.cc with a new tresor/file.h
that contains the classes Read_write_file and Write_only_file. These classes
significantly simplify the modules crypto, block_io, and trust_anchor by
moving the details of file access to a sub-state machine.
* The former, rather trivial block allocator module is replaced by a normal
object of type Pba_allocator that must be provided by the client of the
Sb_initializer (reference in the Sb_initializer_request).
Ref #5062
tresor: read uninitialized vbas as all zeroes
Virtual addresses in a Tresor container that were not yet written by the user
should always return a data block that is all-zeroes. This was the concept
right from the beginning of the project. However, somehow this aspect either
never got implemented or got lost along the way.
Some context for understanding the commit: The Tresor doesn't initialize the
payload data blocks of a container when creating a new container as this would
be rather expensive. Instead, it marks the leaf metadata nodes of the
virtual-block-device tree (those that reference the payload data blocks in
physical address space) with generation 0.
Now, this commit ensures that, whenever the virtual-block-device module reads
such a generation-0 leaf, instead of asking the block_io and crypto to deliver
data from disc, it directly provides the user with 4K of zeroes.
Ref #5062
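The read path described in the two commit messages above (data-block hashes are checked except for never-written blocks, and generation-0 leaves are answered with 4K of zeroes without touching the disk), as an added example that is not code from the Tresor library. The names Leaf, Disk, read_data_block and write_data_block are hypothetical, the in-memory disk is constructed, encryption is left out, and toy_hash (64-bit FNV-1a) merely stands in for the library's real hash.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>

constexpr std::size_t BLOCK_SIZE = 4096;
using Block = std::array<std::uint8_t, BLOCK_SIZE>;

/* stand-in digest (64-bit FNV-1a), not collision-resistant, illustration only */
static std::uint64_t toy_hash(Block const &b)
{
	std::uint64_t h = 0xcbf29ce484222325ULL;
	for (std::uint8_t byte : b) { h ^= byte; h *= 0x100000001b3ULL; }
	return h;
}

/* hypothetical leaf node of the virtual-block-device tree */
struct Leaf
{
	std::uint64_t pba;  /* physical address of the payload block */
	std::uint64_t gen;  /* 0 = payload block was never written */
	std::uint64_t hash; /* unset as long as gen == 0 */
};

/* constructed in-memory disk that counts read accesses */
struct Disk
{
	std::map<std::uint64_t, Block> blocks;
	unsigned reads = 0;

	Block const *read(std::uint64_t pba)
	{
		++reads;
		auto it = blocks.find(pba);
		return it == blocks.end() ? nullptr : &it->second;
	}
};

enum class Result { OK, HASH_MISMATCH, IO_ERROR };

static Result read_data_block(Disk &disk, Leaf const &leaf, Block &out)
{
	/* generation-0 leaf: nothing was ever stored, so nothing can be verified */
	if (leaf.gen == 0) { out.fill(0); return Result::OK; }

	Block const *raw = disk.read(leaf.pba);
	if (!raw) return Result::IO_ERROR;

	/* verify before handing any byte to the client */
	if (toy_hash(*raw) != leaf.hash) return Result::HASH_MISMATCH;

	out = *raw;
	return Result::OK;
}

static void write_data_block(Disk &disk, Leaf &leaf, Block const &data,
                             std::uint64_t curr_gen)
{
	disk.blocks[leaf.pba] = data;
	leaf.hash = toy_hash(data); /* the hash gets set on the first write */
	leaf.gen  = curr_gen;
}

/* stale bytes at the PBA of a fresh leaf must never reach the client */
bool fresh_leaf_reads_zeroes_without_disk_access()
{
	Disk disk;
	disk.blocks[7].fill(0xaa);
	Leaf leaf { 7, 0, 0 };
	Block out;
	out.fill(0xff);
	Result const r = read_data_block(disk, leaf, out);
	for (std::uint8_t byte : out) if (byte) return false;
	return r == Result::OK && disk.reads == 0;
}

/* write once, optionally flip one bit on disk, then read back */
Result read_after_write(bool tamper)
{
	Disk disk;
	Leaf leaf { 7, 0, 0 };
	Block data;
	data.fill(0x5a);
	write_data_block(disk, leaf, data, 1);
	if (tamper) disk.blocks[7][100] ^= 0x01;
	Block out {};
	return read_data_block(disk, leaf, out);
}

int main()
{
	std::printf("fresh leaf zeroes, no disk read: %d\n",
	            fresh_leaf_reads_zeroes_without_disk_access());
	std::printf("intact block ok: %d\n", read_after_write(false) == Result::OK);
	std::printf("tampered block rejected: %d\n",
	            read_after_write(true) == Result::HASH_MISMATCH);
	return 0;
}
```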
The order of execution inside the Tresor lib slightly changed compared to the
previous CBE lib. AFAICT, this is nothing to worry about and related to the
now cleaner structuring. However, it can produce higher peak requirements
regarding the allocation pool in the Free Tree. Therefore, this commit extends
the dimensions of the Free Tree used in the test.
Ref #4971
* Implement requests "create snapshot" and "discard snapshot" in tresor lib.
* Adapt tresor tester in order to test the new feature.
* Remove temporary code from tresor tester that skipped such requests with
the hint that they were not supported yet.
* Add mandatory "id" attribute to <request op="create_snapshot"/> and
<request op="discard_snapshot"/> tag. A "discard snapshot" command always
refers to the snapshot created by the "create snapshot" command with the
same "id" value.
* Clean-up command pool a bit.
Fix #4971
The re-keying state machine in the VBD module would use block data of the wrong
block for the hash update of an inner node in a certain circumstance.
On re-keying, the VBD iterates for a given VBA over all snapshots, beginning
with the newest and re-keys the VBA in each of the snapshots. At each snapshot
it therefore loads the branch of the VBA top-down, and then updates the branch
bottom-up. However, if loading a certain level of the branch of a certain
snapshot runs into the same physical block as with the last snapshot on this
level, the algorithm turns around and updates the branch from this point
upwards instead of going further down the whole way to the leaf. This is
because everything below this point has already been re-keyed in the course of
a newer snapshot.
The case where this turning around is not right above the leaf (i.e., the first
shared physical block is a metadata block) that's where the bug was located. In
this situation, we have to re-encode the highest shared metadata block into a
buffer again before starting to update. The update code acts as if the
mentioned block was just written back (which is true when going down all the
way to the leaf before updating) and consequently is present in the encoded
buffer.
Ref #4971
Until now, it was possible to use bad Free-Tree/VBD configurations with the
<initialize/> command. The tresor tester didn't complain about it but the
tresor lib crashed or, worse, corrupted the tresor container. Now, the tresor
tester checks things, like for instance, that "nr_of_children" must be a power
of 2.
Ref #4971
The Superblock Control module now issues a snapshot garbage collection on each
incoming request. In return for that, the commit removes all calls to the
garbage collection from other modules.
Ref #4971
The Virtual Block Device module used to create a local copy of the Snapshots
array respectively Snapshot root it received with an incoming request. After
finishing the VBD operation on the copy, the source module of the request
used to back-copy the resulting Snapshot array resp. Snapshot root. This is
not only less efficient than referencing but also allowed a bug to sneak into
the new C++ implementation.
In contrast to the old Ada/SPARK implementation (CBE), the new design doesn't
allow for global objects that can be accessed by any module without receiving a
reference in a module request. Therefore, the Free Tree module has to receive a
reference to a Snapshots array with each request in order to be able to use it.
In our case, these requests are allocations for a "Write" operation from the
VBD. However, the VBD itself receives only the one Snapshot required for
writing and therefore causes the Free Tree to make bad decisions on whether or
not a block can be re-allocated or not.
With this commit, the VBD always receives a reference to the whole Snapshots
array and also propagates it this way to the Free Tree.
Ref #4971
This function gets called by some libssh applications using vms_lxip.
For the dummy implementation I looked at the old port.
Issue genodelabs#5161
Issue gapfruit#1976
- always assign apps/overlay to targets (visible=true/false) to
prevent 0x0 geometry, which is interpreted as close
- add QMenu as example to panel button
- use usb-tablet on Qemu
Per default, windows assigned to targets are visible, which can be
changed with the new boolean "visible" attribute. Thus, windows can be
hidden without changing their geometry.
Before, the current back-most window was not restacked if it was part of
the already, which led to partially inconsistent view of the window
stack between decorator and nitpicker.
The added hook 'OBJ_POSTPROC_SRC' gives us a way to post-process object
files for generating supplemental code. By using this hook, the
initcall_table.c generated by import-lx_emul_common.inc gets reliably
executed after all object files are built.
Fixes #5159
The option is used during the generation of initcall_table.c.
However, it happens to strip the first argument following the option.
The long option --defined-only works as expected.
Issue #5155
Due to a bug in the original implementation, the size of the MMIO
range covering the 'Request_sense_response' data was set too large
during the MMIO boundary change. This rendered devices that were not
yet ready and required a 'Request_sense' command unusable.
The commit also adapts all other commands where the MMIO size does
not match the expected one.
Fixes #5133.
The commit adds support to throttle the rate of the RX IRQs to a specified
value. The effect is, that no RX IRQs below the time threshold will fire and
therefore the CPU load gets reduced on the host. Trade-off gaming between
cpu load, throughput, overload.
Modular Sculpt 23.10 on S938 as testcase. In brackets the CPU affinity is
denoted.
ipxe (0,0) -> nic_router (1,0) -> Debian VM vbox6 (3,0) and (3,1)
VM: iperf -C X.X.X.X -t 60 -R
iperf server X.X.X.X is outside Sculpt and sends data due to '-R' to VM
Non representative measure points:
cpu load - ipxe - nic_router - iperf throughput
--------------------------------------------------
w/o patch - ~80% - ~50% - ~706 MBit/s - 0 -> throttling off by default on S938
patch 651 - ~20% - ~35% - ~763 MBit/s - 651 -> 0.166ms throttle RX IRQ
patch 5580 - ~15% - ~25% - ~650 MBit/s - 5580 -> 1.4ms throttle RX IRQ
Issue #5149
A bunch of transmit requests received by the Uplink server (nic_router)
are currently added one by one to the ring buffer and every time the hardware
is notified to process each single request.
Instead, add as many as possible transmit requests in the ring buffer of
the hardware and when done trigger the hardware to process the ring.
Additionally, don't receive a "processed" TX IRQ for each element in the
ring, which causes high CPU load.
With this commit the TX IRQs in the ipxe driver for a
iperf -c X.X.X.X -t 60
from within a VM to the outside iperf server is reduced from about
~2'600'000 IRQs to about ~200'000. The overall CPU load for the driver
(when executed alone on CPU 0) is reduced from ~85 percent load to ~45 percent
load.
Issue #5149
During receive the nic_ep may block as long as the guest does not provide
another receive network descriptor. In the meantime, all Genode signals
regarding the network interface, e.g. tx, will be postponed, which may
affect the throughput.
Instead use the nic_ep for rx packets unblocking. Add a notification mechanism
to the e1000 vbox network model, to notify us as soon as the guest added new
receive descriptors in the model.
Issue #5146
For pbxa9, Qemu is started with only 256 MiB for foc but with 768 MiB
for base-hw. By reducing the RAM quota for all start nodes within the
remote scenario, each component gets enough RAM quota to breathe.
When wrongly invoking the run script by specifying a skipped test
as its only TEST_PKGS argument, the run script fails due to a wrong
tar argument order. Let's better reflect this condition to the user
ahead of invoking tar.
With `MAP_FIXED` absent from the mmap(3p) flags, "the implementation uses
addr in an implementation-defined manner to arrive at pa", which may
lead to a mapping at an address different to the requested `addr`.
Add `MAP_FIXED` to the mmap flags to force mapping to the specified
address.
Fixes #5147
Such messages can occur by chance when killing 'echo' while the program
blocks in an IPC call. It gets killed nevertheless. So the message does
not hint at a failure of the test.
In the context of #5138, the timer drivers for NOVA and base-hw had been
changed to support timeouts at a precision of 250 us (from formerly 1 ms).
Adjust the test to the new expected lower bound.
The dynamic buffer allocation increases the RAM demand slightly beyond
1M on seL4. Use 2M, as is already the default in pkg/terminal_crosslink.
Issue #5135
Replace the USB session API by one that provides a devices ROM only,
which contains information about all USB devices available for this client,
as well as methods to acquire and release a single device.
The acquisition of a USB device returns the capability to a device session
that includes a packet stream buffer to communicate control transfers
in between the client and the USB host controller driver. Moreover,
additional methods to acquire and release a USB interface can be used.
The acquisition of a USB interface returns the capability to an interface
session that includes a packet stream buffer to communicate either
bulk, interrupt, or isochronous transfers in between the client and the
USB host controller driver.
This commit implements the API changes on behalf of the Genode C API's
USB server and client side. Additionally, it provides Usb::Device,
Usb::Interface, and Usb::Endpoint utilities that can be used by native
C++ clients to use the new API and hide the sophisticated packet stream API.
The adaptations necessary target the following areas:
* lx_emul layer for USB host and client side
* Linux USB host controller driver port for PC
* Linux USB client ports: usb_hid_drv and usb_net_drv, additionally
reduce the Linux tasks used inside these drivers
* Native usb_block_drv
* black_hole component
* Port of libusb, including smartcard and usb_webcam driver depending on it
* Port of Qemu XHCI model library, including vbox5 & vbox6 depending on it
* Adapt all run-scripts and drivers_interactive recipes to work
with the new policy rules of the USB host controller driver
Fix genodelabs/genode#5021
For now this import file is solely there to satisfy the mechanism
in Goa that collects and incorporates import files for used APIs.
Issue genodelabs/goa#81.
The kernel timer used to truncate timeouts to the next lower
millisecond, which not only limits the wakeup accuracy but also results
in situations where a user-level timeout is triggered earlier than
expected. The latter effect results in the observation of spurious
timeouts and the subsequent programming of another timeout.
The patch solves the problem by preserving the sub-milliseconds bits
in the 'us_to_ticks' implementation(s).
Issue #5142
This patch modifies the mixer's time window allocation by modelling the
drift of the period length over time. This yields a much better
stability of the detected sample rates in the presence of jitter.
Issue #5132
This patch caps the busyness of the rump kernel, which normally calls
sleep with timeouts between 0 and 10 ms even when idle. On Sculpt
running on a x250 laptop, this patch saves 0.4% CPU load, which is
almost the half of the idle load.
Issue #5140
This data structure uses an AVL tree to maintain a time-sorted set of
alarm objects. It supports the use of circular clocks of an bit width.
Issue #5138
The format library is required, otherwise the binary isn't built. This
regression was introduced in
acpica: provide verbose config (issue #5083)
Fixes genodelabs#5136
The package depends on two resources.
- A Nic session should be routed to the nic_router "http" domain to make
the HTTP server available from the outside on forwarded port 80.
- A File_system session labeled "webroot" can be routed to any server
by relabeling the session, e.g., to "report" or "config" in parent.
Sculpt deploy example exporting report_fs via HTTP.
  <start name="lighttpd" pkg="lighttpd">
    <route>
      <service name="Nic">
        <child name="nic_router" label="http"/>
      </service>
      <service name="File_system" label="webroot">
        <parent label="report"/>
      </service>
    </route>
  </start>
Newer Qemu variants quit with an error about already existing devices
if the same device-id is added and removed in a loop fast. To circumvent
this strange behaviour, simply use consecutive device id numbers.
Ref genodelabs/genode#5021
This patch was back ported from upstream Mesa and generalizes the memory
management of buffer objects used by the binder. Before this patch the
binder was treated as a special case where buffer objects were allocated
with a simple "next block or wrap" allocator. With this commit the
binder now uses the vm_heap allocators as done by all other buffer
allocations which leads to issues with reference counting and object
destruction being resolved.
Original commit message:
We're moving towards a path where all contexts share the same virtual
memory - because this will make implementing vm_bind much easier - ,
and to achieve that we need to rework the binder memzone. As it is,
different contexts will choose overlapping addresses. So in this patch
we adjust the Binder to be 1GB - per Ken's suggestion - and use a real
vma_heap for it. As a bonus the code gets simpler since it just reuses
the same pattern we already have for the other memzones.
This patch contains the mobile variant of Sculpt OS, which evolved
at the genode-allwinner repository until now. It consists of the
following parts:
- gems/src/app/phone_manager plays the role of the sculpt manager
- sculpt/phone-linux allows for test driving the mobile
variant on base-linux
- gems/src/app/dummy_modem mockup of a modem's behavior, used for
GUI development and testing
The parts targeting a specific device (PinePhone) remain local to
the genode-allwinner repository.
To give it a try:
make run/sculpt_test KERNEL=linux BOARD=linux \
SCULPT=phone LOG=core DEPOT=tar
Fixes #5125
- monitor system ROM changes
- stop processing of new Jobs before suspend
- destruct platform device before suspend, but keep platform DMA buffers
- re-construct platform device and reinit resources (mmio, irq) on resume
- re-start block job scheduling on resume
Fixes #5101
- monitor system ROM changes
- stop processing of new Jobs before suspend
- destruct platform device before suspend, but keep platform DMA buffers
- re-construct platform device and reinit resources (mmio, irq) on resume
- re-start block job scheduling on resume
Issue #5101
This commit is a preparation commit for suspend/resume. The commit
refactors the code in order to consolidate all Platform resources into one
instance. All users within the driver should access the resources with
with_* functions, which checks whether the device resource is usable. The
callers are not allowed to store any references to the provided resources.
Issue #5101
- monitor system ROM changes
- stop processing of new Jobs before suspend
- destruct platform device before suspend, but keep platform DMA buffers
- re-construct platform device and reinit resources (mmio, irq) on resume
- re-start GPU job scheduling on resume
Fixes #5081
This commit replaces the mapping of DMA buffers and gets rid of the
bounce-buffer handling, which was introduced to prevent data
corruption noticed when utilizing USB storage with Windows 10 guests,
with accessing the buffers directly.
Due to the way Windows 10 at times manages its DMA memory (many small
pieces instead of few larger ones) the unbounded registry becomes a
problem when containing stale entries.
Changing the 'qemu-usb' implementation allows for using 'read_dma'
and 'write_dma' directly.
Fixes #5121.
This patch enhances the audio driver with the option to operate as a
client of the record and play services instead of providing the audio-in
and audio-out services. The record/play mode can be enabled by setting
the 'record_play="yes"' config attribute.
The audio_in.run and audio_out.run scripts support the selection of the
mode via the 'use_record_play_sessions' hook function.
Issue #5097
A read with MSG_PEEK returns -1 and EAGAIN/EWOULDBLOCK in case the socket
is connected. Zero is only returned if the socket is disconnected.
issue #5104
In case the socket is non-blocking, a read with the MSG_PEEK flag set
has to return -1 and EWOULDBLOCK/EAGAIN in case no data is available and
the socket is connected. Returning zero implies the socket is in
non-connected state. Therefore, check the connection state in this
situation and return accordingly.
issue #5104
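The contract stated in the two commit messages above can be checked from user space. The following is an added example, not code from the Genode repository; it assumes a POSIX host and uses an AF_UNIX socket pair as a stand-in for a TCP connection, and the names `Peek_result`, `peek` and `probe_sequence` are hypothetical.

```cpp
// Added example (not Genode code): probe the recv(MSG_PEEK) contract on a
// non-blocking stream socket using a local AF_UNIX socket pair.
#include <cerrno>
#include <cstdio>
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>
#include <vector>

enum class Peek_result { DATA, WOULD_BLOCK, DISCONNECTED, FAILED };

// Peek one byte without consuming it and classify the outcome.
Peek_result peek(int fd)
{
    char byte = 0;
    ssize_t n;
    do {
        n = recv(fd, &byte, 1, MSG_PEEK);
    } while (n < 0 && errno == EINTR);

    if (n > 0)  return Peek_result::DATA;
    if (n == 0) return Peek_result::DISCONNECTED;  // peer closed the connection
    if (errno == EAGAIN || errno == EWOULDBLOCK)
        return Peek_result::WOULD_BLOCK;           // connected, nothing queued
    return Peek_result::FAILED;
}

static bool set_nonblocking(int fd)
{
    int const flags = fcntl(fd, F_GETFL, 0);
    return flags >= 0 && fcntl(fd, F_SETFL, flags | O_NONBLOCK) == 0;
}

// Walk one connection through its states and record what peek() reports.
std::vector<Peek_result> probe_sequence()
{
    std::vector<Peek_result> seen;
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return seen;

    char const out = 'x';
    char in = 0;
    if (set_nonblocking(sv[0])) {
        seen.push_back(peek(sv[0]));              // connected, nothing queued
        if (write(sv[1], &out, 1) == 1) {
            seen.push_back(peek(sv[0]));          // one byte queued
            seen.push_back(peek(sv[0]));          // peek did not consume it
            if (recv(sv[0], &in, 1, 0) == 1)
                seen.push_back(peek(sv[0]));      // drained, still connected
        }
    }
    close(sv[1]);                                 // peer goes away
    seen.push_back(peek(sv[0]));                  // only now is zero returned
    close(sv[0]);
    return seen;
}

int main()
{
    static char const *const names[] =
        { "DATA", "WOULD_BLOCK", "DISCONNECTED", "FAILED" };
    for (Peek_result r : probe_sequence())
        std::printf("%s\n", names[static_cast<int>(r)]);
    return 0;
}
```

A libc that returns zero in the first and fourth step makes callers that treat zero as end-of-stream close a connection that is still alive.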
With the following changes, the hypervisor binary from bin/ as well as
from depot archives is taken as is and not unnecessarily turned inside
out.
- Remove objcopy -O elf32-i386 as our grub boots 64-bit binaries
very well
- Remove strip as bin/hypervisor is already stripped
- New session interfaces:
- os/include/play_session (for audio playing / mic-input driver)
- os/include/record_session (for audio recording / audio-output driver)
- Mixer at os/src/record_play_mixer providing both play and record services
- Simple waveform player at os/src/app/waveform_player
- Simple audio-signal capturing component at os/src/app/record_rom
- Simple oscilloscope at gems/src/app/rom_osci (using record_rom)
- Simple test-audio_play for playing raw stereo f32 data
The _gems/run/waveform_player.run_ script illustrates the use of the new
components and interfaces.
Issue #5097
* Move Kernel::Cpu_scheduler to Kernel::Scheduler
(we only have that one scheduler)
* Move Kernel::Cpu_share to Kernel::Scheduler::Context
* Move Kernel::Cpu_priority to Kernel::Scheduler::Priority
* Rename all functions and variables referring to `claims` to
`prioritzed`, because claims is not that common
* Rename occurrences of `fill(s)` to `slack` to name the time portions
outside of the prioritized quantum
* Get rid of some two-liner sub-functions with only one occurrence
(like `_quota_introduction`, `_quota_revokation`,...)
Ref genodelabs/genode#5115
This private, internal function is used only in one scope,
and therefore not necessary. But it has nasty side-effects as
it takes the parameter `duration` as reference and changes its
value. Just remove it completely.
Ref genodelabs/genode#5115
The name head is already extensively used in the context of the lists
managed by the scheduler. This terminology duplication does not simplify
reading the code. Instead we keep head for the first item in the list,
but use `current` in the variable name and API of the `Cpu_scheduler`
class to refer to the current scheduled share.
Moreover, the `_head_quota` is now `_current_time_left`, because it does
not denote quota but time left for the current schedule. The boolean
variable `_head_claims` gets removed at all. It duplicated the state of
whether a current share is set, and whether it has so-called claim time
left.
Ref genodelabs/genode#5115
Give certain scheduler class wide variables and functions clear names:
* quota => super_period_length
* residual => super_period_left
Ref genodelabs/genode#5115
Replace double linked list by normal Genode::List with an additional
pointer to last list member to efficiently handle the scheduler share lists.
Moreover, move it into the private part of the Cpu_scheduler class,
the only scope where it is used anymore.
Ref genodelabs/genode#5115
Minor changes that should not change any semantics:
* Remove `_next_fill()` it's short and only used in one context,
in which it is good to know what that code actually does
* Turn boolean values into actual boolean values
* Remove some brackets around one-liner paths
Ref genodelabs/genode#5115
The `_head_was_removed` variable got introduced in solving #4710, but it
reflects only whether `_head` is a valid pointer or not, thereby it
duplicates state.
Ref genodelabs/genode#5115
Check if controller's port count matches number of ports found in the
port implemented register. In case counts don't match print a diagnostic
message for debugging purposes.
issue #4081
The key element of the improvement is differentiated processing of
events of the following device types.
Mouse: relative motion
Pointer: absolute motion (Qemu usb-tablet and IP-KVM devices)
Touchpad: relative motion via absolute touchpad coordinates
Touchtool: absolute motion (e.g., stylus)
Touchscreen: absolute motion and finger (multi-) touch
Processing is done in two stages for one "input packet". First, all
events of the packet are recorded into the current evdev state with
device-type specific operations. Then, appropriate Genode input events
are generated from the accumulated evdev state in the submission stage
(again by device-type specific functions).
A simple version of tap-to-click was added to the touchpad support.
Fixes #5105
The <transform> filter configurably transforms touch and absolute-motion event
coordinates by a sequence of translation (move), scaling, rotation, and flipping
primitives in sub-nodes.
Issue #5105
Per default, only key presses and releases are logged. The optional
'motion' attribute (boolean) enables logging of motion and touch events.
Issue #5105
This commit enables generic Linux multi-touch support as well as support
for the Wacom Intuos/Graphire tablets as found in the previous version
of the USB HID driver. Events are not properly propagated through
Genode's Event C-API, yet, which will be a follow up.
Issue #5105
When SMP is enabled multicore specific instructions (e.g., pldw) are
generated. These are not supported and lead to invalid instruction
faults on uni-processor systems (like Cortex-A8). Therefore, we disable
SMP for arm_v7 in Linux code. This requires also a switch from the RCU
tree implementation to RCU tiny, which we shadow and dummy implemented.
issue #5104
Until now, in case 'jent_entropy_init' failed an error has been produced
and the following jitterentropy functions (i.e.,
'jent_entropy_collector_alloc') were called nevertheless. In case we
received a bad time source error, for example because the performance
counters are not working on the platform, the entropy collector did not return (endless
loop).
Therefore, this commit treats the failed jitterentropy initialization
not as an error but prints a warning about poor randomness quality and
stops using the jitterentropy library from this point on. The
'Jitterentropy::gen_random_u64' will in this case return the address of
a stack variable * some counter.
This is only an interim solution to make platforms work where performance
counters or TSC values do not exist/work.
issue #5104
The IP for the connect timeout test should be in another nic_router
domain, so ARP requests are only processed by the nic_router and no other
IP stacks.
issue #5104
Adjust the plugin to use the socket C-API found under
'dde_linux/src/lib/lxip/include/genode_c_api/socket.h'.
This is the first minor step in generalizing the plugin.
issue #5104
The lxip_raw.run script will spawn a client/server scenario that tests
Genode C-API calls. The scenario can be used standalone, meaning no
actual network card is required.
issue #5104
This commit updates lxip from version 4.4.3 to 6.1.20. It uses the
current lx_kit approach and is a shared library again. The stack has
been tested for x86_32/x86_64/arm_v6/arm_v7/arm_8.
The C-interface of the IP stack can be found under
lxip/include/genode_c_api/socket.h.
issue #5104
CONFIG_X86_USE_PPRO_CHECKSUM is a 'def_bool y' and gets re-enabled by
'make olddefconfig'. The PPRO version contains text relocations which we cannot
have in binaries (e.g., 'lea 45f(%ebx ...).').
issue #5104
add bottom half enable/disable to functions with suffix "_bh" were
missing, because some functions release the bottom half separately
(__neigh_event_send).
issue #5104
Add the possibility to execute a module-init call by name using
'lx_emul_init_call', this is used, for example, by lxip to configure and
re-configure the IP address through 'ip_auto_config'.
issue #5104
The classes Genode::Mmio, Genode::Register_set, Genode::Attached_mmio, and
Platform::Device::Mmio now receive a template parameter 'size_t SIZE'. In each
type that derives from one of these classes, it is now statically checked that
the range of each Genode::Register::Register- and
Genode::Register_set::Register_array-deriving sub-type is within [0..SIZE).
That said, SIZE is the minimum size of the memory region provided to the above
mentioned Mmio classes in order to avoid page faults or memory corruption when
accessing the registers and register arrays declared inside.
Note, that the range end of a register array is not the end of the last item
but the end of integer access that is used for accessing the last bit in the
last item.
The constructors of Genode::Mmio, Genode::Attached_mmio, and
Platform::Device::Mmio now receive an argument 'Byte_range_ptr range' that is
expected to be the range of the backing memory region. In each type that derives
from one of these classes, it is now dynamically checked that 'range.num_bytes
>= SIZE', thereby implementing the above-mentioned protection against page faults
and memory corruption.
The rest of the commit adapts the code throughout the Genode Labs repositories
regarding the changes. Note that for that code inside Core, the commit mostly
uses a simplified approach by constructing MMIO objects with range
[base..base+SIZE) and not with a mapping- or specification-related range size.
This should be fixed in the future.
Furthermore, there are types that derive from an MMIO class but don't declare
any registers or register arrays (especially with Platform::Device::Mmio). In
this case SIZE is set to 0. This way, the parameters must be actively corrected
by someone who later wants to add registers or register arrays, plus the places
can be easily found by grep'ing for Mmio<0>.
Fix #4081
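The two checks described in the commit message above, shown as an added sketch. This is not Genode's implementation: `Byte_range`, `array_access_end`, `Demo_device`, the fixed 32-bit access width and the exception used to report a too-small region are all assumptions made for illustration.

```cpp
// Added sketch (not Genode code): static register-range check against SIZE
// plus dynamic check of the backing region, with 32-bit accesses only.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Hypothetical stand-in for the 'Byte_range_ptr' constructor argument.
struct Byte_range { char *start; std::size_t num_bytes; };

// Exclusive end offset of the integer access that touches the last bit of
// the last item of a register array (not merely the end of the last item).
constexpr std::size_t array_access_end(std::size_t offset, std::size_t access_bytes,
                                       std::size_t items, std::size_t item_bits)
{
    return offset + ((items * item_bits - 1) / (8 * access_bytes) + 1) * access_bytes;
}

template <std::size_t SIZE>
class Mmio
{
    char *const _base;

public:
    // Dynamic check: the backing region must cover all declared registers.
    explicit Mmio(Byte_range range) : _base(range.start)
    {
        if (range.num_bytes < SIZE)
            throw std::length_error("MMIO region smaller than declared SIZE");
    }

    // Static check: each register must lie within [0..SIZE).
    template <std::size_t OFFSET>
    struct Register
    {
        static constexpr std::size_t offset = OFFSET;
        static_assert(OFFSET + sizeof(std::uint32_t) <= SIZE,
                      "register exceeds MMIO SIZE");
    };

    template <std::size_t OFFSET, std::size_t ITEMS, std::size_t ITEM_BITS>
    struct Register_array
    {
        static constexpr std::size_t end =
            array_access_end(OFFSET, sizeof(std::uint32_t), ITEMS, ITEM_BITS);
        static_assert(end <= SIZE, "register array exceeds MMIO SIZE");
    };

    template <typename REG>
    std::uint32_t read() const
    { return *reinterpret_cast<std::uint32_t volatile *>(_base + REG::offset); }

    template <typename REG>
    void write(std::uint32_t value)
    { *reinterpret_cast<std::uint32_t volatile *>(_base + REG::offset) = value; }
};

// Hypothetical device with 16 bytes of registers.
struct Demo_device : Mmio<0x10>
{
    struct Ctrl   : Register<0x0> { };
    struct Status : Register<0x4> { };
    struct Slots  : Register_array<0xc, 3, 4> { };  // 12 bits of items, access ends at 0x10

    // struct Bad : Register<0x10> { };  // rejected at compile time: 0x10 + 4 > 0x10

    using Mmio<0x10>::Mmio;
};

// True if a backing region of 'num_bytes' passes the constructor check.
bool accepts_region(std::size_t num_bytes)
{
    static std::uint32_t backing[4];
    try {
        Demo_device dev(Byte_range{reinterpret_cast<char *>(backing), num_bytes});
        return true;
    } catch (std::length_error const &) {
        return false;
    }
}

std::uint32_t write_then_read(std::uint32_t value)
{
    std::uint32_t backing[4] = {};
    Demo_device dev(Byte_range{reinterpret_cast<char *>(backing), sizeof(backing)});
    dev.write<Demo_device::Ctrl>(value);
    return dev.read<Demo_device::Ctrl>();
}

int main()
{
    std::printf("16-byte region accepted: %d\n", accepts_region(0x10));
    std::printf("12-byte region accepted: %d\n", accepts_region(0xc));
    std::printf("Slots access end: 0x%zx\n", (std::size_t)Demo_device::Slots::end);
    return 0;
}
```

With a declared size of 0xe the `Slots` array would be rejected even though its three 4-bit items end before 0xe, because the 32-bit access that reaches the last bit extends to 0x10.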
I2C EEPROMs of the type at24xxx are really slow (ca. 10 kHz).
This adds the `bus_speed_khz` attribute to the config of the driver and
adapts the i.MX8 driver to support the feature.
Issue gapfruit#1996
Fixes genodelabs#5090
The physical address of the memory used for the guest VMCB is already
present in Vcpu_data. Use the information there instead of storing the
physical address in the host data area, thereby freeing up 8 bytes for
a bigger Mmio class.
Issue #4081
Hitting a BSOD in a Windows guest in Virtualbox 6 leads to calling
`DBGFR3ReportBugCheck`, which leads to the following error since it is
unimplemented in our port:
```
Error: DBGFR3ReportBugCheck: DBGFR3ReportBugCheck called, not implemented, eip=0x1a5c4e4
```
Including the actual method from Virtualbox 6 enables logging
diagnostics for the Windows Blue Screen of Death (BSOD).
To see Blue Screen logging output, enable "dbgf" and "gim" logging
via the `VBOX_LOG` following environment variable in the vbox6 runtime
config.
When manually triggering a BSOD in the Windows guest, this should
produce the following logging diagnostics:
```
GIM: HyperV: Guest indicates a fatal condition! P0=0xe2 P1=0x0 P2=0x0 P3=0x0 P4=0x0
GIMHv: BugCheck e2 {0, 0, 0, 0}
MANUALLY_INITIATED_CRASH
```
Fixes #5099
The libc's internal calculation of the tv_sec and tv_nsec fields must be
based on the same ms value. Otherwise, tv_sec is not always immediately
incremented whenever tv_nsec wraps. For applications, this inconsistency
can result in observed jumps in time.
Fixes #5098
Functions registered with 'module_init' (i.e., '__define_initcalls'),
'OF_DECLARE', and 'DECLARE_PCI_FIXUP_CLASS_FINAL' used to be static
constructors and had to be explicitly registered using
'exec_static_constructors' before executing any Linux code.
With this commit we remove the constructor attributes from these
functions and create a global function pointer in the form of
__initptr_<name>_<id>_<counter>_<line number of macro>
'import-lx_emul_common.inc' will collect these '__initptr' symbols after
the compile step and generate a 'lx_emul_register_initcalls' function
that executes the functions pointed to. This step is now automatically
performed in 'lx_emul_start_kernel'. This way a call to
'exec_static_constructors' can be omitted in case there are no other
constructors in place.
issue #5096
The former implementation relied on input drvdata always pointing to
struct hid_device, which is not true for Wacom touch devices (at least).
Now, we implement the input handler for devices providing LEDs
(evbit[EV_LED] set) only and use input_inject_event() to set the LED
states.
This commit brings the etnaviv back end implementation in line
with the one from lima. Since the etnaviv driver itself handles
different contexts implicitly rather than explicitly like lima and
iris for the moment only a main-context is used for all operations.
Issue genodelabs/genode-imx#8.
Uploading large files via HTTP PUT failed when the file system was
accessed via a file system session because lighttpd opened the
destination file with O_NONBLOCK and the write operation stalled
at some point.
genodelabs/genode#5093
These domains allow for the hosting of plain http and telnet servers
reachable from the outside. The change is designated for the goa
testbed.
Issue #5092
The commit is a preparation commit for suspend/resume. It prepares the GPU
structures relying on gmadr.cap() (MMIO) to be re-constructible by applying
the with* pattern to context, ring_buffer and ggtt mmio map. It removes
the managed dataspace handling of gmadr subsets to make the with_* pattern
possible.
Issue #5081
This commit is a preparation commit for suspend/resume. The commit
refactors the code in order to consolidate all Platform resources into one
instance. All users within the GPU driver should access the resources with
with_* functions, which checks whether the device resource is usable. The
callers are not allowed to store any references to the provided resources.
With this change, it will be possible in follow up commits, to release
the platform device and to re-acquire it and its resources, e.g. mmio, irq,
gmadr.
Issue #5081
- add PS/2 input drivers
- add GPU client test case - glmark2
- remove display driver before suspend
- route log output via terminal on display to gather information, since in
most cases serial/AMT is not available after ACPI resume
Issue #5081
Clearing very large RAM dataspaces could fill up core's page table,
because the dataspaces are locally mapped to clear them.
This would manifest in a loop where exhausting the local page table
leads to its flushing (which does not work for core) and a retry that
again fills up the page table and so on.
To prevent this, flush RAM dataspaces in chunks of at most 128MiB.
Fixes #5086
If "verbose" is set to true in the config, AcpiOsPrintf etc. are enabled
to log to a dedicated LOG session using the Format:Console utility.
Issue #5083
Prevent errors if precision and left alignment are part of the string.
String precision is applied to limit access to the configured number of
characters but ignored for other types.
Issue #5083
The axis IDs correspond to 2x analog sticks with 2 axes and 2x triggers.
While being at it, the commit changes the Axis_id type to Axis::Id.
Fixes #3669
Failed allocations were still denoted with a successful return value
to the caller. This situation was triggered by artificial testing and
has not been observed yet in practice. In case the 'LIMA_GEM_CREATE'
I/O control fails Mesa will dereference invalid pointers anyway.
Issue genodelabs/genode-allwinner#27.
The frame-pointer-based backtrace does not work without enabling
-fno-omit-frame-pointer explicitly and in most cases leads to page
faults because non-pointer stack values are dereferenced during the
walk. The best we can do is to limit the backtrace walk to the stack of
the current thread to prevent page faults unrelated to the system state
without the use of the backtrace utility.
This commit introduces a printable Backtrace class usable in
Genode::log(), Genode::trace(), etc. The class is based on the new
function for_each_return_address(auto const &fn) that walks the stack in
its limits and calls fn() for each discovered return address on the
stack in the new os/include/os/backtrace.h. Architecture-specific
stack-pointer retrieval and walk loops are implemented in dedicated
os/include/spec/<arch>/os/for_each_return_address.h files. Also, the
well-known Genode::backtrace() function (which logs the return-address
values) is provided for backwards compatibility.
Fixes #5078
The number of hash entries for TCP/UDP corresponds to the number of
sockets managed by the stack. In case there are more sockets than
entries available, buckets will be created to compensate for the lack of
space. The default values for TCP (524288) and UDP (65536) are meant for
the in kernel that manages all sockets of the user land and leads
to very large hash table allocations (>20MB) during initialization.
Since on Genode a component has its own instance of the IP stack or uses
the VFS server, we do not need these kinds of large default settings.
issue #2181
This patch changes the unlink operation of the ram fs to defer the
destruction of a file until it is no longer referenced by any VFS handle.
When unlinked, the file no longer appears in the directory. But it can
still be opened and accessed.
With this change, a parent process of a Unix-like subsystem becomes able
to pass the content of an unlinked file to a forked child process. This
mechanism is required when using the 'exec' command in Tcl scripts.
Another use case is the 'tmpfile()' function.
Fixes #3577
The traced top instance was configured to be active every two seconds
whereas the trace test uses a grace time of only 1.5 seconds before
raising the FOREIGN state of a trace subject as an error.
The state of a trace subject can change only whenever the traced thread
passes a trace point. Hence, with the original configuration, the
release of top as trace subject can take up to two seconds. The patch
reduces the rate to 0.5 seconds to satisfy the expectation of
test-trace.
According to RFC 1812 ICMP Destination unreachable (Network unreachable)
does not quite fit our case of clients directly behind the router.
If a packet is to be forwarded to a host on a network that is directly
connected to the router (i.e., the router is the last-hop router) and
the router has ascertained that there is no path to the destination
host then the router MUST generate a Destination Unreachable, Code 1
(Host Unreachable) ICMP message.
Issue #4729
By using `mktime()`, which assumes local time, we render the `TZ`
environment variable ineffective. Instead, `timegm()` should be used to
set the real-time clock to UTC.
genodelabs/genode#5074
The management of Linux page structs is now tied to the life time of DMA
buffers. Thus, page structs are created when a buffer is allocated and
deallocated only when a buffer is freed - not on lx_emul_mem_free()
because DMA buffers are cached. Page struct refcounting was entirely
reworked in lx_emul/shadow/mm/page_alloc.c.
Fixes #4809
When multiple threads (EMT-0..X + nic_ep) enter the very same
critical section, the use of RTCritSectTryEnter may reflect the contention
case to the Network Model (E1000). Since no one notifies the model, when the
critical section is free again, solely the next packet/event triggered by the
guest will resume the former operation. This may lead to long delays until
packets are sent actually.
Instead of using the RTCritSectTryEnter use RTCritSectEnter to avoid the
situation. All of our network code is non blocking, so the network backend
will only be contended a short time.
Follow up commit to
Issue #5045
The devio API in the Linux kernel promised to be a stable layer for our
USB host controller drivers, but the additional bookkeeping and dynamic
allocations increase CPU overhead in a way that we do not accept further.
Therefore, we go a step back and process DMA transactions directly in and
out of the packet stream from the clients.
Fix genodelabs/genode#5071
Per default Tslab checks that 8 slabs incl. overhead fit into one block.
If this is not desired the template parameter 'MIN_SLABS_PER_BLOCK' can
be used to control the minimum number of blocks.
Fixes #3834
The argument was originally designated to restrict the reach of the
trace monitor but the idea remained unimplemented. It is now superseded
by the use of the trace-session label as trace-subject filter.
Issue #847
This patch changes core's TRACE service to expose trace subjects only if
their PD label matches the label of the TRACE monitor. Hence, by default,
a trace monitor can only observe itself and its child components. Only
if the trace monitor's parent rewrites the trace-session's label, the
view of trace monitor can become broader. For example, when rewriting
the trace label to an empty string "", the trace monitor becomes able to
observe the sibling components hosted in the same init instance as the
trace monitor.
To grant a trace session the special privilege of obtaining a global
system view (including the kernel's trace subjects), the top-level init
has to rewrite the session's label to an empty string. At core, this
specific label "init -> " is handled as a special case that discharges
the filtering/namespacing of trace subjects.
Note that the trace-subject label as reported as subject info is now
given relative to the label of the trace session. As a nice side effect
of this change, the pkg/test-trace_logger works now when executed by the
depot_autopilot as well as via the test.run script.
Issue #847
This option is useful in cases where batching is configured and
failing to fetch a resource should not influence the over-all
result.
Issue genodelabs/genodians.org#32.
In the scope of alloc_dma_buffer(), Out_of_* exceptions might be thrown
at different stages. By adding a Guard object, we make sure to rollback
already created objects accordingly.
genodelabs/genode#5002
As a consequence of adding IOMMU support to the platform driver,
additional RAM and CAPs are needed for setting up IO page-table
structures.
genodelabs/genode#5002
The platform driver needs additional 2MB of RAM for managing IO page
tables (root table and context tables) that are shared among sessions.
genodelabs/genode#5002
By adding the `irq_type` argument, one can explicitly specify whether to
use LEGACY, MSI or MSI-X interrupts. We formerly used the
`device_phys_config` to implicitly select MSI, however, with the
addition of IOMMU support to the platform driver there is at least one
instance where we need an MSI for a non-PCI device.
Yet, by adding another session argument to the Irq session, we exceed
the character limit for session args. Since not all arguments are
relevant for LEGACY interrupts resp. MSI, we can split the Irq_connection
constructor to handle the two cases separately and omit unneeded
arguments.
genodelabs/genode#5002
DMA buffer allocations are always performed as full pages. However, they
got mapped into the IOMMU domain using the requested size, which may not
be a multiple of the page size. This behaviour was introduced as a regression
by #4761 and is corrected by this commit.
genodelabs/genode#5002
The virtual add_range()-method must not be called from the base-class
constructor since the derived class is not fully initialized at
this point.
genodelabs/genode#5002
The sculpt manager views only launchers in the + menu that are not present in
the runtime already. However, this check was missing when finding the right
launcher on a click event inside that menu. This could cause the manager to
try deploying an already deployed launcher again (without any effect)
instead of deploying the launcher that was actually clicked.
Ref #5064
This is a follow-up commit to the adaptation of the run scripts to the
consistent use of [build_artifacts] (issue #4860).
The missing build of libm remained undetected until the recent removal
of implicit shared-library builds (issue #5061).
This patch removes the implicit build of all shared libraries a target
depends on. Targets only depend on the respective ABIs instead. This
alleviates the need to locally build complex shared libraries (think of
Qt) when developing applications. Instead, application developers can
use binary depot archives.
The implementation splits the mk/lib.mk file into three files:
- mk/a.mk for building one static library (.lib.a)
- mk/so.mk for building one shared object (.lib.so)
- mk/abi.mk for building one ABI stub (.abi.so)
Furthermore, the commit moves messages and the collection of build
artifacts to var/libdeps, triggers the build of kernel-specific
ld-<kernel>.lib.so, and prunes the lib-dependency tree at ABIs.
Fixes #5061
- finished tx ack queue should be checked before new allocations
- packets which got not sent must be released in packet stream,
otherwise the network packet stream gets filled up and starves after a while
- Register for ack avail packets and process them concurrently to EMT-* threads
by nic_ep thread (thanks @Peter for the findings) + add synchronization.
- add sigh_ready_to_submit to network adapter to improve latency by notifying
the network model explicitly in case we had a full packet stream error case
(_retry resp. VERR_TRY_LATER)
Fixes #5045
This patch mirrors the interface of Sculpt's distant_runtime to the
sandboxed_runtime variant, allowing the configuration of xpos, ypos,
min_width, min_height, opaque, and background color.
Issue #5008
This patch moves the text-editing facility of app/text_area to a
text-area widget as part of the dialog library. This has two benefits.
First, it simplifies app/text_area by using the dialog API. Second, the
editor can now easily be reused by other dialog-API-based applications.
Fixes #5058
The 'Dynamic_array' utility is used by the text_area as internal
representation of text. As a prerequisite step of making the text
editing features generally available as a text-area widget, the
utility must become public.
Issue #5008
This method allows for the inquiry of the current hovering state,
e.g., to suppress an update of the Wifi access-point list while
the list is hovered.
Issue #5008
Issue #5053
Several DMA pools of the EHCI/UHCI USB host controller driver declare
that buffers should not cross 4K boundaries. If this property is not met
fatal errors like NMIs may happen during USB operation.
Discussed in issue #5000
Certain USB devices do not react anymore after an endpoint reset
in the use case of USB devices passed through to a virtual machine.
When investigating the only USB session client that needs the
flush transfers request - namely the Qemu xhci model used in
VirtualBox - there seems to be no need to reset the endpoint in fact.
Fix genodelabs/genode#5050
USB devio splits large transactions into 16 KiB buffers in scatter-gather
lists. Unfortunately, this mechanism seems unreliable most certainly because
of issue #4809 "DDE Linux struct page object aliasing".
Issue #5036
Currently, running ripgrep on Genode emits
"Warning: sysconf(71) not implemented".
Return -1 without setting errno, which is a valid return value according
to getpwnam(3) and silence the warning.
Fixes #5043
This patch replaces the original policy-based 'update_from_xml' by a new
method that takes three functors for creating, destroying, and updating
elements as arguments. XML nodes are associated with their corresponding
internal data models by annotating the element type with the
'type_matches' class function and the 'matches' method.
The patch also improves safety by enforcing that list-model elements can
never be copied.
Fixes #4317
This commit adds support to initialize the timekeeping for
the Linux subsystem with the value from the RTC.
Only the seconds part of timespec64 is supported.
Issue genodelabs/genode#4957
FreeBSD libc code uses only a single spinlock instance and, thus there
is no obvious reason why it would need to be implemented as an actual
spinlock. _spinlock() and _spinunlock() functions are implemented with a
static pthread mutex.
Issue #725
Changes needed after merging `uboot` and `uboot_fit` modules into a
single module.
Additionally `image.elf` file is removed when either `image.itb` or
`uImage` is created, so it cannot be processed when `image/uboot` module
is loaded. Therefore `image.elf` processing is done conditionally now.
Fixes #5037
This commit adds a new configuration option, `dst_addr` to the
'sntp_client' that accepts either an IP address or a DNS hostname. If a
DNS hostname is provided, the 'sntp_client' will resolve the IP address
before each SNTP request. The 'dst_ip' configuration option is
deprecated but kept for compatibility until 'dst_addr' is fully adopted.
xsd/net_types.xsd: add Net_address type
sntp_dummy_rtc: adjust configuration to use pool.ntp.org
Fixes genodelabs/genode#5003
`Expanding_pd_session_client::try_alloc` is an overridden virtual method
of `Ram_allocator::try_alloc`. The latter specifies the default Cache
argument as CACHED. The overridden method should either do the same or
not even specify a default argument at all.
genodelabs/genode#5000
On x86, DMA buffers are actually always mapped as cached. We should
therefore actually ask for a cached buffer in order to avoid confusion.
genodelabs/genode#5000
Feed the high-frequent fetchurl reports into a list model to speed up
the subsequent evaluation of the data.
Also limit the rate of state reporting during updates to visible changes
in percent such that most fetchurl reports do not cause any UI activity
(status updating) any longer.
This patch noticeably speeds up the installation of complex packages
(i.e., the morph browser) on the PinePhone.
Issue #5038
The execution of global-static constructors in Genode is optional for
native components or determined in the libc for libc components. By
convention, we avoid static constructors wherever possible but in rare
cases the component can tweak the point when constructors are executed
and initialize an environment beforehand. The wifi_drv applies this
pattern for the uplink initialization, but is a libc component on the
other hand, and, thus, statics in the Genode C API for uplink are
constructed later by the libc. So, the prior initialization is reverted,
i.e. the signal-handler capability becomes invalid.
This addresses a regression exposed by the following commit.
drivers/wifi: perform multi-staged construction
Related to #3509
Fixes #5024
Component names can be larger than widget IDs, which are capped at 20
characters. To uniquely correlate the component depicted in the graph
with clicks, this patch uses a dedicated graph ID for each runtime
component instead.
Fixes #5034
This patch allows for the interactive assignment of the system-control role
to a new component via the resource dialog. This is useful for integrating
low-level components like the Intel frequency/power monitoring tool.
Fixes #5033
Commit "menu_view: ignore zero-sized widgets in box layout" introduces
zero-sized child widgets as a special case but defined zero-sized as
zero covered pixels (w*h == 0). However, for layouting, a widget with a
non-zero height and zero width is not zero-sized.
This patch refines the zero-size condition such that only widgets with
both zero width and zero height are considered as zero-sized.
It thereby solves the missing display of empty lines in the text_area
component.
The 'Xml_node::differs_from' method takes the constructor arguments
(addr, size) for a byte-wise comparison whereas 'with_raw_node'
restricts the byte range to the actual XML tags. In cases where
the XML start tag is preceded by whitespace, both ranges can differ.
Since the 'differs_from' method is meant for comparing actual XML
nodes - not any whitespace around them - whitespace should be ignored
on both operands.
Issue #5029
This is a follow-up fix for commit "sculpt: apply Dialog API to diag,
panel, and graph", which happened to render the legacy dialogs (network
and settings) inaccessible.
The patch avoids the use of clack seq numbers for the 'popup_opened'
condition (which happens on click, not clack). It also overrides old
click information on the arrival of a new click, avoiding the evaluation
of stale click sequence numbers in distant_runtime.cc. Furthermore, it
reduces the rate of 'Distant_runtime::_try_handle_click_and_clack'.
Issue #5008
On WPA3 encrypted networks the AP picker does not indicate encryption
and does not prompt for a passphrase.
Also indicate an encrypted network when "protection=WPA3", remedying
both issues.
Fixes #5022
Up to now, when using force_*, all other configured modes of a connector
got overwritten and the force_* got enforced. With the commit,
the connector mode is considered (if below max_*) and the resulting
framebuffer may be larger than the dimension of force_*.
Without this change gpg aborted with
gpg: Sorry, no terminal at all requested - can't get input
and after adding --batch only with
gpg: signing failed: File exists
Differences in TAR archive member metadata result in unstable depot
hashes. The following properties have to be fixed: modification time
(incl. time zone), numeric owner and group, permission modes.
Related to #2842
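The effect of the metadata fields named in the preceding commit message on an archive hash, as an added Python example (not the Genode depot tooling). The member contents, the two build environments, the use of SHA-256, and the fixed values chosen for mtime, owner, and mode are all assumptions made for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample content standing in for a depot archive.
MEMBERS = {
    "src/main.cc": b"int main() { return 0; }\n",
    "README": b"constructed sample\n",
}

# Assumed normalization policy (hypothetical, not taken from the Genode tools).
FIXED_MTIME = 0


def normalized(info):
    """Pin the metadata fields named in the commit message to fixed values."""
    info.mtime = FIXED_MTIME          # epoch seconds, independent of time zone
    info.uid = info.gid = 0           # numeric owner and group
    info.uname = info.gname = ""      # drop symbolic names as well
    # Keep only the executable distinction so umask differences vanish.
    info.mode = 0o755 if info.mode & 0o100 else 0o644
    return info


def archive_digest(mtime, uid, gid, user, mode, normalize):
    """Build an in-memory tar of MEMBERS and return its SHA-256 hex digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(MEMBERS):  # fixed member order
            data = MEMBERS[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime, info.uid, info.gid = mtime, uid, gid
            info.uname = info.gname = user
            info.mode = mode
            if normalize:
                info = normalized(info)
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()


# Two constructed build environments archiving identical file contents.
BUILD_A = dict(mtime=1700000000, uid=1000, gid=1000, user="alice", mode=0o664)
BUILD_B = dict(mtime=1700003600, uid=1001, gid=1001, user="bob", mode=0o600)


def digests_match(normalize):
    """True if both environments produce the same archive hash."""
    return (archive_digest(normalize=normalize, **BUILD_A)
            == archive_digest(normalize=normalize, **BUILD_B))


if __name__ == "__main__":
    print("raw metadata, hashes match:       ", digests_match(False))
    print("normalized metadata, hashes match:", digests_match(True))
```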
This change allows for the hosting of system-management components
in Sculpt's runtime. The special role must be declared either as
<launcher managing_system="yes"> attribute or in the deploy
configuration's <start managing_system="yes"> attribute.
Issue #5009
Rename locally extended VCPU state from State to Vcpu_state for clarity.
The local namespace only adds two accessor methods, which does not
justify a local generic name.
Ref #4968
Make naming across architectures coherent by renaming Vm_state to
Vcpu_state, to reflect that it contains the state of a Vcpu and not that
of an entire VM.
Ref #4968
Per Affinity::Location a system control cap can be requested. The capability
provides an RPC interface to request and set Cpu_state, as provided by the
former Pd::managing_system(Cpu_state) method. Invocation of those system
control capabilities then *can* (see below) be executed on the desired CPU
as described by Affinity::Location.
The system control cap will be invalid for kernels that don't support
system_control/managing_system functionality at all.
The system control cap will always be the same, e.g. ignoring the
Affinity::Location parameter, if the used kernel doesn't support or doesn't
require the feature to execute the system control per CPU.
The commit is a preparation step to add guarded and selective x86 MSR
access per CPU.
Fixes #5009
This patch partially converts the Sculpt manager to the dialog API.
At this stage, both the old utilities and the new dialog API are still
used simultaneously.
Issue #5008
The so-called 'Distant_runtime' implements GUI dialogs via menu_view
components hosted at a distant init instance as opposed to child
components (as implemented by the 'Sandboxed_runtime'). This is
particularly the case in Sculpt OS where the sculpt manager is not the
parent of the menu_view instances.
Issue #5008
By renaming 'Dialog' to 'Deprecated_dialog', we become able to use the
name 'Dialog' for the new API while temporarily keeping the original
interface intact.
Issue #5008
- Increase default timeout to one minute
- Ignore power-button events during display-driver startup to avoid
entering another forced blank when pressing the power button twice.
- Prevent wakeup from user activity except for the power button.
So the volume can be adjusted without leaving the screensaver.
Issue #4950
The new API at gems/include/dialog/ aids the creation of simple GUI
applications based on the menu-view widget renderer. Its use is
illustrated by the simple test application at src/test/dialog/
that is accompanied with the dialog.run script.
Issue #5008
Each hover change of the character position within a label results in a
new hover report, which needs to be evaluated by the application. For
the common cases where labels are used as button texts or for presenting
passive information, the level of detail is not needed while the
recurring hover reports induce overhead at the application side.
This patch mitigates this overhead by excluding labels from the hover
reporting by default.
For use cases that actually depend on precise hover reporting of labels,
for example an editable text area, the hover reporting can be enabled by
setting the 'hover="yes"' attribute of the label.
The 'Widget::_version' attribute was meant to allow the deliberate
replacement of a widget by a same-named widget by changing the version
while keeping the name, thereby suppressing any geometry animation.
However, the implementation missed to populate the attribute with the
value provided by the dialog ROM, prompting the unconditional
re-creation of the widget whenever a 'version' attribute was specified.
Even though this had the (desired) effect of preventing geometry
animations, it could cause feedback loops between hover reports and
dialog ROMs because the 'hover_changed' condition in 'Menu_view::Main'
would always stay true while a versioned widget is hovered.
To prevent excessive allocations the bounce buffers are allocated
once and afterwards re-used. The DMA buffers are provided by a
range allocator whose backing store increases in 4 MiB chunks.
The range allocator might not merge the ranges as those chunks
are not necessarily allocated continuously. Allocations larger
than the static chunk size are therefore treated as error.
Internally libyuv uses malloc & free for short time dynamic memory
allocation during image transformation. The converted images are
so large that the Libc allocator will create and destroy a new Genode
dataspace per image. In time sensitive code paths, the overhead can be
noticeable by the caller of the image transformation.
The patch adds the option to register callbacks in the libyuv library to
implement the image allocation by users of the library. They may implement
caching strategies to avoid the overhead, e.g. as seen with qemu-usb and
the webcam model.
and not before. On Windows guest with more than 1 vCPU, the packets
seem to arrive and/or seem to be handled too late in the Webcam model.
An intermediate state, due to the late packet, has been used to decide to
close the Capture session too early.
In SDL2, support has been added for multiple windows.
As such, prior to this commit, invoking _sdl_screen.construct
would create a new window each time the original window was
resized.
To avoid this, refactor to only construct the window once, and
upon resize events, reconstruct the SDL_Surface and SDL_Texture
of Sdl_screen to the new window dimensions.
Issue identified by @chelmuth in https://github.com/genodelabs/genode/pull/4993#issuecomment-1729530634
Fixes #4993
Following the official migration guide of SDL [1], the
fb_sdl framebuffer driver was updated from SDL1 to SDL2.
The sdl2 port in world/src/lib/sdl2 is used.
Since SDL1 is in maintenance mode [2], support for other
display servers than X11 will never be implemented. In
particular, support for Wayland is missing from SDL1.
Fortunately, a port of sdl2 is maintained in genode-world.
As SDL2 is actively developed, it will provide support for
modern hardware architectures, and has mature support for
Wayland [3].
[1]: https://wiki.libsdl.org/SDL2/MigrationGuide
[2]: https://wiki.debian.org/Wayland#SDL1_.28unsupported.29
[3]: https://wiki.debian.org/Wayland#SDL2_.28supported_since_2.0.2.2B-.29
Issue #4993
The new API emphasizes control over the vCPU data by granting access
through the Vcpu::with_state() method, which makes sure that the vCPU is
stopped, invokes the supplied function with a reference to the VM state
and resumes the vCPU if the function returns true.
The old Vcpu::run(), Vcpu::pause() and Vcpu::state() methods are removed
in favor of the new API. Execution of the vCPU is now interrupted by
sending a native Genode Signal to its Vcpu_handler, which will run the
VMM's exit handling method. When this method retrieves the vCPU state by
calling Vcpu::with_state(), the outside interruption is detected and on
x86 a recall exit is injected into the state to signal the vCPU
interruption / pause request to the VMM's vCPU handler.
Ref #4968
instead via the hardware registers of the FPU. On Genode all components and
so VMMs are built such, that the compiler may generate optimized code by
using the FPU at any time. We had to make sure to save the
FPU state as early as possible before the VMM component touches the FPU,
to avoid corrupting & losing guest FPU state. This caused headache again
and again. To avoid the uncertainty, we remove this feature and explicitly
transfer the FPU state via the UTCB.
Depending on the client and use-case the current minimal timeout
value of 5 ms could be too high, lowering it to 1 ms stays within
the limit imposed by most timer drivers.
Issue #4990.
When the wait value is too small the HALT attempt turns into
busy-polling in the VMM. To prevent that always wait a minimal
amount of time.
Issue #4990.
This patch removes the obsolete 'io_progress_elem', which was wrongly
enqueued to the 'read_ready_waiters' fifo and not dequeued at
destruction time.
Fixes #4987
GNU Make 4.4 will pass TARGET to the sub-make of UNDEF_REFS where it can
be later used as link TARGET by Genode's build system. Before 4.4 TARGET
was undefined in the sub-make leading to the correct result.
Remove 'usb_hid', 'usb_net', 'usb_modem' from dde_linux port. These
versions have been updated to Linux 6.1.20 which uses the 'linux.port'
file.
issue #4958
The driver is superseded by the USB network driver (usb_net) which also
contains MBIM support for LTE modems previously provided by this
driver.
issue #4958
The driver uses the 'virt_linux' api and the current lx_kit
implementation. It is a drop-in replacement for the Linux 4.16.3 based
version.
issue #4958
NCM tries to batch TX packets using timeouts (500us) and does not send packets
before 3 packets are in the submit queue. Timeouts take milliseconds on
dde_linux which leads to delayed ACKs and poor performance for the RX case.
Therefore, we send small packets (<100 Bytes) immediately without batching (it
might be an ACK or last packet of a larger transfer).
issue #4958
The PinePhone Modems' CDC Ethernet Interface does not respond if RX/TX queue size
is greater than 12 (experimentally determined), the default would be 60, meaning 60
RX Bulk URBs are sent at once to the device.
issue #4958
A WRITE_ERR_WOULD_BLOCK may occur when large reports are written to a file
system because this fills up the submit queue of the packet-stream interface.
Fixes genodelabs/genode#4988
This commit introduces changes to test number 4, so it must keep
more than one PKG. Also, it introduces a 5th test to verify that the
<remove_all/> functionality does delete everything in the depot.
Issue genodelabs#4866
This commit introduces improvements to the test functions to avoid
code duplication, and renames these functions to reflect better what they
are used for.
Issue genodelabs#4866
The last character should only be skipped if a `\0` or `\n` is found. If
the string ends without such a character or the maximum line length is
hit, we do not skip the last character.
Fixes genodelabs/genode#4985
Dynamically loading the `compat-libc` breaks `fork(2)` on Genode.
Switch `compat-libc` to a special api package that provides a source
file for statically linking the library, analogous to the `blit`
package. This also requires a quirk in Goa but should prevent breaking
`fork()` and removes the runtime and archive dependencies for Rust
packages using `compat-libc`.
Ref genodelabs/goa#61
Implement FBSD_1.0 versions of libc functions ('stat', 'fstat'). The
functions are versioned with @FBSD_1.0, and therefore, will not clash
with libc during linking. However, to be called by our dynamic linker,
the library must be before libc in the NEEDED section of the binary
using it. This requires the lib to be in front of libc in the LIBS
variable. The library currently will call libc 'stat' and 'fstat' by
looking up the symbols via 'dlsym'.
Ref genodelabs/goa#61
Some Ubuntu installations (e.g., 20.04) create installation disks with
strange C/H/S MBR partitions like 3988/255/2. Normally, VirtualBox reads
the MBR to guess disk geometry information for the virtual BIOS.
Unfortunately, the strange values from Ubuntu lead to a heavy
virtual-disk activity on boot. Therefore, this commit forces the use of
calculated values based on the assumption that large disks use LBA
addressing anyway.
Fixes #4978
Adds Genode::Hex_dump class to the formatted_output.h header. This class can be
used to print a hexadecimal dump of a byte range. The data is printed in a
format similar to that used by Linux's 'xxd'. In addition to the 'xxd' format,
consecutive duplicate lines are replaced with a single "*\n" as done also by
Linux's 'hexdump'.
Ref #4966
The DHCP client implementation of Ping originally is a copy of the NIC router
implementation adapted for Ping. The two versions diverged further over the
years. This issue should be solved by merging them into a centralized
implementation. However, this commit treats only a recent issue with the
nic_uplink.run test on pbxa9 qemu but does this by re-aligning the two
implementations partially. The final merge should be done in a separate commit.
Ref #4966
The Depot Autopilot used to filter out tabs and color sequences before
forwarding the test log to the own log. This commit prevents this and further
cleans up the string-filters code.
Ref #4922
The new 'log_prefix' attribute is effective when used in a tests runtime in
<succeed> or <fail> tags that have a non-empty content string. When matching
the log against the pattern given in the affected <succeed> or <fail> tag, the
Depot Autopilot will consider only those test-log lines that start with the
given prefix.
Ref #4922
* Removes the <event> tag from all test package runtime files and replaces the
contained <timeout> and <log> sub-tags with the new tags <succeed> and
<fail>. If a <succeed> or <fail> tag has a content, it defines a log pattern
that should be recognized and render the test failed or successful. If a
<succeed> or <fail> tag has an attribute after_seconds that is not set to 0,
it defines a timeout after which the test should be rendered failed or
successful.
* Adapts the Depot Autopilot to support the new syntax in the test-package
runtime files. However, for now, the Depot Autopilot is kept compatible to
the old syntax as well. If the <events> tag is present, it is prioritized
over the new syntax.
Fixes #4922
Several nightly network-related tests fail currently on sel4/pc because the
new e1000 NIC driver requires more capabilities. The "drivers nic" package
was already adapted to the new requirement but some tests fail to provide
enough caps to the corresponding sub system. This commit tries to fix all
remaining tests.
Ref #4923
* During a session-close, the device-specific usb task and driver data
gets freed. Part of it was the RPC data. To prevent use-after-free
turn it into a pointer and leave it on the stack of the caller thread
* During a device release, URBs discards, and reset operation the Linux task
might get blocked, and then a RPC caller task might return if the RPC
operation was marked as finished already, although it hasn't succeeded yet
* USB devio RESET has to be done before a device release to be effective
Fix genodelabs/genode#4969
* Within flush_transfer of the USB session a given entrypoint gets
reset, to be effective all related URBs need to be discarded first
* Discarding URBs shall be done in reverse order, like libusb is doing it,
where it warns about potential races otherwise
Ref genodelabs/genode#4969
* Adds a new component server/nic_uplink that forwards packets unmodified
between one Uplink session at one side and potentially multiple Nic sessions
at the other side.
* Adds a new run script nic_uplink.run that does a basic test with multiple
Nic clients on this component and adds it to the autopilot list.
* Adds a new depot recipe src/nic_uplink for this component.
* Adds a new depot recipe pkg/pc_nic for deploying the pc_nic_driver together
with a nic_uplink server. This allows for raw access to the network connected
to the Nic of the system in contrast to the commonly used routed and NAT'd
access via NIC router. That said, it enables the use of network protocols
not yet supported by the NIC router at the cost of less protection.
Ref #4966
Introduces a new class that does the clean-up if some exception is
thrown while creating the session. This reduces redundancy and overall
lines of code.
Ref #4966
by just test the migration feature, without relying on load measured on the
CPUs. On Qemu (and depending on other load in the Linux system), the migration
feature is not reliably triggered in time.
* Allow support for kernel configurations without CONFIG_IRQ_DOMAIN_HIERARCHY
* Export `irq_domain` instantiated for driver-specific extensions of the irqchip
Fix genodelabs/genode#4964
This change allows a monitored VBox instance to specify a distinct
(lower) priority to the VM session to ensure that the VMM is always
prioritized higher than the VCPUs. This is important because host
I/O at the VMM should always be able to preempt a busy guest.
Issue #4917
Decreasing the internal buffer size will implicitly limit the number
of blocks provisioned for recording and brings them in line with
the number of blocks used for playback (2).
Note that this patch also sets an upper-bound on the number of
samples in 'Audio_*::PERIOD'.
If all connectors are set to disabled by configuration, the connectors
stayed enabled since the new configuration reveals no preferred or minimal
resolution/mode. Instead, use the last set resolution in order to get to the
disabling code.
The memory barriers were introduced with commit "test-timeout: fix build
errors with -std=gnu++20" presumably in order to prevent GCC optimization from
removing the empty for loops the test is using because using a volatile index
variable was no longer an option.
However, the memory barriers seem to have a negative effect on the measurements
performed with the affected loops. The commit caused the timeout test to fail
at least on imx53_qsb.
This commit fixes the issue by using a simple empty for loop without volatiles
or memory barriers but protected inside a function that is compiled with
optimization disabled.
Ref #4959
This commit extends the Lx_kit initialization function by passing in
a signal handler that is used to perform the normally occurring
scheduler execution and is a follow-up change for the decoupling
scheduler execution commit.
Instead of burying the signal handler in the 'Lx_kit::Scheduler'
object it is provided by the main object where the driver is free
to perform any additional step before or after executing the scheduler.
Issue #4927
Fixes #4952
Since the wireless LAN driver is actually a 'Libc::Component' due to
its incorporation of the 'wpa_supplicant' application, we have to
intercept its construction because we have to initialize the Lx_kit
environment before any static ctors are executed. Most Linux initcalls
are implemented as ctors that will be otherwise implicitly executed
before the control is given to us in 'Libc::Component::construct'.
Issue #4927.
The timer used to read the counter first and then the IRQ status. This
could cause a non-wrapped counter value to be considered a wrapped
counter value, leading to bogus timeout durations.
This commit fixes the bug and documents the used timer mode in the
driver in order to make future debugging of the driver easier.
Ref #4959
Prevent missing new RPC calls handed over to a Linux task
of a corresponding usb-device, while that task blocked
during enqueuing of asynchronous URBs.
Fixed genodelabs/genode#4955
* add a sensible priority setup into the test script in order to protect
drivers and stack components from the demanding net clients
* delay the starting of the net clients by 5 seconds in order to give the
drivers and stack components some time to startup in peace
* use only explicit service routing and caps values
Ref #4923
This patch replaces the exception-based error propagation by the use of
'Attempt' return values, which eliminates side effects of the exception
handling - cxx_heap allocations - from code paths that are used by the
cxx_heap itself (when growing the cxx_heap).
It thereby fixes the failure of the sub_rm test at the "attach RAM ds to
any position at sub rm - this should fail" step.
Fixes #4953
This patch enhances Sculpt with the ability to detect user inactivity
for driving a screensaver by combining nitpicker's hover and focus
reports with a timer.
Issue #4950
Nitpicker's hover and focus reports contain an 'active' attribute, which
can be inspected for the detection of user activity, e.g., as trigger
for a screensaver or for dynamic clipboard policies.
When using the 'Event' session, the reporting code updated the reports
only on incoming events. This patch adds the periodic reporting as used
when using the old 'Input' session.
Issue #4950
Decoupling the scheduler execution can lead to missed interrupts
because the current implementation only handles one pending
interrupt and requires immediate processing.
This commit introduces a helper object that is used to capture
any occurring interrupts that are then handled consecutively.
Issue #4927.
Prior to this commit, whenever an external event occurred, for example
timer or interrupt, the corresponding I/O signal handler was triggered.
This handler unblocked the task waiting for the event and initiated the
immediate execution of all unblocked tasks. Since these tasks may hit
serialization points, e.g. synchronously waiting for packet stream
operations, that require handling of other I/O signals this leads to
nested execution. This, however, is not supported and mixes application
and I/O level signal handling.
The flagging of the scheduling intent is now decoupled from its
execution by using an application level signal handler that is run in
the context of the component's main entrypoint. The I/O signal handler
now triggers the scheduling execution by sending a local signal to
the EP.
Since it might be necessary to execute a pending schedule from the EP
directly the scheduler is extended with the 'execute' member function
that performs the check that the scheduler is called from within the
EP and triggers the execution afterwards.
Issue #4927.
On disconnect of displays, e.g. seen with Type-C connectors, the encoder was
not properly disabled due to a missing drm_client_modeset_commit. In order for
the commit to succeed, however, a fb must be assigned to the modeset. Failing to
do so leads to an -EINVAL by the drm_client_modeset_commit.
Fixes #4948
Fixes alignment faults that occurred in the AES256 implementations while
wrapping or unwrapping keys on imx53_qsb, imx6q_sabrelite, and imx7d_sabre.
The problem was that the unwrap_key/wrap_key functions did reinterpret casts
from unsigned char pointers to uint64_t pointers and then directly used the
64-bit values referenced by the latter. Most probably this caused the compiler
to optimize operations in the assumption that the pointer is 8-byte aligned
which then created alignment faults.
As a solution, this commit changes the interface of the wrap_key/unwrap_key
functions to take uint64 pointers as arguments instead of unsigned char
pointers and then adapts the function users to ensure that they refer to
appropriately aligned memory regions.
Fixed #4932
The initial memory backend implementation was brought over from DDE
Linux and was geared towards use-cases where a high-performing
allocator is useful. In case of the audio driver this is overkill
and since no other driver that could benefit from such an
implementation was ported in the meantime rather use a simpler
implementation that keeps the overhead down.
Fixes #4946.
Since component.cc is no longer linked to core, we can also remove
entrypoint.cc, which was merely a dependency of component.cc.
Related to issue #4784
This patch replaces the global '_wait_for_exit_sem' object by a local
static variable, which does not rely on the global ctors. It thereby
fixes the fault_detection test after the removal of the global ctors
execution from core ("base: remove component.cc from core").
Issue #4784
With these options enabled comparative testing between pc_linux drivers
and bzImages becomes much easier on EFI-only machines. The impact on the
actual Genode drivers is minimal.
This patch removes the use of the Entrypoint::schedule_suspend mechanism
and the call of glibc's exit from the lx_hybrid tests, for two reasons.
First, the interplay of atexit handlers executed by the glibc and
Genode's lx_hybrid library is complicated while bringing no benefits in
practice as lx_hybrid applications are usually servers that don't exit
anyway.
Second, the Entrypoint::schedule_suspend mechanism is not used by any
other component. By removing its use from the lx_hybrid tests, we can
remove this mechanism from the base library.
Issue #4940
By supplying only the parts of the Env that are actually relevant for
initializing the cxx heap, we avoid the need for the 'Env' interface.
The patch also moves the call of 'init_ldso_phdr' to the outside
of the cxx library because it does not belong there.
Issue #4784
USB devices that are never associated to client sessions lack
usb_per_dev_data (and a kernel thread). Therefore, the devices should be
discontinued directly on unplug as no URBs can be pending.
Issue genodelabs/genode#4795
This commit enables the R8169 driver and was tested with two
RTL8168h/8111h (10ec:8168 rev 0x15 sub 1462:7a38 / 1d05:109f) and
two equal RTL8125B (10ec:8125 rev 0x5 sub 1458:e000) devices
running Sculpt.
Firmware loading is for now not implemented but specific Linux
commits suggest it could be necessary. However, doing so will be
postponed until we have gathered more experience with the driver.
Restarting the driver might lead to the following IOMMU error
messages but the device seems to work anyway:
[ 0] IOMMU:0xffffffff817ec040 FR:0x8a00000000002500 FI:0xfffffffdf8d30000 type:0x8 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2000004200002500 FI:0x000c21b0 type:0x2 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004200002500 FI:0x000c21a0 type:0x2 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004200002500 FI:0x00138000 type:0x2 BDF:25:00.0
[…]
[ 0] IOMMU:0xffffffff817ec040 FR:0x8a00000000002500 FI:0xfffffffdf8d30000 type:0x8 BDF:25:00.0
[ 0] IOMMU:0xffffffff817ec040 FR:0x2020004300002500 FI:0x00124000 type:0x2 BDF:25:00.0
Issue #4921.
While this approach still scans "holes" in the bus range, it stops
scanning at the maximum subordinate bus number reachable from the base
PCI bus at the host bridge. Startup under Qemu no longer takes about 12
seconds for scanning 256 buses.
By splitting the 'init_capability_slab()' implementation to a separate
compilation unit 'capability_slab.cc', base-hw no longer needs a
customized version of 'lib/base/platform.cc'.
Related to issue #4784
This patch replaces the internal use of 'env_deprecated()' from the
implementation of the thread API in the base library. It also
replaces the global accessor 'main_thread_cap' by the explicit
propagation of the main-thread's capability to the single point of
use via a new 'init_thread_bootstrap' function.
Issue #4784
This back end can be used in place of the existing jitterentropy-based
one in case random is not strictly needed by the component but one
wants to use the available 'shadow/drivers/char/random.c'
implementation.
Issue genodelabs/genode-allwinner#21.
The implementation was already part of the Zynq's sd_card driver and
since other ARM drivers need it as well, promote it to the common
shadow library.
Issue genodelabs/genode-allwinner#21.
* Removes all previous structs that represented an on-disc block layout
and were therefore subject to a number of layout restrictions (packed,
padding members, enum representations, etc.).
* Adds a replacement struct without any layout restrictions for each of the
removed structs. The new structs are named similar to the old structs.
* Adds block encoding and decoding utilities for easily converting from the
new structs to on-disc blocks and vice-versa (Block_scanner, Block_generator,
T::decode_to_blk, T::encode_from_blk)
* Adapts all affected places in the library to encode and decode properly
instead of simply casting pointers.
* Thereby cleans up the hashing utilities to use typed-reference args instead
of void pointers.
* Re-enables run/tresor_tester and test-file_vault_config_report for platforms
rpi, imx53_qsb, imx53_qsb_tz, imx6q_sabrelite, imx7d_sabre.
Ref #4819
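The decode-instead-of-cast approach described in the commit above, as an added example that is not Tresor's code: the record layout, the little-endian byte order and the names `Scanner`, `Generator`, `decode_record` and `encode_record` are assumptions made for illustration. Fields are read byte by byte into a naturally aligned struct, so the block may sit at any alignment, and truncated blocks or out-of-range enum values are rejected.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed on-disk record for this example (not Tresor's format):
// 1-byte type tag, 8-byte block address, 4-byte generation, stored
// back-to-back in little-endian order, 13 bytes in total.
static const size_t RECORD_SIZE = 13;
enum Type : uint8_t { INVALID = 0, INNER = 1, LEAF = 2 };

// In-memory form: plain members, natural alignment, no packing attributes.
struct Record {
    uint64_t block_addr;
    uint32_t generation;
    Type     type;
};

// Reads integers byte by byte, so the source may have any alignment.
class Scanner {
    const uint8_t *_base; size_t _size; size_t _pos = 0; bool _ok = true;
  public:
    Scanner(const void *base, size_t size)
    : _base(static_cast<const uint8_t *>(base)), _size(size) { }

    template <typename T> T fetch() {
        if (!_ok || _size - _pos < sizeof(T)) { _ok = false; return T(0); }
        T v = 0;
        for (size_t i = 0; i < sizeof(T); i++)
            v |= static_cast<T>(static_cast<T>(_base[_pos + i]) << (8 * i));
        _pos += sizeof(T);
        return v;
    }
    bool ok() const { return _ok; }
};

// Writes integers byte by byte; refuses to write past the end of the block.
class Generator {
    uint8_t *_base; size_t _size; size_t _pos = 0; bool _ok = true;
  public:
    Generator(void *base, size_t size)
    : _base(static_cast<uint8_t *>(base)), _size(size) { }

    template <typename T> void append(T v) {
        if (!_ok || _size - _pos < sizeof(T)) { _ok = false; return; }
        for (size_t i = 0; i < sizeof(T); i++)
            _base[_pos + i] = static_cast<uint8_t>(v >> (8 * i));
        _pos += sizeof(T);
    }
    bool ok() const { return _ok; }
};

// Decodes one record; fails on a short block or an unknown type tag.
bool decode_record(const void *blk, size_t size, Record &out) {
    Scanner s(blk, size);
    uint8_t  tag  = s.fetch<uint8_t>();
    uint64_t addr = s.fetch<uint64_t>();
    uint32_t gen  = s.fetch<uint32_t>();
    if (!s.ok() || tag < INNER || tag > LEAF) return false;
    out.block_addr = addr;
    out.generation = gen;
    out.type       = static_cast<Type>(tag);
    return true;
}

// Encodes one record; fails if the destination block is too small.
bool encode_record(const Record &r, void *blk, size_t size) {
    Generator g(blk, size);
    g.append<uint8_t>(r.type);
    g.append<uint64_t>(r.block_addr);
    g.append<uint32_t>(r.generation);
    return g.ok();
}

// Round-trips a record through a deliberately misaligned buffer position.
bool roundtrip_misaligned() {
    alignas(8) uint8_t raw[RECORD_SIZE + 1] = {};
    Record in { 0x1122334455667788ULL, 0xAABBCCDDu, LEAF }, out {};
    return encode_record(in, raw + 1, RECORD_SIZE)
        && decode_record(raw + 1, RECORD_SIZE, out)
        && out.block_addr == in.block_addr
        && out.generation == in.generation && out.type == in.type;
}

int main() { return roundtrip_misaligned() ? 0 : 1; }
```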
* Replaces bool access types with uint8_t access types
* Ensures that the framework always uses the smallest possible uint type
for the return value wherever a bitfield is read and returned to the user.
Ref #4924
In some instances, the fetchurl progress determined by
depot_download_manager will be empty when the download fails (e.g. due
to a 404), this commit fixes a bug where this would be interpreted as
the download having completed which would subsequently start hash
verification of a package that has never actually been downloaded.
Fixes #4919
The depot_remove component can delete PKG archives with
automatically resolving dependencies and deleting archives that are not
required on the system anymore.
Issue genodelabs#4866
On some platforms (x86_32/pistachio, x86_64/sel4) system startup is slow
and the previously configured 30 seconds not sufficient. With this commit, the
timeout is raised to 60 seconds only when running on such a platform.
Ref #4923
This test was originally a copy of ping.run and therefore unnecessarily
inherited all its complexity for testing ping component behavior. Additionally,
ping.run was more actively maintained and evolved over time whereas
nic_dump.run didn't receive the same care. Now, the test fails on certain
platforms although NIC dump works just fine. Therefore, this commit reduces the
test behavior to what is really necessary for testing nic_dump and by doing so,
also fixes the failing targets.
Fixes #4926
On x86_32 okl4, the test timed out although the test timeout was already at
240 seconds for this platform. Instead of raising it further, this commit
reduces the number of ping rounds for all platforms that are considered as
slower by the test.
Ref #4923
If this file is called from a Makefile via
! $(shell <path>/tool/ports/current qt5-host)
'shell' will return
"Entering directory '' <path-to-libc> Leaving directory '' Stop.",
and thus, producing multiple targets in the 'tool_chain_qt5' case.
issue #4725
This patch restricts 'Region_map::attach_executable' to create read-only
mappings, while offering the option to map the full rights using a new
'attach_rwx' method.
The 'attach_rwx' method is now used by the dynamic linker to explicitly
attach the linker area with full rwx rights. With the old page-fault
handling code, the execute flag was evaluated only for leaf dataspaces,
not for managed dataspaces while traversing region-map hierarchies.
With the new page-fault handling code, the execute bit is downgraded
to no-execute when passing a managed dataspace that is not attached
as executable.
Issue #4920
The change "core: allow offset-attached managed dataspaces" addressed a
corner case of the use of nested region maps. Apparently, this change
negatively affects other scenarios (tool_chain_auto).
In order to confidently cover all the different situations, this patch
reworks the page-fault resolution code for improved clarity and safety,
by introducing dedicated result types, reducing the use of basic types,
choosing expressive names, and fostering constness.
It also introduces a number of 'print' hooks that greatly ease manual
instrumentation and streamlines the error messages printed by core.
Those messages no longer appear when a user-level page-fault handler
is registered for the faulted-at region map. So the monitor component
produces less noise on the attempt to dump non-existing memory.
Issue #4917
Fixes #4920
The new monitor component at os/src/monitor is the designated successor
of the gdb_monitor. This initial version, however, implements only the
subset needed to inspect the memory of the monitored component(s).
In contrast to the gdb_monitor, the new component supports the monitoring
of multiple components, leveraging the sandbox API. It can therefore be
used as a drop-in replacement for the init component. Like the gdb_monitor,
the new monitor speaks the GDB protocol over Genode's terminal session.
But the protocol implementation does not re-use any gdbserver code,
sidestepping the complexities of POSIX.
There exist two run scripts illustrating the new component. The
os/run/monitor.run script exercises memory inspection via the 'm' command
by letting a test program monitor itself. The os/run/monitor_gdb.run
script allows for the interactive use of GDB to interact with monitored
components.
Issue #4917
Let the sandbox library disregard all unknown config sub nodes so that
supplemental information - like the monitor policy configuration - is
not interpreted as a misconfiguration ("unknown config element type ...").
Issue #4917
This patch moves the destruction of the child's PD session after the
closing of all other sessions because the PD session's role as resource
container might still be needed for orderly reverting the session quotas
when closing the other remaining sessions.
Issue #4917
By default, the sandbox uses the Env::pd() as reference PD session of
the sandbox children.
However, to accommodate use cases where the interplay of the reference
PD session and the child's address space needs to be intercepted, this
patch adds a constructor that takes an interface for the controlled
access of PD intrinsics as argument.
Issue #4917
This patch replaces the former 'address_space' accessor by a new
'with_address_space' interface that grants access to the region map of
the child's address space, but limits the interface lifetime to the
scope of the caller.
Issue #4917
This patch adds the missing application of the region offset to the
resolution of page faults inside managed dataspaces, which resulted in
an unexpected "invalid mapping" message after attaching a managed
dataspace with an offset.
This limitation could be observed during the implementation of the debug
monitor that locally maps a portion of the debugging target's address
space, e.g., a view port of 16 MiB. All traditional uses of managed
dataspaces (e.g., stack area, linker area) happened to attach the
managed dataspaces from their beginning.
Issue #4917
* add semaphore command to ring in order to be able to stop ring
execution before reset (Wa KabyLake)
* implement reset sequence as done by the Linux driver
* reset ring and cancel job of vgpu causing hang
* lower watchdog timeout 1000ms -> 200ms
* improve scheduling of vgpus so progress after reset is made
* improve the generation chaos a little
* tested on Skylake, Kaby Lake, Tiger Lake
issue #4916
* Use jitterentropy only if supported.
On certain targets like pbxa9 or zynq_qemu, the performance counter always
yields 0, which renders jitterentropy unusable. On these platforms, the
Tresor tests now use a static value as entropy source instead.
* Adds a new package test-file_vault_config_report_no_entropy that is used by
the Depot Autopilot on targets without jitterentropy support instead of
test-file_vault_config_report. The only difference between the two packages
is the value of the above described new config attribute of the File Vault.
* Circumvent alignment fault.
The Tresor lib for now has the deficiency of using on-disc data structures
directly in code instead of decoding them first to unpacked, naturally
aligned structures. This causes problems with memory-access alignment on
several platforms (rpi, imx6q_sabrelite, imx53_qsb, imx7d_sabre). As fixing
this properly is a bit of work, the commit disables the tresor_tester and
file_vault_config_report test on the affected platforms in autopilot mode for
now.
* Further adjustments
* Make benchmarks optional
* Use a smaller tresor for rekeying
* Clean up image parameters
* No use of implicit routes/resources
* Reduce ram consumption
* Reduce test timeout
* Raise cap quota, required for sel4 x86_64.
Ref #4819
The debug mode turned out to be unnecessary because the plugin can be simply
replaced with an <inline> file VFS plugin that has a content size of 32 bytes.
Ref #4819
* relaxes the timing and reduces the test steps because pistachio is quite
slow and would otherwise trigger problems with our easy approach of using a
dynamic rom instead of a proper manager
* provide IO_PORT and IRQ session to timer driver
Ref #4819
With the update to sel4 and the gcc 12, assembly instructions are generated
and used, like POPCNT. The instruction is available on our native hardware,
but not emulated by the default cpu model necessarily, which leads to
undefined opcode exceptions (Qemu 4.2.1 && seL4). Additionally, the features
of the default Qemu cpu model may vary between Qemu releases and makes it
harder to correlate effects.
The attachment removal is triggered actually on _ds member destruction time,
but after the io_mem representation for the specific base-<platform> possibly
vanished already during _unmap_local in the ~Io_mem_dataspace. This creates
on base-sel4 several kernel warnings about invalid capabilities.
Issue #4913
Using $(shell find $(REP_DIR)/patches -name *.patch) fails if the
current working directory contains *.patch files due to shell wildcard
expansion before execution. Additionally, the patch list was unstable
because it was not sorted resulting in divergent hashes.
On platforms different than x86 the subsys initcall `pci_subsys_init`
is not available. Therefore, we choose an alternative one here.
Fix genodelabs/genode#4907
In our binaries, the .note.GNU-stack section is missing, which is okay
as we do not interpret these sections anyway and map stack pages
non-executable per default.
Issue #4827
The main user of libsparkcrypto in the past was the CBE block encryption
ecosystem. However, the CBE was replaced with the Tresor block encryption that
uses libcrypto instead.
Ref #4819
This commit introduces preliminary support for joining networks secured
via WPA3-personal. So far it was only tested with the one OpenWRT AP
configured for WPA3 (see excerpt below) where WPA3-only as well as
WPA2/WPA3 mixed worked fine.
Scan results excerpt:
00:11:22:33:44:55 5180 -45 [WPA2-SAE-CCMP][SAE-H2E][ESS][UTF-8] PewPew
00:11:22:33:44:55 2412 -67 [WPA2-PSK+SAE+PSK-SHA256-CCMP][SAE-H2E][ESS][UTF-8] PewPew2
Issue #4861.
It turns out solely relying on the name of the compilation-unit
is not enough. In at least one multi-device driver, e.g. rtlwifi,
an equally called compilation-unit is found in several different
directories. There KBUILD_MODNAME is used to name the driver,
which fails later on as the driver framework refuses to register
an equally named driver twice.
Instead of only considering the name of the compilation-unit also
include the last element of the path to generate differentiating
KBUILD_MODNAME value.
Issue #4861.
The supplicant is updated to the current release and is now downloaded
as archive rather than pulled from git. For the time being 'libnl' is
still kept at 3.2.25 as the current 3.7.0 release relies on more Linux
infrastructure that our integration does not provide.
Issue #4861.
This commit changes the firmware handling from requesting each
firmware file as a ROM module that is checked against a list of
known images (including their size) to requesting each file via
the local VFS of the 'wifi_drv'. This allows for using the original
probing mechanism that tries to select a matching firmware version.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to configure the driver.
Issue #4861.
This function is called when decrypting RX frames on the CPU on 32 bit
platforms. Since the frames are normally decrypted by the wireless LAN
device and this code path is triggered rather infrequently the byte-wise
implementation should not pose a performance risk.
So far it was only encountered with a 7260 device when running netperf.
Issue #4861.
The bulk of the driver code now lives in the 'dde_linux' repository,
which is available on all platforms, from where it can be referenced by
other repositories.
The 'wifi_drv' binary was delegated to a generic harness that includes
all configuration and management functionality shared by all wireless
device driver components, e.g., the wpa_supplicant. The code of the
device driver emulation environment is located in 'src/lib/wifi'. It
is referenced by the platform-specific driver library that resides in
the corresponding platform repository. The runtime configuration needs
to point the driver to the proper driver library.
The platform-specific library is in charge of orchestrating the contrib
source utilized by the driver as well as providing the 'source.list'
and 'dep.list' files. It must include the generic library snippet
'repos/dde_linux/lib/wifi.inc' that deals with managing the emulation
environment code.
The 'repos/dde_linux/src/drivers/wifi/README' file contains more
detailed information on how to deploy the driver.
Issue #4861.
* ARM support and detaching from Ada/SPARK
* Remove all CBE-related code - especially the Ada/SPARK-based CBE library.
* We have no means or motivation of further maintaining big projects in
Ada/SPARK (the core Genode team is native to C++).
* The Genode Ada/SPARK toolchain and runtime don't support ARM so far - an
important architecture for Genode. This would mean extra commitment in
Ada/SPARK.
* We realize that block encryption more and more becomes a fundamental
feature of Genode systems.
* Implement a new block encryption library named Tresor that is inspired by
the design and feature set of the former CBE library and that is entirely
C++ and part of the Genode gems repository.
* The Tresor block encryption is backwards-compatible with the on-disk
data layout of the former CBE block encryption.
* Except from the snapshot management and the "dump" tool, the Tresor
block encryption provides the same feature set as the former CBE block
encryption and accepts the same user requests at the level of the
Tresor library API.
* So far, the Tresor block encryption does not support the creation of
user-defined snapshots.
* In contrast to the former CBE, the Tresor ecosystem has
no "dump" tool because with the CBE library it turned out to be rarely of
use.
* In contrast to the Block back-end of the CBE "init" tool, the Tresor
"init" tool uses a File System back-end.
* The former CBE VFS-plugin is replaced with a new Tresor VFS-Plugin.
* The Tresor-VFS plugin in general is similar to the former CBE VFS but
has a slightly different API when it comes to re-keying and re-sizing.
Each of these operations now is controlled via two files. The first
file is named <operation> and the user writes the start command to it.
The user must then read this file once in order to drive the operation.
The read returns the result of the operation, once it is finished.
The second file is named <operation>_progress and can be watched and
read for obtaining the progress of the operation as percentage.
* The file vault is adapted to use the new Tresor ecosystem
instead of the former CBE ecosystem and thereby also gains ARM support.
* The former CBE tester and CBE VFS-tests are replaced by equivalent
Tresor variants and are now run on ARM as well (testing with a persistent
storage back-end is supported only when running on Linux).
* So far, the new Tresor block encryption has no internal cache for meta
data blocks like the former CBE.
* Add config/report user interface
* Add a second option for the administration front end to the file vault
named "config and report". With this front end the File Vault communicates
with the user via XML strings. A ROM session is requested for user input
and a Report session for user output. The front end type must be set at
startup via the component config and is a static setting. The graphical
front end that was used up to now is named "menu view" and remains the
default.
* The File Vault can now reflect its internal state and user input ("config
and report" mode only) at the LOG session via two new static config
attributes "verbose_state" and "verbose_ui_config" (both defaulting to
"no").
* The Shutdown button in "menu view" mode is replaced with a Lock button. The
new button doesn't terminate the File Vault but merely locks the encrypted
container and returns to a cleared passphrase input. The same transition is
also provided in "config and report" mode.
* The file_vault.run script is replaced with file_vault_menu_view.run and
file_vault_cfg_report.run that address the two front end modes. In contrast
to the former script, which is interactive, the latter script is suitable
for automatic testing.
* There is a new recipe/pkg/test-file_vault_cfg_report that essentially does
the same as file_vault_cfg_report.run but uses the File Vault package and
can be executed with the Depot Autopilot. The new test package is added to
the default test list of depot_autopilot.run
* The File Vault README is updated to the new version of the component and
has gained a chapter "functional description".
* Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault.
* The new Tresor software Trust Anchor has an optional deterministic mode in
which it replaces the normally randomized symmetric keys with 0. This mode
comes in handy for debugging. However, it should never be activated in
productive systems. When activated, the user is warned extensively on the
LOG that this system mode is insecure.
Ref #4819
Changes to the platform driver triggered a map() error while mapping an
address block at 0x3000 of size 0x800. Since the mapped size was larger, the
loop continued and tried mapping address 0x4000 where no dataspace was
found.
genodelabs/genode#4761
By transforming the Device_pd into an Io_mmu::Domain, we implement an
IOMMU device that uses the kernel API for controlling the IOMMU. This
device gets special treatment and is used by default for every device
that has no <io_mmu/> child.
genodelabs/genode#4761
Every session component manages a registry of Io_mmu::Domain objects
that it creates on demand depending on the acquired devices (i.e. the
IOMMU devices referenced by the acquired devices). Via the domain
objects, a session component adds/removes the address ranges of the
allocated DMA buffers. Additionally, domain objects provide an interface
for enabling/disabling pci devices.
Domain objects get destroyed with the corresponding control device.
Moreover, on devices/policy ROM updates, domain objects of control
devices that are not referenced by any acquired device anymore get destroyed.
genodelabs/genode#4761
This allows referencing an arbitrary number of IOMMU devices within a
<devices> node, e.g.:
<device>
<io_mmu name="foobar"/>
</device>
The specified name is supposed to refer to an existing device in the
devices ROM. The platform driver automatically acquires known IOMMU
devices whenever they become available so that the device object can be
looked up from the platform-driver-owned devices.
genodelabs/genode#4761
With this change, platform-specific code is able to define factories that
acquire IOMMU devices to be used by the platform driver.
genodelabs/genode#4761
The method did not handle device changes properly. When a new policy
does not contain an owned device any more, we must consider this device
as changed and release it. Moreover, the warning messages were interchanged.
genodelabs/genode#4761
"-cpu phenom" does not support all CPU instructions necessary with
gcc 12 toolchain update issuing more SSSE3, e.g. pshufb.
Additionally, remove good/bad Qemu version check of outdated versions.
Issue genodelabs/genode-world#329
In 'SUPR3InitEx' (SUPLib.cpp) a 'SUPQUERYFUNCS' structure is allocated
with
! (PSUPQUERYFUNCS)RTMemAllocZ(SUP_IOCTL_QUERY_FUNCS_SIZE(CookieReq.u.Out.cFunctions));
where 'CookieReq.u.Out.cFunctions' is 0. To determine the size of the
allocation
! #define SUP_IOCTL_QUERY_FUNCS_SIZE(cFuncs) \
! RT_UOFFSETOF_DYN(SUPQUERYFUNCS, u.Out.aFunctions[(cFuncs)])
is used with cFuncs = 0 (SUPDrvIOC.h) leading to an allocation up to the
arrow below
! typedef struct SUPQUERYFUNCS
! {
! /** The header. */
! SUPREQHDR Hdr;
! union
! {
! struct
! {
! /** Number of functions returned. */
! uint32_t cFunctions;
! /** Array of functions. */
==> end of allocation
! SUPFUNC aFunctions[1];
! } Out;
! } u;
==> sizeof(SUPQUERYFUNCS)
! } SUPQUERYFUNCS, *PSUPQUERYFUNCS;
In sup.cc (Genode) 'ioctl(SUPQUERYFUNCS &request)' will lead to
'with_out_ioctl'
! auto &out = request.u.Out;
where auto is 'SUPQUERYFUNCS' and finally
! out = { };
will zero out 'SUPQUERYFUNCS' up to the second arrow above. Because
'RTMemAllocZ' will call 'calloc' to allocate the memory 'out = { };'
will corrupt the slab block after the allocation. Therefore, it is
reasonable to allocate at least 'sizeof(SUPQUERYFUNCS)'.
Note there might be other 'ioctl' cases like this. A better way might be
to use 'SUPQUERYFUNCS.Hdr.cbOut' to determine the 'out' size.
fixes #4675
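The size mismatch described in this commit message, modelled as an added example (not VirtualBox or Genode code). The struct types are simplified stand-ins with assumed field names, and the heap is replaced by a guard-filled byte array so the bytes zeroed past the allocation can be counted safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for SUPREQHDR and SUPFUNC; names and sizes are assumptions */
typedef struct { uint32_t cookie, session_cookie, cb_in, cb_out, flags; int32_t rc; } req_hdr_t;
typedef struct { char name[32]; void *fn; } func_entry_t;

/* Same shape as the SUPQUERYFUNCS structure quoted in the commit message */
typedef struct {
    req_hdr_t hdr;
    union {
        struct {
            uint32_t     count;     /* corresponds to cFunctions */
            func_entry_t funcs[1];  /* corresponds to aFunctions[1] */
        } out;
    } u;
} query_funcs_t;

#define OUT_SIZE sizeof(((query_funcs_t *)0)->u.out)
#define GUARD    0xA5

/* Size as an offsetof-style macro computes it: ends where funcs[n] would begin */
size_t dyn_size(uint32_t n)
{
    return offsetof(query_funcs_t, u.out.funcs) + (size_t)n * sizeof(func_entry_t);
}

/* Hardened size: never smaller than the complete structure */
size_t safe_size(uint32_t n)
{
    size_t d = dyn_size(n);
    return d < sizeof(query_funcs_t) ? sizeof(query_funcs_t) : d;
}

/* Offset one past the last byte written by an 'out = { }' assignment */
size_t zeroed_end(void)
{
    return offsetof(query_funcs_t, u.out) + OUT_SIZE;
}

/*
 * Model an allocation of 'alloc_size' bytes at the start of a guard-filled
 * arena, apply the equivalent of 'out = { }', and count the guard bytes
 * behind the allocation that were overwritten.
 */
size_t clobbered_guard_bytes(size_t alloc_size)
{
    unsigned char arena[sizeof(query_funcs_t) + 64];
    size_t i, hit = 0;

    if (alloc_size >= zeroed_end())
        return 0;   /* the assignment stays inside the allocation */

    memset(arena, GUARD, sizeof(arena));
    memset(arena, 0, alloc_size);                                 /* calloc-like */
    memset(arena + offsetof(query_funcs_t, u.out), 0, OUT_SIZE);  /* out = { }   */

    for (i = alloc_size; i < sizeof(arena); i++)
        if (arena[i] != GUARD)
            hit++;
    return hit;
}

int main(void)
{
    printf("sizeof(query_funcs_t)      = %zu\n", sizeof(query_funcs_t));
    printf("dyn_size(0)                = %zu\n", dyn_size(0));
    printf("clobbered with dyn_size(0) = %zu\n", clobbered_guard_bytes(dyn_size(0)));
    printf("clobbered with safe_size(0)= %zu\n", clobbered_guard_bytes(safe_size(0)));
    return 0;
}
```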
In case the meta data (or more) got zeroed upon 'free', print error
message. The offset in the meta data can never be zero. This does not
help on other memory corruptions, but at least gives a hint in the too
much zeroed out case.
issue #4675
GPU device access is hard to achieve in run scripts and even harder to
implement generic.
Use the "Modularize Sculpt OS image creation"
(commit b723b11b30)
approach instead.
issue #4900
The XHCI model reserves 0x4000 of IO memory but uses only 0x530.
Implement read (0) and write (nop) for these regions as real hardware
does.
fixes #4902
Triggered by the toolchain update to GCC 12 certain pragmas lead to
a build error as those are now unknown. As quick-fix add '-gnatwG',
which suppresses warnings on unrecognized pragmas.
Issue #4880.
When a GPU session is destroyed, remove vgpu of session from scheduling
and as possible active vgpu. Otherwise, page faults might occur in case
already destroyed vgpu object is referenced during interrupt handling.
fixes #4881
Apparently we need to save the floating point arguments when entering
the linker in case "-fno-tree-vectorize" is at work. Otherwise these
registers get corrupted during jump slot relocation.
Fixes #4879
Either enable strict-alignment or disable FPU code generation by gcc
regarding bootstrap code, which cannot handle alignment faults during
initialization properly.
Ref genodelabs/genode#4827
/data/genode/repos/os/src/server/lx_fs/directory.h: In member function ‘virtual Genode::size_t Lx_fs::Directory::read(char*, Genode::size_t, File_system::seek_off_t)’:
/data/genode/repos/os/src/server/lx_fs/directory.h:224:53: error: ‘dent’ may be used uninitialized [-Werror=maybe-uninitialized]
224 | .type = type(dent->d_type),
| ~~~~~~^~~~~~
/data/genode/repos/os/src/server/lx_fs/directory.h:197:40: note: ‘dent’ was declared here
197 | struct dirent *dent;
| ^~~~
Issue genodelabs/genode#4827
Eliminate the creation of 'Genode::String's before the linker has been
self relocated, because 'Genode::String's will call 'Genode::strlen' on
construction from C-Strings, which has now become a GOT relative call,
while the GOT contains only zeros before relocation -> page fault at
IP 0.
fixes #4867
related to #4827
Downloading non-existent archives from 'depot.genode.org' leads to
files in the 'public' directory containing the 404 error website
delivered by the HTTP server. Specifying the '--fail' option results
in curl generating an exit-code that leads to the appropriate action
by the tool, e.g.:
Error: failed to download 'https://depot.genode.org/user/pkg/x/version.tar.xz'
Issue #4865.
error: 'void operator delete(void*, Genode::Deallocator&)' called on pointer returned from a mismatched allocation function [-Werror=mismatched-new-delete]
Issue #4827
Fixes #4850
error: ‘void operator delete(void*, Genode::Deallocator&)’ called on pointer returned from a mismatched allocation function [-Werror=mismatched-new-delete]
Issue #4827
Fixes #4848
An early version of nitpicker used a pointer as 'owner' with the null
pointer representing nitpicker's built-in views, which are nowadays
represented by 'Main::_global_view_ower'. The null-pointer check is a
left-over from the earlier days.
Fixes #4847
Since repos/base/board/pc/devices is empty, the run script no longer
works on PC. Nobody noticed because the use case of this run script -
as development test loop for the ps2 and fb_sdl - are better served by
other scenarios nowadays, e.g., by declaring 'build: ps2' for a
custom Sculpt OS build.
Removed in the context of issue #4860.
If GPG signing is aborted, e.g., by pressing CTRL-C, an empty .sig file
remained in PUBLIC_DIR because the file was created by the Bash
redirection. By using '--output $@', gpg maintains the .sig file.
Bit 0:3 indicate which of the (up to) 16 supported LBA formats is
used for this namespace. Instead of only looking at those bits the
driver looked at the complete 0:7 bits. Those, however, also include
information on how metadata may be transferred. That leads to using
the wrong index for reading the LBA format.
Fixes #4832.
This patch solves keyboard-focus issues with the wifi dialog that were
caused by making the focus update conditional. However, since the update
is not expensive, we can unconditionally re-evaluate the focus after
each user interaction.
Issue #4820
Fixes #4856
This patch solves the false-negative error message "failed to open file"
referring to an ioctl info file during an ioctl call. The message is
now avoided by checking for the existence of the file before reading it.
However, the observed symptom uncovered an actual bug that was
introduced in commit "libc vfs: open OSS 'info' file only once" with
the attempt to cache the content of ioctl info files. When called
multiple times for different paths, 'Vfs_plugin::_with_info' would
wrongly return the info from the first call as cached in a local
static variable.
The patch fixes the problem by a newly added 'Cached_ioctl_info'
implementation in the scope of the 'Vfs_plugin'.
Issue #4372
Fixes #4852
This patch includes the system dialog in the global keyboard focus
handling, supports hovering of the "Edit" and "Add" buttons,
allows the use of the enter key to finish URL editing, and
triggers a re-scan of depot users after adding a new one.
Issue #4820
Should the selected depot user not be present in the depot - for example
after switching the sculpt partition to another - unfold the selection
of all present depot users so that one can pick an existing one.
Issue #4820
If the DMA memory allocation alignment is unfortunate (not natural size
aligned), the IOMMU (AMD/INTEL) may not use larger (super) pages with effects
on the page table walk frequency and TLB caching.
Issue #4820
We repeatedly experience issues with XHCI handoff in the USB host driver
at runtime on modern systems. Mostly, these issues manifest as
initialization delays with very high CPU load. Investigations show that
during this time the handoff MMIO write does not return, which hints the
firmware driver enters some spinning loop. I suspect the enabled IOMMU
does not play well with the firmware due to insufficient RMRR
information.
Therefore, we disable USB handoff in Sculpt via the driver manager (as
we do for dedicated devices already in other contexts). Note, UHCI and
EHCI handoff is still done in the platform driver and succeeds on all
our test hardware.
Issue #4820
This split allows us to cross-compile all arm_v8a packages needed for
'goa build' by creating pkg/arm_v8a/goa.
The components featured on pkg/goa-linux are solely needed for 'goa
run'. As they contain a number of lx/hybrid components, pkg/goa-linux
must be compiled on Linux running on the target architecture.
Fixes a regression with the cbe_init_trust_anchor component that prevented
reacting to a failed unlock attempt in the File Vault. The regression was
caused by new semantics in the vfs that did not allow for using the file
operation result as indicator for whether the unlock attempt failed or
succeeded. The correct and hereby applied approach is to check for the data
read from the file after having written the unlock command. The data reads
either "ok" or "failed".
Before scheduling we check if the execlist is empty. When many clients
are present, the bits might not be cleared by hardware yet. Before the
watchdog timer would trigger, because we scheduled nothing. Now we try
several times, even if this fails, we still schedule because in the worst
case only a preemption would happen.
issue #4820
Commit "vbox: avoid uncaught nic Empty_ack_queue exception" introduced a
performance regression due to packet retransmission because of faulty
GSO segment handling. As fixing the GSO handling is fairly complex, we
disable GSO until a fix was developed.
Issue #4820
Issue #4821
This patch mitigates potential busy feedback effects when evaluating the
reports produced by 'depot_deploy' in a closed control loop. Reports
are now generated only if the deployment state has changed.
Issue #4818
This patch marks a child as incomplete if one of the ROM modules listed
in its blueprint is missing. This, in turn, triggers the update system
in Sculpt, which then tries to download the missing pieces.
Issue #4818
By managing downloads issued by the deploy subsystem via the
'Download_queue', failed downloads (e.g., due to HTTP error 404) are
properly tracked and don't cause infinite re-attempts.
Issue #4818
This patch promotes the event of an exiting child to become immediately
reported, reducing delays for management components that watch the exit
status of children.
Fixes #4814
This patch replaces the former 'nic_drv' and 'nic_drv_dtb' functions
by a more general 'nic_driver_routes' function that can return one or
multiple platform-specific ROM routes for NIC-driver binaries and dtb
files. This allows for supplying customizations for the wifi driver
as well. E.g., on the PinePhone, this hook can be used to handle the
renaming of the 'wifi_drv' to 'a64_wifi_drv'.
Related to issue #4813 and issue genodelabs/genode-allwinner#17.
The wifi VFS plugin is solely there to provide a hook for calling
'Lx_kit::initialize()' prior to the static ctors. As the corresponding
symbol can be resolved at run-time there is no need to add the
library as a build-time dependency.
Issue #4813
The device-tree binary is normally required on ARM-based platforms
whereas on x86 it is omitted. The platform-specific DTB helper
provides a generic interface for accessing the DTB and needs to be
implemented on each platform.
Issue #4813
The SDIO connected wireless device on the PinePhone is not available
on start-up, which leads to the supplicant failing to initialize
'wlan0'. Normally the supplicant would be used in a way that handling
devices that appear at run-time happens gracefully.
Rather than supporting this behavior we defer the start-up of the
supplicant until the device could be opened successfully for now.
Issue #4813
The MAC address device report should be published once the device is
available. Since this may happen at a later time we have to check the
call.
Issue #4813
This commit introduces support for building the WLAN driver for ARM
platforms. It makes the WPA supplicant and its support libraries
available for all platforms. It also separates the PCI parts to
accommodate platforms where other bus protocols are used.
Issue #4813
The driver was only tested with an "Atheros AR9462 Rev:2" [168c:0034]
device using the 'wifi.run' run script.
Note: for it to work MSI may not be used as otherwise interrupts do not
work. Using an IOMMU leads to the following fault:
[ 0] IOMMU:0xffffffff817eb0b0 FRR:0 FR:0x22 BDF:4:0:0 FI:0xb0000000000000 (0)
Issue #4813
The way the 'struct page' management is currently implemented it is
not safe to rely on it in case allocations share the same page. This
is in particular true where the virtual address is obtained by
querying the page object for maintaining the CPU caches.
Issue #4813
Optionally log scheduling-context execution time in addition to the
thread-context. This may be relevant on kernel platforms that do not
schedule threads on their own CPU share only but implement some kind of
donation scheme, for example, NOVA.
Usage
<config sc_time="yes" ...> ... </config>
Fixes #4805
This commit updates the used firmware images for the iwlwifi device
to latest available ones (supported by the current 6.1.x driver).
It also removes old firmware images that by now are not used anymore.
Fixes #4807.
If a content.mk file wrongly refers to a non-existing directory in a
call of the 'port_dir' function, the 'content_env_missing_ports.mk' gets
stuck while invoking 'cat' without argument, which makes such mistakes
difficult to diagnose. This patch adds a sanity check for the existence
of the port hash file at the specified location before attempting to
'cat' the hash-file content.
Unfortunately, the change of "depot: remove empty config from
pkg/nano3d" broke the manual deployment of the nano3d demo because no
<config> is provided in this case.
This patch splits pkg/nano3d into two variants. The regular nano3d pkg
comes with an empty <config/> node as before. The unconfigured_nano3d
pkg does not feature any <config/> node and can thereby be configured
via a ROM route to a dynamic-rom service.
This patch equips the depot_download subsystem with the option to
explicitly skip the signature verification for downloads by specifying
the attribute 'verify="no"' for an <installation> item. This is useful
in scenarios where the lack of integrity of downloaded content does not
pose a risk, e.g., for untrusted applications that are rigidly
sandboxed, or during development.
Note that this option does not entirely discard the signature checking.
Whenever a download has dependencies that are verifiable - for
which the public key exists in the depot - the dependencies are still
verified. This allows untrusted content to depend on verifiable content
while protecting the integrity of the verifiable content.
Issue #4804
This patch adds the 'Verify' argument to all download-related interfaces
in order to control the checking of signatures for downloads. Note that
it does not change the sculpt_manager's existing built-in policy of
always checking signatures.
Issue #4804
This patch moves the interfaces needed for the interactive addition of runtime
components from the 'Popup_dialog' to the 'model/component.h'. So those
interfaces are no longer tied to one specific view implementation.
This free-standing function is meant to gradually replace
'Dialog::match_sub_dialog' interface, which relies on the caching of
the hover state. The new function is more flexible because dialogs no
longer need to inherit 'Dialog'.
The missing else statements resulted in the addition of a
superfluous <archive> node when installing an <index>, causing
warning messages by the depot-download subsystem.
This patch adds the ability to specify an optional 'as' attribute in a
<rom> module declaration of a runtime file.
<runtime ...>
...
<content>
<rom label="camera-pinephone.dtb" as="dtb"/>
...
</content>
</runtime>
If specified, the depot-deploy tool uses the provided attribute value to
hand out the ROM 'camera-pinephone.dtb' under the label 'dtb' to the
subsystem.
Recent devices are configured with 4096 RX pages that lead to an
increased memory usage. For the moment lower the amount to 2048
and trade in potentially lower throughput for more conservative
memory consumption.
Fixes #4801.
For Windows guests, it's crucial to configure the paravirtualization
provider in .vbox6 as follows. Otherwise, the TSC calibration fails
(issue #4726) and the CPU frequency (in task manager) is bogus.
<Paravirt provider="HyperV"/>
Fixes #4726
The get_cycles() call within the test doesn't apply to RDTSC
access when running on ARM but to arch_timer_read_counter, which
is an empty function pointer. By setting it to a function that
returns Genode::Trace::timestamp() we can enable the test for ARM.
Issue #4775
- move metadata specific to isochronous transfers from the descriptor
into the content of USB-session packets
- restore support for 32 in-flight packets in the USB C API
Fixes #4749
Now, block_devices are reported earliest right after the devices ROM was
parsed and neither AHCI nor NVMe were found. If one or both devices were
found, the report is deferred after all expected reports arrived.
Issue #4791
Previously the 'partitions' report was implicitly generated after
parsing the partition-table by accessing the referenced reporter
object.
Now the report is explicitly created by calling the 'generate_report'
member function. At this point we no longer have access to all
required information so the 'Partition' class was extended to
accommodate for the data needed by MBR as well as GPT reports.
Fixes #4786.
The 'File_content' utility throws an exception whenever a file happens
to get truncated during the reading process. But it silently truncates
the data against the specified limit. In practice, exceeding the limit
is usually an error case. This patch enhances the 'File_content' utility
by throwing 'Truncated_during_read' in the limit-exceeded case as well,
in order to ease the diagnosis of such cases.
Issue #4788
'cap()' will return invalid capability within session destructor, therefore Vram
objects that belong to the session will not be destroyed, leading to dangling
references later on. Use '_owner.cap' of session instead.
The new 'init_platform' function performs the platform-specific
component-local low-level initialization. It allows for the
differentiation between core and regular components as well as
kernel-dependent peculiarities.
This patch introduces a consistent notion of a 'Platform'. Within core,
the 'Platform' contains the kernel-specific initialization. Outside
core, the platform sets up the interplay with the parent component. In
all cases, the platform is constructed while running on the initial
stack.
Issue #4784
VirtIO device models can assert interrupts to notify about
buffer and configuration changes. By now, we could only assert
buffer notification interrupts, but no configuration changes.
The latter is needed, e.g. to notify about GPU mode changes.
Ref genodelabs/genode#4783
Depending on the number of partitions the current fixed size of 4096
bytes might not be sufficient for the resulting partitions report.
The use of the expanding reporter allows for accommodating large reports
while still keeping the resource usage down for the common case of
few partitions (with potentially short names).
Fixes #4782.
The implementations of snprintf and vsnprintf are not needed for the
loading of png images by the demo applications. So we can avoid the
dependency from the format library hosted in the libports repository.
Issue #2064
This commit introduces support for the HMB feature and will setup the
buffer during start-up. The host-memory-buffer (HMB) feature is mostly
used on NVMe devices that do not make use of a DRAM cache to store its
translation tables amongst other operational data. Not using HMB can
impair the performance on such devices.
The memory is allocated in 2 MiB chunks of DMA-capable memory and its
total size in bytes is configurable via the 'hmb_size' config attribute.
The driver always checks the minimal and preferred size of the HMB and
issues a warning in case it is not enabled via the configuration.
Moreover, if the configured size is less than the minimal amount
required by the device the HMB is not configured at all and a warning
is issued also. If the configured size is more than the preferred size
it will be capped to that amount.
Fixes #4715.
This patch converts the loader implementation to the 'Session_object'
interface to implement the ability to upgrade the session caps and RAM
after the session creation. This is needed to accommodate the
change of the Loader::Connection in commit "Remove format strings from
connection types".
Issue #2064
This patch ultimately removes format strings from Genode's base API.
Users of the former base/snprintf.h and base/console.h headers may
use the free-standing 'format' library hosted in the ports repository.
Fixes #2064
Fixes #3869
This little library implements rudimentary format-string support. It is
useful for porting 3rd-party code that ought not depend on a full libc.
Issue #2064
The new 'Connection' constructor accepts the session label, affinity,
and args as constructor arguments. The session arguments are passed as a
'Genode::String'. This allows for side-stepping the need for rendering a
format string passed to 'Env::session'.
Issue #2064
The additional files provide Chacha implementation in case
may_use_simd() returns false because in_interrupt() returns true.
Related to issue #4778, commit "lx_emul: track irq state changes"
Implement udelay for all architectures within common lx_emul code,
remove driver-specific version.
Always do busy looping in udelay and use cpu_relax()
like the original Linux code. Thereby, we profit from architecture specific
instructions (cpu cool down), and jiffies are updated if irqs are on.
Ref genodelabs/genode#4778
There are rare use-cases where cpu_relax is used inside a busy loop
(i2c bus functions), which only will break when the jiffies counter
reaches a specific value.
Because of the cooperative scheduling done in lx_emul, no timer
interrupt will break such a loop. As a workaround, we check for
necessary jiffies updates inside cpu_relax if interrupts are enabled.
Ref genodelabs/genode#4778
To be able to check for interrupts being on or off,
the enabling and disabling is tracked in lx_emul.
When interrupts get received, they have to be turned off.
Ref genodelabs/genode#4778
Do not start and stop idle ticking within the timer interrupt
routine, but do it around the whole Lx_kit scheduling, which
is always called when Linux code gets active again, either
because of backend signals, interrupts, or timing signals.
This commit implicitly reverts the (incomplete) solution of
issue #4550
Ref genodelabs/genode#4778
Linux kernel static functions usb_string_sub() and usb_get_langid() were
made accessible to implement robust string retrieval.
Fixes #4756
Fixes #4757
Fixes #4772
The namespace draws a clear line between the base library and the core
component.
It is declared at the new core-local header <types.h>, which is expected
to be included by all code of the core component. It is thereby a
natural place for kernel-agnostic general types like commonly used C++
utilities.
Fixes #4777
Implicitly fixes problems with USB devices having more than 4G blocks.
Formerly the 16-Cmd LBA requests were silently cast to 32-bit.
Fix genodelabs/genode#4771
In case the packet is erroneous the value of 'actual_size' can be
invalid and using it may lead to a page-fault due to out-of-bounds
access.
With this commit access is only performed on successful packets.
Fixes #4763.
Workers are only summoned by the manager or when there are no workers on
a work queue. In case a work in front of a work queue depends on a work
behind it, a deadlock may occur. To solve this Linux spawns a rescue
worker using timers. Timing of Linux based drivers is currently reworked
and not reliable. Therefore, we increase the number of workers that are
spawned from 1 to 3 per work queue in order to resolve possible
deadlocks.
Fixes #4762
Set wakeup pointer in FADT/FACS tables and prepare/place ACPI resume code
at application processors (AP) 16-bit entry. Exclude memory used for AP resume
from RAM range to avoid usage by Genode core in allocators.
Issue #4669
The CPUs are woken all at once and up to now the IDs are assigned depending
on the arrival order, which is unfortunate for the resume case. Keep track
of once assigned IDs for CPUs, so that on resume the very same CPU id is given.
The APIC id is guaranteed to be fixed per CPU on suspend, but unfortunately
not dense packed.
Issue #4669
The ACPI table FACS and FADT are required to support ACPI suspend/resume. The
commits add the lookup of the ACPI table in bootstrap and the general usage
of the ACPI registers via the MMIO framework.
Issue #4669
Add explicit init() to Timer infrastructure to re-initialize the hardware
based on the parameters given during constructing time of the timer object.
Issue #4669
On resume the CPU state must be re-initialized, since all CPUs have been
potentially off (depending on sleep form) and lost state. Handle the halt
and suspend state explicitly by an extra Job implementation which can be
executed without holding the global kernel lock.
Issue #4669
Instead of re-using the register values found in HCR_EL2 and CPTR_EL2
and setting single bits within them, define the complete content to
prevent inconsistent hardware/hypervisor state.
Ref genodelabs/genode#4759
Several explicit casts could not be avoided yet, due to the missing
differentiation in between virtual and physical addresses that leads
to casting problems when using 32-bit ARM, and because the MMIO
register framework does not allow to return narrowed types of bitfields.
Apart from that, this commit fixes a switch-case fallthrough error in
Mmio_register::write.
Fix genodelabs/genode#4770
The read_config and write_config functions in the generic virtio
headers used by all drivers lead to compiler warnings resp. errors
if effective-c++ switch is enabled. Moreover, the functions require
to define the access width as parameter. We can better turn them
into template functions using the value type to read resp. write to
derive the access width.
Ref genodelabs/genode#4344
The 'file_size' type denotes the size of files on disk in bytes. On
32-bit architectures it is larger than the size_t, which refers to
in-memory object sizes.
Whereas the use of 'file_size' is appropriate for ftruncate and seek, it
is not a suitable type for the parameters of read/write operations
because those operations refer to in-memory buffers.
This patch replaces the use of 'file_size' by size_t. However, since it
affects all sites where the read/write interface is used, it takes the
opportunity to replace the C-style (pointer, size) arguments by
'Byte_range_ptr' and 'Const_byte_range_ptr'.
Issue #4706
Prior to this change the libdrm Lima implementation supported the
creation of multiple contexts where each context, however, was
treated as the same client like it was done in the Lima driver
itself.
With this commit each context becomes its own client while the
main context always performs all buffer object related allocation
and the other contexts import each needed BO before submitting.
Fixes #4760.
Sync file-descriptors are purely virtual and are not known by the libc and
should be only accessed by 'drm_poll'. To prevent accidental access move
them to a range never used by the libc fd allocator.
Issue #4760.
We determine the owner of a Vram object by the session cap of the
session that created the object. We should not copy this cap to other
places because this increases reference counting, that can become very
large with many objects. Therefore, we pass a wrapper 'Owner' object
containing the cap by reference.
issue #4713
* 'map_buffer', GTT mappings are currently not used by Iris
* 'set_tiling', tiling is currently not used by Iris because there are
no GTT mappings
issue #4713
Change the abstraction from buffers to video RAM (VRAM). The notion of
buffers can be provided at the client side (e.g., Mesa) and multiple
buffers can be associated to one VRAM area, thus saving
resources (meta data overhead) when allocating many buffers. A VRAM area
can also be mapped to one single buffer as before for clients or drivers
that do not take advantage of this feature.
issue #4713
by checking for it in core, submitting a signal (if registered) and not
replying instantly. Before this commit, an exception (a non page fault)
caused an endless "unknown exception" loop between originator and core.
This was handled before commit "core: kernel-agnostic 'Mapping' type" by
throwing an exception, which was with that commit not working anymore.
Fixes #4751
Segment assignment stays valid for all sections following .dynamic,
which implies that .got and co also end up in the PT_DYNAMIC segment.
This is not intended. Therefore, we move the .dynamic section before
bss and assign bss to the rw PT_LOAD segment only.
fixes #4750
By default, bender will not report any serial findings anymore, if not
explicitly asked for with the 'serial' option. Without this option, an
invalid ioport is reported, so that neither the kernel nor Genode core
will make serial output.
The screenshot trigger displays a little red dot at the upper-left
corner of the screen. When touched or clicked-on, it generates an
artificial key-press-release sequence for the print key and disappears
for one second. In this time, a separate screenshot component can handle
the print key by capturing the screen without the red dot appearing in
the saved picture.
The touch-keyboard config accepts the new attributes 'opaque="yes"'
and 'background=#112233' to control the dialog background. The
attributes are passed unmodified to the embedded menu view.
This patch adds the support needed for implementing on-target
system-update functionality. The new 'empty' method is required for the
two-step procedure of updating image-index files - removing the old
index, followed by downloading the most current one. It is used to
detect the completion of the first step.
Issue #4744
This patch reflects more details such as the percentage value for
downloads maintained in the download queue. This makes this information
easier to display at the GUI.
Issue #4744
This patch replaces the generic "In progress..." message by slightly
more concrete information about the type of operation. This is useful to
distinguish the two steps during the expansion of a partition.
This patch enhances the depot_download subsystem with support for
downloading and querying system images.
The installation ROM supports the following two new download types:
<image_index path="<user>/image/index"/>
<image path="<user>/image/<name>"/>
Internally, the depot-download subsystem employs the depot-query
component to determine the missing depot content. This component
accepts the following two new queries:
<images user="..."/>
<image_index user="..."/>
If present in the query, depot_query generates reports labeled as
"images" and "image_index" respectively.
The also tracks the completion of each job depending on the depot-
query results, so that the final report contains a result for each
installation item requested. Prior to this patch, the inactivity of the
depot-download manager (indicated by an empty state report) was
interpreted as success. But that prevents the proper association of
results and requested installation items.
Issue #4744
The 'scan' query for depot users used to list the names of depot users.
However, the URL and existence of a pubkey is useful to know when
assembling a GUI menu from this list.
Issue #4744
This patch equips the publish tool to handle system images.
System images reside at <depot-user>/image/. The directory contains an
index file that contains the meta information of the available images
in XML form, e.g.,
<index>
<image name="sculpt-pinephone-2023-01-19" board="pinephone">
<info text="initial version"/>
</image>
</index>
To publish a new version of the index:
./tool/depot/publish <depot-user>/image/index
Each system image comes in two forms, a bootable disk image and an
archive of the boot directory. The bootable disk image can be used to
install a new system from scratch by copying the image directly to a
block device. It contains raw block data. The archive of the boot
directory contains the content needed for an on-target system update to
this version. Within the depot, this archive a directory - named after
the image - that contains the designated content of the boot directory
on target. Depending on the board, it may contain only a single file
loaded by the boot loader (e.g., uImage), or several boot modules, or
even the boot-loader configuration.
To publish both forms:
./tool/depot/publish <depot-user>/image/<image-name>
This results in the following - accompanied by their respective .sig
files - in the public directory:
<depot-user>/image/<image-name>.img.gz (disk image)
<depot-user>/image/<image-name>.tar.xz (boot archive)
<depot-user>/image/<image-name>.zip (disk image)
The .zip file contains the .img file. It is provided for users who
download the image on a system with no support for .gz.
Fixes #4735
Issue #4744
This patch improves the Readonly_file::read method such that the
capacity of the specified buffer is used as upper bound for the read
operation instead of VFS-internal I/O buffer sizes. This relieves the
caller from implementing a read loop in most cases.
As a step away from C-ish use of the API, the patch deprecates the old
'read' method that takes the buffer as char *, size_t arguments.
Fixes #4745
Each time when enlarging the menu view, a new 'Gui_buffer' is
constructed with the new size. At its construction time, the default
reset background color is in effect, which is evaluated by
'reset_surface' as part of the construction. A custom reset color
takes effect only after the construction. Hence, when the Gui_buffer is
flushed to screen immediately at construction time, the gray default
becomes visible for a short time.
This patch changes the Gui_buffer to accept the reset background color
as construction argument so that it takes immediate effect.
Related to #4592
This patch adjusts the run/image/disk plugin to search for resize2fs in
/usr/sbin, which is not included in the PATH variable on Debian by
default.
Issue #4746
The new utility returns a key code for a passed name and is implemented
by linear search, which is slow but sufficient in situations like config
updates.
Issue #4748
The leading newline in the _capture function confused _filecontent,
which resulted in empty port hashes.
Fixes regression introduced in 437fd21ba0
(issue #4725).
lwip uses a sophisticated reference-counting scheme in chains of pbufs,
which the former manual implementation of read() for TCP data broke.
Using pbuf_free_header() keeps the chain intact and also relieves our
implementation from the burden of "offset" maintenance.
Fixes #4722
Due to lacking hardware access the driver was tested with one RTL8188EE
based device, namely [10ec:8179] (rev 01), only. As the access to the
PCI config space is restricted the driver loads the non power-saving
FW and the driver port is therefore only tested with that. The
accesses are documented should we choose to support them one way or
another later on.
The 'wifi.run' run script as well as Sculpt served as testing ground
where the driver worked fine so far.
Fixes #4714.
Check if we are able to submit the Usb packet before attempting to
allocate it. In case the queue is already full we wait until another
pending packet is freed.
Fixes #4701.
Up to now it was only checked if an issued admin command was processed
in a timely fashion. Otherwise it has been treated as failed.
However, the completion-queue entry was not examined and the caller was
not able to access the entry itself. Depending on the command, checking
the completion-queue entry might be necessary, e.g. GET/SET_FEATURE.
Issue #4715.
Since the 'Platform::Device' constructor will defer the creation until
the content of the devices ROM is valid performing the PRP list helper
creation afterwards should be done with valid IOMMU information.
Issue #4715.
Some USB devices (e.g., webcams) fail to deliver their configuration
descriptor early after power-up. Testing revealed that retrying the
requests usually succeeds on second or third attempt.
Fixes #4739
Genode build system allows to easily enable 'ccache' for builds. This
change allows to enable using 'ccache' also for build of reference
Linux kernel used during porting device drivers.
To enable 'ccache' it is enough to pass value of 'CC' variable when
executing Linux build but this build by default depends on time when it
is built which causes 'ccache' misses. To solve this issue additional
flags are passed to make build independent from time, current user and
host on which build is performed.
Issue #4718
With the new 'presets:' tag, .sculpt files can now refer to deploy
configurations to be integrated in the presets/ subdirectory of the
config file system. Those files can thereby be used as preconfigured
system scenarios. Such a preconfigured scenario can be loaded at
runtime by copying the preset file to config/deploy.
Issue #4731
In case of very rapid config ROM change (<300ms), the linux driver may still
be in progress of applying the previous change (e.g. switching connector on/off).
During this progress all tasks may become not runnable (waiting for IRQ/timeouts
until hardware state settles), the newest config ROM change/signal gets
dispatched, which lead to continuing the previous change request, but not
to re-starting/re-applying the new config change. To avoid this situation,
explicitly track whether a previous config change was finished and track if an
interim config change request came in. If so, re-start the lx_user
task with the newest config change.
Fixes #4721
The argument is superfluous because only run/image/uboot evaluated it
anyway, and the argument is always boot/image.elf. With this change, the
official semantics of run_image become: "replace the boot/image.elf file
by platform-specific file(s) at boot/ that can actually be booted".
Issue #4730
* Update links from forward rules only with forward rules and links from
transport-routing rules only with transport-routing rules. Besides raising
the performance of the code, this also fixes a former bug that allowed
forward-rule links to falsely stay active because of a transport-routing
rule that matched the client destination ip and port.
* Don't use good-case exceptions for updating TCP/UDP links on re-configuration
of the router.
* Make conditions when to dismiss a forward rule easier to read.
* Introduces != operator to the public Port class in the net library.
* Fix unnecessary log message that a link was dismissed when only a potentially
matching forward rule turned out to be not matching.
* Apply Genode coding style to if statements with a single body statement.
Fix #4728
This fixes a bug that was introduced by this earlier commit:
"nic_router: find forward rules w/o exceptions"
The NIC router used to falsely dissolve TCP/UDP connection states when
reconfiguring although the connection states were still legal according to the
new config. The reason was that the above-mentioned commit nested lambdas but
missed to return from the last nesting level when having found a configuration
that legitimates the connection state.
Ref #4728
The semantic of .NOTPARALLEL has changed in GNU Make 4.4
Quote:
New feature: .NOTPARALLEL accepts prerequisites If the .NOTPARALLEL
special target has prerequisites then all prerequisites of those targets
will be run serially (as if .WAIT was specified between each
prerequisite).
This means that only prerequisites are made sequential. Before
everything within a Makefile would be done in sequential order.
Therefore, we had to add the *.hash target (appears multiple times) to
the .NOTPARALLEL prerequisites.
issue #4725
Tests on qemu would fail when started with RAM sizes from 1025MiB to
2048MiB, because the mapping hole in the page table from 1GiB to
2GiB would interfere with qemu's mapping addresses for ACPI.
Identity-map the complete first 4GiB of memory to catch all early
memory accesses during bootstrap.
Fixes #4724.
This patch simplifies the 'Deploy::update_managed_deploy_config'
interface by keeping an internal copy of the currently used deploy
template inside the 'Deploy' class. The template is updated whenever
the config/deploy file is modified.
This change weakens the coupling between the '_manual_deploy_rom' and
the '_deploy' subsystem, easing the upcoming implementation of the
switching between presets.
Adds befriended test-local wrappers for the classes Cpu_share and Cpu_scheduler
and adds a print method to the scheduler wrapper that prints the internal state
of the scheduler to the given output. Cpu_shares are referenced in the output
via the IDs that the test uses to organize them. I.e., this corresponds to
how the CPU shares are named when calling the atomic steps the test is made of.
Ref #4151
Ref #4710
This adapts the test to the changes that were applied to the scheduling scheme
by the following commits:
* base-hw scheduler: optimize quota depletion events
* base-hw scheduler: fix bug on removing head
* base-hw scheduler: fix ready method
* base-hw: optimize & cleanup scheduler
Part of that is that the test used to check whether the act of setting a share
ready outdates the head or not. However, with the current version of the
scheduler, this check is not possible anymore. We can merely check whether the
head is outdated after setting the share ready. So, among other adaptions, this
commit adapts the expectations of the test to the new semantics of the check.
Ref #4151
Ref #4710
* Get rid of preprocessor macros.
* Introduce Main as class.
* Exit with -1 instead of endless loops on errors.
* Don't try to deal with error conditions, just print a message and exit
with -1.
* Only one operation per line.
Ref #4151
Ref #4710
This is an optimization for the case that a prioritized scheduling context
needs slightly more time during a round than granted via quota. If this is the
case, we move the scheduling context to the front of the unprioritized schedule
once its quota gets depleted and thereby at least ensure that it does not have
to wait for all unprioritized scheduling contexts as well before being
scheduled again.
Note that this introduces the possibility of undeserved starvation of
unprioritized scheduling contexts to the scheduling scheme. If there are
enough prioritized contexts that deplete their quota during a round,
they may cover up also the rest of the round with their unprioritized time
slices. If this happens every round, contexts without a priority/quota may
never get a turn. In the previous scheduling scheme, this could not occur as
the unprioritized schedule was completely independent from prioritized
schedules and rounds.
Ref #4151
Ref #4710
The scheduler did not consider the consumed quota during a call to "update"
if the head that consumed the quota was removed from the scheduler. When this
occurred, the internal round time did not advance as expected but remained at
its previous value until the next call to "update" (without a removed head).
This commit introduces a new flag that is set only when the head gets removed
in order to detect and handle the situation correctly on the next call to
"update".
Ref #4151
Ref #4710
Setting the _need_to_schedule member in the 'ready' method of the scheduler
was not done correctly. At least, the _need_to_schedule was set true in
situations where the head was not outdated by the 'ready' operation.
Ref #4151
* Remove *request* in context of: wait, reply, send to shorten it.
* Use ready_to_* instead of can_*, which is regularly used in Genode's APIs
* Replace helping_sink with helping_destination, as destination is more common
Ref genodelabs/genode#4704
The IPC protocol violations are:
* Sending to an unknown thread (cap)
* Waiting for messages if a reply hasn't happened yet
This silences threads that otherwise repeatedly cause kernel messages
about the violation.
Ref genodelabs/genode#4704
* Split the internal state into incoming and outgoing message relations
* Avoid fragmenting of one state like formerly '_state' and '_help'
* Remove pointer to caller, use incoming FIFO instead
This commit fixes at least two bugs that were triggered by tests that
destroy threads in many different states, like run/bomb:
* The '_help' data member was not reset reliably in each situation where a
helping relationship came to an end. However, when we fixed this bug alone
in the old state model, the issues remained. The new state model fixes
this bug as well.
* A thread sometimes referenced an already dead thread as receiver. This caused
the kernel IPC code to access the vtable of an object that didn't exist any
longer. Note that the two threads were not in direct IPC relationship while
the receiver was destroyed, so, there must have been an intermediate node
between them. Due to the complexity of this problem, we eventually gave up
pin-pointing the exact reason in the kernel IPC code. The issue disappeared
with the new state model.
Fix genodelabs/genode#4704
When writing the GPT header, the tool always wrote the GPT entries
belonging to the primary header to LBA following the header. Normally
this is LBA 2 as the header is located in LBA 1. The GPT allows for
up to 128 entries that all in all cover 16 KiB of storage space.
However, on some systems, e.g. ARM-based machines, the bootloader can
be stored in this region. For this reason the GPT entries may be moved
to a different LBA.
This commit changes the tool to adhere to the given GPE LBA in the header
when writing out the modified GPT data.
Fixes #4720.
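The lookup that the commit message above describes, as an added example that is not the tool's own code: it validates a primary GPT header and returns the location of the entry array from the header's partition-entry-LBA field instead of assuming LBA 2. The function names, the constructed sample header and the 1024-entry sanity bound are assumptions of this example; the field offsets follow the standard GPT header layout.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// CRC32 as used by GPT (reflected, polynomial 0xEDB88320).
static uint32_t gpt_crc32(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

// Little-endian field access, independent of host byte order.
static uint64_t rd_le(const uint8_t *p, unsigned bytes)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < bytes; i++) v |= uint64_t(p[i]) << (8 * i);
    return v;
}

static void wr_le(uint8_t *p, uint64_t v, unsigned bytes)
{
    for (unsigned i = 0; i < bytes; i++) p[i] = uint8_t(v >> (8 * i));
}

struct Entries_location
{
    uint64_t lba;         // partition-entry LBA taken from the header
    uint64_t byte_offset; // where the entry array starts on the device
    uint64_t byte_length; // number of entries * size of one entry
};

// Validate the primary GPT header (LBA 1) and return where its entry array
// lives. Returns nullopt for any header a writer must not trust.
std::optional<Entries_location>
locate_primary_entries(const uint8_t *hdr, size_t len, uint32_t block_size)
{
    if (block_size < 512 || len < 92 || std::memcmp(hdr, "EFI PART", 8) != 0)
        return std::nullopt;

    uint32_t const hdr_size = uint32_t(rd_le(hdr + 12, 4));
    if (hdr_size < 92 || hdr_size > len || hdr_size > block_size)
        return std::nullopt;

    // the header CRC is computed with the CRC field itself set to zero
    std::vector<uint8_t> copy(hdr, hdr + hdr_size);
    wr_le(copy.data() + 16, 0, 4);
    if (gpt_crc32(copy.data(), copy.size()) != uint32_t(rd_le(hdr + 16, 4)))
        return std::nullopt;

    uint64_t const my_lba       = rd_le(hdr + 24, 8);
    uint64_t const first_usable = rd_le(hdr + 40, 8);
    uint64_t const entries_lba  = rd_le(hdr + 72, 8);
    uint64_t const num_entries  = rd_le(hdr + 80, 4);
    uint64_t const entry_size   = rd_le(hdr + 84, 4);

    // entry size must be 128 * 2^n; the 1024-entry limit is this example's
    // own sanity bound, not a GPT rule
    if (my_lba != 1 || entry_size < 128 || (entry_size & (entry_size - 1))
     || num_entries == 0 || num_entries > 1024)
        return std::nullopt;

    uint64_t const length  = num_entries * entry_size;
    uint64_t const sectors = (length + block_size - 1) / block_size;

    // the array must sit behind the header, end before the first usable LBA,
    // and its byte offset must not overflow
    if (entries_lba <= my_lba || first_usable <= entries_lba
     || sectors > first_usable - entries_lba
     || entries_lba > UINT64_MAX / block_size)
        return std::nullopt;

    return Entries_location { entries_lba, entries_lba * block_size, length };
}

// Constructed sample input: 512-byte primary header, 128 entries of 128 bytes.
std::vector<uint8_t> make_sample_header(uint64_t entries_lba, uint64_t first_usable)
{
    std::vector<uint8_t> h(512, 0);
    std::memcpy(h.data(), "EFI PART", 8);
    wr_le(&h[8],  0x00010000, 4);   // revision 1.0
    wr_le(&h[12], 92, 4);           // header size
    wr_le(&h[24], 1, 8);            // this header's own LBA
    wr_le(&h[40], first_usable, 8); // first usable LBA
    wr_le(&h[72], entries_lba, 8);  // partition-entry LBA
    wr_le(&h[80], 128, 4);          // number of entries
    wr_le(&h[84], 128, 4);          // size of one entry
    wr_le(&h[16], gpt_crc32(h.data(), 92), 4);
    return h;
}
```

With the entries moved to LBA 2048, a writer that still assumed LBA 2 would overwrite the region reserved for the bootloader; the checks also reject a header whose entry array would reach into the usable area.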
The old 'Io_response_handler::io_progress_response' interface has been
replaced by the 'Vfs::Env::User::wakeup_vfs_user' (issue #4697). The
remaining 'read_ready_response' method is now hosted in the
appropriately named 'Read_ready_response_handler'.
Issue #4706
This patch keeps driving the internal state machines until no progress
can be made. This required fixing the return values of several execute
functions, which used to report progress while being in complete state.
Along the way, the patch removes default switch cases to ensure that all
states are covered.
Issue #4706
This commit supplements the various I/O signal handlers of the VFS
plugins with calls of the new 'Vfs::Env::User::wakeup_vfs_user'
interface, which will subsequently replace the old 'Io_progress_handler'
(issue #4697).
Issue #4706
The 'blocked_handles' queue was used to notify the VFS user via the
'io_progress_response' mechanism. This is now covered by the
'wakeup_vfs_user' interface introduced in issue #4697.
Issue #4706
Information about PS/2 and PIT were moved to app/pci_decode in the
following commit.
pci_decode: report devices from ACPI info
We still provide an empty <devices> node as the file itself is used by
platform agnostic run scripts.
When running on x86, and riscv never enter the kernel for cache maintenance,
but use the dummy implementation of the generic base library instead.
On ARMv8 it is not necessary to enter privileged mode for cache cleaning, and
unification of instruction/data cache, but only for invalidating cache lines
at all levels, which is necessary for the use cases, where this function is
needed (coherency of DMA memory).
Fix genodelabs/genode#4339
This call is used to query the cache line size of the underlying CPU.
For now it is only implemented and used by 'arm_v8' platforms.
It does not distinguish between D-/I-cache sizes and always uses the
smallest size. Furthermore it does not account for any discrepancy
in 'big.little' CPUs.
Issue #4339.
To prevent the kernel to deadlock, or call itself with a syscall when
using a lock potentially held by a core thread, the log console's
backend for core (hw) gets replaced by a specific variant that checks
whether it runs in the kernel context before using the mutex.
Fix genodelabs/genode#3280
When a domain receives a new dynamic router IP address and that domain has
active connection states (TCP/UDP/ICMP) from another domain with NAT applied,
the connection states used to stay active while becoming obsolete. They
become obsolete because their identification and their packet processor
use the old router's IP address due to NAT.
One consequence was that connections became dysfunctional when the server
domain received a new dynamic router IP address. Request packets were still
routed from client to server, but when entering the server, their source IP
address was the outdated router address. Consequently, the server responses
used the outdated address as destination and the router dropped the responses
because it did not know this address anymore.
This commit fixes the problem by letting a domain destroy all its connection
states that were initiated from within other domains whenever it detaches from
its current IP configuration.
Strictly speaking, it is not necessary to destroy all connection states, only
those that the domain applies NAT to. However, the Genode AVL tree is not built
for removing a selection of nodes and trying to do it anyways is complicated.
So, for now, we simply destroy all connection states.
Note that the other way around was handled correctly already. When a domain
detaches from its IP config, all interfaces of that domain destroy all the
connection states they created (towards other domains).
Fixes #4696
If the IP config does not change on updates to the router IP config of a domain
change (a common case on DHCP RENEW), prevent detaching from the old config and
attaching to the new one. Because this would not only create unnecessary CPU
overhead but also force all clients at all interfaces that are listening to
this config (via config attribute 'dns_config_from') to restart their
networking (re-do DHCP).
Ref #4696
Check 'pv == nullptr' in 'ShClSvcImplWriteData' and return
VERR_INVALID_POINTER if invalid (as is done, for example, in the X11
implementation).
issue #4666
By adding a 'write_ready' interface following the lines of the existing
'read_ready', VFS plugins become able to propagate the (de-)saturation
of I/O buffers to the VFS user. This information is important when using
a non-blocking file descriptor for writing into a TCP socket. Once the
application observes EAGAIN, it expects a subsequent 'select' call to
return as soon as new I/O buffer space becomes available.
Before this patch, the select call would always return under this
condition, causing an unnecessarily busy write loop.
Issue #4697
The new interface is meant to replace the 'Vfs::Io_response_handler'.
In contrast to the 'Io_response_handler', which had to be called
on a 'Vfs_handle', the new interface does not require any specific
'Vfs_handle'. It is merely meant to prompt the VFS user (like the libc)
to re-attempt stalled I/O operations but it does not provide any
immediate hint, about which of the handles have become ready for
reading/writing.
Issue #4697
This patch removes the 'Insufficient_buffer' exception by returning the
WRITE_ERR_WOULD_BLOCK result value instead. It also eliminates the
superfluous WRITE_ERR_AGAIN and WRITE_ERR_INTERRUPT codes.
Issue #4697
The original size of 16K impedes the batched processing of network
packets. Changing the value to 256K reduces the number of context
switches when downloading large files and thereby improves the
throughput by more than 25% (base-hw on qemu_x86_64, using fetchurl
to download a file of 100 MiB via the NIC router from lighttpd).
Issue #4697
This patch fosters the batching of network packets transferred by the
lwIP stack over the NIC connection. It replaces the eager submission of
the packet-stream's data-flow signals by explicit wakeup notifications.
The commit also increases the NIC session's buffer size from 128 to 1024
packets.
Issue #4697
...and tighten constness in adjacent code parts.
The VFS-internal synchronization via mutexes is no longer needed because
the access to the VFS is serialized by the VFS client, i.e., the libc.
Issue #4697
Since the lwip library is used only by the vfs_lwip plugin, this patch
moves the Genode-specific support code local to the VFS plugin, easing
further simplification and allowing for a tighter integration with the
VFS plugin.
The recipes for api/lwip and src/vfs_lwip stay separate as both parts
use different licenses.
Issue #4697
This networking scenario is useful for analysing and optimizing the
interplay of the VFS, libc, TCP/IP, and the NIC router. It downloads a
file via fetchurl from lighttpd, both of which are hosted on a virtual
network.
Issue #4697
This patch facilitates the batching of I/O operations in the VFS library
by replacing the implicit wakeup of remote peer (via the traditional
packet-stream interface like 'submit_packet') by explicit wakeup
signalling.
The wakeup signalling is triggered not before the VFS user settles down.
E.g., for libc-based applications, this is the case if the libc goes
idle, waiting for external I/O.
In the case of a busy writer to a non-blocking file descriptor or socket
(e.g., lighttpd), the remote peers are woken up once a write operation
yields an out-count of 0.
The deferring of wakeup signals is accommodated by the new 'Remote_io'
mechanism (vfs/remote_io.h) that is designated to be used by all VFS
plugins that interact with asynchronous Genode services for I/O.
Issue #4697
This test reveals the patterns of the batching of consecutive write
operations on a file-system session. It issues 100 writes of one byte
each, which should ideally result in large batches of operations
submitted to the file-system session at once.
The run script performs the write operations through a chain of two VFS
servers, thereby exercising the write batching of both the libc and the
intermediate VFS server.
Issue #4697
By replacing the calls of 'acknowledge_packet' and 'get_packet' with
'try_ack_packet' and 'try_get_packet', we avoid the implicit triggering
of data-flow signals. Instead, the VFS server now relies on explicit
calls of the packet stream's 'wakeup' interface.
Issue #4697
The change of the queue size from 16 to 32 has negligible costs (4 KiB
instead of 2 KiB for the packet-stream queues) while facilitating the
batching of many small consecutive write operations.
Issue #4697
Some signal-heavy scenarios (e.g., libc_integration) produced the
following warning that hinted a data race on signal data in the context
object.
Warning: returning signal with num == 0
The cause was the use of Signal_context::local_submit() in the libc
introduced in
424ed1b79a libc: remove Reconstructible / use local_submit in kernel
in combination with a missing context-mutex acquisition resulting in a
data race on Signal_context::_curr_signal.
Issue #3923
Both modules were quite similar except the name of the FIT image
(image.itb) and the mkimage command line. FIT images are now produced by
the following RUN_OPT.
RUN_OPT += --include image/uboot --image-uboot-fit
Issue #4693
By making the use of gzip's '--best' option configurable and disabling it
by default, this patch noticeably reduces the build-test cycle from 15 to
10 seconds when integrating the Sculpt system image for the PinePhone.
Fixes #4693
The commit "sculpt_manager: relax nic_drv policy label" introduced the use of
the "label_prefix" attribute instead of "label" for the uplink policy in the
NIC router. However, it missed an appropriate adaption of the lookup of that
attribute when the Sculpt manager has to decide which uplink is used in a
manually managed router config. This caused the uplink to disappear whenever a
user created a manually managed router config. This commit fixes the problem.
Issue #4660
Fixes #4695
This prevents errors like the following during parallel builds.
MERGE ld-hw.abi.so
/usr/local/genode/tool/21.05/bin/genode-arm-ld:symbol.map:0: syntax error in VERSION script
Replace usb_kill_urb() by usb_unlink_urb() in the timeout handler for
control URBs, as usb_kill_urb() may block and is not allowed to be
called in IRQ/bottom half contexts.
Fixes #4681
Count more accurately how many packets are in flight, and whether
new packets can be handled. Moreover, catch potential exceptions
whenever acknowledging a packet, and warn about the lost acknowledgement.
Fix genodelabs/genode#4678
There is at least one client that performs DRM calls from multiple
pthreads, which is not supported for now. We guard the concurrent
access by grabbing a pthread_mutex before each operation.
This commit circumvents faulty behaviour of base-pistachio, if
the PCI config space gets requested megabyte-wise. It occurs that
we get a mapping sequence in between sigma0, core and component,
like the following: 0xe1000000 => 0xbf001000 => 0x10b000,
with the consequence that the component stalls when accessing
the latter one. By requesting I/O memory aligned to the size,
the faulty behaviour vanishes.
Ref #4686
This is required for scenarios in which a device appears at a later
point in time. If the ROM is not updated, the device_by_type() method may
operate on an outdated dataspace and never find the device it is waiting for.
Although we do not have the full ACPI information parsed yet, to
announce non-PCI devices derived from the ACPI tables, the device
description of the assumed devices is now integral part of pci_decode.
Formerly, the information was gained separately as boot-module, whereby
we lost synchronization in between ACPI/PCI parsing, BIOS handover, and
PS/2 emulation code already acting.
This recipe combines the dummy_rtc_drv, which consumes a given time,
and provides the "Rtc" service to its clients with the simple NTP client,
which provides the current time to the RTC driver in regular intervals.
Ref genodelabs/genode#4687
Test to trigger periodically ACPI suspend and resume and periodically
trying to restart graphic driver.
Tested successfully with X201 and T420.
Issue #4669
It looks like http://www.elm-chan.org is blocking certain IP ranges,
because downloading the source archive on certain machines fails with
"403 Forbidden".
Fixes genodelabs/genode#4623
During interrupt handling the driver masked and cleared interrupts as
recommended in the spec to prevent spurious or unnecessary interrupts
from occurring.
Due to the way the current implementation operates new Block requests
got submitted while handling completions for already finished ones.
Since interrupts were masked at this point the controller did not
generate interrupts when the newly submitted requests got completed.
As the mask/clear optimization is apparently not strictly needed and
according to the spec undefined when using MSI-X it is removed.
Fixes #4684
200 TSC ticks for max measurement duration can get too small on platforms
with high TSC frequencies (e.g., >3GHz) and low CPU frequencies often
caused by HWP configurations. Therefore, we express the measurement
duration in NS (not ticks) and calculate max duration ticks using the
TSC frequency. This way the max duration becomes independent of the TSC
frequency.
fixes #4672
This commit enables users of the VMM to define CPU type and count, RAM size,
kernel and initrd ROM names, GIC version, and Virtio devices to be used.
Derived from the configuration values a flattened device-tree blob (DTB) is
generated and transferred to the VM.
Fix genodelabs/genode#4670
Lack of MSI-X support in DDE Linux causes a timeout when the Intel AX211
tries to call back into the driver while loading the PNVM file while
interrupts are still disabled.
With the patch picked up from QubesOS the card works on an X1 Nano G2:
5fcfe0f19e
Issue #4663
Until now, requesting optional blobs such as 'iwl-debug-yoyo.bin' has
just failed silently. To support desired blobs such as PNVM firmware,
implement the loading of optional firmware while preserving the nowarn
characteristics of the function.
Issue #4663
Try to allocate within constraint area first. In case the area is exhausted,
try allocation at other memory locations.
The motivation for this is to limit DMA allocations to 4GB (since some
devices require addresses below 4GB). On some platforms there is little
physical RAM in this area (<1GB) and the constrained area exhausts. In
case an IOMMU is present, RAM at higher locations can still be mapped
below 4GB, which is done in the platform drivers.
issue #4665
Consume '<iommu/>' tag from 'devices' report. In case an IOMMU is
present map physical memory to arbitrary locations within IO page table
range 1K-4G. This way every device PD has access to ~4GB of DMA space.
issue #4665
The platform driver configuration is missing the required 'info'
attribute that allows the 'vesa_fb_drv' to map the proper I/O
memory address of the framebuffer. In addition the driver requires
at least '2' more CAPs, so raise the quota to '110'.
Fixes #4668.
There is one binder with one memory zone per OpenGL context. The patch was
needed before because Genode didn't have proper context support (separate page
tables) leading to binders from one or more context being allocated to the same
GPU address with the same page tables. This was clearly an error and is fixed
with context support.
issue #4664
'_env_ram' allocations can lead to
'Expanding_pd_session_client::try_alloc' quota upgrades, which in turn
may lead to a resource request by the platform driver. Therefore, we
check the available quota within the platform driver before allocations.
This is not an optimal solution.
issue #4667
related issue #3767
This patch makes the component graph better reusable for the phone
version of Sculpt. In the phone version, the '+' menu does not exist.
So we need to omit the corresponding button. Furthermore, the storage
dialog is presented in a dedicated section of the GUI instead of
presenting it inside the 'storage' graph node. The phone version
also does not offer the inspect view. So we need to omit the
corresponding buttons.
To prevent caching side-effects of USB DMA memory taken from the packet stream
all allocations of USB packets need to be on separated cachelines at least.
Fix genodelabs/genode#4655
To complement the GPIO support allow for setting and reading input
pins. So far this is needed by drivers that attempt to perform I2C
bit-banging via GPIO pins.
Fixes #4624.
In case the allocation fails for the largest possible connector mode,
try smaller modes. Additionally, add an option to specify maximal resolution.
Issue #4659
Increase "assumed" internal kernel memory size based on available memory
to support allocation of framebuffer larger than 16M, which was before
hardcoded.
Issue #4659
When using the newer genode_c_api uplink library, an uplink connection uses
the device name as label, which enables integrators to use different policies
resp. routes for different devices driven by one driver. The nic_drv policy
of the nic_router configuration generated by the sculpt_manager however uses
an empty label like: "nic_drv -> ". This is the way how existent NIC drivers,
like ipxe_nic_drv requested their uplink session. To support both driver
variants this commit relaxes the policy by checking for a prefix only.
Ref genodelabs/genode#4660
This patch equips the pin-driver framework with support for the
time-multiplexed operation of a pin as output or input. This is needed
when implementing I2C communication via a bit-banging driver.
To operate a pin in both directions, a driver obtains both a pin-state and
a pin-control session for the same pin. The pin-state session can be
used to sense the current pin state. The control session allows the
client to set the pin to high or low (using the 'state' method), or to
set it to high-impedance via the 'yield' method. Once switched to
high-impedance, the pin can be used as input.
Issue genodelabs/genode-allwinner#10
The tar.gz archive of version 2.4.9 vanished from sourceforge. As the
project moves to GitHub currently and the archive of 2.4.9 is still
available there, just update the download location.
Content and hashes did not change.
If a device should not be reset, powered off, and its clocks
shall stay untouched when it gets released, the leave_operational
attribute can be set to true in the device node of the related
device inside the devices ROM delivered to the platform driver.
This is useful for drivers, which only enable and initialize
their device, and can be closed afterwards.
Ref genodelabs/genode#4654
To enable other irqchip declarations beyond the lx_emul generic code base,
make the ARM specific initialization routine public.
Ref genodelabs/genode#4651
With "grub2: update to newer grub2 2.06 version" a regression slipped in
which makes the ISO not bootable on real hardware. The commit reverts to
the previous behaviour, to load the GRUB2 modules after boot later one by
one in the ISO format case.
Fixes #4647
Prevents errors like follows.
/bin/bash: arch/arm64/crypto/poly1305-core.S: No such file or directory
make[4]: *** [.../genode/repos/dde_linux/lib/mk/spec/arm_64/wireguard_lx_inc_dirs.mk:17: arch/arm64/crypto/poly1305-core.S] Error 1
Reintroduce:
USB Attached SCSI devices might expose a bulk-only interface
as fall-back at interface 0 and alternate setting 0. This commit
allows for probing all alternate settings of the active interface
to be able to use such devices.
The configuration was extended so that in case the device interface
is known beforehand the driver can be configured accordingly.
Additionally:
Perform configuration reset upon sessions close in order to bring USB
device to a well defined state.
fixes #4494
The NOVA kernel and Genode's roottask core are configured to be runnable
with up to 64 CPUs (MAX_SUPPORTED_CPUS in core resp. NUM_CPU in kernel).
On machines with more CPUs a reset occurred. The commit checks for this
case, bootstraps the first 64 CPUs only, and sends all other CPUs to
sleep.
Also, the platform_info ROM size is increased to host information about
more than 32 CPUs.
Issue #4640
If `select_from_ports` is evaluated lazily, we might miss a port during
the dependency check. A way to prevent this is to use the `:=` operator.
Fixes genodelabs/genode#4618
Implement the guest code in dedicated assembler source file, assemble
and link the binary to vmm_x86. The resulting guest-code binary
populates one page that is mapped to host the reset vector of the guest.
This approach simplifies future guest code adaption resp. extension,
e.g., to test rdmsr/wrmsr exiting.
Fixes #4638
plain_decorator_theme.tar is not linked to the app but must be generated
as side effect. Therefore, use CUSTOM_TARGET_DEPS to trigger the
generation.
Fixes #4637
# EalánOS — An Operating System for Heterogeneous Many-core Systems
EalánOS is a research operating system, based on the [Genode OS Framework](https://genode.org/), that explores new architectural designs and resource management strategies for many-core systems with heterogeneous computing and memory resources. It is a reference implementation of the [MxKernel](https://mxkernel.org/) architecture.
## MxKernel Architecture
The MxKernel is a new operating system architecture inspired by many-core operating systems, such as [FOS](https://dl.acm.org/doi/abs/10.1145/1531793.1531805) and [Tessellation](https://www.usenix.org/event/hotpar09/tech/full_papers/liu/liu_html/), as well as hypervisors, exokernels and unikernels.
Novel approaches of the MxKernel include the use of tasks, short-lived closed units of work, instead of threads as control-flow abstraction, and the concept of elastic cells as process abstraction. The architecture was first described in the paper [MxKernel: Rethinking Operating System Architecture for Many-core Hardware](https://ess.cs.uos.de/research/projects/MxKernel/sfma-mxkernel.pdf) presented at the [9th Workshop on Systems for Multi-core and Heterogeneous Architectures](https://sites.google.com/site/sfma2019eurosys/).
## Task-based programming
EalánOS promotes task-parallel programming by including the [MxTasking](https://github.com/jmuehlig/mxtasking.git) task-parallel runtime library. MxTasking improves on the common task-parallel programming paradigm by allowing tasks to be annotated with hints about the task's behavior, such as memory accesses. These annotations are used by the runtime environment to implement advanced features, like automatic prefetching of data and automatic synchronization of concurrent memory accesses.
## Documentation
Because EalánOS is based on Genode, the primary documentation, for now, can be found in the book [Genode Foundations](https://genode.org/documentation/genode-foundations-22-05.pdf).
## Features added to Genode
EalánOS extends the Genode OS framework with functionality that is needed or helpful for many-core systems with non-uniform memory access (NUMA), such as
- A topology service that allows querying NUMA information from within a Genode component.
- A port of [MxTasking](https://github.com/jmuehlig/mxtasking.git), a task-based framework designed to aid in developing parallel applications.
- (WiP) An extension of Genode's RAM service that enables applications to allocate memory from a specific NUMA region, similar to libnuma's `numa_alloc_on_node`, and thus improve NUMA-locality of internal data objects.
- (WiP) An interface for using Hardware Performance Monitoring Counters inside Genode components. Currently, performance counters are only implemented for AMD's Zen1 microarchitecture.
### Acknowledgement
The work on EalánOS and the MxKernel architecture is supported by the German Research Foundation (DFG) as part of the priority program 2037 "[Scalable Data Management on Future Hardware](https://dfg-spp2037.de/)" under Grant numbers SP968/9-1 and SP968/9-2.
The MxTasking framework is developed as part of the same DFG project at the [DBIS group at TU Dortmund University](http://dbis.cs.tu-dortmund.de/cms/de/home/index.html) and funded under Grant numbers TE1117/2-1.
we turned towards enabling bulk-data transfer between the Zynq's CPU and its
FPGA. In a first step, we built a custom hardware design that implements a DMA
loopback device based on Xilinx' AXI DMA IP. Since we were particularly
interested in testing out the Zynq's accelerator coherency port (ACP), we
implemented two loopback devices: one attached to the ACP and one to the
high-performance (HP) AXI port of the Zynq. In order to test the design in
Genode, we added a port of Xilinx' embeddedsw repository that hosts standalone
driver code for the Xilinx IP cores. Based on this port, we implemented the
xilinx_axidma library as a Genode wrapper in order to simplify development of
custom drivers using Xilinx' AXI DMA IP. A newly written test component takes
throughput measurements for varying transfer sizes. A more detailed account of
this story is published in an
[https://www.hackster.io/johannes-schlatow/using-axi-dma-on-genode-6482d2 - article on hackster.io].
Knowing that DMA bypasses any memory protection on the Zynq as it does not
feature an IOMMU, we further spent some development efforts on implementing a
custom IP block, called DMA Guard, for protecting against unintended DMA
transfers from/to the FPGA. The DMA Guard is configured with a limited set of
address ranges for which DMA transfers will be granted. Any out-of-range
transfer will be denied. The configuration of the DMA Guard is conducted by
the Zynq's platform driver based on the allocated DMA buffers. For the time
being, we applied several changes to the platform driver. These modifications
are currently hosted in the genode-zynq repository but are going to find their
way into the generic platform driver for the next release.
More details about the DMA Guard are covered by the dedicated article:
[https://www.hackster.io/johannes-schlatow/taking-control-over-dma-transactions-on-zynq-with-genode-fd60b6 - Taking control over DMA transactions on Zynq with Genode].
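The range check described above, modelled in software as an added example (not code from Genode or from the DMA Guard IP block). The class name, the four-slot limit and the rule that a transfer must fit within a single granted range are assumptions.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

/* Hypothetical software model of the guard's decision logic. The slot
 * count and all names are assumptions, not the IP block's interface. */
class Dma_guard_model
{
    public:
        static constexpr unsigned MAX_RANGES = 4; /* assumed slot limit */

    private:
        struct Range { std::uint64_t base, size; bool used; };
        std::array<Range, MAX_RANGES> _ranges { };

        /* reject empty ranges and ranges wrapping around the address space */
        static bool _valid(std::uint64_t base, std::uint64_t size) {
            return size != 0 && base <= UINT64_MAX - (size - 1); }

    public:
        /* on DMA-buffer allocation: fails closed when all slots are taken */
        bool grant(std::uint64_t base, std::uint64_t size) {
            if (!_valid(base, size)) return false;
            for (Range &r : _ranges)
                if (!r.used) { r = { base, size, true }; return true; }
            return false; }

        /* on DMA-buffer release: the range is closed again */
        bool revoke(std::uint64_t base) {
            for (Range &r : _ranges)
                if (r.used && r.base == base) { r.used = false; return true; }
            return false; }

        /* a transfer passes only if it lies entirely within one range */
        bool permitted(std::uint64_t addr, std::uint64_t len) const {
            if (!_valid(addr, len)) return false;
            for (Range const &r : _ranges)
                if (r.used && addr >= r.base && len <= r.size
                    && addr - r.base <= r.size - len) return true;
            return false; }
};

int main() {
    Dma_guard_model guard;
    guard.grant(0x10000000, 0x1000); /* constructed buffer address */
    std::printf("in range: %d, overrun: %d\n", guard.permitted(0x10000800, 0x800),
                guard.permitted(0x10000800, 0x801));
}
```

The bounds comparison is written as `addr - r.base <= r.size - len` so that no intermediate sum can overflow; a request whose end address wraps around is rejected before any range is consulted.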
Following a regular cycle of two years, we updated our tool chain to recent
versions again, this time in particular to GCC 12.3.0, binutils 2.40, and GDB
13.1 while taking the opportunity to enable C++20 by default.
A noticeable change with GCC 12 is that auto-vectorization with the
'-ftree-vectorize' option is now enabled by default when building with the
'-O2' optimization level. This has the effect that more SIMD instructions are
generated, which required adaptations throughout our code base, for example by
making sure that memory allocations in ported Linux drivers adhere to a suitable
address alignment and by saving and restoring ARMv8 FPU registers in the
dynamic linker.
In addition to that, GCC 12 reports new warnings and errors, which we had to
rectify at various places, the most common ones being:
* Deprecated arithmetic between different enumeration types,
* Deprecated use of '++' and '--' operators with volatile variables, and
* Undefined references to 'strlen' inside custom implementations
of 'strlen'-like functions, related to the
'-ftree-loop-distribute-patterns' option.
As an extra feature, we added Genode's library name patterns to the linker so
that the '-l' option has become able to find the corresponding libraries.
This is useful while porting 3rd-party software based on Autoconf, whenever a
'configure' script checks for a library dependency by linking a test program
with this option. This change thereby removes the need for dummy libraries
that were formerly used to satisfy the probing.
API changes
===========
As part of Genode's
[https://genode.org/documentation/release-notes/16.08#Cultivation_of_the_new_text-output_API - great API revision]
in 2016, we largely *abolished* the use of *format strings* throughout the
framework. This is desirable because a code base without format strings cannot
have format-string vulnerabilities. Still, a few occurrences, specifically the
interface for passing session-construction arguments, remained untouched since
then. With version 23.05, we finally attained our initial goal by wrapping up
the transition.
In particular, we revised 'Genode::Connection', which now accepts the session
label, affinity, and session-specific parameters as constructor arguments,
whereas the parameters are passed as a 'Genode::String'. This eliminates the
need for rendering a format string. Given this new interface, we were able to
remove format strings from all connection types, updated all components that
still happened to rely on format strings, and ultimately removed format
strings from Genode's base API.
Format strings still play a role to accommodate 3rd-party code ported
to Genode. Whenever the 3rd-party code targets the C runtime, format
strings are readily available via the libc. For free-standing ports that
avoid the dependency on the full C runtime, e.g., ported device drivers,
a new 'format' library based on Genode's former _base/snprintf.h_ and
_base/console.h_ provides rudimentary format-string support. The library
is hosted in the libports repository.
As another matter of housekeeping, we removed the _util/avl_string.h_ utility.
The use case of organizing objects by using strings as keys is covered by the
_util/dictionary.h_ now.
Towards kernel-agnostic DMA protection
======================================
As sketched in our [https://genode.org/about/road-map - road map], we plan
to have a feature-complete PC version of Sculpt OS based on base-hw by the end
of this year. One of the reasons why we are still sticking to base-nova for
the PC version is the fact that we are relying on NOVA's IOMMU support. One
necessary step to decouple Sculpt OS from base-nova is to integrate the IOMMU
handling into the platform driver.
Motivated by our
[https://genode.org/documentation/release-notes/23.02#Custom_IP_block_for_DMA_protection_on_AMD_Xilinx_Zynq - custom IP block for DMA protection on AMD/Xilinx Zynq],
we integrated the notion of IOMMU-like devices into the platform driver with
this release as a preparatory step. The platform driver automatically acquires
known IOMMU-like devices for itself by looking at the device types. Other
devices can then reference these devices by using '<io_mmu>' nodes. This is
best illustrated by looking at the devices ROM for the Zynq's dma_guard IP
block:
! <devices>
!
!   <device type="dma_guard" name="dma_guard_0">
!     <!-- [...] -->
!   </device>
!
!   <device type="axi_dma" name="axi_dma_0">
!     <io_mmu name="dma_guard_0"/>
!     <!-- [...] -->
!   </device>
!
! </devices>
This tells the platform driver that, whenever a DMA buffer is allocated/freed
for the session owning the 'axi_dma_0' device, the 'dma_guard_0' must be
configured accordingly in order to allow/deny access to the corresponding
memory ranges. With the structural changes to the platform driver, the support
for dma_guard devices is simply added by implementing specific 'Io_mmu' and
'Io_mmu_factory' objects. You can find the code in the _dma_guard.h_ within
With the current Genode release, we have added general support to the
framework that permits guarded access to selected MSRs via Genode's
system-control RPC of the protection domain (PD) session. If the underlying
kernel supports this feature, presently the NOVA kernel, read and write
requests are forwarded via Genode's 'core' roottask to the kernel. A component
needs the explicit [https://genode.org/documentation/release-notes/22.02#Restricting_physical_memory_information_to_device_drivers_only - managing_system] configuration role to get
access to this functionality, which is denied by default.
The actual knowledge about how to manage Intel HWP and AMD pstate is provided
as a native Genode component, which uses the new 'Pd::system_control'
interface. The component monitors and reports changes of MSR registers for
temperature (Intel), frequency (AMD & Intel), and power consumption (Intel
RAPL). Additionally, it can be instructed - by the means of configuration
changes - to write some of the registers. Besides the low-level MSR component,
a Genode package with a GUI component is provided to make the interactive
usage of the feature more user-friendly. For Sculpt, we added an interactive
dialog to assign the system-control role to a component like the graphical MSR
package via the resource dialog. For a more detailed description please refer
to our [https://genodians.org/alex-ab/2023-10-23-msr - Genodians article].