This patch largely reverts the commit "base: lay groundwork for
base-linux caps change" because the use of 'epoll' instead of 'select'
alleviated the need to allocate large FD sets, which motivated the
introduction of the 'Native_context' hook.
Related to issue #3581
The sandbox library supports the forwarding of session requests from the
outside to one of the hosted children according to a policy. This patch
introduces the distinction between two cases, which previously triggered
the denial of the session request.
- There exists no matching policy for the requested session
- There exists a matching policy but the referred server child
does not exist (yet)
Whereas the proper response to the first case is the denial of the
request, the second case can occur in situation where a dynamic init is
used to implement a staged startup, for example via the deploy
mechanism. In such cases, a policy may exist as a static rule while the
server has not been started yet. This patch changes the behavior such
that such requests are stalled.
The patch is accompanied with test cases for exercising both situations.
Fixes#3733
If trace is enabled for component than an attempt to put message into
trace buffer is performed using log_output policy. If it succeeds than
message is not put to logs using log service.
Fixes#3714
On Linux, Genode used to represent each RPC object by a socket
descriptor of the receiving thread (entrypoint) and a globally-unique
value that identifies the object. Because the latter was transferred as
plain message payload, clients had to be trusted to not forge the
values. For this reason, Linux could not be considered as a productive
Genode base platform but remained merely a development vehicle.
This patch changes the RPC mechanism such that each RPC object is
represented by a dedicated socket pair. Entrypoints wait on a set of
the local ends of the socket pairs of all RPC objects managed by the
respective entrypoint. The epoll kernel interface is used as the
underlying mechanism to wait for a set of socket descriptors at the
server side.
When delegating a capability, the remote end of the socket pair is
transferred to the recipient along with a plaintext copy of the
socket-descriptor value of the local end. The latter value serves as a
hint for re-identifiying a capability whenever it is delegated back to
its origin. Note that the client is not trusted to preserve this
information. The integrity of the hint value is protected by comparing
the inode values of incoming and already present capablities at the
originating site (whenever the capability is invoked or presented to the
owner of the RPC object).
The new mechanism effectively equips base-linux with Genode's capablity
model as described in the Chapter 3 of the Genode Foundations book.
That said, the sandboxing of components cannot be assumed at this point
because each component has still direct access to the Linux system-call
interface.
This patch is based on the extensive exploration work conducted by
Stefan Thoeni who strongly motivated the inclusion of this feature into
Genode.
Issue #3581
Older ARM processors like ARMv6, or Cortex A8 need to write back changes
of the page-tables to physical ram because the MMU does not use the cache.
This naturally needs to be done not only when adding a mapping,
but on removal too.
Fix#3715
The topics are either covered by the Genode Founations book for by our
tools, in particular the integration of the prepare_port mechanism with
the run tool.
- don't use 'qemu -serial mon:stdio' anymore as it no longer works as
expected
- use "bash -l" with [terminal] to read user's profile configuration,
e.g., PATH settings
- added missing boot modules and cap quotas
This commit puts all C++ runtime/support symbols of ld.lib.so in a
dedicated section of base/lib/symbols/ld and mirrors the section to
libports/lib/symbols/libc. So, the libc ABI resolves potential C++
runtime dependencies of base-ABI-agnostic components at link time. The
runtime resolution is done by the linker by symbol lookup in ld.lib.so.
Issue #3720
config_0.xml.tmp:26: element config: Schemas validity error :
Element 'config': Character content other than whitespace is
not allowed because the content type is 'element-only'
Issue #3612
This patch increases the default limit of the maximum number of open
file descriptors to the hard limit of the system. This is needed for
complex scenarios, which require more FDs than the default of 1024
at core.
Related to issue #3581Fixes#3721
This commit fixes a regression introduced by "window_layouter: add
dynamic screen handling", rendering the sub-division of screens in
columns and row unusable. The said commit removed a condition needed
for the correct window placement. This patch restores the condition.
Issues #3646
This patch also introduces the use of the RTC for creating directory
names and increases the rate of snapshot creation from 10 seconds to
one minute to make sure that directories are named differently when
reading the RTC clock at granularity of minutes.
Issue #3696
This patch avoids calls of '__sys_getstatfs' (indirectly via
'getmntinfo'), which does not return any meaningful values in Genode's
libc. Otherwise, the libc's dummy implementation prompts resize2fs to
back out.
Issue #3696
This patch makes the e2fsprogs 'mke2fs' and 'resize2fs' available as
standalone components that can be used by Sculpt OS directly without
a Unix emulation environment.
As a result of the API change the memory handling could be simplified.
Since the Block session dataspace is now directly used for DMA, we
actually only have to provide the memory for setting up PRP lists for
large requests (for the moment more than 8 KiB of data).
As we limit the maximum data transfer length to 2 MiB, we get by with
just a page per request. Those memory is allocated beforehand for the
maximum number of I/O requests, which got bumbed to 512 entries. Since
not all NVMe controllers support such large a maximum data transfer
length and this many entries, especially older ones, the values are
capped according to the properties of the controller during
initialization. (The memory demands of the component are around 3 MiB
due to setting up for the common case, even if a particular controller
is only able to make use of less.)
(Although there are controllers whose maximum memory page size is more
than 4K, the driver is hardcoded to solely use 4K pages.)
In addition to those changes, the driver now supports the 'SYNC' and
'TRIM' operations of the Block session by using the NVMe 'FLUSH' and
'WRITE_ZEROS' commands.
Fixes#3702.
The former scheme left open a race window between
_process_incoming_signals() and wait_and_dispatch_one_io_signal()
resulting in both threads calling block_for_signal() and blocking
forever with one unprocessed signal.
Fixes#3704
This patch adds support for booting base-hw kernel on qemu-arm virt
machines. The arm_virt machine has 2GB of RAM, 2 Cortex A15 cores and
uses GICv2 interrupt controller. The arm_64_virt machine also has 2GB of
RAM, but has 4 Cortex A53 cores and uses GICv3. Both machines use PSCI
to boot additional CPU cores.
Fixes#3673
So far this only exposes two functions allowing the code to turn on
additional CPUs. There is much more functionality defined by PSCI spec
but so far its not needed by Genode.
Fixes#3672
The update modification timestamp is implemented as one-shot where
the caller is expected to try again if the first attempt failed (see
current libc implementation). So the message is misleading as further
attempts might succeed.
Issue #3713.
This patch fixes a regression with run/log_core introduced by
2064ffd64b nova: support multidimensional affinity space
The run tool uses a log message 'run_boot_string' to detect successful
boot as well as to detect unexpected reboots. This message should never
be logged twice and, thus, should not be part of the core_log. The patch
mentioned above moved the former run_boot_string after the core_log
initialization.
This is a follow-up fix for commit 202333c881.
It checks for the diagnostic registers being already setup correctly.
Otherwise on platforms with secure firmware, like Pandaboard it will stuck.
Ref #3639
ASLR collides with the libc's fork mechanism on 32-bit. In particular,
the tool_chain_auto.run scenario would sporadically fail while mirroring
the parent's address space.
Fixes#3710
This is needed to execute the tool-chain scenario on base-nova.
Otherwise, the fork mechanism stumbles upon a region conflict
between ldso allocations and the application heap.
Fixes#3706
This patch reflects the Out_of_caps exception from core to the client,
in addition to the already covered Out_of_ram exception. It thereby
eliminates a potential abort in core, which I observed with the
tool_chain_auto.run script:
Kernel: RPC upgrade_cap_slab
Error: Uncaught exception of type 'Genode::Quota_guard<Genode::Cap_quota>::Limit_exceeded'
Warning: abort called - thread: entrypoint
In addition to propagating the exception, the patch add the client-side
exception-handling code to the base library.
Fixes#3703
This run script is outdated and not regularly tested. In fact, the
tested mechanism (obtaining values from a '.sysctl/' directory) is
nowhere to be found, neither in noux nor the libc. The test still
returns success as it merely checks for the completion of the sequence,
not the printed results. Hence, it is not worth preserving.
Issue #3696
Norman Feske
Christian Helmuth
Christian Prochaska
Alexander Boettcher
Stefan Kalkowski
Tomasz Gajewski
Roman Iten
Ehmry -
Stefan Thöni
Josef Söntgen
Piotr Tworek
Pirmin Duss
Pirmin Duss