Commit Graph

60 Commits

Author SHA1 Message Date
Sam Leffler
88841cb7a7 DebugConsole: add autostart script support & make uart optional
- make kata-uart-client use dependent on a new "sparrow_uart_support"
  feature; this is needed for headless operation and for platforms
  without a working uart driver
- add a mechanism where an "autostart.repl" file is fetched from the
  builtins (if present) and passed through the shell; output goes to
  the uart if configured, otherwise the kernel or /dev/null
- add a new "source" shell command that interprets the contents of a
  builtins file as console input
- rework the command interpreter to support autostart & source
- move the logging hookup to kata-debug-console so the system builds
  when no uart support is configured (need to add fallback to debug
  syscalls in case that works when no driver is present)

Change-Id: I5e6725c93488a48d212dfaca425ede37cbdb72e5
GitOrigin-RevId: 6f360cab71ea103af52e3c68ca240fc16e0f20bb
2022-10-18 15:36:33 -07:00
Sam Leffler
d866234653 kata-shell: fix bitrot in fringe cmds
Change-Id: I89dde4ae42cefafb101a5edf1bbfe02a198eea81
GitOrigin-RevId: 0e979acba0aa8f86d80ca62c0a74c98f01330cc5
2022-10-18 15:36:25 -07:00
Sam Leffler
bf2be62e71 kata-shell: make ml support optional
The "ml_support" feature controls whether MlCoordinator commands are included.
The "TEST_ML_COORDINATOR" feature is now dependent on "ml_support".

Change-Id: I13e3e0b467f006a564bb2cf4839a11ab8a1b04c8
GitOrigin-RevId: 133e8842848c73644e593ebfd4c9115fde1afd3b
2022-10-18 15:36:01 -07:00
Sam Leffler
130887a482 kata-shell: improve portability of memory manager test cmds
Change-Id: I1632dcc553a5e4b0e4763ec56bbba2493b21eeeb
GitOrigin-RevId: e5b3fc43438dd8fb4e7404234b47888e7502f1c0
2022-10-18 15:35:38 -07:00
Sam Leffler
91941d0028 kata-shell: remove use of private cpio change
We added Debug formatting of the error status to the rcore-os/cpio crate.
Remove use so this code builds with the upstream crate unchanged (it
was mostly useful during development).

Change-Id: Ibc83fc2201c128ec7362c60afaebba584c7eaecd
GitOrigin-RevId: 4af28c4d281e7ff5e74d8c0a21d0f774b9a1eeb0
2022-10-18 15:35:31 -07:00
Sam Leffler
d0d46c89e1 SDKRuntime: plumb application access
Setup a connection to the SDKRuntime for each application. To do this
add an SDKManager interface to the SDKRuntime for the ProcessManager to
obtain a badged endpoint and install that in each application's CNode.
SDKRuntime now rejects requests received without a registered badge.

RPC's are handled entirely in Rust (no CAmkES). ProcessManager sets up
RPC resources and delivers them to an application through registers.
The application-side SDK runtime uses the resources to marshal RPC
parameters in a page that is attached to the IPC buffer sent to the
SDKRuntime. Reply parameters are written to the shared page and decoded
on return.

Overhaul the SDKRuntime api to be like SecurityCoordinator to consolidate
parameter marshaling/unmarshaling and to simplify adding new methods.

Rust applications use the SDKRuntime interface directly. C application
will wrap a C interface around the Rust impl (TBD).

Specific changes:
- add SDKManagerInterface
- sel4bundle now plumbs a connection to the SDKRuntime, the CNode slot
  with the capability is passed to the application to future-proof CNode
  setup changes (an alternative is to use a global const since we control
  the application-side runtime api's)
- add kata-sdk-manager crate with SDKManager client interface support;
  the only api's are get_endpoint (to get a badged endpoint to SDKRuntime),
  release_endpoint (to remove a badged endpoint), and capscan (to dump
  the SDKRuntime's top-level CNode)
- add "capscan sdk" in the shell to inspect the SDKRuntime service
- make SDKRuntime require a registered badge on inbound IPCs
- fill-in ping & log SDK api's
- connect ProcessManager to SDKRuntime for SDKManager api use,
  everything else happens outside CAmkES
- make SDKRuntime lock against concurrent requests--the SDKManager
  runs concurrently and shares SDKRuntime state
- remove kata-shell test_sdk_* commands (replaced by test applications)

Change-Id: I7810949ad0051ff8eda244e0385f662882a556e4
GitOrigin-RevId: 5fef55428e076f670cff325965047c98d84cfbca
2022-10-06 19:04:02 +00:00
Sam Leffler
13799ab779 Remove StorageManager.
StorageManager (the component) did nothing useful so remove it and plumb
the only user (DebugConsole) directly to the SecurityCoordinator. When
the SDKRuntime is ready it likewise will talk directly to
SecurityCoordinator. The only visible change in this is the "kvread" shell
command displays the raw key value instead of converting it to a string.

Change-Id: I5a285dc083e5f02ecbf0defc83deebb34a7b38d7
GitOrigin-RevId: 70d04d8155167f9bf3f88291363760d91c10a279
2022-10-06 19:01:09 +00:00
Sam Leffler
601e7f5c78 kata: compile-out debug & trace log calls in release builds
Change-Id: Ibde5a49141daa67c57e24340b73b436d08e68e7a
GitOrigin-RevId: 4a77833a6cd3e16850d2e4d90b7e7ed916770b50
2022-10-06 19:00:28 +00:00
Sam Leffler
9dc07abe53 Merge "kata-shell: remove test_bootinfo"
GitOrigin-RevId: ac301ac9646027657db4bdcd43080c8de171c102
2022-10-06 18:59:54 +00:00
June Tate-Gans
1a068b0143 kata: Prepend the Google copyright and Apache 2.0 license
This includes adding it to TOML files and CAmkES assembly files.

Change-Id: I263e7a566df91fccc04f9b2186edab13331290c5
GitOrigin-RevId: 48a35b06ca868a0a4d379f881068cc4dad491669
2022-10-06 18:59:16 +00:00
June Tate-Gans
c0c03fe731 Merge "SDKRuntime: Introduce skeleton implementation"
GitOrigin-RevId: 4c147d204f782881662e3d30b36f848906ae51d3
2022-10-06 18:59:07 +00:00
Cindy Liu
50cd809320 Merge changes If949288d,I9849065a,I121edee2
* changes:
  kata: LSC: rustfmt with global rustfmt.toml
  kata: update global rustfmt flags
  kata: Promote rustfmt.toml to all kata crates

GitOrigin-RevId: 452e66fa7231f39cff81dc2fbe37ad1a1fc62fb9
2022-10-06 18:57:32 +00:00
Sam Leffler
ce1543c466 kata: rustfmt
Change-Id: I1edc1d0aa241983fb9336d9bd7e42f2dfa362a15
GitOrigin-RevId: 1a10df3451ce2dfb7d54c6553cfa5d237bf96431
2022-10-06 18:56:15 +00:00
Sam Leffler
05233af12c Add capscan support.
Add support to output the contents of the top-level CNode of a CAmkES
service or KataOS application to the serial console. This is dependent
on kernel support that is enabled with CONFIG_PRINTING. Applications
must be running; otherwise there is no CSpace to dump.

Specific changes:
- add a "capscan" shell command
- add capscan method to each CAmkES interface
- add capscan_bundle method to the ProcessControlInterface
- add Camkes::capscan() to dump the top-level CNode
- add ProcessManager support to dump the CNode for a bundle

TODO: fix syscall wrapper error return

Change-Id: If6ca222decdb4c40a1d3a63e69792eb3feb30f6a
GitOrigin-RevId: 504c0182ccccf287b5d58cd8e33981c11d7539d7
2022-10-06 18:56:08 +00:00
Sam Leffler
c2accc33b0 MemoryManager: correct initial memory use and add mdebug command
- Use seL4_Untyped_Describe to get an accurate view of each
  UntypedMemory slab being managed; this makes mstats reflect
  rootserver allocations.
- Track memory allocated before we run as "overhead" (was meant to
  track fragmentation but was always zero).
- Add an "mdebug" command to describe each managed memory slab;
  this is useful to see whether the kernel's view of memory use is
  consistent with MemoryManager.

Change-Id: I53b2738c430ad3356ecd16a1cad29ca92dc74beb
GitOrigin-RevId: 2ad43f9b7760c722a6590ea049a3814c8dcccba7
2022-10-06 18:56:00 +00:00
Sam Leffler
02e1b40885 OpenTitanUARTDriver: fix missing unlock
Bug: 233102476

Writing >CIRCULAR_BUFFER_CAPACITY bytes to the uart will hang because
of a missing unlock of the tx_mutex.

While here add a shell test command that was used to debug the issue
(but don't enable it by default).

Change-Id: I3e35001a653fe2659fb1534e4100727b69f662a1
GitOrigin-RevId: 550b35c88328dcbd1f87dd8e0209b1faabf7f931
2022-10-06 18:54:26 +00:00
Cindy Liu
c9f36f4da8 Merge "Changes for updating the toolchain to nightly-1.58.0"
GitOrigin-RevId: 6eadbd3c3652d88b3079635f2649b43e370fe4bd
2022-10-06 18:54:11 +00:00
Sam Leffler
b2bd86e43b kata-security-coordinator::fakeimpl: correct LoadModel & LoadApplication
Change the fake to behave as the real impl will for LoadModel &
LoadApplication: return a deep copy of the saved package contents as
would happen if the data were pulled from flash. Match this behaviour in
the kata-shell SecurityCoordinator test commands and the MlCoordinator
by taking ownership of the received objects and freeing them when no
longer needed.

With these changes one can install a bundle and repeatedly load_application
without leaking any memory, capabilities, or slots in the toplevel CNode
of the caller (DebugConsole in this case).

Likewise doing install of a model, test_mlexecute, and then uninstall
of the model's bundle returns all resources.

Specific changes:
- correctly release resources in kata-shell load_application & load_model
- correct release of bundle_frames in seL4BundleImpl::stop
- release resources in MlCoordinator::load_model
- connect the MemoryInterface to the MlCoordinator so it can return memory
- setup two copyregions in the SecurityCoordinator to do the deep copy
- add ObjDescBundle::cptr_iter for iterating over the set of seL4_CPtr's
- hack kata_frame_alloc_in_cnode to split requests according to the
  kernel's config on the max Retype count
- while here switch test_mailbox to use one of the copyregions

TODO:
- deep_copy allocates all frames at once which requires a band-aid;
  either hide that in MemoryManager or maybe allocate a page at a time

Change-Id: Ia425976b31ea7a32b1d0e4affc3a0ef9ba966c87
GitOrigin-RevId: 31d5bc99b569a5eab9c33c7e1014793bfe57161e
2022-10-06 18:53:33 +00:00
Austin Appleby
2b0dd2eb8b Merge "Add basic mailbox driver camkes component + a test script in DebugConsole."
GitOrigin-RevId: 687148fc664b922d3b04ba8a8397fa0f5ff79e29
2022-10-06 18:50:58 +00:00
Sam Leffler
6221739c49 SecurityCoordinator: misc fixups
- fix size_buffer & get_manifest requests to marshal responses
- fix size_buffer marshaling (was always returning zero)
- format fakeimpl manifest string
- add shell test commands that exercise the api's (including the
  key api's that were only reachable via the StorageManager)

Change-Id: Ia36906d975fb497e6de81e81fdaf2ff04c7a1e9a
GitOrigin-RevId: cad976c55c99724c2b7c5186b2864f7c44edef13
2022-10-06 18:50:14 +00:00
Sam Leffler
066d37db24 kata-shell: fix bundles display of the empty array
Change-Id: Idfd75a3c3e14c543c79b78a7f3133b0de4edf874
GitOrigin-RevId: 3fe641ccf0e1ee577689776f531eb853e9972d53
2022-10-06 18:49:48 +00:00
Sam Leffler
6850f3b3e0 Merge "kata-shell: overhaul command processing"
GitOrigin-RevId: 6fe5b9078cd47083ae834e81482576272f7b9b7e
2022-10-06 18:49:40 +00:00
Sam Leffler
3bd8389a4c sel4-sys: add arch_generic support
Adds an architecture-independent api for sel4-sys interfaces similar
to what libsel4 does. For example, instead of seL4_RISCV_Page_Map use
seL4_Page_Map. This is mostly aliases for common types & system calls but
also features like the Grant right implying NoExecute for seL4_Page_Map.

While here fix crate paths to sel4-sys; everything external to
kata-os-common is intended to use kata-os-common::sel4-sys.

Change-Id: I6faa07d41ffd2fbb4182bf2fa7c05a768e4368f3
GitOrigin-RevId: f51e5186b61eab541e9fb4d2d4175adcc3ca8cee
2022-10-06 18:47:57 +00:00
Adam Jesionowski
1662e80ef1 MlCoord: Execution queue
This CL enables multiple outstanding periodic executions. To do so the
MlCoordinator now includes an array of started models and a queue of
models that are ready to be executed immediately. Additionally, each
periodic model has an associated timer. When that timer fires the model
is added to the execution queue. When a model finishes executing, the
next model is popped off the queue and executed. If a model becomes
ready when there's already an execution for it queued, that execution
is dropped and a warning printed. A cancel command is added to remove
periodic or outstanding executions.

A state debug command was also added.

Currently we can only load a single model due to limitations with the
StorageManager, but we can do so multiple times.

Tests:
Single shot: https://paste.googleplex.com/6704629669691392
Two periodic execs: https://paste.googleplex.com/5288292800004096
Overloaded warning: https://paste.googleplex.com/4549962219126784

Debug State:
KATA> state_mlcoord
kata_ml_coordinator::Running model: fubar:mobilenet_v1_emitc_static.model
kata_ml_coordinator::Loaded model: fubar:mobilenet_v1_emitc_static.model
kata_ml_coordinator::Loadable Models:
kata_ml_coordinator::  LoadableModel { bundle_id: "fubar", model_id: "mobilenet_v1_emitc_static.model", rate_in_ms: Some(2000) }
kata_ml_coordinator::  LoadableModel { bundle_id: "fubar", model_id: "mobilenet_v1_emitc_static.model", rate_in_ms: Some(6000) }
kata_ml_coordinator::Execution Queue:
kata_ml_coordinator::  fubar:mobilenet_v1_emitc_static.model
kata_ml_coordinator::Statistics: Statistics { load_failures: 0, already_queued: 0 }

Change-Id: I7637c9c390eb6ffd9ae22088f37b98c056a441c2
GitOrigin-RevId: 18c0d3fe740a37381f7f1eddee8f2224f679fd61
2022-10-06 18:47:28 +00:00
Sam Leffler
b8dfe92451 DebugConsole: clippy findings
Change-Id: I8e93e5441e5762171b4e32baa253ceba6d96855b
GitOrigin-RevId: 90106f4f236c27f88a59ea6286612bb6db378cfc
2022-10-06 18:47:07 +00:00
Sam Leffler
746616b6d6 DebugConsole: add cpio archive of builtin bundle objects
- replace the memory-mapped elf file by a cpio archive of bundle
  objects (BundleImages until we fill in what a bundle is)
- add a new "builtins" command to list the contents of the cpio
  archive (similar to cpio -t)
- extend the "install" command to load from the builtins archive
- switch the connection to ProcessManager to support the larger
  ObjDescBundle's coming from the cpio archive

Change-Id: I5d7c195b58937df3921f925de3637f325f53fa2f
GitOrigin-RevId: 410813e62ae8f38685a1b32deb2e80de538085a4
2022-10-06 18:45:35 +00:00
Sam Leffler
6b1fff796b DebugConsole: add kata_object_alloc_in_cnode test to test_obj_alloc
Change-Id: Iaf53ab57720c65f7545211fecab43211bf7513bf
GitOrigin-RevId: 63114c23e82cdab2a2deddb55b00441ed3de33db
2022-10-06 18:45:27 +00:00
Sam Leffler
876c7148e7 DebugConsole: update test_mlexecute for kata-ml-coordinator changes
Change-Id: I02dbbe01b623d39b5e49bee15e620efebfea5fe1
GitOrigin-RevId: df14aecfcde1e0ed0fda7a615e670f8777873c5e
2022-10-06 18:45:18 +00:00
Sam Leffler
6729689f1b DebugConsole: update scecho for kata-security-interface changes
Change-Id: I3fa7ef4b8ea8eaeafa832308f50ac28670de4672
GitOrigin-RevId: 6cb70aa9abab17ddba4852fe7cfd60d4f68a4eff
2022-10-06 18:45:11 +00:00
Sam Leffler
0a51bd8b59 DebugConsole: hookup zmodem to MemoryManager
- change zmodem uploads to get memory from the MemoryManager
- add a "-z" option to the "install" command to start a zmodem upload
  to generate the package contents to send to ProcessManager
- increase CNode headroom for loading package contents

Change-Id: I5f329cdd044368e5568ad891245d67a4a13f8468
GitOrigin-RevId: 2853cde48cb8232f3ba75fe7e8efdbd3032bcb66
2022-10-06 18:44:59 +00:00
Adam Jesionowski
eb46d7c817 Merge "Add test_timer commands."
GitOrigin-RevId: 15cc9f8793813dde2f5272ae99b6ce81a71818ef
2022-10-06 18:43:43 +00:00
June Tate-Gans
57a4ee2f13 cargo: Bump to 2021 edition
Change-Id: Icb2deaff58da7f92970d8f57f7853349769323f5
GitOrigin-RevId: f8303df543a9d84c066b9a4a1bd1c0239eb75857
2022-10-06 18:42:30 +00:00
Sam Leffler
18c7660244 Add MemoryManager service.
The MemoryManager service allocates & frees seL4 objects. Requests can be
batched. Capabilities to dynamically allocated objects are moved in CNode
containers attached to IPC requests.

Specific changes:
- Add new CAmkES MemoryManager component.
- Add api's for allocating & freeing singleton objects (e.g.
  kata_cnode_alloc) and batches of objects (kata_object_alloc &
  kata_object_free).
- Add support to kata-os-rootserver to hand-off UntypedMemory objects
  just before terminating. The objects are placed directly in the
  MemoryManager's top-level CNode and a BootInfo frame is constructed
  that describes where the objects are.
- Switch the rootserver to kata-os-rootserver as the C version lacks
  the UntypedMemory hand-off.
- Add test_bootinfo kata-shell command to dump the MemoryManager BootInfo
  frame contents (broken for now because it directly references the
  shared page).
- Add test_obj_alloc kata-shell command that exercises the MemoryManager
  singleton and batch api's

While here, did some cleanup of arg handling in kata-shell.

TODO: top-level object allocations use a simplistic capability allocator
TODO: move test_bootinfo to the MemoryManager and add an interface rpc

Change-Id: I778b2d5fe7f2f9b65ee642ff905cf56d4b2b02fd
GitOrigin-RevId: 7fc72d1927bba165234955e68f8b9ad1b556f6fb
2022-10-06 18:41:15 +00:00
Sam Leffler
2f4d3c8e35 Merge "processmanager: fix release builds"
GitOrigin-RevId: 18bd5b9b85ab3b264c5816327d34b0ba3d645204
2022-10-06 18:39:14 +00:00
Adam Jesionowski
4db610b909 Merge "Add continuous run mode."
GitOrigin-RevId: 64cd0a116569996c4573d6bb8f11d29644678de3
2022-10-06 18:37:16 +00:00
Matt Harvey
97fccf9c95 Forces logging off during ZMODEM uploads
With logging on, the Rust logger trace messages do indeed cause the
sender to abort near the beginning of the upload.

Change-Id: I9ed150db1ad557034d1aefcc99385d771be3edd5
GitOrigin-RevId: 3815d6b21db1dc4978b19fc9b4307007d03e4b12
2022-10-06 18:33:31 +00:00
Matt Harvey
c26d79fff8 Makes ZMODEM crate use BufRead
Using a buffered reader instead of the byte-at-a-time implementation
avoids doing a syscall for each byte.

Change-Id: Ia7bc42e4836593f358ff964962c910f8c94b6f8e
GitOrigin-RevId: e70697d398b07d6de6f03d1d0a4b5204139bc59a
2022-10-06 18:33:20 +00:00
Sam Leffler
e23e5907d0 Merge changes Ic0ca4ab4,If1c494aa,I56701b4a,Ia7ff0097,I13812a9f, ...
* changes:
  Replace SeL4Debug with direct syscalls.
  sel4-sys: fix conditional syscall numbering
  sel4-sys: use target_arch &co to select target architecture
  kata-os-common: add sel4-sys support for riscv32
  kata-os-common: cleanup sel4-sys before bringing in local changes
  kata-os-common: pristine import of sel4-sys-0.0.28 (-seL4 submodule)

GitOrigin-RevId: 36ee1d4f9e521b60fdc6b91f2581413b55882fca
2022-10-06 18:32:43 +00:00
Sam Leffler
5929f8c932 ProcessManager: cleanup interfaces
- kata-proc-common =>'s kata-proc-interface
- use explicit import's
- add kata_proc_* & kata_pkg_* stub wrappers to hide C calls
- hide RAW_BUNDLE_ID_DATA_SIZE, not needed after stub additions
- add From traits to cleanup return handling
- narrow unsafe blocks

Note: removed some less-useful trace calls to enable ?-op usage

Change-Id: Iefe704654f5d286648c94c13a88573baaa434ecb
GitOrigin-RevId: 1639da7ea59653c1d1d22a9c1dab9c05aaf409df
2022-10-06 18:31:11 +00:00
Matt Harvey
7363bd638c rz shell command
This change adds an "rz" command to the shell that calls a function
rz(). It switches the IO from the shell to a ZMODEM receiver that
produces a Rust upload object that collects the uploaded bytes and
computes a CRC32 checksum on the fly.

In a later change, we will retain the most recent payload in a
shell-owned object until it is consumed by an "install" command.

Limitations:

  * Sender hangup will cause the receiver to block forever and the
    prompt not to come back, since kata-uart-client does reads that
    block forever.
  * Logging must be set to a level higher than debug or messages from
    the zmodem crate itself corrupt the transfer.
  * The sender must rate limit to ~150 bytes/sec to avoid running
    too far ahead of the Renode UART, which drops bytes when the RX
    FIFO is full.
  * Uploading too big a payload will cause a kata_panic! unless the
    heap size is increased in kata-debug-console/src/run.rs

Demo:

KATA> loglevel error
ERROR
KATA> rz
**B0100000023be50
[Ctrl-C]

$ sz -O ~/random < /tmp/term | pv -L 150 > /tmp/term
Sending: random
Bytes Sent:  15360/  16384   BPS:26805    ETA 00:00   150 B 0:00:01 [ 146 B/s] [ <=>     Bytes Sent:  16384   BPS:144                                                            ]

Transfer complete
16.6KiB 0:01:53 [ 149 B/s] [               <=>                                          ]

$ stty sane -echo -icanon; socat - /tmp/term 2> /dev/null; stty sane;
size: 16384, crc32: 991b1d60
KATA>
[Ctrl-C]

$ crc32 ~/random
991b1d60

Change-Id: I53252b821a829a667a23a9fd072f71c6955fdc1a
GitOrigin-RevId: c818a35f186dcd8c083891bfaa84ad0a9f9fef7d
2022-10-06 18:14:21 +00:00
Matt Harvey
5c3a68f7ac Sets default-features = false for postcard
This fixes a build break that happened without any intervening commit in
our repo. How that could happen is not yet pinpointed, and there has
been no increment in the minor version number of postcard for 2 months.

It appears that postcard was somehow triggering serde to use std, which
is a default feature for serde.

Change-Id: I7ed989976aa1bf75cb440c4070565452571d7306
GitOrigin-RevId: f35b7677e995e5e8245c583ca2c355a04306aea2
2022-10-06 18:13:57 +00:00
Sam Leffler
49c4a251bc SecurityCoordinator: cleanup interface (part 2)
- low serialize of request parameters into kata_security_request
- add InstallRequest that passes the package buffer as an opaque ptr
- add EchoRequest for SecurityRequestEcho
- purge (now) unused SecurityRequestData type alias and hide
  SECURITY_REQUEST_DATA_SIZE (only used in crate)
- use &str instead of String in serialize requests (from mattharvey@)
- add SreSerializeFailed

Change-Id: Iac1930c0b2fead0f96b87da5d116280865031be2
GitOrigin-RevId: 37df6cd1969b3be2628e2e34f3de8fd129fdbc1b
2022-10-06 18:13:49 +00:00
Sam Leffler
02dc75cb43 Merge "SecurityCoordinator: cleanup interface (part 1)"
GitOrigin-RevId: bb5f089cdd9edac2b5d310439adbd9d3948ac858
2022-10-06 18:13:40 +00:00
Sam Leffler
bf19c88ccf Merge "Add StorageManager skeleton."
GitOrigin-RevId: e776e3c357ca54ad3b74212176da8a4ebc16b372
2022-10-06 18:13:06 +00:00
Sam Leffler
0db63cfb4f Add SecurityCoordinator skeleton.
- add SecurityCoordinator component (needs mailbox support, just
  a fake which should be enabled with a feature flag)
- connect to ProcessManager & MlCoordinator
- temporarily connect to DebugConsole to enable scecho test command
- expand Bundle to hold application information (may need more elf)
- connect ProcessManager::{install, uninstall} to SecurityCoordinator
  (no application binary yet, needs global page allocator)

Notes:
- SecurityCoordinator depends on camkes for thread synchronization
- private heap is 8KB (and could possibly be less; need to tune)
- camkes interface connection uses seL4RPCOverMultiSharedData so ipc
  buffers are 4KB; the request & reply serde buffers are 2KB but could
  be near 4KB since they are used sequentially and the other params
  are a few bytes (but beware of camkes stack allocation)
- the camkes SecurityCoordinator::request rpc is defined so that the
  request param has reasonable handling but the reply param requires
  a full copy (even if only partly used); haven't found a way to
  express the desired handling

Change-Id: I686dc2d501e39bc8c27fe22db40657165a55b472
GitOrigin-RevId: db1536c241e28ddda1dc8f8da341b8c667ed6646
2022-10-06 18:12:24 +00:00
Sam Leffler
d4a369a6c3 ProcessManager: switch to serde + postcard
Replace the hand-rolled code to marshal/unmarshal bundle_id's with serde
and postcard. Postcard was selected because it works with no_std and has
api's that do not require copying.

Change-Id: I5bec725e42e5f94b4a486669f86e4aeb1322de6c
GitOrigin-RevId: b56e1d39faae0f8705c5d11a62d33db540f2d35c
2022-10-06 18:11:14 +00:00
Sam Leffler
3d2a560986 ProcessManager: correct install api and add cleanups
[NB: this is a step toward adding StorageManager]

- add app_id to Bundle to enable expanding the skeleton framework (for
  now this is filled in with the address of the pkg_buffer arg)
- change install api to follow design doc (bundle id comes from manifest)
- mark start & stop api's as needing a mutable self
- hide Bundle internals (more): do not export representation, we will
  use serde to pass it through camkes
- remove assumption hashmap of bundles corresponds to StorageManager
  contents
- use String instead of BundleId and Vec<String> instead of
  BundleIdArray in public api's (SmallVec & SmallString are impl
  artifacts now pushed down to ProcManager)
- adjust unit tests (ditch kata-proc-manager::tests as it adds nothing)

Change-Id: If3d77b031f43c0c867266dbfa66fa31e4ab67033
GitOrigin-RevId: bbadf0b0b09e7978613d57a816363079642e2a45
2022-10-06 18:04:15 +00:00
Sam Leffler
d97a78316e Misc cleanups.
- change early logging (pre kata-shell prompt) to trace level so by
  default nothing shows up unless kata-debug-console::pre_init sets
  log::set_max_level to Trace (default is Debug)
- log allocator init's in caller so log msgs identify per-component heap
  setups (all the same for now but at some point may diverge)
- shorten kata-shell prompt to "KATA> "
- remove unused camkes control's and consolidate other early work in
  pre_init and <component>__init hooks
- cargo fmt components

Change-Id: I010eb5cc5af2e379691cb2e62d82dbab32a06bc3
GitOrigin-RevId: badddf46f5ba50fa60e9cbead9f6d99d5ff3808b
2022-10-06 18:03:53 +00:00
Sam Leffler
69eefbd5c9 Change ProcessManager interfaces to return ProcessManagerError.
Propagate the ProcessManagerError enum through the
PackageManagementInterface and ProcessControlInterface so the client
has more information about why a request failed.

Change-Id: Ic2d8fcf1401edd6faff85fe821443f720d0b00c4
GitOrigin-RevId: 91d668fc56a352776803392d89aacc034cee1f1e
2022-10-06 18:01:42 +00:00
Sam Leffler
8ace3eb6f2 kata-logger: pass level through LoggerInterface and filter in DebugConsole
Components can reduce the number of rpc's if they set_max_level but by
default pass everything and let the DebugConsole decide what is logged.
With this the shell loglevel command now controls logging from all
components.

Change-Id: I72b77bbf02882ffdba0aaf0b9b88126bfd2e62a1
GitOrigin-RevId: d451e72cf67e41d6ee25ea2995098b5009cf8852
2022-10-06 18:01:22 +00:00