Setup a connection to the SDKRuntime for each application. To do this
add an SDKManager interface to the SDKRuntime for the ProcessManager to
obtain a badged endpoint and install that in each application's CNode.
SDKRuntime now rejects requests received without a registered badge.
RPC's are handled entirely in Rust (no CAmkES). ProcessManager sets up
RPC resources and delivers them to an application through registers.
The application-side SDK runtime uses the resources to marshal RPC
parameters in a page that is attached to the IPC buffer sent to the
SDKRuntime. Reply parameters are written to the shared page and decoded
on return.
Overhaul the SDKRuntime api to be like SecurityCoordinator to consolidate
parameter marhsaling/unmarshaling and to simplify adding new methods.
Rust applications use the SDKRuntime interface directly. C application
will wrap a C interface around the Rust impl (TBD).
Specific changes:
- add SDKManagerInterface
- sel4bundle now plumbs a connection to the SDKRuntime, the CNode slot
with the capability is passed to the application to future-proof CNode
setup changes (an alternative is to use a global const since we control
the application-side runtime api's)
- add kata-sdk-manager crate with SDKManager client interface support;
the only api's are get_endpoint (to get a badged endpoint to SDKRuntime),
release_endpoint (to remove a badged endpoint), and capscan (to dump
the SDKRuntime's top-level CNode)
- add "capscan sdk" in the shell to inspect the SDKRuntime service
- make SDKRuntime require a registered badge on inbound IPCs
- fill-in ping & log SDK api's
- connect ProcessManager to SDKRuntime for SDKManager api use,
everything else happens outside CAmkES
- make SDKRuntime lock against concurrent requests--the SDKManager
runs concurrently and shares SDKRuntime state
- remove kata-shell test_sdk_* commands (replaced by test applications)
Change-Id: I7810949ad0051ff8eda244e0385f662882a556e4
GitOrigin-RevId: 5fef55428e076f670cff325965047c98d84cfbca
- copy_to now take rights
- add dup_to that does a copy with all-rights preserved
- add mint_to
- add mutate_to
- change release to return any assigned slot
- fixup callers
Change-Id: I747c01d426906042e76ba00c19513eae3fa3b03c
GitOrigin-RevId: 7270785dc92ee5ef6b56d330b0076d57dc9374f8
Need to account for gaps between application segments when calculating
the index of the page frame object. This was being handled only for a
gap before the first page/segment.
Bug: 243556006
Change-Id: I0e723a58dc5e2b9c49b29aebe030a546bbe024ac
GitOrigin-RevId: 83e6cad536ffa148c434341fbefdce2dd43667ee
When a CAmkES component lacks an outbound connection to send log msgs
there will be no logger_log symbol. Use a weak ref here to handle that
without resorting to a feature or similar.
Mark logger connections as "maybe" so they are optional.
Change-Id: I6ecd939014d26a612d115741fd2ac673afa40857
GitOrigin-RevId: 0b1bf2611cbb628500cae37889c6547a996d50e9
This hello app uses the logger crate plumbed to the console. Way
bigger than the C version.
Change-Id: I7bf7e8b559fea8e045123d057412493bf7b71a24
GitOrigin-RevId: 97e12e93cc9ebfb4be021cff506417d7434b27f5
This includes adding it to TOML files and CAmkES assembly files.
Change-Id: I263e7a566df91fccc04f9b2186edab13331290c5
GitOrigin-RevId: 48a35b06ca868a0a4d379f881068cc4dad491669
* changes:
kata: LSC: rustfmt with global rustfmt.toml
kata: update global rustfmt flags
kata: Promote rustfmt.toml to all kata crates
GitOrigin-RevId: 452e66fa7231f39cff81dc2fbe37ad1a1fc62fb9
At the moment, the scheduler is wasting 50% of its time in an idle thread for
the application sandbox domain. Until we can figure out how to use these domains
more effectively, we'll reduce to a single domain.
Bug: 238811077
Change-Id: If40d01d5c94e31cc8d522dd5f906f857e363cc42
GitOrigin-RevId: 911f6fe046c61b8ce7e9ba00f8de0ec872997ec3
This updates the kernel configs to setup two domains instead of one,
and also defines a bare-bones domain scheduler that simply round-
robins through the domains.
Bug: 238811077
Change-Id: Ibb49f10265c38dc26235fc246f6147b306055bcb
GitOrigin-RevId: 6b17211d8866bec9207f78dc61c4840c6da9537d
Add support to output the contents of the top-level CNode of a CAmkES
service or KataOS application to the serial console. This is dependent
on kernel support that is enabled with CONFIG_PRINTING. Applications
must be running; otherwise there is no CSpace to dump.
Specific changes:
- add a "capscan" shell command
- add capscan method to each CAmkES interface
- add capscan_bundle method to the ProcessControlInterface
- add Camkes::capscan() to dump the top-level CNode
- add ProcessManager support to dump the CNode for a bundle
TODO: fix syscall wrapper error return
Change-Id: If6ca222decdb4c40a1d3a63e69792eb3feb30f6a
GitOrigin-RevId: 504c0182ccccf287b5d58cd8e33981c11d7539d7
Change the fake to behave as the real impl will for LoadModel &
LoadApplication: return a deep copy of the saved package contents as
would happen if the data were pulled from flash. Match this behaviour in
the kata-shell SecurityCoordinator test commands and the MlCoordinator
by taking ownership of the received objects and free'ing them when no
longer needed.
With these changes one can install a bundle and repeatedly load_application
without leaking any memory, capabilities, or slots in the toplevel CNode
of the caller (DebugConsole in this case).
Likewise doing install of a model, test_mlexecute, and then uninstall
of the model's bundle returns all resources.
Specific changes:
- correctly release resources in kata-shell load_application & load_model
- correct release of bundle_frames in seL4BundleImpl::stop
- release resources in MlCoordinator::load_model
- connect the MemoryInterface to the MlCoordinator so it can return memory
- setup two copyregions in the SecurityCoordinator to do the deep copy
- add ObjdDescBundle::cptr_iter for iterating over the set of seL4_CPtr's
- hack kata_frame_alloc_in_cnode to split requests according to the
kernel's config on the max Retype count
- while here switch test_mailbox to use one of the copyregions
TODO:
- deep_copy allocates all frames at once which requires a band-aid;
either hide that in MemoryManager or maybe allocate a page at a time
Change-Id: Ia425976b31ea7a32b1d0e4affc3a0ef9ba966c87
GitOrigin-RevId: 31d5bc99b569a5eab9c33c7e1014793bfe57161e
Move the container slot release up as it logically belongs with the
seL4BundleImpl construction. This makes clear it's unrelated to the
actual start operation.
Change-Id: Idda2a4a829fe6fae2a4d1dbe99aff495ef10b3b8
GitOrigin-RevId: ba2cdc9f4bfb54cfbeca11888bd31cd5657d0182
Add Camkes::set_request_cap to attach an seL4 capability to an outbound
ipc message. The return value is an RAII wrapper that cleans up state
and must be held until after the CAmkES rpc call completes
Change-Id: I0672c59e0b5e43e39c9ea3fb16809270a33f51ef
GitOrigin-RevId: 56be13a2c05fcc1b4a1aa5c8e0eab47bcd0f2345
In particular this exports the CAP_RELEASE flag so there is a single
source for it's definition and KataOS-specific support in the CAmkES
templates is enabled only for KataOS components.
Specific changes:
- adds cbindgen-generated CamkesBindings.h
- adds include of CamkesBindings.h in component cbindgen files
- add a dep on cbindgen.toml in all Makefiles
- update generated interface files
Change-Id: Ib6239d3ac0036b7a04bb36afccf25a05737b0e56
GitOrigin-RevId: af10117fa253f0c7c67969a5852ced9d992c6274
Move the CopyRegion support to kata-os-common. CopyRegion wraps a
CAmkES copyregion virtual memory window to support virtual access to
physical page frames. There is RAII cleanup to clear any virtual mapping.
Embedding a CopyRegion in struct that may be cloned is not recommeded
(at least for now).
Change-Id: I7fd465fafa4a5d1de9a7e565ecb62c38a3b7e81a
GitOrigin-RevId: f58e973b1c47ec05e48bfedcb9cd5e75b71c212a
Add a new "camkes" submodule that consolidates KataOS CAmkES component
integration boilerplate. Each component is expected to declare:
static mut CAMKES: Camkes = Camkes::new("ProcessManager");
and then (typically) use "pre_init" to setup the logger, heap, and the
slot allocator. More fine-grained control is provided by:
fn init_logger(self: &Cmakes, level: Log::LevelFilter);
fn init_allocator(self: &Camkes, heap: &'static mut [u8]);
fn init_slot_allocator(self: &Camkes, first_slot: seL4_CPtr, last_slot: seL4_CPtr);
When receiving capabilities use "init_recv_path" to setup the IPCBuffer
receive path and "assert_recv_path" & "check_recv_path" calls to verify
noting has clobbered the setting.
The debug_assert_slot_* macros are wrapped in Camkes:: functions and a
"top_level_path" function for constructing seL4_CPath objects. Altogether
this normally allows a component to be written without direct use of the
CAmkES global static identifiers SELF_CNODE*.
Change-Id: Ia1351e411a5355789cf74bc0fcfe0e41a418b7d4
GitOrigin-RevId: fb81a8e0687ed9321c9961410edd5dbd54093ce5
Adds an architecture-independent api for sel4-sys interfaces similar
to what libsel4 does. For example, instead of seL4_RISCV_Page_Map use
seL4_Page_Map. This is mostly aliases for common types & system calls but
also features like the Grant right implying NoExecute for seL4_Page_Map.
While here fix crate paths to sel4-sys; everything external to
kata-os-common is intended to use kata-os-common::sel4-sys.
Change-Id: I6faa07d41ffd2fbb4182bf2fa7c05a768e4368f3
GitOrigin-RevId: f51e5186b61eab541e9fb4d2d4175adcc3ca8cee
Having CSpaceSlot be a submodule of kata-slot-allocator caused an sel-4sys
dependency that broke unit tests. Split it out to it's own crate.
Change-Id: Iea531e36284b58e932eb0cbd84f90abc81823fe3
GitOrigin-RevId: 39abb4510f66cfe026b12fcacf78b429ddd8f0b5
- replace the opaque memory placeholder with MemoryManager integration
(e.g. ObjDescBundle's and BundleImage's)
- set CNode headroom so there is space to construct a 4MB application
- arrange to get capabilities for an ASIDPool, the global SchedController,
and the global DomainController for crafting new TCB's
- arrange for copregions (VSpace holes) for working with BundleImage's
and spilling arguments to the stack of a new TCB
- integrate with the slot allocator
- accept an ObjDescBundle for the pkg_contents of an install request
- add BundleImplInterface traits in suport of mocking/faking the bundle
implementation (unit tests not included)
- new error codes: ObjCapInvalid, SuspendFailed, ResumeFailed
- integrate with the kernel so TCB construction honors settings like MCS
- track kata_security_* wrapper additions
- add seL4BundleImpl (derived from kata-os-rootserver)
TODO: build+test only on RISCV32
TODO: verify seL4BundleImpl features all build at least
TODO: cleanup VSpace layout (is probably arch specific)
TODO: review+cleanup error handling (esp resources)
TODO: fault endpoints are not conencted
TODO: SDK runtime is not setup
TODO: scheduling is likely not the way we want
TODO: security eview
Change-Id: I025b008eeb8b47af2fe3894149da6576642bb8ed
GitOrigin-RevId: 539bf11739a9e756936168a9cbd3e2e2e4b0ba11
Add support for BundleImage, a file format for loading applications and
models from a bundle. BundleImage is simple, compact, and streamable,
BundleImage files are constructed with the prepare_bundle_image tool.
TODO: add compression
TODO: check crc32
Change-Id: I0770608a075cac9754a54e0bb244d75673ae1be6
GitOrigin-RevId: 368dabd3a5af19d47fe7f8084b8a0a0b57b8471d
- kata-allocator, kata-kata-logger, kata-panic, and kata-slot-allocator
are now submodules of kata-os-common
- be more consistent on use stmts (and remove unneeded deps)
- cleanup various deps on kata-panic that no longer seem to be needed
(likely due to using resolver=2)
Change-Id: I5d3f4b399e3be66c09c2f97c75d5e3053993ebdd
GitOrigin-RevId: 393e28fbb975959cba35388bab749b256cda0095
- add Makefile's to re-generate CAmkES interface defs
- move cbindgen.toml files into the interface crate(s)
Note: still need to integrate running make with the build
Change-Id: I16b3e3b831b66ad1c976402e38df6be4a126d923
GitOrigin-RevId: 78b8b9024e4acb89590410a439f121fcb1fdc996
Mark each component that depends on component.kataos.c features with a
"kataos" attribute.
Change-Id: I7e2e3f9010a7aa717d4fe3dfc2f088cbd1a66488
GitOrigin-RevId: 2967036cf4e70edc3f96d2ead45ecfe9e42fd7fa
This is a workaround for gdb complaints of the form:
Dwarf Error: Cannot find DIE at 0x5136b referenced from DIE at 0x57eed
Release builds continue to enable LTO.
BUG: 223253186
Change-Id: I137456045e842b2b93b32e0edd348ff916925c97
GitOrigin-RevId: 8ab2ab4fac615eb2a1a259a5a18aa410a4aae5fb
sel4-config is a build helper for keeping a crate's features in sync
with an seL4 kernel. sel4_config::get_sel4_features parses a gen_config.h
artifact from an seL4 build and returns the intersection of the feature
set with the features listed in the caller's Cargo.toml.
Change sel4-sys to use sel4-config to collect features (instead of
depending only on features from Cargo.toml). sel4-sys finds the directory
with kernel artifacts using an SEL4_OUT_DIR environment variable. If
that's not set it falls back to ${ROOTDIR}/out/kata/kernel.
Change workspace crates to use resolver="2" to deal with cargo's
mishandling of dependent features (target build of serde polluted by
std build-dep indirect through cargo_toml).
While here make sel4-sys fall back to ${ROOTDIR}/kata/kernel when SEL4_DIR
is not set in the environment.
Change-Id: I47cf2eab4aa8cd2e502f741738f587c222e94716
GitOrigin-RevId: b661f0b78c0bfe70861965a420d25add8a128cb7
Over-optimized the marhaling logic--we Need to convert &str's to CString's
to get the trailing \0 (same lesson learned doing StorageManager).
Change-Id: I97e8d35947dcb32989dc68f11dd422433c00aa02
GitOrigin-RevId: c775bfc3c568ee3dcae32928a422c5178495e77f
* changes:
Replace SeL4Debug with direct syscalls.
sel4-sys: fix conditional syscall numbering
sel4-sys: use target_arch &co to select target architecture
kata-os-common: add sel4-sys support for riscv32
kata-os-common: cleanup sel4-sys before bringing in local changes
kata-os-common: pristine import of sel4-sys-0.0.28 (-seL4 submodule)
GitOrigin-RevId: 36ee1d4f9e521b60fdc6b91f2581413b55882fca
This fixes a build break that happened without any intervening commit in
our repo. How that could happen is not yet pinpointed, and there has
been no increment in the minor version number of postcard for 2 months.
It appears that postcard was somehow triggering serde to use std, which
is a default feature for serde.
Change-Id: I7ed989976aa1bf75cb440c4070565452571d7306
GitOrigin-RevId: f35b7677e995e5e8245c583ca2c355a04306aea2
- low serialize of request parameters into kata_security_request
- add InstallRequest that passes the package buffer as an opaque ptr
- add EchoRequest for SecurityRequestEcho
- purge (now) unused SecurityRequestData type alias and hide
SECURITY_REQUEST_DATA_SIZE (only used in crate)
- use &str instead of String in serialize requests (from mattharvey@)
- add SreSerializeFailed
Change-Id: Iac1930c0b2fead0f96b87da5d116280865031be2
GitOrigin-RevId: 37df6cd1969b3be2628e2e34f3de8fd129fdbc1b
- add SecurityCoordinator component (needs mailbox support, just
a fake which should be enabled with a feature flag)
- connect to ProcessManager & MlCoordinator - temproarily connect
to DebugConsole to enable scecho test command
- expand Bundle to hold application information (may need more elf)
- connect ProcessManager::{install, uninstall} to SecurityCoordinator
(no application binary yet, needs global page allocator)
Notes:
- SecurityCoordinator depends on camkes for thread synchronization
- private heap is 8KB (and could possible be less; need to tune)
- camkes interface connection uses seL4RPCOverMultiSharedData so ipc
buffers are 4KB; the request & reply serde buffers are 2KB but could
be near 4KB since they are used sequentially and the other params
are a few bytes (but beware of camkes stack allocation)
- the camkes SecurityCoordinator::request rpc is defined so that the
request param has reasonable handling but the reply param requires
a full copy (even if only partly used); haven't found a way to
express the desired handling
Change-Id: I686dc2d501e39bc8c27fe22db40657165a55b472
GitOrigin-RevId: db1536c241e28ddda1dc8f8da341b8c667ed6646
Replace the hand-rolled code to marshal/unmarshal bundle_id's with serde
and postcard. Postcard was selectecd because it works with no_std and has
api's that do not require copying.
Change-Id: I5bec725e42e5f94b4a486669f86e4aeb1322de6c
GitOrigin-RevId: b56e1d39faae0f8705c5d11a62d33db540f2d35c
[NB: this is a step toward adding StorageManager]
- add app_id to Bundle to enable expanding the skeleton framework (for
now this is filled in with the address of the pkg_buffer arg)
- change install api to follow design doc (bundle id comes from manifest)
- mark start & stop api's as needing a mutable self - hide Bundle
internals (more): do not export representation, we will use serde to
pass it through camkes
- remove assumption hashmap of bundles corresponds to StorageManager
contents - use String instead of BundleId and Vec<String> instead
of BundleIdArray in public api's (SmallVec & SmallString are impl
artifacts now pushed down to ProcManager)
- adjust unit tests (ditch kata-proc-manager::tests as it adds nothing)
Change-Id: If3d77b031f43c0c867266dbfa66fa31e4ab67033
GitOrigin-RevId: bbadf0b0b09e7978613d57a816363079642e2a45
- change early logging (pre kata-shell prompt) to trace level so by
default nothing shows up unless kata-debug-console::pre_init sets
log::set_max_level to Trace (default is Debug)
- log allocator init's in caller so log msgs identify per-component heap
setups (all the same for now but at some point may diverge)
- shorten kata-shell prompt to "KATA> " - remove unused camkes control's
and consolidate other early work in pre_init and <component>__init hooks
- cargo fmt components
Change-Id: I010eb5cc5af2e379691cb2e62d82dbab32a06bc3
GitOrigin-RevId: badddf46f5ba50fa60e9cbead9f6d99d5ff3808b
Propagate the ProcessManagerError enum through the
PackageManagementInterface and ProcessControlInterface so the client
has more information about why a request failed.
Change-Id: Ic2d8fcf1401edd6faff85fe821443f720d0b00c4
GitOrigin-RevId: 91d668fc56a352776803392d89aacc034cee1f1e
Components can reduce the number of rpc's if they set_max_level but by
default pass everything and let the DebugConsole decide what is logged.
With this the shell loglevel command now controls logging from all
components.
Change-Id: I72b77bbf02882ffdba0aaf0b9b88126bfd2e62a1
GitOrigin-RevId: d451e72cf67e41d6ee25ea2995098b5009cf8852
