Commit Graph

20 Commits

Author SHA1 Message Date
Sam Leffler
d0d46c89e1 SDKRuntime: plumb application access
Set up a connection to the SDKRuntime for each application. To do this
add an SDKManager interface to the SDKRuntime for the ProcessManager to
obtain a badged endpoint and install that in each application's CNode.
SDKRuntime now rejects requests received without a registered badge.

RPCs are handled entirely in Rust (no CAmkES). ProcessManager sets up
RPC resources and delivers them to an application through registers.
The application-side SDK runtime uses the resources to marshal RPC
parameters in a page that is attached to the IPC buffer sent to the
SDKRuntime. Reply parameters are written to the shared page and decoded
on return.

Overhaul the SDKRuntime api to be like SecurityCoordinator to consolidate
parameter marshaling/unmarshaling and to simplify adding new methods.

Rust applications use the SDKRuntime interface directly. C applications
will wrap a C interface around the Rust impl (TBD).

Specific changes:
- add SDKManagerInterface
- sel4bundle now plumbs a connection to the SDKRuntime, the CNode slot
  with the capability is passed to the application to future-proof CNode
  setup changes (an alternative is to use a global const since we control
  the application-side runtime api's)
- add kata-sdk-manager crate with SDKManager client interface support;
  the only api's are get_endpoint (to get a badged endpoint to SDKRuntime),
  release_endpoint (to remove a badged endpoint), and capscan (to dump
  the SDKRuntime's top-level CNode)
- add "capscan sdk" in the shell to inspect the SDKRuntime service
- make SDKRuntime require a registered badge on inbound IPCs
- fill-in ping & log SDK api's
- connect ProcessManager to SDKRuntime for SDKManager api use,
  everything else happens outside CAmkES
- make SDKRuntime lock against concurrent requests--the SDKManager
  runs concurrently and shares SDKRuntime state
- remove kata-shell test_sdk_* commands (replaced by test applications)

Change-Id: I7810949ad0051ff8eda244e0385f662882a556e4
GitOrigin-RevId: 5fef55428e076f670cff325965047c98d84cfbca
2022-10-06 19:04:02 +00:00
Sam Leffler
601e7f5c78 kata: compile-out debug & trace log calls in release builds
Change-Id: Ibde5a49141daa67c57e24340b73b436d08e68e7a
GitOrigin-RevId: 4a77833a6cd3e16850d2e4d90b7e7ed916770b50
2022-10-06 19:00:28 +00:00
June Tate-Gans
1a068b0143 kata: Prepend the Google copyright and Apache 2.0 license
This includes adding it to TOML files and CAmkES assembly files.

Change-Id: I263e7a566df91fccc04f9b2186edab13331290c5
GitOrigin-RevId: 48a35b06ca868a0a4d379f881068cc4dad491669
2022-10-06 18:59:16 +00:00
Cindy Liu
50cd809320 Merge changes If949288d,I9849065a,I121edee2
* changes:
  kata: LSC: rustfmt with global rustfmt.toml
  kata: update global rustfmt flags
  kata: Promote rustfmt.toml to all kata crates

GitOrigin-RevId: 452e66fa7231f39cff81dc2fbe37ad1a1fc62fb9
2022-10-06 18:57:32 +00:00
Sam Leffler
ce1543c466 kata: rustfmt
Change-Id: I1edc1d0aa241983fb9336d9bd7e42f2dfa362a15
GitOrigin-RevId: 1a10df3451ce2dfb7d54c6553cfa5d237bf96431
2022-10-06 18:56:15 +00:00
Sam Leffler
05233af12c Add capscan support.
Add support to output the contents of the top-level CNode of a CAmkES
service or KataOS application to the serial console. This is dependent
on kernel support that is enabled with CONFIG_PRINTING. Applications
must be running; otherwise there is no CSpace to dump.

Specific changes:
- add a "capscan" shell command
- add capscan method to each CAmkES interface
- add capscan_bundle method to the ProcessControlInterface
- add Camkes::capscan() to dump the top-level CNode
- add ProcessManager support to dump the CNode for a bundle

TODO: fix syscall wrapper error return

Change-Id: If6ca222decdb4c40a1d3a63e69792eb3feb30f6a
GitOrigin-RevId: 504c0182ccccf287b5d58cd8e33981c11d7539d7
2022-10-06 18:56:08 +00:00
Cindy Liu
c9f36f4da8 Merge "Changes for updating the toolchain to nightly-1.58.0"
GitOrigin-RevId: 6eadbd3c3652d88b3079635f2649b43e370fe4bd
2022-10-06 18:54:11 +00:00
Sam Leffler
ddacc3762e Add kata-os-common::camkes support.
Add a new "camkes" submodule that consolidates KataOS CAmkES component
integration boilerplate. Each component is expected to declare:

static mut CAMKES: Camkes = Camkes::new("ProcessManager");

and then (typically) use "pre_init" to set up the logger, heap, and the
slot allocator. More fine-grained control is provided by:

fn init_logger(self: &Camkes, level: log::LevelFilter);
fn init_allocator(self: &Camkes, heap: &'static mut [u8]);
fn init_slot_allocator(self: &Camkes, first_slot: seL4_CPtr, last_slot: seL4_CPtr);

When receiving capabilities use "init_recv_path" to set up the IPCBuffer
receive path and "assert_recv_path" & "check_recv_path" calls to verify
nothing has clobbered the setting.

The debug_assert_slot_* macros are wrapped in Camkes:: functions and a
"top_level_path" function for constructing seL4_CPath objects. Altogether
this normally allows a component to be written without direct use of the
CAmkES global static identifiers SELF_CNODE*.

Change-Id: Ia1351e411a5355789cf74bc0fcfe0e41a418b7d4
GitOrigin-RevId: fb81a8e0687ed9321c9961410edd5dbd54093ce5
2022-10-06 18:48:10 +00:00
Sam Leffler
34b8067a2d ProcessManager: clippy findings
Change-Id: I9cc9044399cc8c74803484100743f156cfacf4d3
GitOrigin-RevId: e4a95dde642e5ea2660d2eb8f1a6fd8a18bcc443
2022-10-06 18:46:15 +00:00
Sam Leffler
43d921eb53 ProcessManager: first cut at proper seL4 support
- replace the opaque memory placeholder with MemoryManager integration
  (e.g. ObjDescBundle's and BundleImage's)
- set CNode headroom so there is space to construct a 4MB application
- arrange to get capabilities for an ASIDPool, the global SchedController,
  and the global DomainController for crafting new TCB's
- arrange for copregions (VSpace holes) for working with BundleImage's
  and spilling arguments to the stack of a new TCB
- integrate with the slot allocator
- accept an ObjDescBundle for the pkg_contents of an install request
- add BundleImplInterface traits in support of mocking/faking the bundle
  implementation (unit tests not included)
- new error codes: ObjCapInvalid, SuspendFailed, ResumeFailed
- integrate with the kernel so TCB construction honors settings like MCS
- track kata_security_* wrapper additions
- add seL4BundleImpl (derived from kata-os-rootserver)

TODO: build+test only on RISCV32
TODO: verify seL4BundleImpl features all build at least
TODO: cleanup VSpace layout (is probably arch specific)
TODO: review+cleanup error handling (esp resources)
TODO: fault endpoints are not connected
TODO: SDK runtime is not setup
TODO: scheduling is likely not the way we want
TODO: security review

Change-Id: I025b008eeb8b47af2fe3894149da6576642bb8ed
GitOrigin-RevId: 539bf11739a9e756936168a9cbd3e2e2e4b0ba11
2022-10-06 18:44:45 +00:00
June Tate-Gans
57a4ee2f13 cargo: Bump to 2021 edition
Change-Id: Icb2deaff58da7f92970d8f57f7853349769323f5
GitOrigin-RevId: f8303df543a9d84c066b9a4a1bd1c0239eb75857
2022-10-06 18:42:30 +00:00
Sam Leffler
9188a29bd4 Move common crates to kata-os-common and shorten names.
- kata-allocator, kata-kata-logger, kata-panic, and kata-slot-allocator
  are now submodules of kata-os-common
- be more consistent on use stmts (and remove unneeded deps)
- cleanup various deps on kata-panic that no longer seem to be needed
  (likely due to using resolver=2)

Change-Id: I5d3f4b399e3be66c09c2f97c75d5e3053993ebdd
GitOrigin-RevId: 393e28fbb975959cba35388bab749b256cda0095
2022-10-06 18:42:22 +00:00
Sam Leffler
5929f8c932 ProcessManager: cleanup interfaces
- kata-proc-common =>'s kata-proc-interface
- use explicit import's
- add kata_proc_* & kata_pkg_* stub wrappers to hide C calls
- hide RAW_BUNDLE_ID_DATA_SIZE, not needed after stub additions
- add From traits to cleanup return handling
- narrow unsafe blocks

Note: removed some less-useful trace calls to enable ?-op usage

Change-Id: Iefe704654f5d286648c94c13a88573baaa434ecb
GitOrigin-RevId: 1639da7ea59653c1d1d22a9c1dab9c05aaf409df
2022-10-06 18:31:11 +00:00
Matt Harvey
5c3a68f7ac Sets default-features = false for postcard
This fixes a build break that happened without any intervening commit in
our repo. How that could happen is not yet pinpointed, and there has
been no increment in the minor version number of postcard for 2 months.

It appears that postcard was somehow triggering serde to use std, which
is a default feature for serde.

Change-Id: I7ed989976aa1bf75cb440c4070565452571d7306
GitOrigin-RevId: f35b7677e995e5e8245c583ca2c355a04306aea2
2022-10-06 18:13:57 +00:00
Sam Leffler
d4a369a6c3 ProcessManager: switch to serde + postcard
Replace the hand-rolled code to marshal/unmarshal bundle_id's with serde
and postcard. Postcard was selected because it works with no_std and has
api's that do not require copying.

Change-Id: I5bec725e42e5f94b4a486669f86e4aeb1322de6c
GitOrigin-RevId: b56e1d39faae0f8705c5d11a62d33db540f2d35c
2022-10-06 18:11:14 +00:00
Sam Leffler
3d2a560986 ProcessManager: correct install api and add cleanups
[NB: this is a step toward adding StorageManager]

- add app_id to Bundle to enable expanding the skeleton framework (for
  now this is filled in with the address of the pkg_buffer arg)
- change install api to follow design doc (bundle id comes from manifest)
- mark start & stop api's as needing a mutable self
- hide Bundle internals (more): do not export representation, we will
  use serde to pass it through camkes
- remove assumption hashmap of bundles corresponds to StorageManager
  contents
- use String instead of BundleId and Vec<String> instead of BundleIdArray
  in public api's (SmallVec & SmallString are impl artifacts now pushed
  down to ProcManager)
- adjust unit tests (ditch kata-proc-manager::tests as it adds nothing)

Change-Id: If3d77b031f43c0c867266dbfa66fa31e4ab67033
GitOrigin-RevId: bbadf0b0b09e7978613d57a816363079642e2a45
2022-10-06 18:04:15 +00:00
Sam Leffler
d97a78316e Misc cleanups.
- change early logging (pre kata-shell prompt) to trace level so by
  default nothing shows up unless kata-debug-console::pre_init sets
  log::set_max_level to Trace (default is Debug)
- log allocator init's in caller so log msgs identify per-component heap
  setups (all the same for now but at some point may diverge)
- shorten kata-shell prompt to "KATA> "
- remove unused camkes control's and consolidate other early work in
  pre_init and <component>__init hooks
- cargo fmt components

Change-Id: I010eb5cc5af2e379691cb2e62d82dbab32a06bc3
GitOrigin-RevId: badddf46f5ba50fa60e9cbead9f6d99d5ff3808b
2022-10-06 18:03:53 +00:00
Sam Leffler
69eefbd5c9 Change ProcessManager interfaces to return ProcessManagerError.
Propagate the ProcessManagerError enum through the
PackageManagementInterface and ProcessControlInterface so the client
has more information about why a request failed.

Change-Id: Ic2d8fcf1401edd6faff85fe821443f720d0b00c4
GitOrigin-RevId: 91d668fc56a352776803392d89aacc034cee1f1e
2022-10-06 18:01:42 +00:00
Sam Leffler
8ace3eb6f2 kata-logger: pass level through LoggerInterface and filter in DebugConsole
Components can reduce the number of rpc's if they set_max_level but by
default pass everything and let the DebugConsole decide what is logged.
With this the shell loglevel command now controls logging from all
components.

Change-Id: I72b77bbf02882ffdba0aaf0b9b88126bfd2e62a1
GitOrigin-RevId: d451e72cf67e41d6ee25ea2995098b5009cf8852
2022-10-06 18:01:22 +00:00
Sam Leffler
b9e209b008 Overhaul ProcessManager support.
- Split support into three levels:
  o kata_proc_manager::process_manager is a single-threaded implementation
    of ProcessManagerInterface and PackageManagerInterface that uses an
    abstract manager interface to carry out low-level work (used mainly
    to inject fakes for unit testing).
  o kata_proc_manager is a thread-safe wrapper around process_manager that
    has the manager interfaces bound to KataOS; this is the level at which
    we integrate with external components.
  o kata_proc_component is the top-level glue code for the ProcessManager
    camkes component; it has a pre_init function to set up rust support
    (logger, allocator, etc), a run function for the component's control
    block, and wrapper functions for the camkes ProcessControl and
    PackageManagement interfaces.
- Add install, uninstall, start, stop, and bundles shell commands for
  exercising ProcessControlInterface & PackageManagementInterface.

Specifics:
- Bundle id's are now treated internally as SmallString's with &str
  used for passing bundle id's through api's. The BundleId type is
  temporarily used for get_running_bundles() to return information (but
  see below about RawBundleIdData).
- ArrayVec's are replaced with a hashbrown::HashMap
- Bundle objects are Box'd instead of holding refs (now that we have an
  allocator); this eliminates lifetime constraints.
- The manager interface is Box'd to eliminate lifetime constraints.
- Purge ProcessManager::empty(), it's infeasible with the hashmap and
  is not needed with kata_proc_manager support for static decls.
- Add RawBundleIdData support for serialize+deserialize of BundleIdArray;
  no more leaking internal data types to client code.
- Remove bounds check on #bundles recorded; set a nominal capacity
  and fallback to dynamic allocation of the hashmap.
- Manually update ProcessManagerBindings.h (using cbindgen).

Change-Id: I08deaecc997ea96cb794808036540bedd58b3fa4
GitOrigin-RevId: 6e0826940b43b1295d39769b57812a9494b5a4cb
2022-10-06 17:59:52 +00:00