Setup a connection to the SDKRuntime for each application. To do this
add an SDKManager interface to the SDKRuntime for the ProcessManager to
obtain a badged endpoint and install that in each application's CNode.
SDKRuntime now rejects requests received without a registered badge.
RPC's are handled entirely in Rust (no CAmkES). ProcessManager sets up
RPC resources and delivers them to an application through registers.
The application-side SDK runtime uses the resources to marshal RPC
parameters in a page that is attached to the IPC buffer sent to the
SDKRuntime. Reply parameters are written to the shared page and decoded
on return.
Overhaul the SDKRuntime api to be like SecurityCoordinator to consolidate
parameter marhsaling/unmarshaling and to simplify adding new methods.
Rust applications use the SDKRuntime interface directly. C application
will wrap a C interface around the Rust impl (TBD).
Specific changes:
- add SDKManagerInterface
- sel4bundle now plumbs a connection to the SDKRuntime, the CNode slot
with the capability is passed to the application to future-proof CNode
setup changes (an alternative is to use a global const since we control
the application-side runtime api's)
- add kata-sdk-manager crate with SDKManager client interface support;
the only api's are get_endpoint (to get a badged endpoint to SDKRuntime),
release_endpoint (to remove a badged endpoint), and capscan (to dump
the SDKRuntime's top-level CNode)
- add "capscan sdk" in the shell to inspect the SDKRuntime service
- make SDKRuntime require a registered badge on inbound IPCs
- fill-in ping & log SDK api's
- connect ProcessManager to SDKRuntime for SDKManager api use,
everything else happens outside CAmkES
- make SDKRuntime lock against concurrent requests--the SDKManager
runs concurrently and shares SDKRuntime state
- remove kata-shell test_sdk_* commands (replaced by test applications)
Change-Id: I7810949ad0051ff8eda244e0385f662882a556e4
GitOrigin-RevId: 5fef55428e076f670cff325965047c98d84cfbca
- copy_to now take rights
- add dup_to that does a copy with all-rights preserved
- add mint_to
- add mutate_to
- change release to return any assigned slot
- fixup callers
Change-Id: I747c01d426906042e76ba00c19513eae3fa3b03c
GitOrigin-RevId: 7270785dc92ee5ef6b56d330b0076d57dc9374f8
Need to account for gaps between application segments when calculating
the index of the page frame object. This was being handled only for a
gap before the first page/segment.
Bug: 243556006
Change-Id: I0e723a58dc5e2b9c49b29aebe030a546bbe024ac
GitOrigin-RevId: 83e6cad536ffa148c434341fbefdce2dd43667ee
This hello app uses the logger crate plumbed to the console. Way
bigger than the C version.
Change-Id: I7bf7e8b559fea8e045123d057412493bf7b71a24
GitOrigin-RevId: 97e12e93cc9ebfb4be021cff506417d7434b27f5
This includes adding it to TOML files and CAmkES assembly files.
Change-Id: I263e7a566df91fccc04f9b2186edab13331290c5
GitOrigin-RevId: 48a35b06ca868a0a4d379f881068cc4dad491669
* changes:
kata: LSC: rustfmt with global rustfmt.toml
kata: update global rustfmt flags
kata: Promote rustfmt.toml to all kata crates
GitOrigin-RevId: 452e66fa7231f39cff81dc2fbe37ad1a1fc62fb9
At the moment, the scheduler is wasting 50% of its time in an idle thread for
the application sandbox domain. Until we can figure out how to use these domains
more effectively, we'll reduce to a single domain.
Bug: 238811077
Change-Id: If40d01d5c94e31cc8d522dd5f906f857e363cc42
GitOrigin-RevId: 911f6fe046c61b8ce7e9ba00f8de0ec872997ec3
This updates the kernel configs to setup two domains instead of one,
and also defines a bare-bones domain scheduler that simply round-
robins through the domains.
Bug: 238811077
Change-Id: Ibb49f10265c38dc26235fc246f6147b306055bcb
GitOrigin-RevId: 6b17211d8866bec9207f78dc61c4840c6da9537d
Add support to output the contents of the top-level CNode of a CAmkES
service or KataOS application to the serial console. This is dependent
on kernel support that is enabled with CONFIG_PRINTING. Applications
must be running; otherwise there is no CSpace to dump.
Specific changes:
- add a "capscan" shell command
- add capscan method to each CAmkES interface
- add capscan_bundle method to the ProcessControlInterface
- add Camkes::capscan() to dump the top-level CNode
- add ProcessManager support to dump the CNode for a bundle
TODO: fix syscall wrapper error return
Change-Id: If6ca222decdb4c40a1d3a63e69792eb3feb30f6a
GitOrigin-RevId: 504c0182ccccf287b5d58cd8e33981c11d7539d7
Change the fake to behave as the real impl will for LoadModel &
LoadApplication: return a deep copy of the saved package contents as
would happen if the data were pulled from flash. Match this behaviour in
the kata-shell SecurityCoordinator test commands and the MlCoordinator
by taking ownership of the received objects and free'ing them when no
longer needed.
With these changes one can install a bundle and repeatedly load_application
without leaking any memory, capabilities, or slots in the toplevel CNode
of the caller (DebugConsole in this case).
Likewise doing install of a model, test_mlexecute, and then uninstall
of the model's bundle returns all resources.
Specific changes:
- correctly release resources in kata-shell load_application & load_model
- correct release of bundle_frames in seL4BundleImpl::stop
- release resources in MlCoordinator::load_model
- connect the MemoryInterface to the MlCoordinator so it can return memory
- setup two copyregions in the SecurityCoordinator to do the deep copy
- add ObjdDescBundle::cptr_iter for iterating over the set of seL4_CPtr's
- hack kata_frame_alloc_in_cnode to split requests according to the
kernel's config on the max Retype count
- while here switch test_mailbox to use one of the copyregions
TODO:
- deep_copy allocates all frames at once which requires a band-aid;
either hide that in MemoryManager or maybe allocate a page at a time
Change-Id: Ia425976b31ea7a32b1d0e4affc3a0ef9ba966c87
GitOrigin-RevId: 31d5bc99b569a5eab9c33c7e1014793bfe57161e
Move the container slot release up as it logically belongs with the
seL4BundleImpl construction. This makes clear it's unrelated to the
actual start operation.
Change-Id: Idda2a4a829fe6fae2a4d1dbe99aff495ef10b3b8
GitOrigin-RevId: ba2cdc9f4bfb54cfbeca11888bd31cd5657d0182
Move the CopyRegion support to kata-os-common. CopyRegion wraps a
CAmkES copyregion virtual memory window to support virtual access to
physical page frames. There is RAII cleanup to clear any virtual mapping.
Embedding a CopyRegion in struct that may be cloned is not recommeded
(at least for now).
Change-Id: I7fd465fafa4a5d1de9a7e565ecb62c38a3b7e81a
GitOrigin-RevId: f58e973b1c47ec05e48bfedcb9cd5e75b71c212a
Adds an architecture-independent api for sel4-sys interfaces similar
to what libsel4 does. For example, instead of seL4_RISCV_Page_Map use
seL4_Page_Map. This is mostly aliases for common types & system calls but
also features like the Grant right implying NoExecute for seL4_Page_Map.
While here fix crate paths to sel4-sys; everything external to
kata-os-common is intended to use kata-os-common::sel4-sys.
Change-Id: I6faa07d41ffd2fbb4182bf2fa7c05a768e4368f3
GitOrigin-RevId: f51e5186b61eab541e9fb4d2d4175adcc3ca8cee
Having CSpaceSlot be a submodule of kata-slot-allocator caused an sel-4sys
dependency that broke unit tests. Split it out to it's own crate.
Change-Id: Iea531e36284b58e932eb0cbd84f90abc81823fe3
GitOrigin-RevId: 39abb4510f66cfe026b12fcacf78b429ddd8f0b5
- replace the opaque memory placeholder with MemoryManager integration
(e.g. ObjDescBundle's and BundleImage's)
- set CNode headroom so there is space to construct a 4MB application
- arrange to get capabilities for an ASIDPool, the global SchedController,
and the global DomainController for crafting new TCB's
- arrange for copregions (VSpace holes) for working with BundleImage's
and spilling arguments to the stack of a new TCB
- integrate with the slot allocator
- accept an ObjDescBundle for the pkg_contents of an install request
- add BundleImplInterface traits in suport of mocking/faking the bundle
implementation (unit tests not included)
- new error codes: ObjCapInvalid, SuspendFailed, ResumeFailed
- integrate with the kernel so TCB construction honors settings like MCS
- track kata_security_* wrapper additions
- add seL4BundleImpl (derived from kata-os-rootserver)
TODO: build+test only on RISCV32
TODO: verify seL4BundleImpl features all build at least
TODO: cleanup VSpace layout (is probably arch specific)
TODO: review+cleanup error handling (esp resources)
TODO: fault endpoints are not conencted
TODO: SDK runtime is not setup
TODO: scheduling is likely not the way we want
TODO: security eview
Change-Id: I025b008eeb8b47af2fe3894149da6576642bb8ed
GitOrigin-RevId: 539bf11739a9e756936168a9cbd3e2e2e4b0ba11
This fixes a build break that happened without any intervening commit in
our repo. How that could happen is not yet pinpointed, and there has
been no increment in the minor version number of postcard for 2 months.
It appears that postcard was somehow triggering serde to use std, which
is a default feature for serde.
Change-Id: I7ed989976aa1bf75cb440c4070565452571d7306
GitOrigin-RevId: f35b7677e995e5e8245c583ca2c355a04306aea2
- low serialize of request parameters into kata_security_request
- add InstallRequest that passes the package buffer as an opaque ptr
- add EchoRequest for SecurityRequestEcho
- purge (now) unused SecurityRequestData type alias and hide
SECURITY_REQUEST_DATA_SIZE (only used in crate)
- use &str instead of String in serialize requests (from mattharvey@)
- add SreSerializeFailed
Change-Id: Iac1930c0b2fead0f96b87da5d116280865031be2
GitOrigin-RevId: 37df6cd1969b3be2628e2e34f3de8fd129fdbc1b
- add SecurityCoordinator component (needs mailbox support, just
a fake which should be enabled with a feature flag)
- connect to ProcessManager & MlCoordinator - temproarily connect
to DebugConsole to enable scecho test command
- expand Bundle to hold application information (may need more elf)
- connect ProcessManager::{install, uninstall} to SecurityCoordinator
(no application binary yet, needs global page allocator)
Notes:
- SecurityCoordinator depends on camkes for thread synchronization
- private heap is 8KB (and could possible be less; need to tune)
- camkes interface connection uses seL4RPCOverMultiSharedData so ipc
buffers are 4KB; the request & reply serde buffers are 2KB but could
be near 4KB since they are used sequentially and the other params
are a few bytes (but beware of camkes stack allocation)
- the camkes SecurityCoordinator::request rpc is defined so that the
request param has reasonable handling but the reply param requires
a full copy (even if only partly used); haven't found a way to
express the desired handling
Change-Id: I686dc2d501e39bc8c27fe22db40657165a55b472
GitOrigin-RevId: db1536c241e28ddda1dc8f8da341b8c667ed6646
Replace the hand-rolled code to marshal/unmarshal bundle_id's with serde
and postcard. Postcard was selectecd because it works with no_std and has
api's that do not require copying.
Change-Id: I5bec725e42e5f94b4a486669f86e4aeb1322de6c
GitOrigin-RevId: b56e1d39faae0f8705c5d11a62d33db540f2d35c
[NB: this is a step toward adding StorageManager]
- add app_id to Bundle to enable expanding the skeleton framework (for
now this is filled in with the address of the pkg_buffer arg)
- change install api to follow design doc (bundle id comes from manifest)
- mark start & stop api's as needing a mutable self - hide Bundle
internals (more): do not export representation, we will use serde to
pass it through camkes
- remove assumption hashmap of bundles corresponds to StorageManager
contents - use String instead of BundleId and Vec<String> instead
of BundleIdArray in public api's (SmallVec & SmallString are impl
artifacts now pushed down to ProcManager)
- adjust unit tests (ditch kata-proc-manager::tests as it adds nothing)
Change-Id: If3d77b031f43c0c867266dbfa66fa31e4ab67033
GitOrigin-RevId: bbadf0b0b09e7978613d57a816363079642e2a45
- Split support into three levels:
o kata_proc_manager::process_manager is a single-threaded implementation
of ProcessManagerInterface and PackageManagerInterface that uses an
abstract manager interface to carry out low-level work (used mainly
to inject fakes for unit testing).
o kata_proc_manager is a thread-safe wrapper around process_manager that
has the manager interfaces bound to KataOS; this is the level at which
we integrate with external components.
o kata_proc_component is the top-level glue code for the ProcessManager
camkes component; it has a pre_init function to setup rust support
(logger, allocator, etc), a run function for the component's control
block, and wrapper functions for the camkes ProcessControl and
PackageManagement interfaces.
- Add install, uninstall, start, stop, and bundles shell commands for
exercising ProcessControlInterface & PackageManagementInterface.
Specifics:
- Bundle id's are now treated internally as SmallString's with &str
used for passing bundle id's through api's. The BundleId type is
temporarily used for get_running_bundles() to return information (but
see below about RawBundleIdData).
- ArrayVec's are replaced with a hashbrown::HashMap
- Bundle objects are Box'd instead of holding refs (now that we have an
allocator); this eliminates lifetime constraints.
- The manager interface is Box'd to eliminate lifetime constraints.
- Purge ProcessManager::empty(), it's infeasible with the hashmap and
is not needed with kata_proc_manager support for static decls.
- Add RawBundleIdData support for serialize+deserialize of BundleIdArray;
no more leaking internal data types to client code.
- Remove bounds check on #bundles recorded; set a nominal capacity
and fallback to dynamic allocation of the hashmap.
- Manually update ProcessManagerBindings.h (using cbindgen).
Change-Id: I08deaecc997ea96cb794808036540bedd58b3fa4
GitOrigin-RevId: 6e0826940b43b1295d39769b57812a9494b5a4cb
Replace LockedHeap with a purpose-built equivalent. This works around
issues where rust_oom was undefined for certain build configs and
facilitates future sel4 integration (e.g. to use dynamically allocated
memory instead of bss).
Change-Id: I54f779ef794104ad1ae95590812d1cd49b4a3734
GitOrigin-RevId: 83474c02e6b6957946fbca4a9aa090bf3c4dbfdc
- add a linked_list_allocator::LockedHeap instance to each component that
might want to allocate memory and init the allocator with a fixed-size
memory block in the component post_init hook
- add an alloc_test shell command that exercises the allocator
This does not dynamically add memory or support sharing memory between
components; this is an intermediate step to simplify bringing in crates
that want to allocate memory (e.g. hashbrown)..
Change-Id: Idaf11fb5d4999218c75bf932133df24de35e3053
GitOrigin-RevId: 7c9b14bf9463239ce030c374b58a140f0835759e
- new ProcessManager component (aka kata-process-manager)
NB: interfaces/ProcessManagerBindings.h is manually generated by cbindgen
for the moment; e.g.
cargo install cbindgen;
cd components/ProcessManager; cbindgen -c cbindgen.toml \
-o ../../interfaces/ProcessManagerBindings.h kata-proc-common
Change-Id: I153c6b193c6ba8e376b87a2563dc8543753f0b42
GitOrigin-RevId: 18c354f14cbec6ce01c020136fe9aefd88248ee9
