logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Status-update-October-2022.md (7000B)

    

  1. ---
  2. title: Status update, October 2022
  3. date: 2022-10-15
  4. ---
  6. After a few busy and stressful months, I decided to set aside October to rest.
  7. Of course, for me, rest does not mean a cessation of programming, but rather a
  8. shift in priorities towards more fun and experimental projects. Consequently, it
  9. has been a great month for Helios!
  11. Hare upstream has enjoyed some minor improvements, such as from Pierre Curto's
  12. patch to support parsing IPv6 addresses with a port (e.g. "[::1]:80") and Kirill
  13. Primak's improvements to the UTF-8 decoder. On the whole, improvements have been
  14. conservative. However, queued up for integration once qbe upstream support is
  15. merged is support for @threadlocal variables, which are useful for Helios and for
  16. ABI compatibility with C. I also drafted up a proof-of-concept for @inline
  17. functions, but it still needs work.
  19. Now for the main event: Helios. The large-scale redesign and refactoring I
  20. mentioned in the previous status update is essentially complete, and the kernel
  21. reached (and exceeded) feature parity with the previous status quo. Since Helios
  22. has been my primary focus for the past couple of weeks, I have a lot of news to
  23. share about it.
  25. First, I got back into userspace a few days after the last status update, and
  26. shortly thereafter implemented a new scheduler. I then began to rework the
  27. userspace API (uapi) in the kernel, which differs substantially from its prior
  28. incarnation. The kernel object implementations present themselves as a library
  29. for kernel use, and the new uapi module handles all interactions with this
  30. module from userspace, providing a nice separation of concerns. The uapi module
  31. handles more than syscalls now — it also implements send/recv for kernel
  32. objects, for instance. As of a few days ago, uapi also supports delivering
  33. faults to userspace supervisor processes:
  35. ![A screenshot of a thread on Helios causing a page fault, then its parent
  36. thread receives details of the fault and maps a page onto the address of the
  37. attempted write. The child thread is resumed and is surprised to find that the
  38. write succeeded (because a page was mapped underneath the write).](https://l.sr.ht/YvMX.png)
  40. ```hare
  41. @test fn task::pagefault() void = {
  42. 	const fault = helios::newendpoint()!;
  43. 	defer helios::destroy(fault)!;
  45. 	const thread = threads::new(&_task_pagefault)!;
  46. 	threads::set_fault(thread, fault)!;
  47. 	threads::start(thread)!;
  49. 	const fault = helios::recv_fault(fault);
  50. 	assert(fault.addr == 0x100);
  52. 	const page = helios::newpage()!;
  53. 	defer helios::destroy(page)!;
  54. 	helios::map(rt::vspace, 0, map_flags::W | map_flags::FIXED, page)!;
  56. 	threads::resume(thread)!;
  57. 	threads::join(thread)!;
  58. };
  60. fn _task_pagefault() void = {
  61. 	let ptr: *int = 0x100: uintptr: *int;
  62. 	*ptr = 1337;
  63. 	assert(*ptr == 1337);
  64. };
  65. ```
  67. The new userspace threading API is much improved over the hack job in the
  68. earlier design. It supports TLS and many typical threading operations, such as
  69. join and detach. This API exists mainly for testing the kernel via Vulcan, and
  70. is not anticipated to see much use beyond this (though I will implement pthreads
  71. for the POSIX C environment at some point). For more details, see [this blog
  72. post][0]. Alongside this and other userspace libraries, Vulcan has been fleshed
  73. out into a kernel test suite once again, which I have been frequently testing on
  74. real hardware:
  76. [0]: https://drewdevault.com/2022/10/02/Kernel-hacking-with-Hare-part-2.html
  78. ![A picture of a laptop showing 15 passing kernel tests](https://l.sr.ht/RMAS.jpg)
  80. [Here's an ISO](https://l.sr.ht/NwsO.iso) you can boot on your own x86\_64
  81. hardware to see if it works for you, too. If you have problems, take a picture
  82. of the issue, boot Linux and [email me](mailto:sir@cmpwn.com) said picture, the
  83. output of lscpu, and any other details you deem relevant.
  85. The kernel now supports automatic capability address allocation, which is a
  86. marked improvement over seL4. The new physical page allocator is also much
  87. improved, as it supports allocation and freeing and can either allocate pages
  88. sparsely or continuously depending on the need. Mapping these pages in userspace
  89. was also much improved, with a better design of the userspace virtual memory map
  90. and a better heap, complete with a (partial) implementation of mmap.
  92. I have also broken ground on the next component of the OS, [Mercury][1], which
  93. provides a more complete userspace environment for writing drivers. It has a
  94. simple tar-based initramfs based on Hare's format::tar implementation, which I
  95. wrote in June for this purpose. It can load ELF files from this tarball into new
  96. processes, and implements some extensions that are useful for driver loading.
  97. Consequently, the first Mercury driver is up and running:
  99. [1]: https://git.sr.ht/~sircmpwn/mercury
  101. ![Demo of a working serial driver](https://l.sr.ht/PKZ6.png)
  103. This driver includes a simple driver manifest, which is embedded into its ELF
  104. file and processed by the driver loader to declaratively specify the
  105. capabilities it needs:
  107. ```hare
  108. [driver]
  109. name=pcserial
  110. desc=Serial driver for x86_64 PCs
  112. [cspace]
  113. radix=12
  115. [capabilities]
  116. 0:endpoint =
  117. 1:ioport = min=3F8, max=400
  118. 2:ioport = min=2E8, max=2F0
  119. 3:note = 
  120. 4:irq = irq=3, note=3
  121. 5:irq = irq=4, note=3
  122. ```
  124. The driver loader prepares capabilities for the COM1 and COM2 I/O ports, as well
  125. as IRQ handlers for IRQ 3 and 4, based on this manifest, then loads them into
  126. the capability table for the driver process. The driver is sandboxed very
  127. effectively by this: it can *only* use these capabilities. It cannot allocate
  128. memory, modify its address space, or even destroy any of these capabilities. If
  129. a bad actor was on the other end of the serial port and exploited a bug, the
  130. worst thing it could do is crash the serial driver, which would then be rebooted
  131. by the supervisor. On Linux and other monolithic kernels like it, exploiting the
  132. serial driver compromises the entire operating system.
  134. The resulting serial driver implementation is pretty small and straightforward,
  135. [if you'd like to have a look][2].
  137. [2]: https://git.sr.ht/~sircmpwn/mercury/tree/master/item/drivers/x86_64/serial
  139. This manifest format will be expanded in the future for additional kinds of
  140. drivers, such as with details specific to each bus (i.e. PCI vendor information
  141. or USB details), and will also have details for device trees when RISC-V and
  142. ARM support (the former is already underway) are brought upstream.
  144. Next steps are to implement an I/O abstraction on top of IPC endpoints, which
  145. first requires call & reply support — the latter was implemented last
  146. night and requires additional testing. Following this, I plan on writing a
  147. getty-equivalent which utilizes this serial driver, and a future VGA terminal
  148. driver, to provide an environment in which a shell can be run. Then I'll
  149. implement a ramfs to host commands for the shell to run, and we'll really be
  150. cookin' at that point. Disk drivers and filesystem drivers will be next.
  152. That's all for now. Quite a lot of progress! I'll see you next time.