redox-os issues
https://gitlab.redox-os.org/groups/redox-os/-/issues
Updated: 2023-06-25T21:32:00Z

Cannot use spin >= 0.9.2
https://gitlab.redox-os.org/redox-os/kernel/-/issues/126
Updated: 2023-06-25T21:32:00Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

Spin 0.9.2 relaxed memory orderings for Once from SeqCst (I wrote that code) to Acquire/Release, and for some reason this causes unpredictable errors in the kernel. This is most likely the result of UB somewhere in the kernel.

Strict pointer provenance
https://gitlab.redox-os.org/redox-os/syscall/-/issues/33
Updated: 2023-06-27T08:50:59Z
Author: niluxv

Much of the current API violates [strict provenance](https://github.com/rust-lang/rust/issues/95228), for example `syscall::call::fmap` returning a `usize` instead of a pointer. Changing this would obviously be a breaking change, but good to keep in mind for the next semver-breaking version bump (i.e. `0.4.0`).

rsync is required
https://gitlab.redox-os.org/redox-os/redoxer/-/issues/9
Updated: 2023-06-19T03:38:47Z
Author: the ssd

Check if rsync is installed

Guarantee L1TF immunity
https://gitlab.redox-os.org/redox-os/rmm/-/issues/3
Updated: 2023-06-14T10:14:43Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

L1TF is unconditionally handled on Linux by inverting address bits if PRESENT is cleared. On FreeBSD, it is handled by always reserving page zero, and ensuring the address bits are zeroed for non-PRESENT pages.
RMM probably does this already, but that needs to be properly ensured.

Remove virt_is_valid?
https://gitlab.redox-os.org/redox-os/rmm/-/issues/2
Updated: 2023-06-14T10:11:15Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

https://gitlab.redox-os.org/redox-os/rmm/-/merge_requests/7#note_27379

Forks status
https://gitlab.redox-os.org/redox-os/redox/-/issues/1380
Updated: 2023-07-08T02:30:22Z
Author: Ribbon

This issue will track the forks used by Redox, from GitHub to GitLab and the toolchains.
Forks with pending patches to be merged upstream or waiting for relibc to improve its portability (they will be merged once the Redox APIs are stable).
Mark them when they are merged or don't have patches.
- [ ] binutils
- [ ] openssl
- [ ] mesa
- [ ] sdl2
- [ ] atk
- [ ] bash
- [ ] cairo
- [ ] classicube
- [ ] coreutils
- [ ] cpal
- [ ] curl
- [ ] dash
- [ ] diffutils
- [ ] dosbox
- [ ] duktape
- [ ] eduke32
- [ ] extrautils
- [ ] ffmpeg
- [ ] findutils
- [ ] flycast
- [ ] fontconfig
- [ ] freeciv
- [ ] freedoom
- [ ] freepats
- [ ] game-2048
- [ ] gawk
- [ ] gdbserver
- [ ] generaluser-gs
- [ ] gettext
- [ ] gigalomania
- [ ] git
- [ ] glib
- [ ] glium
- [ ] glutin
- [ ] grep
- [ ] make
- [ ] gstreamer
- [ ] hematite
- [ ] iced
- [ ] jansson
- [ ] libc-bench
- [ ] libcosmic
- [ ] libffi
- [ ] libiconv
- [ ] libogg
- [ ] libretro-super
- [ ] libsodium
- [ ] mednafen
- [ ] mgba
- [ ] miniserve
- [ ] netsurf
- [ ] neverball
- [ ] openttd
- [ ] pango
- [ ] patch
- [ ] pathfinder
- [ ] pcre
- [ ] perl
- [ ] pixelcannon
- [ ] pixman
- [ ] prboom
- [ ] python
- [ ] qemu
- [ ] readline
- [ ] retroarch
- [ ] ripgrep
- [ ] rs-nes
- [ ] rust64
- [ ] rustual-boy
- [ ] schismtracker
- [ ] scummvm
- [ ] sdl1.2
- [ ] sdl_gfx
- [ ] sdl_image
- [ ] sdl_mixer
- [ ] sdl_ttf
- [ ] sdl-player
- [ ] sdl2_mixer
- [ ] sed
- [ ] servo
- [ ] sm64ex
- [ ] spacecadetpinball
- [ ] openssh
- [ ] syobonaction
- [ ] timidity
- [ ] uutils
- [ ] vice
- [ ] vim
- [ ] vttest
- [ ] vvvvvv
- [ ] webrender
### Permanent forks
- gcc
- llvm
- rustc
- cargo

Golang port
https://gitlab.redox-os.org/redox-os/redox/-/issues/1379
Updated: 2023-06-12T22:21:36Z
Author: Ribbon

Golang has its own standard library, thus it will need to use the Redox system calls directly (massive).

Crates porting status
https://gitlab.redox-os.org/redox-os/redox/-/issues/1378
Updated: 2023-07-07T22:19:38Z
Author: Ribbon

This issue will cover important crates that are currently inhibiting porting or need upstream Redox support to ease the development workflow.
- [ ] tokio
- [ ] mio
- [ ] ring
- [ ] crossterm (mio dependency) WIP port: https://github.com/rw-vanc/crossterm.git
- [ ] acpi (remove Handler generic parameter from types)
- [ ] clap
- [ ] iced (upstream support pending)
- [ ] error_chain (and the list of newer and shinier error handling crates)
- [ ] serde
- [ ] serde_derive
- [ ] serde_json
- [ ] yaml
- [ ] log
- [ ] env_logger
- [ ] url
- [ ] tempdir
- [ ] toml
- [ ] libproc

Repositories with missing GitLab CI
https://gitlab.redox-os.org/redox-os/redox/-/issues/1377
Updated: 2023-11-07T17:45:59Z
Author: Ribbon

CI testing is an important industry standard to enforce mature software; it can cover compilation errors, logic problems, typos, broken links, etc.
- [ ] arg-parser
- [ ] audiod
- [ ] binutils
- [ ] bootloader
- [ ] bootloader-coreboot
- [ ] bootloader-efi
- [ ] bootstrap
- [ ] cbitset
- [ ] cbloom
- [ ] chashmap
- [ ] compiler-builtins
- [ ] conc
- [ ] contain
- [ ] cookbook
- [ ] coreboot-fs
- [ ] coreboot-table
- [ ] core_io
- [ ] coreutils
- [ ] dmi
- [ ] drivers
- [ ] dynamic-example
- [ ] escalated
- [ ] event
- [ ] exampled
- [ ] extrautils
- [ ] f80
- [ ] findutils
- [ ] games
- [ ] gdb-protocol
- [ ] gdbserver
- [ ] home
- [ ] hwio
- [ ] init
- [ ] installer
- [ ] installer-gui
- [ ] intelflash
- [ ] kernel
- [ ] libextra
- [ ] netstack
- [ ] netutils
- [ ] nulld
- [ ] pkgar
- [ ] pkgutils
- [ ] ramfs
- [ ] randd
- [ ] ransid
- [ ] redox-daemon
- [ ] redoxer
- [ ] redox-fatfs
- [ ] redox-fatfs
- [ ] redox-input
- [ ] zerod
- [ ] redox-ssh
- [ ] rmm
- [ ] sodium
- [ ] strace-redox
- [ ] termios
- [ ] uefi
- [ ] userutils

Implement x86 security mitigations
https://gitlab.redox-os.org/redox-os/kernel/-/issues/124
Updated: 2024-03-16T08:44:54Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

Here's the list based on the x86 CPU vulnerabilities that Linux's lscpu prints. IIRC some of these only require updated microcode (but Redox doesn't currently support microcode updates).
- [ ] Spec store bypass (add IA32_SPEC_CTRL to context state)
- [ ] Spectre v1
  - [ ] usercopy lfence barriers
  - [ ] swapgs lfence barriers
  - [ ] race condition induced Spectre (Ghostrace)
  - [ ] etc...
- [ ] Spectre v2
  - [ ] Retpolines
  - [ ] RSB filling on context switches
  - [ ] etc...
- [ ] Meltdown (PTI - unfinished)
- [ ] Retbleed - https://lwn.net/Articles/901834/, https://lwn.net/Articles/907054/
- [ ] Mmio stale data
- [ ] Mds
- [x] L1tf (VMM) - does not affect the Redox kernel... yet (no hypervisor support).
- [x] L1tf (OS) - `Frame`s are statically enforced not to be 0x0, and RMM is clearing page entries to zero (though it could be enforced better: https://gitlab.redox-os.org/redox-os/rmm/-/issues/3)
- [ ] Itlb multihit - does not yet affect the Redox kernel... but once hypervisor support is added, ensure that large/huge pages are not executable on vulnerable CPU models.
- [ ] Srbds - requires microcode update (mitigation can be disabled via MSRs)
- [ ] Tsx async abort - requires microcode update, Linux defaults to disabling TSX entirely in that case
- [ ] Gather data sampling ("DOWNFALL") - requires microcode update. TODO: anything else?
- [ ] RAS overflow ("INCEPTION") - requires microcode update too. TODO: anything else?
- [ ] Register File Data Sampling (only affects Intel Atom though)
Some other useful security-enhancing x86 features less related to side channels:
- [x] UMIP (trivial to add support for)
- [x] SMEP (also trivial) - apparently related to RSB filling
- [x] SMAP (will require [usercopy functions](https://gitlab.redox-os.org/redox-os/kernel/-/issues/115), hard)
- [ ] Protection keys
- [ ] Shadow stacks
It would most likely be wise to prioritize vulnerabilities affecting newer CPUs first, most notably Spec Store Bypass and Spectre V1/V2, then continuing with Retbleed, Meltdown, and lastly, the Intel-specific mostly-patched bugs (MDS, L1TF, TSX, MMIO stale data, SRBDS).
Redox also needs to implement microcode loading, which can probably be done from userspace.

ion boot on qemu fails with redoxfs panic
https://gitlab.redox-os.org/redox-os/redox/-/issues/1376
Updated: 2023-07-10T11:07:07Z
Author: Ivan Tan

![image](/uploads/ab8ceefbcf047f649a84e60961089199/image.png)

Use a safe transmute crate
https://gitlab.redox-os.org/redox-os/syscall/-/issues/32
Updated: 2023-06-08T10:08:00Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

Currently, many of the redox_syscall structs are repr(C) although using Deref impls to be convertible to regular slices. This has a few downsides, such as requiring explicit unsafe when casting *slices* of structs, as well as unsafe boilerplate. Reading padding bytes from a struct is UB, and `Stat` (on x86_64 at least) does contain implicit padding, making its Deref impl unsound (cf. https://gitlab.redox-os.org/redox-os/syscall/-/issues/29).
Some Redox drivers use `plain`, which would be a great improvement, although requiring manual `unsafe impl Plain for Struct`, and only allowing `slice_from_bytes` (as opposed to `slice_to_bytes`, which is impossible since plain does not forbid padding bytes). A better alternative might be `bytemuck`, which uses a derive-macro to safely implement traits, with the addition of being able to safely convert contiguous enums to/from ints (zerocopy would also work, but might not be ideal due to licensing).

Server room
https://gitlab.redox-os.org/redox-os/redox/-/issues/1375
Updated: 2024-03-18T00:01:18Z
Author: Ribbon

This issue covers what is necessary for the server variant of Redox.
- [ ] Port nginx
- [ ] Port NodeJS
- [ ] Port Deno
- [ ] Port MySQL
- [ ] Port PostgreSQL
- [ ] Port MongoDB
- [ ] Audit the kernel for security issues
- [ ] Security mitigations for x86 motherboards (https://gitlab.redox-os.org/redox-os/kernel/-/issues/124)
- [ ] Extension of RedoxFS to multiple disks for RAID-style use cases
- [ ] GPGPU support for AI and other compute acceleration (future)

Rusty error handling
https://gitlab.redox-os.org/redox-os/relibc/-/issues/176
Updated: 2023-11-12T15:41:15Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

Currently, relibc primarily does C-like error handling (returning -1 and setting errno). A better alternative would be to use `Result<T, Errno>`, which AFAIK currently only the inner pthread implementation does. If `Errno` is defined as `NonZeroU32`, then the common "zero for success or -1 with errno" can be represented zero-cost as `Result<(), Errno>`. Only the outer C functions would convert the inner OS-abstracted platform functions into "-1 and errno", or other types of error handling (such as pthread's "0 or error code").
Worth noting both Redox and Linux represent syscall errors as negative error numbers (in Linux's case, between -4096 and -1, and currently in Redox's case, all negative numbers), so this change would most likely not lead to performance degradation.

epoll_pwait returns immediately when waiting on raw tty input
https://gitlab.redox-os.org/redox-os/kernel/-/issues/122
Updated: 2023-06-25T11:23:28Z
Author: Ron Williams

I'm debugging `crossterm` with their `stderr` example. `crossterm` on Unix sets `STDIN` to raw mode (if `isatty`, otherwise it opens `/dev/tty`). Following what is done in `termion`, I modified this so it opens `env("TTY")` in raw mode, and saved the fd in a static so multiple gets of the fd return the same result. Then `crossterm` uses `mio`, which in turn sets up an `epoll` fd. When it's time to read from the tty, `mio` calls `epoll_wait` in a loop with `timeout = -1`. `epoll_wait` returns immediately with zero events.
I have not looked into `crossterm`'s use of `termios`, but I would assume it's ok.

aarch64 boot on qemu fails with redoxfs panic
https://gitlab.redox-os.org/redox-os/redox/-/issues/1374
Updated: 2023-06-13T00:40:37Z
Author: Will Angenent

When booting on qemu, redoxfs fails with [redoxfs-crash-log](/uploads/3b53e2fd01431ff0c3a8cc0ab2469675/redoxfs-crash-log).
`ELR_EL1` points at a BRK instruction. `ESR_EL1`, when decoded with something like
```
println!(
    "ESR_EL1: {:>016X} ISS={:>06X} instr len={:?} class={:>02X}", // done in an idiomatic way, hardcode strings?
    { self.esr_el1 },
    { self.esr_el1 & 0xffffff },
    { self.esr_el1 >> 25 & 1 },
    { self.esr_el1 >> 26 & 0x3f }
);
```
in [dump](https://gitlab.redox-os.org/redox-os/kernel/-/blob/master/src/arch/aarch64/interrupt/handler.rs#L99) reveals
```
ISS=000001 instr len=1 class=3C
```
`0x3c` is BRK instruction execution from AArch64 state.
Manually dissecting the backtrace shows that the addresses correspond to the backtrace printing code, not the code that failed.
Early on, a fork happens, and the parent & child both panic. Looks like the child has this in [`src/bin/mount.rs`](https://gitlab.redox-os.org/redox-os/redoxfs/-/blob/master/src/bin/mount.rs#L373).
```
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { kind: UnexpectedEof, message: "failed to fill whole buffer" }', src/bin/mount.rs:373:39
```
And the parent has
```
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', /Users/wangenent/code/redox/mac/rust/library/alloc/src/collections/btree/navigate.rs:588:48
```
Some notes from conversations in the chat
- @4lDO2 mentioned that problems with the btree are often caused by memory corruption.
- @microcolonel suggested checking the fork/context switching code. Audit the process creation, fork and context switch code. Come up with tests to stress this part. Tests that do not depend on an initfs or a livedisk etc.
- @rw_van suggested it's probably memory corruption or a race condition
An interesting observation is that if redoxfs is built with `-O0` in a custom profile, e.g.
```
[profile.will-debug]
inherits = "release"
opt-level = 0
```
then the problem doesn't manifest itself and redox boots fine.

Add folders to organize recipes/packages
https://gitlab.redox-os.org/redox-os/cookbook/-/issues/187
Updated: 2023-12-01T08:51:28Z
Author: Ron Williams

Proposed:
1. Add organizing directories for packages. e.g `recipes/core/recipe_name`. Packages will still appear in the config file as only their basename, so `cook` and `installer` will need to search for the recipes.
2. Organizing directories are optional. e.g. A package can appear as `recipes/recipe_name` or `recipes/core/recipe_name`. If a directory at the base level contains a `recipe.toml` or `recipe.sh`, it cannot also contain package dirs. This allows for migration.
3. If two packages have the same name but are in different organizing directories, e.g. "lib/libx" and "core/libx", (or if one is directly under `recipes`) a build error will occur when that package name is included in the filesystem config file.
4. [Optional - TBD] A special directory named `wip` or something similar is allowed to contain packages that duplicate names of packages in other directories. The package in `wip` takes priority. The "[source]" section of recipes in this directory is ignored, so the source is not updated if the git repo changes. This allows a developer to work with their own fork/branch without concern that it may get updated from `master`.
This requires changes to `installer` as well as `cookbook`.

Stop depending on core_io
https://gitlab.redox-os.org/redox-os/relibc/-/issues/175
Updated: 2024-01-03T19:19:59Z
Author: Jacob Lorentzon (4ldo2@protonmail.com)

It appears to be unmaintained, and we should probably try re-implementing most of the functionality ourselves in relibc.

Formally verify the kernel
https://gitlab.redox-os.org/redox-os/kernel/-/issues/121
Updated: 2023-12-15T14:23:21Z
Author: Jeremy Soller

*Created by: ticki*
+assign @me

Eliminate most heap allocations
https://gitlab.redox-os.org/redox-os/kernel/-/issues/120
Updated: 2023-07-13T16:55:47Z
Author: Michael Aaron Murphy (mmstick@pm.me)

I noticed that there's a lot of usage of collections that dynamically allocate on the heap inside the kernel, such as [this](https://github.com/redox-os/redox/blob/6927a4c5cfef4b97a58ba63b4f9d6d01dd8e9824/kernel/scheme/sys/memory.rs). It would be better to pass around stack-allocated arrays or at least take advantage of [stack-allocated vectors](https://docs.rs/arrayvec/0.3.20/arrayvec/). ~~Kernel code should probably attempt to avoid heap allocations entirely.~~