fix(packaging/windows): Windows 11 22H2 floor + tray install task + stale console-port fixes
The OS floor is now enforced at install time (MinVersion=10.0.22621 with an explanatory [Messages] override): pf-vdisplay is built against IddCx 1.10, and on Windows 10 (incl. LTSC) / Win11 21H2 the device fails start with Code 10 STATUS_DEVICE_POWER_FAILURE (field-reported). Docs (site requirements/install/windows-host pages + README) state the floor; new docs-site Security page. Installer also gains the trayicon task (punktfunk-tray.exe file + HKLM Run key, post-install launch as the signed-in user, upgrade taskkill + uninstall --quit/taskkill choreography before file deletion), and the wizard/cleanup text/port sweeps move off the stale :3000 web-console references to :47992 (cleanups sweep both for upgrades from old installs).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -82,12 +82,18 @@ query.
|
||||
|
||||
**IDD-push is the universal primary path.** Capture comes straight from the driver's shared keyed-mutex
|
||||
texture ring (`capture/windows/idd_push.rs`) — no Desktop Duplication, no `win32u` reparenting hook. The
|
||||
host creates the ring; the driver opens it (permissive `D:(A;;GA;;;WD)` SDDL). The generation-tagged
|
||||
`latest = gen<<40 | seq<<8 | slot` stale-ring reject kills the HDR-flip garbage frame; a host-owned
|
||||
3-slot `OUT_RING` rotated per frame is the texture-ownership contract that enables `pipeline_depth=2`
|
||||
(convert/copy on the 3D engine overlapping NVENC on the ASIC). It captures the **secure desktop**
|
||||
(Winlogon/UAC/lock) directly (validated 2026-06-25), so there is no separate secure capturer in the
|
||||
primary path.
|
||||
host creates the ring as a **sealed channel** (proto v2, `design/idd-push-security.md`): the header,
|
||||
frame-ready event, and ring textures are **unnamed** (nothing to enumerate, open by name, or squat), and
|
||||
the host `DuplicateHandle`s them into the driver's WUDFHost and delivers the handle *values* over the
|
||||
SYSTEM+admins-only control device (`IOCTL_SET_FRAME_CHANNEL`), so only the two endpoint processes can
|
||||
ever reach a frame — DDA's isolation property in user mode. (The objects keep a `D:(A;;GA;;;SY)(A;;GA;;;LS)`
|
||||
DACL as defense-in-depth; it is no longer the isolation boundary. This supersedes the earlier named-ring
|
||||
scheme, which was world-openable `Global\pfvd-*` (`D:(A;;GA;;;WD)`) then SY+LS-scoped.) The
|
||||
generation-tagged `latest = gen<<40 | seq<<8 | slot` stale-ring reject kills the HDR-flip garbage frame;
|
||||
a host-owned 3-slot `OUT_RING` rotated per frame is the texture-ownership contract that enables
|
||||
`pipeline_depth=2` (convert/copy on the 3D engine overlapping NVENC on the ASIC). It captures the
|
||||
**secure desktop** (Winlogon/UAC/lock) directly (validated 2026-06-25), so there is no separate secure
|
||||
capturer in the primary path.
|
||||
|
||||
- **Open-time fallback:** `IddPushCapturer::open` waits a bounded ~4 s for a *first frame* (not just
|
||||
`DRV_STATUS_OPENED`); on attach failure it returns the keepalive back so `capture.rs` opens **DDA** on
|
||||
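Review bot: "only the two endpoint processes can ever reach a frame" in the added sealed-channel paragraph is stated more absolutely than the mechanism shown supports. Unnamed objects plus `DuplicateHandle` remove the open-by-name route, but a principal that can open the host or the driver's WUDFHost with `PROCESS_DUP_HANDLE` can still duplicate the handles out, and the control device is described as reachable by SYSTEM and admins, not by the host alone. Because the same paragraph says this path carries the secure desktop (Winlogon/UAC/lock), suggest wording the guarantee relative to principals that cannot open either endpoint process, and leaving the full threat model to `design/idd-push-security.md`.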
@@ -120,10 +126,12 @@ loss-recovery by query (only Windows direct-NVENC overrides it; the GameStream l
|
||||
### 2.5 Host↔driver ABI & the `pf-vdisplay` driver
|
||||
|
||||
`pf-driver-proto` is one `no_std` crate in both build graphs. It owns the **frame plane** (`FrameToken`
|
||||
+ `Global\pfvd-*` names), the **control plane** (a fresh interface GUID — *not* SudoVDA's `e5bcc234`;
|
||||
contiguous `0x900` IOCTL ops; a `GET_INFO` version handshake the host **asserts** + bails on mismatch),
|
||||
and the **gamepad SHM** (`XusbShm`/`PadShm` incl. `device_type`). `bytemuck`-`Pod` + `size_of` **and**
|
||||
`offset_of!` asserts make ABI drift a **compile error**.
|
||||
+ `SharedHeader`; since proto v2 the frame objects are **unnamed** — no `Global\pfvd-*` names — and are
|
||||
delivered by handle duplication over `IOCTL_SET_FRAME_CHANNEL`, the *sealed channel*:
|
||||
`design/idd-push-security.md`), the **control plane** (a fresh interface GUID — *not* SudoVDA's
|
||||
`e5bcc234`; contiguous `0x900` IOCTL ops; a `GET_INFO` version handshake the host **asserts** + bails on
|
||||
mismatch), and the **gamepad SHM** (`XusbShm`/`PadShm` incl. `device_type`). `bytemuck`-`Pod` +
|
||||
`size_of` **and** `offset_of!` asserts make ABI drift a **compile error**.
|
||||
|
||||
The driver (`packaging/windows/drivers/pf-vdisplay/src/`) is an all-Rust UMDF IddCx driver on
|
||||
`windows-drivers-rs` + the `iddcx` `wdk-sys` subset; the STEP 0–8 build is the checklist in §6.3, its
|
||||
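Review bot: The rewritten frame-plane sentence introduces "proto v2" and `IOCTL_SET_FRAME_CHANNEL` but does not say what happens when the `GET_INFO` handshake meets a driver that still speaks the named `Global\pfvd-*` scheme. The text already says the host asserts and bails on mismatch; suggest stating explicitly that a pre-v2 driver is rejected and there is no fallback to the named ring, since the commit message covers upgrades from old installs where an older driver can still be present. The parenthetical is also long enough that the `design/idd-push-security.md` pointer reads better as its own sentence.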
@@ -200,8 +208,10 @@ These are expensive empirical wins; keep them intact when touching the code:
|
||||
the hot-loop `KeyedMutexGuard`, and the driver's `pod_init!`; all box-validated, clean `sc stop` in
|
||||
~1 s). The driver already has the deny. Revisit D1-host as a final discipline pass (staged per-module)
|
||||
if desired.
|
||||
5. **M6 scaffolding cleanup** — delete the bring-up diagnostics (`spawn_observer`/`DebugBlock` in
|
||||
`idd_push.rs`) and, once full parity is proven on glass, the host monoliths.
|
||||
5. **M6 scaffolding cleanup** — the bring-up diagnostics (`spawn_observer`/`DebugBlock` in
|
||||
`idd_push.rs`) were deleted with the sealed-channel change (they were the last fixed-name
|
||||
`Global\` objects on the frame path); once full parity is proven on glass, the host monoliths
|
||||
remain.
|
||||
|
||||
**Explicitly NOT doing (stability decision): E1 — driver `DeviceContext` ownership + per-`IDDCX_MONITOR`
|
||||
`EvtCleanupCallback`.** The current process-global design is *sound*: IddCx DDIs receive only an
|
||||
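Review bot: The end of the revised item 5, "once full parity is proven on glass, the host monoliths remain", inverts the meaning of the line it replaces, which said the monoliths are deleted once parity is proven. As written it reads as if they stay after parity. Suggest "what remains is deleting the host monoliths once full parity is proven on glass", so the outstanding work is unambiguous.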
@@ -260,7 +270,7 @@ Local pre-push checks (this Linux box can't compile the Windows paths):
|
||||
cargo test -p pf-driver-proto # the ABI crate (cross-platform)
|
||||
cargo check -p punktfunk-host # Linux paths; win_* mods are #[cfg(windows)]
|
||||
cargo clippy -p punktfunk-host --all-targets -- -D warnings
|
||||
# Windows host clippy (on the box): PUNKTFUNK_NVENC_LIB_DIR=C:\t\nvenc;
|
||||
# Windows host clippy (on the box; NVENC needs no import lib — runtime-loaded):
|
||||
# cargo clippy -p punktfunk-host --features nvenc --target x86_64-pc-windows-msvc -- -D warnings
|
||||
# Driver build (on the box): cd packaging/windows/drivers; Version_Number=10.0.26100.0;
|
||||
# LIBCLANG_PATH='C:\Program Files\LLVM\bin'; cargo build
|
||||
|
||||
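Review bot: The replacement clippy comment drops `PUNKTFUNK_NVENC_LIB_DIR` on the grounds that NVENC is runtime-loaded, but nothing in this hunk shows the variable being removed from the build itself. Please confirm that no build script or CI step still reads it, or remove it in the same change. Since the host has to be SYSTEM or an administrator to reach the control device, it is also worth one line here on where the NVENC library is loaded from at runtime (a fully qualified system path rather than the default search order).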