feat(host/windows): seal the host↔driver channels (frame + gamepad, proto v2)
Frame ring (pf-vdisplay) and both gamepad SHM channels move off named Global\ objects (openable by any sibling LocalService) to UNNAMED sections/events whose handles the host DuplicateHandles into the driver's verified WUDFHost with least access — frame delivery over the SYSTEM+admins-only IOCTL_SET_FRAME_CHANNEL, pads over a 32-byte named bootstrap mailbox (pid + handle value only, DoS-bounded; HID minidrivers have no control device). Driver-validated pad_index kills cross-pad redirects; v1↔v2 mixes fail closed with diagnosis logs on both sides. Sibling-LocalService denial proven empirically (design/idd-push-security.md, design/gamepad-channel-sealing.md).

Driver-side raw ops now live behind pf-umdf-util (checked shm accessors, the forbid(unsafe_code) ChannelClient state machine, WDF request tokens) — the pad drivers' logic is 100% safe Rust; whole drivers workspace clippy-gated in CI.

driver install --gamepad now sweeps SWD\punktfunk phantom devnodes: a re-created SwDevice REVIVES the old devnode with its previously-bound driver (never re-ranks), so an upgrade otherwise leaves the old driver serving — or, across the v1→v2 fence, a dead pad (found live on the RTX box).

On-glass validated on the RTX 4090 box: frame path 7007 frames p50 2.06 ms cross-machine; DualSense + XUSB "sealed pad channel mapped"/proto=2 attach via both the test harness and a real streaming session; phantom-sweep repro.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -0,0 +1,17 @@
# pf-umdf-util - the audited unsafe-primitive layer under the punktfunk UMDF gamepad drivers.
# Everything a pad driver does with raw pointers or Win32/WDF FFI lives HERE, behind small safe
# (or explicitly-contracted unsafe) APIs, so the driver crates' business logic is 100% safe Rust:
# section - MappedView: bounds+alignment-checked shared-memory access (atomics for sync fields)
# channel - ChannelClient: the sealed pad channel's driver-side state machine (a SAFE module)
# wdf - Request/queue/device-property helpers over call_unsafe_wdf_function_binding
[package]
name = "pf-umdf-util"
edition.workspace = true
version.workspace = true
license.workspace = true
publish = false
description = "punktfunk UMDF driver util: safe shared-memory + sealed-channel + WDF request primitives"
[dependencies]
wdk-sys.workspace = true
pf-driver-proto.workspace = true
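Review bot: the new pf-umdf-util manifest has no `[lints]` table between `[package]` and `[dependencies]`, although the header comment presents this crate as the audited unsafe-primitive layer and labels `channel` "a SAFE module". If the workspace defines shared lints, opt in here with a `[lints]` table containing `workspace = true`, so the crate that concentrates the raw-pointer and FFI code is held to the same rules as the driver crates; `unsafe_op_in_unsafe_fn` and `clippy::undocumented_unsafe_blocks` are the lints that matter most for a layer like this. It would also help if the `channel` line of the header comment said how the SAFE claim is enforced, since nothing in these 17 lines lets a reader check it.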