feat(host/windows): seal the host↔driver channels (frame + gamepad, proto v2)

Frame ring (pf-vdisplay) and both gamepad SHM channels move off named Global\
objects (openable by any sibling LocalService) to UNNAMED sections/events whose
handles the host DuplicateHandles into the driver's verified WUDFHost with least
access — frame delivery over the SYSTEM+admins-only IOCTL_SET_FRAME_CHANNEL,
pads over a 32-byte named bootstrap mailbox (pid + handle value only, DoS-bounded;
HID minidrivers have no control device). Driver-validated pad_index kills
cross-pad redirects; v1↔v2 mixes fail closed with diagnosis logs on both sides.
Sibling-LocalService denial proven empirically (design/idd-push-security.md,
design/gamepad-channel-sealing.md).

Driver-side raw ops now live behind pf-umdf-util (checked shm accessors, the
forbid(unsafe_code) ChannelClient state machine, WDF request tokens) — the pad
drivers' logic is 100% safe Rust; whole drivers workspace clippy-gated in CI.

driver install --gamepad now sweeps SWD\punktfunk phantom devnodes: a re-created
SwDevice REVIVES the old devnode with its previously-bound driver (never
re-ranks), so an upgrade otherwise leaves the old driver serving — or, across
the v1→v2 fence, a dead pad (found live on the RTX box).

On-glass validated on the RTX 4090 box: frame path 7007 frames p50 2.06 ms
cross-machine; DualSense + XUSB "sealed pad channel mapped"/proto=2 attach via
both the test harness and a real streaming session; phantom-sweep repro.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 12:08:56 +00:00
parent a3e1ea2b44
commit 95a08e99c3
37 changed files with 2985 additions and 1174 deletions
@@ -51,8 +51,9 @@ pub unsafe extern "C" fn parse_monitor_description(
p_in: *const iddcx::IDARG_IN_PARSEMONITORDESCRIPTION,
p_out: *mut iddcx::IDARG_OUT_PARSEMONITORDESCRIPTION,
) -> NTSTATUS {
// SAFETY: framework-provided in/out args, valid for the call.
// SAFETY: the framework supplies a valid, live input-args pointer for the call.
let in_args = unsafe { &*p_in };
// SAFETY: the framework supplies a valid, live output-args pointer for the call.
let out_args = unsafe { &mut *p_out };
// SAFETY: the framework supplies a valid EDID buffer of `DataSize` bytes.
let edid = unsafe {
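Review bot: the new SAFETY comment on `let out_args = unsafe { &mut *p_out };` justifies validity but not exclusivity; forming a `&mut` also requires that no other reference to the output struct is live while `out_args` exists and that `p_in` and `p_out` do not overlap. Suggest extending the comment, e.g. `// SAFETY: the framework supplies a valid, live output-args pointer and no other reference to it for the duration of the call.` Splitting the old blanket comment into one per `unsafe` block is the right direction, since each block now names the invariant it relies on.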
@@ -100,8 +101,9 @@ pub unsafe extern "C" fn parse_monitor_description2(
p_in: *const iddcx::IDARG_IN_PARSEMONITORDESCRIPTION2,
p_out: *mut iddcx::IDARG_OUT_PARSEMONITORDESCRIPTION,
) -> NTSTATUS {
// SAFETY: framework-provided in/out args, valid for the call.
// SAFETY: the framework supplies a valid, live input-args pointer for the call.
let in_args = unsafe { &*p_in };
// SAFETY: the framework supplies a valid, live output-args pointer for the call.
let out_args = unsafe { &mut *p_out };
// SAFETY: the framework supplies a valid EDID buffer of `DataSize` bytes.
let edid = unsafe {
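Review bot: the three SAFETY comments and the two derefs at the top of `parse_monitor_description2` are now a verbatim copy of the preamble in `parse_monitor_description`; a small shared helper that takes the two pointers and returns `(&in_args, &mut out_args)` would state the framework contract once and keep the two copies from drifting. The `DataSize` named in the EDID comment should also match the bound actually used when the slice is built in the following `unsafe` block, otherwise the comment goes stale the first time that code changes.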
@@ -156,8 +158,9 @@ pub unsafe extern "C" fn monitor_query_modes(
p_in: *const iddcx::IDARG_IN_QUERYTARGETMODES,
p_out: *mut iddcx::IDARG_OUT_QUERYTARGETMODES,
) -> NTSTATUS {
// SAFETY: framework-provided in/out args, valid for the call.
// SAFETY: the framework supplies a valid, live input-args pointer for the call.
let in_args = unsafe { &*p_in };
// SAFETY: the framework supplies a valid, live output-args pointer for the call.
let out_args = unsafe { &mut *p_out };
let Some(modes) = crate::monitor::modes_for_object(monitor) else {
return STATUS_NOT_FOUND;
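Review bot: `out_args` is obtained via `&mut *p_out` and then left unwritten on the `return STATUS_NOT_FOUND;` path, so the caller sees whatever the output buffer already held. Either document that IddCx ignores `IDARG_OUT_QUERYTARGETMODES` when a failure status is returned, or zero the mode count before the early return so the contract does not depend on framework behaviour the code never states. The per-deref SAFETY comments themselves are fine.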
@@ -183,8 +186,9 @@ pub unsafe extern "C" fn monitor_query_modes2(
p_in: *const iddcx::IDARG_IN_QUERYTARGETMODES2,
p_out: *mut iddcx::IDARG_OUT_QUERYTARGETMODES,
) -> NTSTATUS {
// SAFETY: framework-provided in/out args, valid for the call.
// SAFETY: the framework supplies a valid, live input-args pointer for the call.
let in_args = unsafe { &*p_in };
// SAFETY: the framework supplies a valid, live output-args pointer for the call.
let out_args = unsafe { &mut *p_out };
let Some(modes) = crate::monitor::modes_for_object(monitor) else {
return STATUS_NOT_FOUND;
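Review bot: `monitor_query_modes2` now carries the same per-deref SAFETY wording as the entry points above, but the functions stay `pub unsafe extern "C"` without a `# Safety` section stating the caller-side contract (IddCx-supplied, non-null, aligned pointers valid for the call). Put that contract once in a `/// # Safety` doc comment on each entry point so the deref-site comments can refer to it instead of restating it, and note that this early return also leaves `out_args` unwritten, which is worth either documenting or zeroing.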
@@ -279,7 +283,8 @@ pub unsafe extern "C" fn assign_swap_chain(
drop(crate::monitor::take_swap_chain_processor(monitor));
// The OS target id (stamped on the monitor at creation, after IddCxMonitorArrival) keys the
// per-monitor objects STEP 6's host opens. 0 (default) if the monitor isn't found.
// frame-channel stash STEP 6's worker attaches from (the host addresses its IOCTL_SET_FRAME_CHANNEL
// delivery by this id). 0 (default) if the monitor isn't found — the worker then never attaches.
let target_id = crate::monitor::target_id_for_object(monitor).unwrap_or(0);
if let Some(device) = crate::direct_3d_device::pooled_device(luid) {
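Review bot: `unwrap_or(0)` turns a missing monitor into target id 0, and the rewritten comment says the worker then never attaches, yet the function continues into `pooled_device(luid)` and sets up the swap chain anyway, so frame delivery fails silently. Given the commit's emphasis on diagnosis logs for fail-closed paths, log (or return early) when `target_id_for_object(monitor)` is `None` rather than letting 0 double as a sentinel; if 0 is ever a legitimate OS target id the sentinel collides with a real monitor. Minor: the new comment line beginning `// frame-channel stash STEP 6's worker attaches from` runs well past the width of the surrounding comments; wrap it.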