feat(host/windows): seal the host↔driver channels (frame + gamepad, proto v2)

Frame ring (pf-vdisplay) and both gamepad SHM channels move off named Global\
objects (openable by any sibling LocalService) to UNNAMED sections/events whose
handles the host DuplicateHandles into the driver's verified WUDFHost with least
access — frame delivery over the SYSTEM+admins-only IOCTL_SET_FRAME_CHANNEL,
pads over a 32-byte named bootstrap mailbox (pid + handle value only, DoS-bounded;
HID minidrivers have no control device). Driver-validated pad_index kills
cross-pad redirects; v1↔v2 mixes fail closed with diagnosis logs on both sides.
Sibling-LocalService denial proven empirically (design/idd-push-security.md,
design/gamepad-channel-sealing.md).

Driver-side raw ops now live behind pf-umdf-util (checked shm accessors, the
forbid(unsafe_code) ChannelClient state machine, WDF request tokens) — the pad
drivers' logic is 100% safe Rust; whole drivers workspace clippy-gated in CI.

driver install --gamepad now sweeps SWD\punktfunk phantom devnodes: a re-created
SwDevice REVIVES the old devnode with its previously-bound driver (never
re-ranks), so an upgrade otherwise leaves the old driver serving — or, across
the v1→v2 fence, a dead pad (found live on the RTX box).

On-glass validated on the RTX 4090 box: frame path 7007 frames p50 2.06 ms
cross-machine; DualSense + XUSB "sealed pad channel mapped"/proto=2 attach via
both the test harness and a real streaming session; phantom-sweep repro.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-03 12:08:56 +00:00
parent a3e1ea2b44
commit 95a08e99c3
37 changed files with 2985 additions and 1174 deletions
+10 -1
View File
@@ -10,8 +10,10 @@
//! code — handled at the call site in STEP 5).
#![no_std]
#![allow(non_snake_case, clippy::missing_safety_doc)]
// P0 lint (audit §8): require explicit `unsafe {}` blocks inside `unsafe fn`s.
// P0 lint (audit §8): require explicit `unsafe {}` blocks inside `unsafe fn`s + a `// SAFETY:` proof on
// each (this crate is the IddCx DDI dispatch layer — inherently unsafe, so audited, not unsafe-free).
#![deny(unsafe_op_in_unsafe_fn)]
#![deny(clippy::undocumented_unsafe_blocks)]
pub use wdk_sys::iddcx;
@@ -36,6 +38,7 @@ unsafe fn ddi<T: Copy>(index: i32) -> T {
let table = (&raw const iddcx::IddFunctions).cast::<iddcx::PFN_IDD_CX>();
// SAFETY: `index` is a valid IddCx table slot; the slot holds a `PFN_*` whose layout is `T`.
let slot = unsafe { table.add(index as usize) };
// SAFETY: `slot` points at the `index`th (in-bounds) populated table entry, a `PFN_*` of layout `T`.
unsafe { slot.cast::<T>().read() }
}
@@ -62,7 +65,10 @@ macro_rules! iddcx_ddi {
/// Call only after the driver is loaded by IddCx; pointers must satisfy the IddCx contract.
#[inline]
pub unsafe fn $name( $( $arg: $aty ),* ) -> NTSTATUS {
// SAFETY: `$idx`/`$pfn` are the matched IddCx table index + PFN type (pinned by this macro
// invocation), and the table is populated once the driver is loaded (this fn's contract).
let f: iddcx::$pfn = unsafe { ddi(iddcx::_IDDFUNCENUM::$idx) };
// SAFETY: only reads the stub-provided globals pointer; valid post-load per the contract.
let g = unsafe { globals() };
// SAFETY: dispatching a populated DDI with the stub globals and caller-valid args.
unsafe { (f.unwrap())(g, $( $arg ),* ) }
@@ -79,7 +85,10 @@ macro_rules! iddcx_ddi {
/// Call only after the driver is loaded by IddCx; pointers must satisfy the IddCx contract.
#[inline]
pub unsafe fn $name( $( $arg: $aty ),* ) {
// SAFETY: `$idx`/`$pfn` are the matched IddCx table index + PFN type (pinned by this macro
// invocation), and the table is populated once the driver is loaded (this fn's contract).
let f: iddcx::$pfn = unsafe { ddi(iddcx::_IDDFUNCENUM::$idx) };
// SAFETY: only reads the stub-provided globals pointer; valid post-load per the contract.
let g = unsafe { globals() };
// SAFETY: dispatching a populated DDI with the stub globals and caller-valid args.
unsafe { (f.unwrap())(g, $( $arg ),* ) }