From d3e4ea011888fed1c25a4a328b9668392cec268d Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Wed, 24 Jun 2026 08:33:38 +0000 Subject: [PATCH] feat(windows-drivers): driver workspace + wdk-probe on windows-drivers-rs (M1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Stand up packaging/windows/drivers/ — the unified driver workspace on crates.io windows-drivers-rs (wdk 0.4.1 / wdk-sys + wdk-build 0.5.1), retiring the dev-box ../../crates/wdk* path-deps. First member: wdk-probe, the smallest UMDF2 driver (DriverEntry -> WdfDriverCreate -> EvtDeviceAdd -> WdfDeviceCreate) that force-links the shared pf-vdisplay-proto ABI crate. It validates on the runner: wdk-sys bindgen + WDF stub link against the WDK + LLVM, the cross-workspace no_std proto path-dep, and the produced DLL's PE FORCE_INTEGRITY bit. windows-drivers.yml gains a driver-build job: cargo build -p wdk-probe (pinning Version_Number=10.0.26100.0) + a PE inspection that prints whether /INTEGRITYCHECK is set — the M0 self-signed-load question. Co-Authored-By: Claude Opus 4.8 (1M context) --- .gitea/workflows/windows-drivers.yml | 37 ++++++++++++- packaging/windows/drivers/Cargo.toml | 33 ++++++++++++ .../windows/drivers/wdk-probe/Cargo.toml | 26 +++++++++ packaging/windows/drivers/wdk-probe/build.rs | 6 +++ .../windows/drivers/wdk-probe/src/lib.rs | 54 +++++++++++++++++++ 5 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 packaging/windows/drivers/Cargo.toml create mode 100644 packaging/windows/drivers/wdk-probe/Cargo.toml create mode 100644 packaging/windows/drivers/wdk-probe/build.rs create mode 100644 packaging/windows/drivers/wdk-probe/src/lib.rs diff --git a/.gitea/workflows/windows-drivers.yml b/.gitea/workflows/windows-drivers.yml index e310868..087bd9d 100644 --- a/.gitea/workflows/windows-drivers.yml +++ b/.gitea/workflows/windows-drivers.yml @@ -26,6 +26,8 @@ on: - 'crates/pf-vdisplay-proto/**' - 'packaging/windows/drivers/**' +# Driver builds need the WDK on the runner (provision once via windows-drivers-provision.yml). + jobs: probe-and-proto: runs-on: windows-amd64 @@ -94,9 +96,42 @@ jobs: - name: Build + test pf-vdisplay-proto (MSVC) run: | # Short target dir to dodge MAX_PATH inside the deep act host workdir (see windows.yml). - "CARGO_TARGET_DIR=C:\t\drv" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 $env:CARGO_TARGET_DIR = "C:\t\drv" cargo build -p pf-vdisplay-proto cargo test -p pf-vdisplay-proto cargo clippy -p pf-vdisplay-proto --all-targets -- -D warnings cargo fmt -p pf-vdisplay-proto -- --check + + # Build the UMDF driver workspace (wdk-probe) on windows-drivers-rs: proves wdk-sys bindgen/link works + # on the runner's WDK + LLVM, that pf-vdisplay-proto path-deps into a driver, and exposes the produced + # DLL's FORCE_INTEGRITY (/INTEGRITYCHECK) bit — the M0 self-signed-load question. + driver-build: + runs-on: windows-amd64 + timeout-minutes: 45 + defaults: + run: + shell: pwsh + env: + # wdk-build otherwise picks 10.0.28000.0 (no km/crt) and bindgen fails — pin the WDK SDK version. + Version_Number: '10.0.26100.0' + CARGO_TARGET_DIR: 'C:\t\drvws' + steps: + - uses: actions/checkout@v4 + - name: cargo build wdk-probe (windows-drivers-rs) + working-directory: packaging/windows/drivers + run: cargo build -p wdk-probe -v + - name: Inspect the produced DLL's /INTEGRITYCHECK bit + run: | + $dll = "$env:CARGO_TARGET_DIR\debug\wdk_probe.dll" + if (-not (Test-Path $dll)) { throw "wdk_probe.dll not produced at $dll" } + $b = [IO.File]::ReadAllBytes($dll) + $pe = [BitConverter]::ToInt32($b, 0x3c) + $dllchar = [BitConverter]::ToUInt16($b, $pe + 0x5e) # OptionalHeader.DllCharacteristics + $forceIntegrity = ($dllchar -band 0x0080) -ne 0 # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY + Write-Host ("wdk_probe.dll built OK ({0:N0} bytes)" -f (Get-Item $dll).Length) + Write-Host ("DllCharacteristics = 0x{0:X4}; FORCE_INTEGRITY(/INTEGRITYCHECK) = $forceIntegrity" -f $dllchar) + if ($forceIntegrity) { + Write-Host '==> /INTEGRITYCHECK IS set -> self-signed load needs the flag suppressed or the PE bit cleared (M0 task).' + } else { + Write-Host '==> /INTEGRITYCHECK NOT set -> a self-signed driver should load with no PE patch.' + } diff --git a/packaging/windows/drivers/Cargo.toml b/packaging/windows/drivers/Cargo.toml new file mode 100644 index 0000000..9b45a4f --- /dev/null +++ b/packaging/windows/drivers/Cargo.toml @@ -0,0 +1,33 @@ +# Unified in-tree workspace for punktfunk's all-Rust UMDF drivers, on microsoft/windows-drivers-rs +# (crates.io wdk/wdk-sys/wdk-build — NOT the dev-box ../../crates/wdk* path-deps). Part of the +# Windows-host rewrite (docs/windows-host-rewrite.md, M1). pf-vdisplay + the gamepad drivers move here. +# +# Separate from the main cargo workspace (own [workspace] root) because driver crates are cdylibs built +# with the WDK toolchain (cargo-wdk / wdk-build) on Windows only. Path-deps the shared ABI crate +# crates/pf-vdisplay-proto from the main tree. +[workspace] +resolver = "2" +members = ["wdk-probe"] + +[workspace.package] +edition = "2024" +version = "0.0.1" +license = "MIT OR Apache-2.0" +publish = false + +[workspace.dependencies] +wdk = "0.4.1" +wdk-sys = "0.5.1" +wdk-build = "0.5.1" +pf-vdisplay-proto = { path = "../../../crates/pf-vdisplay-proto" } + +# windows-drivers-rs marks a driver workspace with this section (per-package driver-model overrides it). +[workspace.metadata.wdk] + +[profile.dev] +panic = "abort" +lto = true + +[profile.release] +panic = "abort" +lto = true diff --git a/packaging/windows/drivers/wdk-probe/Cargo.toml b/packaging/windows/drivers/wdk-probe/Cargo.toml new file mode 100644 index 0000000..2dbfecf --- /dev/null +++ b/packaging/windows/drivers/wdk-probe/Cargo.toml @@ -0,0 +1,26 @@ +# M0/M1 toolchain probe: the smallest possible UMDF2 driver on windows-drivers-rs (crates.io wdk 0.5). +# Purpose: prove on the windows-amd64 runner that (1) wdk-sys bindgen + WDF stub link works against the +# runner's WDK + LLVM, (2) the shared no_std pf-vdisplay-proto ABI crate path-deps cleanly into a driver +# build graph, and (3) what the produced DLL's PE FORCE_INTEGRITY (/INTEGRITYCHECK) bit is. NOT shipped. +[package] +name = "wdk-probe" +edition.workspace = true +version.workspace = true +license.workspace = true +publish = false + +[package.metadata.wdk.driver-model] +driver-type = "UMDF" +umdf-version-major = 2 +target-umdf-version-minor = 31 + +[lib] +crate-type = ["cdylib"] + +[build-dependencies] +wdk-build.workspace = true + +[dependencies] +wdk.workspace = true +wdk-sys.workspace = true +pf-vdisplay-proto.workspace = true diff --git a/packaging/windows/drivers/wdk-probe/build.rs b/packaging/windows/drivers/wdk-probe/build.rs new file mode 100644 index 0000000..0e4d848 --- /dev/null +++ b/packaging/windows/drivers/wdk-probe/build.rs @@ -0,0 +1,6 @@ +//! Emits the WDK link flags for the cdylib (the same call the gamepad drivers use). If wdk-build adds +//! `/INTEGRITYCHECK`, it shows up in the produced DLL's PE DllCharacteristics — which the CI step +//! inspects to answer the M0 self-signed-load question. +fn main() -> Result<(), wdk_build::ConfigError> { + wdk_build::configure_wdk_binary_build() +} diff --git a/packaging/windows/drivers/wdk-probe/src/lib.rs b/packaging/windows/drivers/wdk-probe/src/lib.rs new file mode 100644 index 0000000..70c769f --- /dev/null +++ b/packaging/windows/drivers/wdk-probe/src/lib.rs @@ -0,0 +1,54 @@ +//! Minimal UMDF2 driver — the M0/M1 toolchain + `/INTEGRITYCHECK` probe (see this crate's Cargo.toml). +//! DriverEntry → WdfDriverCreate → (EvtDeviceAdd) WdfDeviceCreate: enough to exercise the wdk-sys WDF +//! stub link without any device logic. Also force-links the shared `pf-vdisplay-proto` ABI crate to +//! prove it compiles + links into a driver (no_std + bytemuck) across the workspace boundary. + +#![allow(non_snake_case, clippy::missing_safety_doc)] + +use wdk_sys::{ + call_unsafe_wdf_function_binding, NTSTATUS, PCUNICODE_STRING, PDRIVER_OBJECT, PWDFDEVICE_INIT, + ULONG, WDFDEVICE, WDFDRIVER, WDF_DRIVER_CONFIG, WDF_NO_HANDLE, WDF_NO_OBJECT_ATTRIBUTES, +}; + +const STATUS_SUCCESS: NTSTATUS = 0; + +/// Force `pf-vdisplay-proto` to actually link into the driver build graph (validates the cross-workspace +/// path-dep + that the no_std bytemuck ABI crate compiles for a UMDF cdylib). `#[used]` keeps it. +#[used] +static PROTO_GUID_LO: u64 = pf_vdisplay_proto::PF_VDISPLAY_INTERFACE_GUID_U128 as u64; + +#[unsafe(export_name = "DriverEntry")] +pub unsafe extern "system" fn driver_entry( + driver: PDRIVER_OBJECT, + registry_path: PCUNICODE_STRING, +) -> NTSTATUS { + // SAFETY: zeroed then Size + the device-add callback set, per the WDF_DRIVER_CONFIG contract. + let mut config: WDF_DRIVER_CONFIG = unsafe { core::mem::zeroed() }; + config.Size = core::mem::size_of::() as ULONG; + config.EvtDriverDeviceAdd = Some(evt_device_add); + // SAFETY: driver + registry_path are the loader-provided pointers; config is valid for the call. + unsafe { + call_unsafe_wdf_function_binding!( + WdfDriverCreate, + driver, + registry_path, + WDF_NO_OBJECT_ATTRIBUTES, + &mut config, + WDF_NO_HANDLE.cast::() + ) + } +} + +extern "C" fn evt_device_add(_driver: WDFDRIVER, mut device_init: PWDFDEVICE_INIT) -> NTSTATUS { + let mut device: WDFDEVICE = core::ptr::null_mut(); + // SAFETY: device_init is the framework-provided init; attributes null; device receives the handle. + let _ = unsafe { + call_unsafe_wdf_function_binding!( + WdfDeviceCreate, + &mut device_init, + WDF_NO_OBJECT_ATTRIBUTES, + &mut device + ) + }; + STATUS_SUCCESS +}