95a08e99c3
Frame ring (pf-vdisplay) and both gamepad SHM channels move off named Global\ objects (openable by any sibling LocalService) to UNNAMED sections/events whose handles the host DuplicateHandles into the driver's verified WUDFHost with least access — frame delivery over the SYSTEM+admins-only IOCTL_SET_FRAME_CHANNEL, pads over a 32-byte named bootstrap mailbox (pid + handle value only, DoS-bounded; HID minidrivers have no control device). Driver-validated pad_index kills cross-pad redirects; v1↔v2 mixes fail closed with diagnosis logs on both sides. Sibling-LocalService denial proven empirically (design/idd-push-security.md, design/gamepad-channel-sealing.md). Driver-side raw ops now live behind pf-umdf-util (checked shm accessors, the forbid(unsafe_code) ChannelClient state machine, WDF request tokens) — the pad drivers' logic is 100% safe Rust; whole drivers workspace clippy-gated in CI. driver install --gamepad now sweeps SWD\punktfunk phantom devnodes: a re-created SwDevice REVIVES the old devnode with its previously-bound driver (never re-ranks), so an upgrade otherwise leaves the old driver serving — or, across the v1→v2 fence, a dead pad (found live on the RTX box). On-glass validated on the RTX 4090 box: frame path 7007 frames p50 2.06 ms cross-machine; DualSense + XUSB "sealed pad channel mapped"/proto=2 attach via both the test harness and a real streaming session; phantom-sweep repro. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
163 lines
9.1 KiB
YAML
163 lines
9.1 KiB
YAML
# Windows driver workspace CI — runs on a self-hosted Windows runner (home-windows-runner-1, host
|
|
# mode; label windows-amd64). Part of the Windows-host rewrite (design/windows-host-rewrite.md, M0).
|
|
#
|
|
# Stage 1 (this file): PROBE the runner's driver toolchain (WDK / EWDK / cargo-make / LLVM / the
|
|
# inf2cat/stampinf/devgen/signtool tools) so we know what's provisioned BEFORE writing driver code,
|
|
# and build+test the owned ABI crate (pf-driver-proto) on MSVC to prove it compiles cross-OS and the
|
|
# CI wiring works. The runner has no RTX GPU — that's fine: builds, the IddCx bindgen/link, the
|
|
# /INTEGRITYCHECK self-sign-load, and (later) IDD-push frame flow on the basic display do not need one;
|
|
# only live NVENC encode does, which defers to the RTX box.
|
|
#
|
|
# shell: pwsh deliberately (PowerShell 5.1's Out-File -Encoding utf8 prepends a BOM that corrupts the
|
|
# first GITHUB_ENV line — see windows.yml).
|
|
name: windows-drivers
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- '.gitea/workflows/windows-drivers.yml'
|
|
- 'crates/pf-driver-proto/**'
|
|
- 'packaging/windows/drivers/**'
|
|
pull_request:
|
|
paths:
|
|
- '.gitea/workflows/windows-drivers.yml'
|
|
- 'crates/pf-driver-proto/**'
|
|
- 'packaging/windows/drivers/**'
|
|
|
|
# Driver builds need the WDK on the runner - the driver-build job below self-provisions it via
|
|
# scripts/ci/ensure-windows-toolchain.ps1, a fast no-op once already present.
|
|
|
|
jobs:
|
|
probe-and-proto:
|
|
runs-on: windows-amd64
|
|
timeout-minutes: 30
|
|
defaults:
|
|
run:
|
|
shell: pwsh
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Probe driver toolchain (informational — never fails the job)
|
|
continue-on-error: true
|
|
run: |
|
|
$ErrorActionPreference = 'Continue'
|
|
function head($t) { Write-Host ""; Write-Host "===== $t =====" }
|
|
|
|
head "Windows Kits roots"
|
|
$kits = @('C:\Program Files (x86)\Windows Kits\10', 'C:\Program Files\Windows Kits\10')
|
|
foreach ($k in $kits) { if (Test-Path $k) { Write-Host "found: $k" } }
|
|
|
|
head "SDK Include versions (um vs km — km => WDK present)"
|
|
foreach ($k in $kits) {
|
|
$inc = Join-Path $k 'Include'
|
|
if (Test-Path $inc) {
|
|
Get-ChildItem $inc -Directory | ForEach-Object {
|
|
$hasUm = Test-Path (Join-Path $_.FullName 'um')
|
|
$hasKm = Test-Path (Join-Path $_.FullName 'km')
|
|
$wdf = Test-Path (Join-Path $_.FullName 'km\wdf\umdf\2.31')
|
|
$iddcx = (Get-ChildItem (Join-Path $_.FullName 'um\iddcx') -Directory -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }) -join ','
|
|
Write-Host ("{0,-16} um={1,-5} km={2,-5} wdf2.31={3,-5} iddcx=[{4}]" -f $_.Name, $hasUm, $hasKm, $wdf, $iddcx)
|
|
}
|
|
}
|
|
}
|
|
|
|
head "Driver tooling (inf2cat / stampinf / signtool / devgen / InfVerif)"
|
|
foreach ($tool in 'inf2cat.exe','stampinf.exe','signtool.exe','devgen.exe','InfVerif.exe','makecat.exe') {
|
|
$hits = @()
|
|
foreach ($k in $kits) {
|
|
$hits += Get-ChildItem -Path $k -Filter $tool -Recurse -ErrorAction SilentlyContinue |
|
|
Where-Object { $_.FullName -match '\\x64\\' } | Select-Object -First 1 -ExpandProperty FullName
|
|
}
|
|
$hits = $hits | Where-Object { $_ } | Select-Object -First 1
|
|
Write-Host ("{0,-14} -> {1}" -f $tool, ($(if ($hits) { $hits } else { 'NOT FOUND' })))
|
|
}
|
|
|
|
head "EWDK"
|
|
Write-Host ("EWDKROOT = " + ($env:EWDKROOT ?? '<unset>'))
|
|
|
|
head "LLVM / clang (bindgen 0.72 builds on the runner default clang)"
|
|
Write-Host ("LIBCLANG_PATH = " + ($env:LIBCLANG_PATH ?? '<unset>'))
|
|
$clang = Get-Command clang -ErrorAction SilentlyContinue
|
|
if ($clang) { & clang --version } else { Write-Host "clang: NOT on PATH" }
|
|
|
|
head "cargo-make (the gamepad drivers' build driver)"
|
|
$cm = & cargo make --version 2>&1; Write-Host $cm
|
|
|
|
head "Rust + targets"
|
|
& rustc -V; & cargo -V
|
|
Write-Host "installed targets:"; & rustup target list --installed
|
|
|
|
head "Env knobs the WDK build cares about"
|
|
Write-Host ("Version_Number = " + ($env:Version_Number ?? '<unset>'))
|
|
Write-Host ("CARGO_HOME = " + ($env:CARGO_HOME ?? '<unset>'))
|
|
Write-Host ("CARGO_TARGET_DIR (daemon) = " + ($env:CARGO_TARGET_DIR ?? '<unset>'))
|
|
|
|
- name: Build + test pf-driver-proto (MSVC)
|
|
run: |
|
|
# Short target dir to dodge MAX_PATH inside the deep act host workdir (see windows.yml).
|
|
$env:CARGO_TARGET_DIR = "C:\t\drv"
|
|
cargo build -p pf-driver-proto
|
|
cargo test -p pf-driver-proto
|
|
cargo clippy -p pf-driver-proto --all-targets -- -D warnings
|
|
cargo fmt -p pf-driver-proto -- --check
|
|
|
|
# Build the UMDF driver workspace (wdk-probe) on windows-drivers-rs: proves wdk-sys bindgen/link works
|
|
# on the runner's WDK + LLVM, that pf-driver-proto path-deps into a driver, and exposes the produced
|
|
# DLL's FORCE_INTEGRITY (/INTEGRITYCHECK) bit — the M0 self-signed-load question.
|
|
driver-build:
|
|
runs-on: windows-amd64
|
|
timeout-minutes: 45
|
|
defaults:
|
|
run:
|
|
shell: pwsh
|
|
# In-tree target dir on purpose: wdk-build's find_top_level_cargo_manifest() walks UP from OUT_DIR
|
|
# to the first ancestor with a Cargo.lock, so a relocated CARGO_TARGET_DIR (C:\t\…) hides the
|
|
# workspace lock and it panics. The driver deps have no deep CMake-from-source crates, so the
|
|
# default in-tree target stays well under MAX_PATH (unlike the SDL3/audiopus client build).
|
|
working-directory: packaging/windows/drivers
|
|
env:
|
|
# wdk-build otherwise picks 10.0.28000.0 (no km/crt) and bindgen fails — pin the WDK SDK version.
|
|
Version_Number: '10.0.26100.0'
|
|
# No LIBCLANG_PATH pin: the vendored bindgen 0.72 builds clean on the runner's default clang 22
|
|
# (the shipping pack proves it). A 0.71-era layout-test overflow once needed LLVM 21; the 0.72 bump
|
|
# retired that — see design/windows-build-and-packaging.md.
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Ensure Windows toolchain (WDK, FFmpeg, Inno Setup, ARM64 target)
|
|
# Shared self-provision step (also used by windows.yml/windows-msix.yml/windows-host.yml) so
|
|
# driver-build is self-sufficient on any windows-amd64 runner and never races a manually
|
|
# dispatched provisioning workflow landing on a different one. Path is relative to the job
|
|
# working-directory (packaging/windows/drivers). Near-noop once the toolchain is present.
|
|
run: ../../../scripts/ci/ensure-windows-toolchain.ps1
|
|
- name: cargo build the driver workspace (wdk-probe + wdk-iddcx + pf-vdisplay + gamepad drivers)
|
|
# Whole workspace: wdk-probe (toolchain/surface-assert probe) + wdk-iddcx (DDI wrappers) +
|
|
# pf-vdisplay (the real IddCx driver) + pf-umdf-util (the safe UMDF primitive layer) + the two
|
|
# gamepad drivers. pf-vdisplay linking proves the IddCx call sites resolve against IddCxStub
|
|
# end-to-end (M1 step 2 gate); the gamepad drivers prove pf-umdf-util's WDF dispatch links.
|
|
run: cargo build -v
|
|
- name: cargo clippy the shipped drivers (-D warnings — enforces the unsafe-audit gates)
|
|
# The gamepad drivers' business logic is 100% safe (it moved onto pf-umdf-util, the audited
|
|
# unsafe layer); pf-vdisplay + wdk-iddcx are inherently FFI-bound but every `unsafe {}` carries a
|
|
# `// SAFETY:` proof. Both invariants are lint-gated (`unsafe_op_in_unsafe_fn` +
|
|
# `undocumented_unsafe_blocks`); this step keeps them from regressing. (wdk-probe is a
|
|
# toolchain-only probe crate and is excluded.)
|
|
run: cargo clippy -p pf-umdf-util -p pf-xusb -p pf-dualsense -p wdk-iddcx -p pf-vdisplay --all-targets -- -D warnings
|
|
- name: cargo fmt --check the safe-layer + gamepad drivers
|
|
run: cargo fmt -p pf-umdf-util -p pf-xusb -p pf-dualsense --check
|
|
- name: Inspect /INTEGRITYCHECK (before) — expect FORCE_INTEGRITY set by wdk-build
|
|
run: |
|
|
# explicit --target (.cargo/config.toml) -> output under the triple subdir.
|
|
$dll = "target\x86_64-pc-windows-msvc\debug\pf_vdisplay.dll"
|
|
if (-not (Test-Path $dll)) { throw "pf_vdisplay.dll not produced at $dll" }
|
|
$b = [IO.File]::ReadAllBytes($dll)
|
|
$pe = [BitConverter]::ToInt32($b, 0x3c)
|
|
$dllchar = [BitConverter]::ToUInt16($b, $pe + 0x5e) # OptionalHeader.DllCharacteristics
|
|
Write-Host ("pf_vdisplay.dll built OK ({0:N0} bytes)" -f (Get-Item $dll).Length)
|
|
Write-Host ("BEFORE: DllCharacteristics = 0x{0:X4}; FORCE_INTEGRITY = {1}" -f $dllchar, (($dllchar -band 0x0080) -ne 0))
|
|
- name: Clear FORCE_INTEGRITY (self-signed-load fix) + verify
|
|
# wdk-build sets /INTEGRITYCHECK unconditionally -> a self-signed driver won't load. Clear the PE
|
|
# bit deterministically (the reusable packaging step; signing/.cat happen later for real drivers).
|
|
run: ../clear-force-integrity.ps1 -Path target\x86_64-pc-windows-msvc\debug\pf_vdisplay.dll
|