4 # Captive project doc Details page Perl template.
5 # Copyright (C) 2003 Jan Kratochvil <project-www.jankratochvil.net@jankratochvil.net>
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; exactly version 2 of June 1991 is required
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 package project::captive::doc::Details;
22 require 5.6.0; # at least 'use warnings;' but we need some 5.6.0+ modules anyway
23 our $VERSION=do { my @r=(q$Revision$=~/\d+/g); sprintf "%d.".("%03d"x$#r),@r; };
28 BEGIN{ open F,"Makefile"; our $top_dir=pop @{[split /\s/,(grep /^top_srcdir/,<F>)[0]]}; eval "use lib '$top_dir'"; close F; }
31 BEGIN { Wuse 'project::captive::doc::Macros'; }
34 project::captive::doc::Macros->init(
35 "__PACKAGE__"=>__PACKAGE__,
36 "title"=>'Captive NTFS Developer Documentation: Implementation Details',
37 "rel_prev"=>'CacheManager.html.pl',
38 "rel_next"=>'APITypes.html.pl',
45 <h1>Implementation Details</h1>
47 <a name="emulmeth"><h2>Choice of the Emulation Methods</h2></a>
49 <p>The intent of the project was to get reliable read-write access to
50 <span class="productname">NTFS</span> partition. There are several possible
51 ways to achieve that:</p>
53 <a name="emulmeth_vm"><h3>Virtualmachine Running the Original W32 Subsystem</h3></a>
55 <p>Creating virtual-hardware PC and running the original W32 binaries
56 including their boot-loader etc. Disk device access would be passed as
57 virtual IDE disk (=hard disk drive). File access API would be implemented
58 either by special escaping by some trapped instruction out of the
59 virtualmachine while using W32 file access API or using the standard W32
60 SMB (Server Message Block) network access through some virtual network
61 card. The latter network access solution is almost the currently available
62 possibility of running full-blown disk-sharing real
63 <span class="productname">Microsoft Windows NT</span> inside virtual
64 machine emulator such as <span class="productname">VMware</span>.</p>
66 <p>pros: Full compatibility due to fully native codebase.</p>
68 <p>cons: Hard to debug, missing documentation of NT booting internals,
69 possible problems by different PC virtual-hardware than expected by NT,
70 requirement of fully installed
71 <span class="productname">Microsoft Windows NT</span> product.</p>
73 <a name="method_ntoskrnl"><h3>"ntoskrnl.exe" Inside Virtual Address Space</h3></a>
75 <p>This solution was chosen by the project. Binary filesystem driver and
76 also <span class="fname">ntoskrnl.exe</span> binary file are required.
77 Unfortunately <span class="fname">ntoskrnl.exe</span> expects a native
78 PC virtual-hardware missing during regular UNIX user space process
79 emulation, therefore such instructions must be trapped and emulated/ignored
80 from case to case.</p>
82 <p>Also the <a name="init_ntoskrnl">initialization code of <span
83 class="fname">ntoskrnl.exe</span></a> is not executed by this project since
84 it expects to get full PC hardware access privileges and thus some
85 datastructures do not get initialized by it (need to be trapped later at
86 runtime stage). Some of the missing initializations are solved by
87 @{[ a_href 'APITypes.html.pl#functype_wrap','API functions wrapping' ]}.
89 <p>pros: Lightweight, easier to debug.</p>
91 <p>cons: Possible incompatible emulation of
92 <span class="fname">ntoskrnl.exe</span> parts, missing documentation needed
93 for the implementation.</p>
95 <a name="emulmeth_fs"><h3>Filesystem Driver Inside Virtual Address Space</h3></a>
97 <p>Unlike @{[ a_href 'Details.html.pl#method_ntoskrnl','previous method' ]} here we do not use
98 even <span class="fname">ntoskrnl.exe</span> as the complete kernel part of
99 W32 is <a name="native_ntoskrnl">emulated from the project source
100 files</a>. <span class="fname">cdfs.sys</span> driver was successfuly ran
101 in this manner in the former versions of this project but the possibility
102 to run without <span class="fname">ntoskrnl.exe</span> was dropped since it
103 had no licensing gains (you need the original
104 <span class="productname">Microsoft Windows NT</span> files at least for
105 the filesystem driver itself) and the emulation of undocumented parts
106 reusable from <span class="fname">ntoskrnl.exe</span> binary was
109 <p>pros: Lightweight, easier to debug.</p>
111 <p>cons: Possible incompatible emulation of the whole
112 <span class="fname">ntoskrnl.exe</span>, its missing documentation.</p>
115 <a name="apichoice"><h2>API Function Implementation Choices</h2></a>
117 <p>During the initial point of the project development all the API
118 functions were defined as unimplemented, of course. Any call of such
119 unimplemented function is fatal and results in program termination. When we
120 need to implement any required API function we have multiple choices to do
122 @{[ a_href 'APITypes.html.pl#functype_pass','Direct pass to original <span class="fname">ntoskrnl.exe</span>' ]},
123 @{[ a_href 'APITypes.html.pl#functype_wrap','Wrap of the original <span class="fname">ntoskrnl.exe</span> function' ]},
124 @{[ a_href 'APITypes.html.pl#functype_native_reactos','Native implementation – $ReactOS' ]},
125 @{[ a_href 'APITypes.html.pl#functype_native_wine','Native implementation – $Wine' ]}
127 @{[ a_href 'APITypes.html.pl#functype_native_libcaptive','Native implementation – project specific' ]}.
128 <!-- a_href 'APITypes.html.pl#functype_undef','Undefined function' -->
131 <a name="sandbox"><h2>Sandboxing of W32 Filesystem</h2></a>
133 <p>The emulated W32 environment running the original W32 filesystem driver
134 is separated from the rest of UNIX OS. It achieves the following goals:</p>
137 <li><b>Restartable</b>: W32 driver can be restartde in clean state if it crashed</li>
138 <li><b>Secure</b>: Malicious W32 code cannot affect the security of UNIX OS</li>
139 <li><b>Stable</b>: Buggy W32 cannot crash any part of UNIX OS</li>
142 <p>Sandboxing is provided with the following attributes:</p>
145 <li>standalone UNIX process with separate memory space</li>
146 <li>chroot(2) in empty directory to prevent any UNIX OS filesystem access</li>
147 <li>setuid(2) to own user/group to prevent interaction with UNIX processes</li>
148 <li>setrlimit(2) to limit system resources available for W32 environment</li>
149 <li>the only connection with the UNIX OS by CORBA/ORBit RPC</li>
152 @{[ doc_img 'dia/arch-all','Project Components Architecture' ]}
154 <p>This security is almost the same as provided by
155 emulated virtual machines such as
156 @{[ a_href 'http://www.vmware.com/solutions/security.html','VMware' ]}.</p>
158 @{[ doc_img 'dia/inheritance','Sandboxing Scheme' ]}
160 <p>Project can be also used in non-sandboxed mode by
161 <span class="command">--no-sandbox</span> option as it is easier to debug
162 without CORBA/ORBit RPC. In this case the
163 <span class="type">DirectorySlave</span>/<span class="type">FileSlave</span>
164 options are used directly instead of their
165 <span class="type">DirectoryParent</span>/<span class="type">FileParent</span>
169 <a name="patched"><h2>"patched" vs. "unpatched" Libraries</h2></a>
171 <p>Library is called <span class="constant">patched</span> if we require
172 loading its original binary code file. Project needs to patch it to be able
173 to trap all the function entry points. The only currently
174 <span class="constant">patched</span> library of this project is
175 <span class="fname">ntoskrnl.exe</span>.</p>
177 <p>Library is called <span class="constant">unpatched</span> if no original
178 binary code is needed since all of its functions are completely emulated by
179 @{[ a_href 'APITypes.html.pl#functype_native','the native implementations' ]} of this project.
180 The typical <span class="constant">unpatched</span> representative is
181 <span class="fname">hal.dll</span> as it specializes on the hardware
182 dependent code and therefore it must be completely replaced by this project
183 running in the $gnulinux operating system environment. Early versions of
184 this project had also full <span class="constant">unpatched</span>
185 <a href="#native_ntoskrnl">native implementation of
186 <span class="fname">ntoskrnl.exe</span></a> but it no longer applies.</p>
188 <a name="mman"><h2>Memory Management</h2></a>
190 <p>Original <span class="productname">Microsoft Windows NT</span>
191 architecture uses two address space areas – user space and kernel space.
192 User space is mapped in the range <span class="constant">0x00000000</span>
193 to <span class="constant">0x7FFFFFFF</span>, kernel space is mapped in the
194 range <span class="constant">0x80000000</span>
195 (<span class="constant">KERNEL_BASE</span> in $ReactOS sources) to
196 <span class="constant">0xFFFFFFFF</span>. All these virtual memory ranges
197 represent addresses after their MMU (Memory Management Unit) mapping, of
198 course. More discussion can be found in the
199 <a href="http://www.microsoft.com/hwdev/platform/server/PAE/PAEmem.asp">description
200 by <span class="productname">Microsoft</span></a>.</p>
202 <p>This project runs in the virtual address space used both for the UNIX
203 user space process part and for the W32 kernel space. Therefore this
204 project defines that W32 kernel runs in the whole range
205 <span class="constant">0x00000000</span> to
206 <span class="constant">0xFFFFFFFF</span> since there are no special mapping
207 assumptions about the UNIX user space process mapping. No W32 user space
208 exists in this project. Such approach also nullifies any special memory
209 moving operations between W32 kernel space and W32 user space memory areas
210 (such as <span class="function">MmSafeCopyToUser()</span>).</p>
212 <a name="unicode"><h2>Unicode Strings and Characters</h2></a>
214 <p>W32 platform uses 16-bit type <span class="type">wchar_t</span> while $gnulinux uses a
215 32-bit one. This can be problem during GCC (GNU C Compiler)
216 compilation of combination of native UNIX C sources (assuming 32-bit
217 GCC with 32-bit <span class="type">wchar_t</span>) and
218 $ReactOS C sources (assuming W32 compiler with 16-bit
219 <span class="type">wchar_t</span>) for literal wide strings
220 (C source file systax: <span class="command">L"wstring"</span>).
221 Possibilities to solve this issue list:</p>
225 <p>Using <span class="constant">-fshort-wchar</span> GCC option and
226 strictly differentiate between compilation of
227 <span class="productname">ReactOS</span> code and UNIX code.</p>
229 <p>pros: No source modifications needed, no runtime performance hit.</p>
231 <p>cons: No type checking if some part of code has bad compilation
232 flags, complicated way to completely split
233 <span class="productname">ReactOS</span> and UNIX code.</p>
236 <p>Wrap all <span class="productname">ReactOS</span> literal constants
237 by some conversions function call (implemented as macro
238 <span class="function">REACTOS_UCS2()</span> by this project).</p>
240 <p>pros: Any forgotten/mistaken conversions are type-checked and warned
241 during the compilation by GCC.</p>
243 <p>cons: All compiled <span class="productname">ReactOS</span> sources
244 files containing literal wide strings have to be wrapped/modified,
245 performance hit by runtime string conversions.</p>
247 <p>This solution was chosen to get the internal sanity checking
252 <a name="binfmt"><h2>Supported Binary Formats</h2></a>
254 <p>The native W32 binary format is identified as
255 <span class="constant">PE-32</span> (Portable Executable 32-bit), such
256 files have all the usual extensions such as
257 <span class="fname">.sys</span>, <span class="fname">.exe</span>,
258 <span class="fname">.dll</span> etc. <span class="constant">PE-32</span>
259 loading support was already implemented by $ReactOS, its memory mapping
260 specifics just had to be ported to $gnulinux environment by this project.
261 This loading support does not (yet) cover importing of debug symbols from
262 W32 <span class="fname">.PDB</span> (Program DataBase) files in $gnulinux
263 ABI (Application Binary Interface) compatible way.</p>
265 <p>This project also supports transparent loading of UNIX
266 <span class="fname">.so</span> (Shared Object file) binary format. If you
267 have W32 source files for some W32 library you can try to compile it by GCC
268 to get the shared library with $gnulinux ABI compatible debug information
269 (GCC option <span class="constant">-ggdb3</span> recommended). Beware of
270 possible compilation problems as <span class="productname">Microsoft</span>
271 C code expects <span class="constant">exception</span> handling to be
272 supported by the compiler (definitely not the case of the plain C compiler
273 of GCC) — all the exception catching code should be discarded as any
274 @{[ a_href '#exception_fatal','generated exceptions are always fatal' ]} when
275 such driver is running in the scope of this project. You can use the
276 following script of this project to compile W32 filesystem source files as
277 UNIX <span class="fname">.so</span>:
278 @{[ captive_srcfile 'src/w32-mod/ext2fsd.so-build.sh' ]}</p>
280 <p>Be aware of some differences if you use
281 <span class="constant">PE-32</span> binary format file vs.
282 <span class="fname">.so</span> format file.
283 <span class="constant">PE-32</span> use the appropriate W32 specific
284 @{[ a_href '#calltype','cdecl/stdcall/fastcall call types' ]},
285 <span class="fname">.so</span> must be completely compiled in the standard
286 UNIX @{[ a_href 'CallType.html.pl#calltype_cdecl','cdecl call type semantics' ]}.
287 @{[ a_href 'APITypes.html.pl#functype_native','Native function implementations' ]} do not need
288 to be explicitely exported by <span class="fname">captivesym</span> as they
289 are resolved automatically by the UNIX dynamic system linker. It may be
290 surprising you will have to fix all such missing symbol exports if you
291 advance during the development from the debugging
292 <span class="fname">.so</span> file for the production version of the
293 original <span class="constant">PE-32</span> binary file.</p>
296 <a name="mounted_one"><h2>At Most One Mounted Filesystem</h2></a>
298 <p>The project technically supports only one (exactly one...) mounted
299 filesystem device and only one filesystem driver. There is nothing
300 complicated to support multiple disks and multiple loaded filesystem
301 modules but as they would share the address space it would only bring
302 a possible complications during bug reports and the bug solving
303 itself. It was considered as a more sane way to support multiple W32
304 mounted disks by completely separately running project instances in
305 a different UNIX processes communicating from their sandboxes via
306 @{[ a_href 'Details.html.pl#sandbox','CORBA sandbox interface' ]}. This sandboxing
307 feature is not yet deployed although its code is already prepared.</p>
309 <p>The project also does not support any state cleanup to be able to load
310 filesystem <span class="constant">A</span>,
311 cleanup <span class="constant">A</span> and load a different
312 filesystem <span class="constant">B</span> in the same process address
313 space. It complies with the preventions of the possible debugging
314 complications as noted above. Despite this you still must call the function
315 <span class="function">captive_shutdown()</span> to flush all the pending
316 filesystem buffers to the disk. After calling
317 <span class="function">captive_shutdown()</span> the process address space is
318 no longer usable for any further project operations and the process is
319 expected to be terminated in the manner compatible with its driving
320 @{[ a_href 'Details.html.pl#sandbox','CORBA sandbox interface' ]} control master.</p>
322 <p>Each sandbox executing the untrusted W32 binary filesystem driver code
323 is connected through its
324 @{[ a_href 'Details.html.pl#sandbox','CORBA sandbox interface' ]} at the point of upper
325 layer <span class="constant">libcaptive</span>-specific filesystem API, at
326 the point of the bottom layer of <span class="type">GIOChannel</span>
327 device access and also for transfers of GLib logging
328 messages/warnings/errors out of the sandbox to the user.</p>
331 <a name="synchronous"><h2>Multithreading and Multiple Processors</h2></a>
333 <p>W32 platform stands on its thorough architecture parallelism. It
334 must lock all its objects to maintain coherence in presence of
335 multithreading and multiple processors. Since the author of this project
336 considers any parallel execution a serious obstacle for debugging the whole
337 project architecture was designed to prevent any undeterministic behaviour.
338 Therefore this projects always emulates uniprocessor
339 <span class="productname">Microsoft Windows NT</span> kernel
340 (<span class="constant">KeNumberProcessors</span> symbol is always 1),
341 everything runs in the single initial thread/process and all the filesystem
342 operations are performed as synchronous
343 ("synchronous" by flags
344 <span class="constant">FILE_SYNCHRONOUS_IO_ALERT</span>,
345 <span class="constant">FO_SYNCHRONOUS_IO</span>,
346 <span class="constant">IRP_SYNCHRONOUS_API</span>,
347 <span class="constant">IRP_SYNCHRONOUS_PAGING_IO</span>,
348 forced <span class="constant">TRUE</span> result of
349 <span class="function">IoIsOperationSynchronous()</span>
351 For several cases needed only by <span class="fname">ntfs.sys</span> there
352 had to be supported asynchronous access
353 (<span class="constant">STATUS_PENDING</span> return code) – parallel
354 execution is emulated by GLib
355 <span class="function">g_idle_add_full()</span> with
356 <span class="function">g_main_context_iteration()</span> called during
357 <span class="function">KeWaitForSingleObject()</span>.</p>
358 Since there is a possibility a real W32 parallel threading would
359 be yet needed in the future all the code that would be hit by W32
360 multithreading capability is marked by
361 <span class="constant">TODO:thread</span> comment.</p>
363 <p>Multiple processors (SMP) support will never need to be implemented
364 since uniprocessor W32 kernels apparently run the filesystem driver modules
365 fine. As this project implements only the uniprocessor W32 kernel all the
366 processor locking functions and structures such as
367 <span class="constant">KSPIN_LOCK</span> etc. can be safely implemented as
370 <p>Asynchronous callbacks registered for
371 <span class="constant">IO_WORKITEM</span>s are passed as GLib idle
372 functions by <span class="function">g_idle_add_full()</span>. Although they
373 will probably never be executed during non-interactive project's batch
374 executions it is the responsibility of W32 driver implementation to
375 complete all the pending tasks before its W32 shutdown. Such W32 shutdown
376 is done during cleanup of the project's execution by
377 <span class="function">captive_shutdown()</span>.</p>
379 <a name="paranoia"><h2>Paranoia Checks</h2></a>
381 <p>A general approach of software projects development is to implement
382 many internal sanity checks during the development stage but to produce the
383 most optimized final release product without those debugging checks.</p>
385 <p>Facilities for these practices can be seen in the standard
386 C include files for example as function
387 <span class="function">assert()</span> which gets disabled by the
388 <span class="constant">NDEBUG</span> symbol used during the final optimized
389 executable compilation. This project uses Gnome GLib messaging subsystem
390 offering sanity checks discarded by symbols
391 <span class="constant">G_DISABLE_ASSERT</span> and
392 <span class="constant">G_DISABLE_CHECKS</span>.
393 <span class="productname">Microsoft</span> also produces two versions of
394 its products – regular customers use the "free build" (also
395 called "retail") while the programmers should develop their code
396 on the "checked build" product releases.</p>
398 <p>As this project will always run unknown binary code of proprietary W32
399 filesystem drivers, the code can never be trusted. Such code even runs in
400 the same unprotected address space as its controlling UNIX code. Since
401 there is not enough documentation for the W32 components of the system and
402 also such documentation is usually misleading it can never be considered as
403 100% emulation. Even in the final releases all the sanity checks
404 implemented in this project should remain active as all the project's code
405 always interacts with unknown and untrusted W32 binaries.</p>
407 <p><span class="productname">Microsoft Windows NT</span> code is written in
408 a foolproof style as it accepts even invalid input values, and which
409 it usually corrects. This makes long-term debugging a pain as it hides
410 sources of problems. "Checked build" releases were probably
411 designed to fix this flaw by strict consistency checks but it did not reach
412 its goals as such checks are usually missing in the code.</p>
414 <p>This project has strict consistency checks across all the code to make
415 the debugging phase easy enough. Failed sanity check is not always
416 a bug – sometimes it just means the real W32 binary code is more
417 benevolent than it could be expected according to the documentation and
418 such sanity check gets removed for the next version build. In other cases
419 the failed sanity checks mean the execution path for some unexpected
420 arguments combination was not yet implemented by this project. I may also
421 mean a bug, of course...</p>
423 <p>Last but not least – never miss a possible sanity check as its
424 later removal is in an order of magnitude cheaper than an uncaught
425 invalid assumption. Failed assertion is not always a bug although it
426 has to be fixed, of course.</p>
429 <a name="logfile"><h2>STATUS_LOG_FILE_FULL</h2></a>
431 <p>After writing approx. 1MB of data on NTFS test partition NTFS driver
432 returns for any further write requests
433 <span class="constant">STATUS_LOG_FILE_FULL</status> error code.
434 Apparently it is caused by the fact this project is
435 @{[ a_href 'Details.html.pl#synchronous','single-threaded' ]} and it ignores the spawn
436 of parallel journalling thread during <span class="fname">ntfs.sys</span>
439 <p>Fortunately <span class="fname">ntfs.sys</span> will clear its
440 journalling log file during filesystem unmount. This project will therefore
441 remount the volume if <span class="constant">STATUS_LOG_FILE_FULL</status>
442 is detected to workaround missing journalling thread.</p>
444 <p>Similiar behaviour can be seen during write of compressed files —
445 the file gets written uncompressed and its compression will proceed only
446 during the final filesystem unmount.</p>
448 <p>For these reasons it was mandatory to support
449 @{[ a_href 'Details.html.pl#parent_connector','transparent volume remounting' ]}.</p>
452 <a name="parent_connector"><h2><span class="constant">ParentConnector</span> volume remounter</h2></a>
454 <p>The sandbox master component of this project has control of restarting
455 its sandbox slaves containing the W32 filesystem. Target goal of
456 <span class="constant">ParentConnector</span> component is to transparently
457 provide persistent view of files and directories over the sandboxed slaves
460 <p>In the case of read-only operations it would be simple as we could only
461 save our state of currently opened filesystem objects with their read
462 file/directory offset. Write operations can be handled as the read-only
463 ones as long as all the operations are successful. In the case of W32
464 filesystem crash we loose all the past write operations. If we would redo
465 all the write operations we could very easily invoke the same crash.
466 Therefore we write:</p>
468 <blockquote class="command">
469 <p>Filesystem crash broke dirty object: FILE/PATH/NAME</p>
472 <p>message to syslog and refuse any further operations with this
475 @{[ doc_img 'dia/parent-connector','Parent Connector' ]}
477 <p><span class="constant">HANDLE</span> represents W32 object open in
478 existing W32 filesystem.<span class="constant">HANDLE</span> is created
479 on-demand according to the saved state of the object (such as its
480 pathname). Even the whole <span class="constant">VFS</span> sandbox slave
481 is spawn on-demand if some object operation requests it.</p>
483 <p>W32 filesystem crash can obviously occur at any moment - it generates
484 @{[ a_href 'http://developer.gnome.org/doc/API/2.0/gobject/','GObject' ]}
485 @{[ a_href 'http://developer.gnome.org/doc/API/2.0/gobject/gobject-Signals.html','signal' ]}
486 <span class="constant">abort</span>. Successful filesystem unmount
487 (even as the part of remount operation) must be first preceded by
488 <span class="constant">detach</span> signal to close all existing
489 W32 <span class="constant">HANDLE</span>s. After their close the filesystem
490 gets the unmount requests. Only in the case all the close operations
491 succeeded including the final filesystem unmount the signal
492 <span class="constant">cease</span> can be activated to notify all the
493 dirty (written) objects they are now clean. During this
494 <span class="constant">cease</span> signal the project will also
495 @{[ a_href '#safe_flush','flush' ]} the sandbox commit buffer to its
496 underlying media.</p>
498 <p>Objects never written remain in <span class="constant">clean</span>
499 state and they can be transparently reopened even if W32 filesystem crash
506 project::captive::doc::Macros->footer();
git://git.jankratochvil.net / www.jankratochvil.net.git / blob