The cold address-space bootstrap (host_bootstrap -> System DTB) ran once and was
terminal: when the adapter attached before the guest finished booting, no System
process was found, the adapter emitted a single ERROR and never retried, so the
memctx datum was never published.
Make it self-healing: on bootstrap failure arm a one-shot backoff timerfd (a
second adapter fd, demuxed by cookie) that re-kicks the bootstrap until it
succeeds; reset and disarm on success. Drop the per-failure URGENT ERROR (a
still-booting guest is transient, not a fault) for a single diagnostic line on
the first failure. Add a stub fail-injection (cfg fail_boots) and test_retry.
Bump 0.3.5.
- the vmsig package no longer ships the gpu lib; it is a Sensor lib for the control, not the daemon
- vgpu-perception gets SOVERSION; runtime (libvgpu-perception0) and dev (-dev) packages, like the vmie split
- per-component install + a 3-package make deb; fix a stale comment (the windows producer is in-tree)
- src/si/vgpu-stream: in-guest vgpu producer built as a Windows cross-compiled target (if(WIN32))
- .gitea: release workflow — cross-build the agent and build/publish the deb against system vmie
- cmake/makefile: resolve vmie from a source tree (LIBVMIE_PATH) or installed libvmie-dev
- core: runtime attach/detach of a per-endpoint adapter trio (runtime-safe add_adapter + vmsig_core_detach_endpoint, deferred reap)
- roster: VMSIG_EV_ROSTER + CAP_ROSTER, retained per-endpoint and replayed to late subscribers
- discovery: inotify trigger dir, vmid/endpoint slot allocator, host probe; vmsigd daemon with config + per-uid admission
- input driver and vgpu perception built in-tree; vgpu perception as a separate library
- memctx: own the supplied ro_fd (closed at detach)
- deb packaging: install rules, systemd unit, tmpfiles, default config
- Pointer motion is now a single event carrying both coordinates (MOVE_ABS /
MOVE_REL with x,y) rather than one event per axis; the adapter actuates both
axes in a single batch. The per-axis ABS/REL kinds are removed.
- Input injection is uinput-only: the driver selection and the optional
guest-side passthrough drop out of the adapter config (the driver is the
driver's concern). A QMP path is still carried for the unchanged service
power/lifecycle path.
- A per-event fire-and-forget flag lets a control inject input without an
actuation acknowledgement, for high-rate streams; without it the addressed
ACT_ACK is emitted as before. Service commands always acknowledge.
The neutral input payload gains x/y/flags, still within the inline event body.
Capability, lease and source gates are unchanged.
- CMD_MEMWRITE now carries a target page-table root (cr3) as its first field;
cr3 == 0 keeps the kernel address-space default (backward-compatible). A control
that has discovered a process's cr3 through its own read-only perception can
write that process's private memory under the same exclusive write lease.
Freshness of the cr3 is the control's responsibility — signaling does not
validate it (that is perception, not coherence), mirroring the read side.
- A socket control can now carry an SRC larger than the inline frame budget: a
length-prefixed SRC tail follows the CMD_MEMWRITE frame (flag SRC_PAYLOAD, the
length being the frame's own len). A per-connection two-phase receiver
accumulates the tail into a fixed conn-owned buffer up to the extent bound,
matching the in-process payload path. A zero or over-bound length is a framing
violation that closes the connection: leaving the promised tail unread would
desync the stream and draining an arbitrary length would be a denial of service.
The capability, exclusive lease, source and extent gates are unchanged and
reused; only the event header gained the cr3 field and the socket transport
gained the tail receiver. The adapter resolves cr3 == 0 to the kernel root on
its worker thread and writes atomically.
An epoll-driven, neutral transfer-event bus that connects sensors and input
actuators to one or more controls, bidirectionally. It owns the transfer context
and events — delivery order, priority, protocol-level timing, and an
interrupt-driven event model over fd sources (eventfd/timerfd/sockets) — and
stays agnostic to both the sensor/input drivers and the control.
What lives here:
- memctx: a coherent address-space context per endpoint — the guest address-space
root paired with a pre-opened read-only RAM-region fd, with per-endpoint epoch
invalidation and retained replay to late subscribers. Perception lives in
out-of-tree sensor libraries that consume this datum read-only.
- exclusive-ownership leases for destructive resource classes (input, power,
memory-write).
- write-signaled memory writes (MEMWRITE): an atomic write to guest memory routed
through the seam under an exclusive lease, never a writable mapping.
- a host-management seam for VM lifecycle/status and a neutral input-injection
command path.
- multi-VM endpoints; capability-gated, audited control authorization over an
in-process or unix-socket transport.
Builds against headers only by default (a stub mode that exercises the seam
without a VM); armed builds link the real sensor/input libraries behind flags.
lirent
