Kernel and process manager
- We now support ARMv8.2 targets.
- By default, you can now use only secure
sigevents
that you've registered with
MsgRegisterEvent().
There's a new -U option for
procnto
that lets you use nonregistered events too.
Instead of using this option, you can use the _NTO_COF_UNREG_EVENTS flag
when you call
ConnectAttach()
to allow a specific connection to use registered and unregistered events.
Note:
- _NTO_COF_UNREG_EVENTS and procnto's -U option are temporary workarounds and will be removed in a future version. You should update your system to use only registered events.
- The mq_notify() function accepts registered events, but for compatibility with POSIX, it also accepts unregistered events, even if the system as a whole is required to use registered events.
- Address Space Layout Randomization (ASLR) is now enabled by default.
- We now save and restore the FPU context in Interrupt Service Routines (ISRs),
signal handlers, trace event handlers, and idle handlers.
GCC 8 may optimize some non-floating-point operations—especially array operations—by using
floating-point (FP) registers and operations (e.g., using SIMD).
This means that although there is no C code using FP operations, the generated opcodes may use them,
violating the requirement to not touch floating point registers in Interrupt Service Routines (ISRs),
signal handlers, trace event handlers, and idle handlers, leading to corruption of
the FP state in user threads, and doing so in a way that is extremely difficult to debug.
Rather than require the use of architecture-specific options (-mgeneral-regs-only for AArch64 or x86_64; there isn't such an option for ARMLE-v7) to force the compiler not to use these registers for an entire compilation unit, we decided to save all FP registers if and when an ISR first accesses any FP register, and to save the FP registers on entering a signal handler, trace event handler, or idle handler. We restore all the FP registers after leaving the ISR or handler. This has the following effects:
- It removes the danger of corrupting the FP registers by optimized code generated by the compiler despite the lack of any FP operations in the ISR or handler's source code.
- It allows the use of FP operations inside an ISR or handler. For an ISR, there's a one-time cost each time the ISR is invoked if there is any use of floating-point registers.
It's still possible to force an ISR to not use FP using the compiler options mentioned above (and therefore guarantee avoiding the performance hit of saving the FP registers), but if the ISR is in a C file that also has functions that explicitly use floating point, or would benefit from these optimizations, you can move the ISR to its own C file and use the appropriate flag to compile that file, but you need to be careful with preprocessor macros and calling functions that aren't in the C file.
- There are some new mechanisms for improving the security of shared memory objects:
- shared memory handles that provide a safe, secure and efficient way to share buffers among processes without the use of public paths
- a way for the creator of a shared memory object to seal a shared memory object to prevent other processes from changing the physical layout of the object, even if these processes are allowed to change the object's contents
- a way for the creator of a shared memory object to revoke access to the object such that it can be safely destroyed or reused for other purposes. Without the revocable flag, a shared memory object is cleaned up only when the last process removes a mapping to it, which means that the creator has no control over destruction and reuse.
For more information, see
Secure Buffer Management
in theShared Memory
chapter of the QNX Neutrino Programmer's Guide. - The following security trace events are new:
Event Emitted when: _NTO_TRACE_SEC_PERM_LOOKUP secpol_get_permission() is called to get a handle to a permission that's associated with a custom class _NTO_TRACE_SEC_PERM_TEST secpol_check_permission() is called to test if a given type has a permission _NTO_TRACE_SEC_UNREG_EVENT MsgDeliverEvent() is called with an unregistered sigevent For more information, see the System Analysis Toolkit (SAT) User's Guide.