Merged
66 commits
6b1b897
broker design v0.1
wdcui May 27, 2026
6259a2b
updated
wdcui May 27, 2026
b45215f
Document broker split design
wdcui May 28, 2026
605c1c1
Document broker implementation plan
wdcui May 28, 2026
4c7a391
Incorporate sandbox architecture findings
wdcui May 28, 2026
76cd13f
Add split broker event POC
wdcui May 29, 2026
ec6163c
fix cargo lock
wdcui May 29, 2026
551ca42
Decouple broker core from protocol layers
wdcui May 29, 2026
c90b69e
Hide foreign broker object references
wdcui May 29, 2026
4845aa5
Harden split broker interfaces
wdcui May 29, 2026
fb982cc
Simplify broker object handles
wdcui May 29, 2026
f0fb824
Allow Unix broker transport in no_std CI
wdcui May 29, 2026
3deef1c
Refine broker channel interfaces
wdcui May 29, 2026
5965b0f
Prune broker unit tests
wdcui May 29, 2026
717ac4b
Clean up split broker modularity
wdcui May 29, 2026
8d1d5f0
Document split broker dependency boundaries
wdcui May 29, 2026
feafb8f
Address split broker review follow-ups
wdcui May 29, 2026
00b6b30
Integrate split broker with linux userland runner
wdcui May 30, 2026
d12f7f8
Rename broker runner integration
wdcui Jun 1, 2026
463396e
Keep broker startup negotiation-only
wdcui Jun 1, 2026
dc3c445
Clean up broker protocol and eventfd path
wdcui Jun 2, 2026
b68d9bb
Move broker boundary into local core
wdcui Jun 2, 2026
f7cc115
Hide event backend behind local core
wdcui Jun 2, 2026
3118644
Clean up local core broker layering
wdcui Jun 2, 2026
a2e465a
Simplify broker event counter surface
wdcui Jun 2, 2026
03b2764
Split local core broker adapters
wdcui Jun 2, 2026
bc82f18
Clean up broker event layering
wdcui Jun 2, 2026
6da49ee
Simplify broker event adapter
wdcui Jun 3, 2026
c91bebd
Refine broker-backed event counter interface
wdcui Jun 3, 2026
f2f8034
Align event counter factory with event domain
wdcui Jun 3, 2026
813550e
Simplify event counter local-core interface
wdcui Jun 3, 2026
e0641d4
Simplify eventfd shim integration
wdcui Jun 4, 2026
3d49ca3
Restore shim pipe module
wdcui Jun 4, 2026
d2ec34c
Fix eventfd writev zero-length handling
wdcui Jun 4, 2026
7b8bd9e
Prune redundant broker tests
wdcui Jun 4, 2026
f2c6154
Preserve generic writev handling
wdcui Jun 4, 2026
738c871
Update broker design eventfd status
wdcui Jun 4, 2026
9fe28ea
Address broker review followups
wdcui Jun 4, 2026
5c03a0d
Rename broker adapter crates
wdcui Jun 4, 2026
10f15ee
Merge broker wire into protocol
wdcui Jun 4, 2026
09dbbed
Address broker interface review feedback
wdcui Jun 4, 2026
663b7f6
Align broker terminology and control client API
wdcui Jun 4, 2026
1f79af3
Rename broker event channel to notification channel
wdcui Jun 4, 2026
70fa831
Refactor broker policy engine
wdcui Jun 4, 2026
28ae7fb
Fix CI eventfd regressions
wdcui Jun 4, 2026
aacb196
Simplify broker identity model
wdcui Jun 4, 2026
02f7d70
Update eventfd fcntl test expectation
wdcui Jun 4, 2026
5d1cdf7
Restore eventfd fcntl test coverage
wdcui Jun 5, 2026
d702489
Avoid extra broker core test global
wdcui Jun 5, 2026
6f310fe
Prune redundant broker tests
wdcui Jun 5, 2026
6a520d1
Rename broker local and host errors
wdcui Jun 5, 2026
4bc3077
Remove broker local worker
wdcui Jun 5, 2026
83117fc
Align broker local and host naming
wdcui Jun 5, 2026
45732e1
Fold broker negotiation modules into crate roots
wdcui Jun 5, 2026
24529d7
Prune broker local and host tests
wdcui Jun 5, 2026
d5b0f49
Centralize initial broker protocol version
wdcui Jun 5, 2026
2620a48
Organize broker wire codec by protocol layer
wdcui Jun 5, 2026
4063b18
Prune Unix socket transport tests
wdcui Jun 5, 2026
84e8588
Clean up broker local integration layering
wdcui Jun 5, 2026
928acfa
Expand broker eventfd fixture coverage
wdcui Jun 5, 2026
fe92183
Assert broker eventfd traffic in runner test
wdcui Jun 5, 2026
756edcd
Fix shim eventfd and vectored IO semantics
wdcui Jun 5, 2026
f0d9e07
Join epoll eventfd test writer thread
wdcui Jun 8, 2026
5dcc8fd
Remove broker design docs from implementation PR
wdcui Jun 15, 2026
ea52efe
Back out non-eventfd vectored IO changes
wdcui Jun 15, 2026
e1d7407
Simplify eventfd fixture IO paths
wdcui Jun 16, 2026
9 changes: 9 additions & 0 deletions .github/workflows/ci.yml
@@ -230,6 +230,13 @@ jobs:
# - `litebox_platform_windows_userland` is allowed to have `std` access,
# since it is a purely-userland implementation.
#
# - `litebox_broker_transport` is allowed to have `std` access,
# since it owns hosted concrete broker transport implementations,
# including the current Unix-domain-socket control channel.
#
# - `litebox_broker_userland` is allowed to have `std` access,
# since it is the hosted userland broker executable.
#
# - `litebox_platform_lvbs` has a custom target (`no_std`), so it does
# not work with the current no_std checker.
#
@@ -285,6 +292,8 @@ jobs:
# can safely use std.
find . -type f -name 'Cargo.toml' \
-not -path './Cargo.toml' \
-not -path './litebox_broker_transport/Cargo.toml' \
-not -path './litebox_broker_userland/Cargo.toml' \
-not -path './litebox_platform_linux_userland/Cargo.toml' \
-not -path './litebox_platform_windows_userland/Cargo.toml' \
-not -path './litebox_runner_linux_on_windows_userland/Cargo.toml' \
52 changes: 52 additions & 0 deletions Cargo.lock


14 changes: 13 additions & 1 deletion Cargo.toml
@@ -1,7 +1,13 @@
[workspace]
resolver = "2"
members = [
"litebox",
"litebox",
"litebox_broker_local",
"litebox_broker_core",
"litebox_broker_protocol",
"litebox_broker_host",
"litebox_broker_transport",
"litebox_broker_userland",
"litebox_common_linux",
"litebox_common_windows",
"litebox_common_optee",
@@ -29,6 +35,12 @@ members = [
]
default-members = [
"litebox",
"litebox_broker_local",
"litebox_broker_core",
"litebox_broker_protocol",
"litebox_broker_host",
"litebox_broker_transport",
"litebox_broker_userland",
"litebox_common_linux",
"litebox_common_windows",
"litebox_common_optee",
1 change: 1 addition & 0 deletions dev_tests/src/ratchet.rs
@@ -34,6 +34,7 @@ fn ratchet_globals() -> Result<()> {
ratchet(
&[
("dev_bench/", 1),
("litebox_broker_core/", 1),
("litebox/", 9),
("litebox_platform_linux_kernel/", 6),
("litebox_platform_linux_userland/", 5),
2 changes: 2 additions & 0 deletions litebox/Cargo.toml
@@ -20,6 +20,8 @@ buddy_system_allocator = { version = "0.11.0", default-features = false, feature
# Depend on (currently unreleased) slabmalloc `main`, which contains some fixes on top of `0.11.0`
slabmalloc = { git = "https://github.com/gz/rust-slabmalloc.git", rev = "19480b2e82704210abafe575fb9699184c1be110" }
litebox_util_log = { version = "0.1.0", path = "../litebox_util_log" }
litebox_broker_local = { version = "0.1.0", path = "../litebox_broker_local" }
litebox_broker_protocol = { version = "0.1.0", path = "../litebox_broker_protocol" }

[target.'cfg(windows)'.dependencies]
windows-sys = { version = "0.60.2", features = [
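Review bot: `litebox_broker_local` and `litebox_broker_protocol` are added as unconditional dependencies of `litebox`, while `BrokerState` in `litebox/src/broker/mod.rs` stores `Option<Arc<dyn BrokerControl>>`, which suggests the broker is optional at run time. If deployments without a broker are expected, consider marking both entries `optional = true` behind a `broker` feature so the protocol and client code are not compiled into builds that never use them; the `broker` module would then need a matching `#[cfg(feature = "broker")]`. If the dependency is meant to be mandatory, a short comment above the two lines saying so would be enough.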
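--- a/litebox/src/broker/error.rs
+++ b/litebox/src/broker/error.rs
@@ -0,0 +1,85 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+use litebox_broker_protocol::ErrorCode;
+
+use crate::event::{counter::EventCounterError, polling::TryOpError};
+
+/// Error returned by the deployment-provided broker control path.
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+#[non_exhaustive]
+pub enum BrokerControlError {
+/// The broker control transport failed.
+Transport,
+/// The broker returned an operation error.
+Broker(ErrorCode),
+/// The broker returned a response shape that does not match the request.
+UnexpectedResponse,
+}
+
+/// Internal normalized error for broker-backed object adapters.
+///
+/// This keeps protocol/control-channel failures separate from the public
+/// object-specific API error exposed by each local-core facade.
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub(crate) enum BrokerObjectError {
+/// The deployment-provided broker control path failed.
+Control,
+/// The broker rejected the cached object handle, type, or rights.
+InvalidObject,
+/// The object operation would block in its current broker-side state.
+WouldBlock,
+/// The object or broker-side state cannot grow further.
+ResourceExhausted,
+/// The broker returned a response shape that does not match the request.
+UnexpectedResponse,
+/// The broker reported a non-recoverable or unsupported object error.
+Internal,
+}
+
+impl From<BrokerControlError> for BrokerObjectError {
+fn from(error: BrokerControlError) -> Self {
+match error {
+BrokerControlError::Transport => Self::Control,
+BrokerControlError::Broker(error) => error.into(),
+BrokerControlError::UnexpectedResponse => Self::UnexpectedResponse,
+}
+}
+}
+
+impl From<ErrorCode> for BrokerObjectError {
+fn from(error: ErrorCode) -> Self {
+match error {
+ErrorCode::InvalidRights
+| ErrorCode::UnknownObject
+| ErrorCode::WrongObjectType
+| ErrorCode::StaleHandle => Self::InvalidObject,
+ErrorCode::WouldBlock => Self::WouldBlock,
+ErrorCode::ResourceExhausted => Self::ResourceExhausted,
+_ => Self::Internal,
+}
+}
+}
+
+pub(crate) fn map_broker_object_result<T>(
+result: Result<T, BrokerObjectError>,
+) -> Result<T, TryOpError<EventCounterError>> {
+match result {
+Ok(value) => Ok(value),
+Err(BrokerObjectError::WouldBlock) => Err(TryOpError::TryAgain),
+Err(error) => Err(TryOpError::Other(error.into())),
+}
+}
+
+impl From<BrokerObjectError> for EventCounterError {
+fn from(error: BrokerObjectError) -> Self {
+match error {
+BrokerObjectError::WouldBlock => Self::WouldBlock,
+BrokerObjectError::ResourceExhausted => Self::ResourceExhausted,
+BrokerObjectError::UnexpectedResponse => Self::UnexpectedResponse,
+BrokerObjectError::Control
+| BrokerObjectError::InvalidObject
+| BrokerObjectError::Internal => Self::Io,
+}
+}
+}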
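Review bot: `From<BrokerObjectError> for EventCounterError` folds `Control`, `InvalidObject` and `Internal` into `Self::Io`, so a broker-side rejection of the handle, type or rights (`ErrorCode::InvalidRights`, `UnknownObject`, `WrongObjectType`, `StaleHandle`, all mapped to `InvalidObject` in the impl above it) reaches the caller looking exactly like a transport failure. If that flattening is intentional, the arm deserves a comment such as `// Broker denials and stale handles are deliberately reported as Io; the original ErrorCode is not recoverable past this point.`, and the original code probably wants to be logged before it is dropped so that denials stay auditable. Separately, `map_broker_object_result` has a generic name but is fixed to `TryOpError<EventCounterError>` and has no doc comment; a one-line `///` stating that `WouldBlock` becomes `TryAgain` and every other error becomes `Other` would help whoever writes the next object adapter.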
90 changes: 90 additions & 0 deletions litebox/src/broker/mod.rs
@@ -0,0 +1,90 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.

use alloc::sync::Arc;

use litebox_broker_local::{BrokerLocal, BrokerLocalError};
use litebox_broker_protocol::{CoreRequest, CoreResponse, LocalControlChannel};

use crate::sync::{Mutex, RawSyncPrimitivesProvider};

pub(crate) mod error;
pub use error::BrokerControlError;

/// Local-core access to the negotiated broker control channel.
///
/// LiteBox owns broker-backed local objects and constructs broker protocol
/// requests. Deployment code owns endpoint selection and supplies the connected
/// transport behind this protocol-level boundary.
pub trait BrokerControl: Send + Sync {
/// Sends one active BrokerCore request and returns its response.
fn request(
&self,
request: CoreRequest,
) -> core::result::Result<CoreResponse, BrokerControlError>;
}
Comment on lines +14 to +25

Member


This interface forces a blocking design; we should, at minimum, document that we want to move away from this.


struct BrokerLocalControl<Platform: RawSyncPrimitivesProvider, T> {
local: Mutex<Platform, BrokerLocal<T>>,
}

impl<Platform, T> BrokerLocalControl<Platform, T>
where
Platform: RawSyncPrimitivesProvider,
{
const fn new(local: BrokerLocal<T>) -> Self {
Self {
local: Mutex::new(local),
}
}
}

impl<Platform, T> BrokerControl for BrokerLocalControl<Platform, T>
where
Platform: RawSyncPrimitivesProvider,
T: LocalControlChannel + Send,
{
fn request(
&self,
request: CoreRequest,
) -> core::result::Result<CoreResponse, BrokerControlError> {
self.local
.lock()
.active_core_request(request)
.map_err(broker_control_error)
}
}

fn broker_control_error<E>(error: BrokerLocalError<E>) -> BrokerControlError {
match error {
BrokerLocalError::Broker(error) => BrokerControlError::Broker(error),
BrokerLocalError::UnexpectedResponse(_) => BrokerControlError::UnexpectedResponse,
_ => BrokerControlError::Transport,
}
}

pub(crate) fn control_from_local<Platform, T>(local: BrokerLocal<T>) -> Arc<dyn BrokerControl>
where
Platform: RawSyncPrimitivesProvider,
T: LocalControlChannel + Send + 'static,
{
Arc::new(BrokerLocalControl::<Platform, T>::new(local))
}

pub(crate) struct BrokerState<Platform: RawSyncPrimitivesProvider> {
control: Option<Arc<dyn BrokerControl>>,
_marker: core::marker::PhantomData<Platform>,
}

impl<Platform: RawSyncPrimitivesProvider> BrokerState<Platform> {
pub(crate) fn new(control: Option<Arc<dyn BrokerControl>>) -> Self {
Self {
control,
_marker: core::marker::PhantomData,
}
}

pub(crate) fn control(&self) -> Option<Arc<dyn BrokerControl>> {
self.control.clone()
}
}
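Review bot: The `_ => BrokerControlError::Transport` arm in `broker_control_error` reports every `BrokerLocalError` variant other than `Broker` and `UnexpectedResponse` as a transport failure, and would do the same for any variant added later. `BrokerLocalError` is defined outside this page, so I cannot tell whether it is `#[non_exhaustive]` (which would make the wildcard necessary); either way, a comment such as `// Everything else, including variants added later, is reported as a transport failure.` or explicit arms for the known variants would make the choice visible. `UnexpectedResponse(_)` also discards the offending response, which may be worth logging before the conversion if it helps diagnose a misbehaving peer. `control_from_local`, `BrokerState::new` and `BrokerState::control` carry no doc comments yet.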