Tock: Multiprogramming a 64kB Computer Safely and Efficiently


  • Paper
  • Source Code
  • Conference: SOSP’17
  • Tag: System Security, Rust, IoT, Embedded System

Embedded Software Is Not Ready

Classic embedded operating systems such as TinyOS, FreeRTOS, and Contiki typically share the following traits:

  • All code in a single address space rather than multi-programming
  • Trust all code
  • Monolithic image
  • No fault recovery and fault isolation (basically only watchdog timers)

New isolation tools

  • MPU: protection bits for 8 memory regions
  • Rust

Tock’s Design Goals

  • Isolate drivers
  • Isolate applications
  • Concurrent applications & IO without virtual memory

Tock’s Isolation Mechanisms

  • Capsules: Rust modules and structs, with event-driven execution and asynchronous I/O
  • Processes
    • Capsules and processes interact via IPC
    • Each process maintains a kernel heap, called Grants
  • Use of MPU to protect memory regions without virtualization

An example capsule (a DMA channel driver) is shown below:

// Capsule state for a DMA channel: the kernel programs the hardware from
// these fields, so the buffer they describe must stay valid for the transfer.
struct DMAChannel {
    length: u32,
    base_ptr: *const u8,
}

impl DMAChannel {
    // `&'static [u8]` means the buffer outlives the transfer; the borrow
    // checker rejects a stack buffer that could be freed while the DMA
    // engine is still writing to it.
    fn set_dma_buffer(&mut self, buf: &'static [u8]) {
        self.length = buf.len() as u32;
        self.base_ptr = buf.as_ptr();
    }
}
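The grant mechanism listed above (each process maintains its own kernel heap) is the reason one process cannot exhaust kernel memory for others. The following is an added, simplified model of that idea, not Tock's own code: the process sizes, record size and bump allocator are assumptions made for illustration.

```rust
// Added example, not Tock's own code: a simplified model of grant regions.
// In Tock each process owns a fixed-size kernel heap (its grant region);
// a capsule that needs per-process state allocates it there, so a process
// that exhausts its region only fails its own allocations.

struct Process {
    grant_region_len: usize, // constructed size of this process's grant region
    grant_used: usize,       // bytes already handed out to capsules
}

impl Process {
    fn new(grant_region_len: usize) -> Self {
        Process { grant_region_len, grant_used: 0 }
    }

    /// Bump-allocate `size` bytes with the given alignment from this
    /// process's grant region. Returns the offset, or None when full.
    fn grant_alloc(&mut self, size: usize, align: usize) -> Option<usize> {
        assert!(align.is_power_of_two());
        let start = (self.grant_used + align - 1) & !(align - 1);
        let end = start.checked_add(size)?;
        if end > self.grant_region_len {
            return None; // only this process is out of grant memory
        }
        self.grant_used = end;
        Some(start)
    }
}

/// A capsule that stores a fixed-size record per process in grant memory.
struct CounterCapsule {
    record_size: usize,
}

impl CounterCapsule {
    /// Reserve this capsule's record in process `p`; failure is per process.
    fn enter(&self, p: &mut Process) -> Option<usize> {
        p.grant_alloc(self.record_size, 4)
    }
}

/// Scenario: process A has a 16-byte region, process B has 64 bytes.
/// Returns (number of allocations that succeeded for A, whether B still succeeds).
fn exhaustion_scenario() -> (usize, bool) {
    let capsule = CounterCapsule { record_size: 8 };
    let mut a = Process::new(16);
    let mut b = Process::new(64);
    let a_ok = (0..5).filter(|_| capsule.enter(&mut a).is_some()).count();
    let b_ok = capsule.enter(&mut b).is_some();
    (a_ok, b_ok)
}
```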

Thoughts

  • Will high-level abstractions such as C++11 lambdas or Rust closures change the systems-level programming model?

Reference

  • https://stackoverflow.com/questions/63164973/why-does-rust-allow-calling-functions-via-null-pointers