Release Tock 2.2 · tock/tock · GitHub

Tock 2.2

@lschuermann lschuermann released this 06 Jan 16:42
· 582 commits to master since this release
9554639

Tock 2.2

Tock 2.2 represents two years of Tock development since v2.1.1. This release contains almost 3900 commits made across 840 PRs by 90 contributors (of which 48 are new contributors!). It is the first Tock release that can compile on a stable Rust toolchain, and contains many other important fixes, new subsystems, new platforms, new drivers, and major refactors.

Backwards Compatibility

Tock 2.2 extends its system call interface through one new system call (Yield-WaitFor), but retains backwards compatibility with Tock 2.1.1 for its core system call interface and all stabilized drivers.

In this release, we revised Tock's alarm system call driver implementation to predictably wrap its ticks values at (2**32 - 1) ticks, across all platforms. Before this change, hardware alarm implementations that were less than 32 bit wide would wrap before reaching (2**32 - 1) ticks, which complicated correct alarm handling in userspace. In Tock 2.2, these alarm implementations are scaled to 32 bit, while also scaling their advertised frequency appropriately. While this change is non-breaking and compatible with the previous alarm implementation, it can expose such scaled alarms to userspace at significantly higher advertised frequency values. Userspace alarm implementations that did not correctly handle such high frequencies may need to be fixed to support this new driver implementation.

Relevant PRs:
  • [RFC] Yield-WaitFor syscall by @ppannuto in #3577
  • kernel/hil/time,capsules/alarm: pad Ticks to 32 bit for predictable wrapping by @lschuermann in #3973
  • capsules/alarm: left-justify 32 bit ticks, re-architect alarm, add unit tests by @lschuermann in #3975
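The padding described above is easy to get wrong on the userspace side, so here is an added worked example (written for these notes, not code from the Tock kernel or libtock): it left-justifies a narrow hardware counter into 32 bits, scales the advertised frequency by the same factor, performs a wrap-safe expiry check, and contrasts a 32-bit millisecond-to-tick conversion that silently overflows at the new, higher frequencies with a 64-bit one that does not. The 24-bit, 32.768 kHz counter and all addresses and values are constructed for the illustration.

```rust
// Added illustration for the Tock 2.2 alarm change; not code from the Tock
// kernel or libtock. Shows how a narrow hardware counter is padded to 32 bits,
// how its advertised frequency scales, and why userspace tick arithmetic must
// use 64-bit intermediates once frequencies grow that large.

/// Left-justify a `width`-bit counter value into 32 bits. The padded value
/// wraps exactly at 2^32 - 1 regardless of the hardware counter width.
pub fn pad_ticks(raw: u32, width: u32) -> u32 {
    assert!((1..=32).contains(&width), "counter width must be 1..=32 bits");
    assert!(width == 32 || raw < (1u32 << width), "raw value exceeds counter width");
    raw << (32 - width)
}

/// Frequency the padded counter must advertise: one raw tick advances the
/// padded value by 2^(32 - width), so the rate scales by the same factor.
pub fn padded_frequency_hz(raw_hz: u32, width: u32) -> u64 {
    assert!((1..=32).contains(&width), "counter width must be 1..=32 bits");
    (raw_hz as u64) << (32 - width)
}

/// Wrap-safe expiry check over a 32-bit tick space: an alarm armed at
/// `reference` for `dt` ticks has fired once `now` is at least `dt` ticks
/// past `reference`, computed modulo 2^32. Valid only while the check runs
/// before the counter laps all the way around.
pub fn expired(now: u32, reference: u32, dt: u32) -> bool {
    now.wrapping_sub(reference) >= dt
}

/// Pre-2.2-style userspace conversion with 32-bit arithmetic. `wrapping_mul`
/// reproduces what C does on unsigned overflow; at scaled frequencies the
/// product `ms * hz` exceeds 2^32 and the result is silently wrong.
pub fn ms_to_ticks_32bit(ms: u32, hz: u32) -> u32 {
    ms.wrapping_mul(hz) / 1000
}

/// Overflow-safe conversion: widen before multiplying and refuse durations
/// that cannot be expressed in 32-bit ticks.
pub fn ms_to_ticks(ms: u32, hz: u64) -> Option<u32> {
    let ticks = (ms as u64).checked_mul(hz)? / 1000;
    u32::try_from(ticks).ok()
}

fn main() {
    // Constructed scenario: a 24-bit RTC running at 32.768 kHz.
    let (width, raw_hz) = (24u32, 32_768u32);
    let hz = padded_frequency_hz(raw_hz, width);
    println!("advertised frequency: {} Hz", hz);
    println!("raw 0x00FF_FFFF pads to 0x{:08X}", pad_ticks(0x00FF_FFFF, width));

    let bad = ms_to_ticks_32bit(1000, hz as u32);
    let good = ms_to_ticks(1000, hz).unwrap();
    println!("1000 ms -> {} ticks (32-bit arithmetic) vs {} ticks (64-bit)", bad, good);

    // An alarm armed just below the wrap point, checked after the counter wrapped.
    let reference = pad_ticks(0x00FF_FFFF, width); // 0xFFFF_FF00
    let dt = 0x200;
    println!("expired after wrap: {}", expired(0x0000_0100, reference, dt));
}
```

With the constructed 24-bit counter the advertised frequency becomes 8,388,608 Hz, and a 32-bit `ms * hz` for one second wraps to 4,093,640 ticks instead of 8,388,608; this is the kind of userspace breakage the paragraph above warns about.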

Security and arch-crate Fixes

Tock 2.2 includes important and security-relevant fixes for its Cortex-M and RISC-V architecture support.

  • When switching between applications, the RISC-V PMP implementation did not correctly invalidate any additional memory protection regions that are not overwritten by the target app's PMP configuration. Under certain conditions this can allow an application to access private memory regions belonging to a different application (such as when using IPC).

  • The Cortex-M (Armv7-M) and Cortex-M0/M0+ (Armv6-M) hard fault, interrupt and svc handlers contained a bug that could allow an application to execute in privileged mode after returning from the handler. This allows an application to execute code at kernel privileges and read / write arbitrary memory.

Relevant PRs:
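To make the PMP issue concrete, here is an added, deliberately simplified model (written for these notes, not Tock's rv32i PMP code) of a protection unit with a fixed number of region slots. It places the buggy context switch, which only overwrites the slots the incoming app needs, beside the fixed one, which invalidates the rest, and probes whether the second app can still reach the first app's extra region. The slot count, app layouts and addresses are constructed for the illustration; the third region of app A stands in for an additional region such as one shared over IPC.

```rust
// Added illustration for the PMP fix described above; a simplified software
// model, not Tock's rv32i PMP implementation. Memory protection hardware has a
// fixed number of region slots that the kernel reprograms on every context
// switch. If the incoming app uses fewer slots than the outgoing one, every
// slot it does not overwrite must be explicitly invalidated.

const SLOTS: usize = 4;

/// A half-open address range [start, end) that the current app may access.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Region {
    pub start: usize,
    pub end: usize,
}

/// Per-app protection configuration: up to `SLOTS` regions.
pub struct AppConfig {
    pub regions: Vec<Region>,
}

/// Model of the hardware's region slots; `None` means the slot is disabled.
pub struct Mpu {
    slots: [Option<Region>; SLOTS],
}

impl Mpu {
    pub fn new() -> Self {
        Mpu { slots: [None; SLOTS] }
    }

    /// Buggy switch: programs only the slots the incoming app needs and leaves
    /// the remaining slots holding whatever the previous app configured.
    pub fn switch_overwrite_only(&mut self, app: &AppConfig) {
        assert!(app.regions.len() <= SLOTS, "app needs more regions than slots");
        for (i, r) in app.regions.iter().enumerate() {
            self.slots[i] = Some(*r);
        }
    }

    /// Fixed switch: every slot is rewritten, so slots the incoming app does
    /// not use are disabled rather than inherited.
    pub fn switch_invalidate_rest(&mut self, app: &AppConfig) {
        assert!(app.regions.len() <= SLOTS, "app needs more regions than slots");
        for i in 0..SLOTS {
            self.slots[i] = app.regions.get(i).copied();
        }
    }

    /// Whether a userspace access to `addr` would be permitted right now.
    pub fn allows(&self, addr: usize) -> bool {
        self.slots
            .iter()
            .flatten()
            .any(|r| r.start <= addr && addr < r.end)
    }
}

/// Runs the scenario: app A is configured with three regions (the third
/// standing in for an extra region such as one shared over IPC), then the
/// kernel switches to app B, which only has two. Returns whether app B can
/// reach A's third region under the buggy and the fixed switch, respectively.
pub fn stale_region_reachable() -> (bool, bool) {
    // Constructed addresses for the model; not taken from any real board.
    let app_a = AppConfig {
        regions: vec![
            Region { start: 0x2000_0000, end: 0x2000_1000 },
            Region { start: 0x2000_1000, end: 0x2000_2000 },
            Region { start: 0x2000_8000, end: 0x2000_9000 },
        ],
    };
    let app_b = AppConfig {
        regions: vec![
            Region { start: 0x2000_2000, end: 0x2000_3000 },
            Region { start: 0x2000_3000, end: 0x2000_4000 },
        ],
    };
    let probe = 0x2000_8010; // inside app A's third region

    let mut buggy = Mpu::new();
    buggy.switch_overwrite_only(&app_a);
    buggy.switch_overwrite_only(&app_b);

    let mut fixed = Mpu::new();
    fixed.switch_invalidate_rest(&app_a);
    fixed.switch_invalidate_rest(&app_b);

    // Both variants still grant app B its own memory.
    assert!(buggy.allows(0x2000_2800) && fixed.allows(0x2000_2800));
    (buggy.allows(probe), fixed.allows(probe))
}

fn main() {
    let (buggy, fixed) = stale_region_reachable();
    println!("app B can read app A's extra region: buggy={} fixed={}", buggy, fixed);
}
```

The model returns `(true, false)`: with overwrite-only switching the stale third slot survives into app B's context, while rewriting every slot on each switch closes the gap. The general lesson carries over to any protection unit with a fixed slot count, including the Cortex-M MPU.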

Stable Rust Support

This release removes all nightly Rust features from all of Tock's core kernel crates (such as kernel, arch/*, and chips/*). This allows Tock to be built on the Rust stable toolchain for the first time!

We demonstrate this by switching the hail board to a stable toolchain in this release. We continue to compile other boards on the Rust nightly toolchain, as this enables some important code-size optimizations (such as by compiling our own, size-optimized core library).

Relevant PRs:

AppID, Credentials and Storage Permissions

This Tock release revisits how applications are identified in the kernel, and introduces a set of mechanisms that allow developers to identify, verify, and restrict applications that are running on a Tock kernel. AppIDs are the core mechanism to enable this and identify an application contained in a userspace binary. AppIDs allow the kernel to apply security policies to applications as their code evolves and their binaries change. We specify AppIDs, Credentials and their interactions with process loading in a draft TRD.

Additionally, we introduce a mechanism to assign applications permissions to access some persistent storage (e.g., keys in a key value store). This mechanism interacts with AppIDs (ShortIDs) and is also specified in a draft TRD.

Relevant PRs:
  • Adding App IDs and userspace binary integrity to the Tock kernel by @phil-levis in #2809
  • AppID/TBF: Add ShortId header by @bradjc in #4026
  • HIL: Add Signature::verify with const L:usize and process checker for signatures by @bradjc in #3878
  • TRD: Tock Storage Permissions by @bradjc in #4021
  • Add support for ECDSA NIST P256 signature credentials by @alistair23 in #4165
  • Storage Permissions: Implement to match TRD by @bradjc in #4031

Major Refactors and Interface Changes

We implement a number of kernel-internal refactors and interface changes:

  • System call drivers are now mandated to either return Success or Failure(ErrorCode::NODEVICE) for a command system call with command number 0. Previously, some drivers used this command number to also convey additional information to userspace. This release does not change the interface of any stabilized drivers, which will be updated as part of Tock 3.0.

    Relevant PRs:
  • Tock 2.2 introduces a new policy to support external dependencies in the upstream Tock codebase. As part of this effort, we split up the existing, single capsules crate into multiple crates (such as capsules-core, capsules-extra, and capsules-system) with different guarantees concerning stability and use of external dependencies. The core capsules crate contains capsules deemed essential to most Tock systems, as well as virtualizers which enable a given single peripheral to be used by multiple clients. Other capsules have been moved to the extra capsules crate. The system capsules crate contains components that extend the functionality of the Tock core kernel, while not requiring unsafe.

    Relevant PRs:
  • Furthermore, the DeferredCall and DynamicDeferredCall subsystems have been replaced with a more lightweight and unified deferred call infrastructure. This new approach has a smaller code size overhead and requires less setup boilerplate code than DynamicDeferredCall.

    Relevant PR:

    • Replace DeferredCall and DynamicDeferredCall with a more general-purpose implementation by @hudson-ayers in #3382
  • LeasableBuffer has been renamed to SubSlice and features a significantly improved API. Multiple subsystems have been ported to this new type.

    Relevant PRs:
    • kernel: LeasableBuffer: fix double slice end value by @bradjc in #3511
    • kernel: leasablebuffer: add APIs by @bradjc in #3505
    • Rename LeasableBuffer to SubSlice by @bradjc in #3519
    • Switch SPI master HIL to leasable buffers instead of raw slices by @alevy in #4173
    • ot: tests: switch to subslice by @bradjc in #3570
    • ot: tests: LB->SS by @bradjc in #3573
    • Screen: update HIL to simplify, format, and use SubSlice by @bradjc in #3792
    • kernel: SubSlice: fix slice calculation by @bradjc in #3791
  • Tock 2.2 introduces "configuration boards": variants of in-tree board definitions that showcase certain subsystems or peripherals. These boards (under boards/configurations) are implemented by converting some Tock boards into combined "lib + bin" crates and extending these boards.

    Relevant PRs:
  • Tock can now be built entirely using cargo and without its Makefiles. This change also simplifies downstream board definitions:

    Relevant PR:

    • Migrate build to be entirely cargo-based, with make as integration tool by @bradjc in #4075
  • A new StreamingProcessSlice helper provides a reusable data structure to convey a "stream" of data from capsules to userspace. This is used in Tock's new CAN driver, and is useful for ADC, networking, etc.

    Relevant PR:

  • Tock introduces a new interface for custom implementations of the userspace-syscall boundary to hook into the RISC-V trap handler, by specifying which registers are clobbered and providing a generic trampoline to jump to custom code on a trap.

    Relevant PR:

New Boards

This release features support for 7 new boards in the upstream Tock codebase:

New HILs, Drivers and Features

Tock 2.2 features 6 new HILs:

An additional 40 PRs added support for various hardware peripherals, subsystems and other features:

IEEE 802.15.4 and 6LoWPAN Stack

We can now join a Thread network by running OpenThread as a libtock-c userspace implementation, thanks to a major refactor and redesign of Tock's IEEE 802.15.4 and 6LoWPAN stack.

Known issue: UDP transmit functionality is currently broken with a bug / inconsistency between the kernel and libtock-c implementation. When executing the transmit syscall, the libtock-c application fails to provide the src address and fails the error check that occurs for the transmit syscall. For more information, see the Tock 2.2 release testing issue: #4272 (comment)

Relevant PRs:

Fixes, Improvements and Refactors

Another 482 pull requests implement various fixes, improvements and refactors.

Pull Request List:

Documentation and Tests

In this release, we moved a significant part of our documentation out of the Tock kernel repository, and into the Tock book itself. Nonetheless, this release includes 43 PRs to in-kernel documentation, in addition to the documentation changes included in all other PRs.

Pull Request List:

Internal Changes

Last but not least, this release includes 206 contributions to internal documentation, tooling and CI.

Pull Request List: