
Technical Report on the Brittle Kernel
Release 2016-05
Cliff L. Biffle
June 09, 2016

Contents

1 Introduction ..... 1
  1.1 What Brittle Is ..... 1
  1.2 What Brittle Isn't ..... 1
2 Kernel Architecture ..... 3
  2.1 Basic Concepts ..... 3
  2.2 Architecture Rules ..... 4
    2.2.1 What's In a Kernel? ..... 5
      In Scope ..... 5
      Out Of Scope ..... 5
  2.3 Kernel, System, Application ..... 5
  2.4 A Tour of the Kernel Objects ..... 6
    2.4.1 Contexts ..... 6
    2.4.2 Memory ..... 7
    2.4.3 Gates ..... 7
    2.4.4 Interrupts ..... 8
    2.4.5 The Object Table ..... 8
  2.5 About Keys ..... 9
    2.5.1 Key Semantics ..... 9
    2.5.2 Parts of a Key ..... 9
    2.5.3 Brands ..... 9
    2.5.4 Generations and Revocation ..... 10
  2.6 Syscalls ..... 10
    2.6.1 Syscall Descriptor Convention ..... 10
    2.6.2 Copy Key ..... 11
    2.6.3 IPC ..... 11
      Message Descriptors ..... 12
      Key Maps ..... 12
      The Send Phase ..... 12
      The Receive Phase ..... 13
  2.7 Boot Process and Initial Environment ..... 13
3 Kernel Object Reference ..... 15
  3.1 Context ..... 15
    3.1.1 Branding ..... 15
      Reply Keys ..... 15
      Service Keys ..... 16
    3.1.2 Invalidation ..... 16
    3.1.3 Methods ..... 16
      Read Register (1) ..... 16
      Write Register (2) ..... 17
      Read Key Register (3) ..... 17
      Write Key Register (4) ..... 18
      Read MPU Region Register (5) ..... 18
      Write MPU Region Register (6) ..... 19
      Make Runnable (7) ..... 19
      Get Priority (8) ..... 20
      Set Priority (9) ..... 20
      Read (Low/High) Registers (10/11) ..... 20
      Write (Low/High) Registers (12/13) ..... 21
  3.2 Gate ..... 21
    3.2.1 Branding ..... 21
      Service Keys ..... 21
      Transparent Keys ..... 22
    3.2.2 Methods ..... 22
      Make Client Key (1) ..... 22
  3.3 Interrupt ..... 22
    3.3.1 Branding ..... 22
    3.3.2 Invalidation ..... 23
    3.3.3 Methods ..... 23
      Set Target (1) ..... 23
      Enable (2) ..... 23
  3.4 Memory ..... 23
    3.4.1 Mappable Memory ..... 24
    3.4.2 Hierarchy ..... 24
    3.4.3 The Device Attribute ..... 24
    3.4.4 Branding ..... 24
    3.4.5 Invalidation ..... 24
    3.4.6 Methods ..... 25
      Inspect (1) ..... 25
      Change (2) ..... 25
      Split (3) ..... 26
      Become (4) ..... 27
      Peek (5) ..... 28
      Poke (6) ..... 28
      Make Child (7) ..... 29
  3.5 Null ..... 29
    3.5.1 Message Elision Rule ..... 30
    3.5.2 Branding ..... 30
    3.5.3 Methods ..... 30
  3.6 Object Table ..... 30
    3.6.1 Branding ..... 30
    3.6.2 Methods ..... 30
      Mint Key (1) ..... 30
      Read Key (2) ..... 31
      Get Kind (3) ..... 31
      Invalidate (4) ..... 32
  3.7 Slot ..... 32
    3.7.1 Branding ..... 32
    3.7.2 Methods ..... 33
4 Case Study: The Serial Demo ..... 35
  4.1 Tasks ..... 35
  4.2 Driver Operation ..... 35
  4.3 Startup ..... 36
5 Case Study: FreeRTOS ..... 37
  5.1 Introduction ..... 37
  5.2 About FreeRTOS/Brittle ..... 37
    5.2.1 What It Is Not ..... 38
  5.3 Structure of the Port ..... 38
    5.3.1 The Code (High Level) ..... 38
    5.3.2 The Approach ..... 39
      Contexts Model Execution Priority Levels ..... 39
      Messages Model Supervisor Calls ..... 39
      Context Switches Multiplex the Task Context ..... 39
      The Message Dispatch Loop Multiplexes the Interrupt Context ..... 40
      Application Code Runs In Both Contexts ..... 40
  5.4 Discussion ..... 41
    5.4.1 Things Shown ..... 41
    5.4.2 Problems Encountered ..... 41

CHAPTER 1
Introduction

Warning: Brittle is immature. It has been used in some demos, but not for anything "real." Parts of the design are still in flux. I'll try to call attention to the particularly unstable parts in this document using boxes like this one.

1.1 What Brittle Is

Brittle is a microkernel intended for high-reliability embedded applications on ARMv7-M architecture processors, such as the Cortex-M4. These processors don't have a conventional Memory Management Unit, which limits their ability to run traditional operating systems with (paged) memory protection. Instead, Brittle is designed to use the ARMv7-M Memory Protection Unit to provide isolation.

Brittle is a third-generation microkernel. Its design is heavily inspired by EROS/KeyKOS, MINIX 3, and the L4 family, particularly seL4. Like other third-generation microkernels (broadly speaking), Brittle...

• Focuses on minimality and security,
• Expresses all authority through explicit capabilities,
• Moves other mechanisms with security implications outside the kernel,
• Blurs the line between a traditional microkernel and a hypervisor, and
• Targets a very small kernel codebase (in Brittle's case, less than 2500 sloccount lines of code).

Unlike its peers, Brittle explicitly targets systems with between 16 and 200 kiB of RAM.

1.2 What Brittle Isn't

Brittle is not a complete operating system; it is only a kernel. By analogy: putting the Linux kernel on a computer doesn't allow one to run Firefox. Linux is only a kernel; there's a whole lot of operating system that must be added to make a complete system.

This is even more true of Brittle than of Linux, because Brittle's design is so minimal. Like other third-generation microkernels, Brittle doesn't even include hardware drivers in the kernel.

You can write an application around the kernel directly, but the intent is that a system layer wraps the kernel and provides common reusable services that the kernel does not, such as mutexes and timers, or even a full POSIX model. Applications would then be written to target this system layer.

The system layer also insulates applications from the details of the hardware, because the Brittle kernel itself is explicitly not portable. Its design is ARMv7-M-specific, and exposes ARMv7-M-specific APIs and abstractions. Applications that wish to run on other types of processors should be written to a portable abstraction layer, provided outside the kernel by the system.

Note: I don't consider Brittle's non-portability to be a problem, because the entire kernel sources (at <2500 lines) are significantly smaller than the architecture-specific support code for a single CPU in most kernels.

CHAPTER 2
Kernel Architecture

2.1 Basic Concepts

This section introduces some ideas that will help