Reports from working groups:

• Core, Amit Levy
• Networking, Branden Ghena
• OpenTitan, Brad Campbell / Johnathan Van Why

Reports from working groups:

• Documentation, Branden Ghena
• libtock-c, Brad Campbell
• Tools, Brad Campbell

How should libtock-X evolve to support diverse use cases?

Notes

How should Tock better facilitate community engagement and contributions? What barriers exist?

Notes

Session A:

• Non execute-in-place (XIP) platforms
• Code size reduction
• Tock registers
• Formal methods with Tock

Session B:

• Automated driver implementations
• Panic-free kernel
• Multicore
• CHERI

How should the Tock Foundation support the Tock project and become self-sustaining? What should TockWorld 8 look like?

Notes

Overview of day two (main conference).

Scale and performance have for a long time been the dominant topics in software development. However, that has changed over the recent years. A major topic nowadays is trust.

But how did that happen? And what does this have to do with Rust? And how can we engage with it?

This talk tells of a mindshift that silently took its course, the reasons for it, and gives practical guidance on how to deal with it.

Pluton is a root-of-trust technology jointly developed by Microsoft and various SoC partners. It is essentially a purpose-built security processor embedded directly within the SoC die. The SoC partners have some flexibility in dictating how the Pluton core is implemented, however Microsoft owns the firmware and has chosen to use Tock OS as a common platform for (nearly) all Pluton firmware deliverables.

One of our SoC partners has chosen to implement Pluton using an embedded-class x86 core. To support this platform, our team created a port of Tock OS for the x86 architecture. This allowed us to easily port the rest of our Pluton logic, which lives in a usermode app, to the new platform with virtually zero code changes.

This talk dives into the technical aspects of our x86 port, including interrupt handling, memory management, the syscall interface, and emulation. We will also touch on some of the pain points we encountered and some

In addition to Cortex-M and RISC-V chips, TockOS can now run on WebAssembly. Developing the kernel can be done with little to no setup, by running and debugging the operating system in a sandbox on your machine.

The chip implementation provides the low-level drivers for peripherals like GPIO, UART and timers, which is possible due to the interoperability of the WebAssembly modules. Since hardware peripherals are not available, their state, which would usually be retrieved from memory-mapped registers, is updated through a WebSocket-based protocol written in TypeScript. Running libtock applications is done by emulating the Cortex-M4 architecture using Unicorn.js (WASM reimport of the Unicorn CPU Emulator written in C). Developers can debug the WASM kernel through the Node.js Debugger, and the applications through a GDB Stub for Unicorn, written in TypeScript.

CHERI is a set of ISA extensions (with implementations on RISC-V, MIPS, armv8, and more) that add hardware enforced capabilities. These can be utilised by operating systems not just to provide an alternative access control mechanism (instead of an MMU or MPU), but also to enforce system-wide safety in a way that these other mechanisms struggle to help. In this presentation, I will talk about my experience bringing Tock to a RISC-V CHERI platform. I will demonstrate how just slight modifications to code (and new hardware) can improve the hardness of the syscall boundary, and give an example of how the kernel and userspace can work together to provide a temporally safe C heap.

Design, description, and implementation nuances of the new PacketBuffer mechanism. PacketBuffer allows the appending and prepending of metadata into messages sent on the serial port without re-allocating memory at every prepend/append.

This talk will also introduce a new GUI app that connects to the board, reads from the serial port, and uses the metadata to filter messages by sender (the process console, debug messages, and each application) and to show them separately in the UI.

10-15 minute talks on smaller highlights, works-in-progress, future ventures, or other subjects of interest

• Encapsulated Functions, Leon Schuermann, Princeton, Full Talk (YouTube), Slides
• OpenThread, Tyler Potyondy, UC San Diego
• Process Loading, Brad Campbell, UVA
• Reverse Engineering & Securing an Insulin Pump, Alex Bellon, UC San Diego
• Verifying memory safety and process isolation in Tock, Evan Johnson, UC San Diego

We have been teaching an embedded undergraduate course using Rust as the programming language. This talk wants to point out the strength of Tock compared to alternative Rust systems and why we think it might be better for education. We also propose a number of modifications, which we are already working on, that would make Tock a excellent choice for teaching embedded courses.

Slides