### Tock Goes Multicore Gongqi Huang, Princeton 🐯 Raspberry Pi Pico 21 ¹https://www.raspberrypi.com/products/raspberry-pi-pico-2 • Dedicating a CPU core for a specific task Raspberry Pi Pico 21 $<sup>^1</sup>https://www.raspberrypi.com/products/raspberry-pi-pico-2\\$ - Dedicating a CPU core for a specific task - ► Performance isolation - Radio/BLE stack Raspberry Pi Pico 21 ¹https://www.raspberrypi.com/products/raspberry-pi-pico-2 - Dedicating a CPU core for a specific task - Performance isolation - Radio/BLE stack - Security - Close μ-arch side channels Raspberry Pi Pico 21 $<sup>^{1}</sup>https://www.raspberrypi.com/products/raspberry-pi-pico-2\\$ - Dedicating a CPU core for a specific task - Performance isolation - Radio/BLE stack - Security - Close μ-arch side channels - Utilizing multiple CPU cores for a specific task Raspberry Pi Pico 21 <sup>1</sup>https://www.raspberrypi.com/products/raspberry-pi-pico-2 - Dedicating a CPU core for a specific task - Performance isolation - Radio/BLE stack - Security - Close μ-arch side channels - Utilizing multiple CPU cores for a specific task Raspberry Pi Pico 21 - Performance boost with hardware parallelism <sup>&</sup>lt;sup>1</sup>https://www.raspberrypi.com/products/raspberry-pi-pico-2 - Homogeneous (RP2350) or heterogenous (CC26x2) CPU cores - Different ISAs - Homogeneous (RP2350) or heterogenous (CC26x2) CPU cores - Different ISAs - Sharing all memory (RP2350) or part of memory (nRF5340) - ► A radio core can have a *private* memory region - Homogeneous (RP2350) or heterogenous (CC26x2) CPU cores - Different ISAs - Sharing all memory (RP2350) or part of memory (nRF5340) - ► A radio core can have a *private* memory region - Sharing all (RP2350) or part of peripherals (nRF5340) • Tock is a single-core OS - Tock is a single-core OS - The single-core assumption manifests in many of Tock's design - Tock is a single-core OS - The single-core assumption manifests in many of Tock's design - Use of interior mutability - Single-threaded asynchronous drivers **>** ... ### **Goal #1: Run Tock on Multi-Core Platforms** • Utilize other CPU cores ### **Goal #1: Run Tock on Multi-Core Platforms** - Utilize other CPU cores - Performance ### Goal #1: Run Tock on Multi-Core Platforms - Utilize other CPU cores - Performance - Security - Capsules are fully trusted to maintain liveness of the system - Not necessary in a multi-core setting - Avoiding deadlocks and contention - No mutex for synchronization - Avoiding deadlocks and contention - No mutex for synchronization - Predictable resource utilization - No dynamic allocation - Avoiding deadlocks and contention - No mutex for synchronization - Predictable resource utilization - No dynamic allocation - Isolation between process, capsules, and kernel - Maintain the soundness of Rust - Avoiding deadlocks and contention - No mutex for synchronization - Predictable resource utilization - No dynamic allocation - Isolation between process, capsules, and kernel - Maintain the soundness of Rust - Easy-to-write device drivers - No concurrent state ### **Multikernel Tock** - Each instance manages an *exclusive* set of peripherals - ► Retain *all* Tock's benefits - Each instance manages an *exclusive* set of peripherals - ► Retain *all* Tock's benefits - Ownership moving enables - Each instance manages an *exclusive* set of peripherals - ► Retain *all* Tock's benefits - Ownership moving enables - ► BYOB Communication - Bring-Your-Own-Buffer - Each instance manages an *exclusive* set of peripherals - ► Retain *all* Tock's benefits - Ownership moving enables - ► BYOB Communication - Bring-Your-Own-Buffer - Peripheral sharing w/ RPCs - Each instance manages an *exclusive* set of peripherals - ► Retain *all* Tock's benefits - Ownership moving enables - ► BYOB Communication - Bring-Your-Own-Buffer - Peripheral sharing w/ RPCs - Raw peripheral sharing - Each instance manages an *exclusive* set of peripherals - Retain a Ownership BYOB C Bring Runs on QEMU RISC-V Dual-Core Configuration Custom Dual-Core VexRiscv LiteX SoC - Peripheral sharing w/ RPCs - Raw peripheral sharing ``` 1 pub trait Portal<'a, T: Send> { ... 3 fn teleport( 4 &self, 5 traveler: &'static mut T, 6 ) -> Result<(), (ErrorCode, &'static mut T)>; } ``` • Receiving the traveler back through callbacks #### **Teleporting Ownership with Care** • Receiving the traveler back through callbacks #### **Example: Sharing UART Through RPCs** - ☐ impl Uart - ☐ impl Portal - impl Portal with unsafe # **Sharing Raw Peripherals** - Portal permits transferring ownership of a raw device - E.g., Memory-mapped controller ### **Sharing Raw Peripherals** - Portal permits transferring ownership of a raw device - E.g., Memory-mapped controller - Problem: *when* it is safe to transfer? - E.g., UART in the middle of a transmission - Currently unsupported:\*( • Build each kernel instance separately - Build each kernel instance separately - Resolved shared symbols - Hardware portals communicate through shared memory - Build each kernel instance separately - Resolved shared symbols - Hardware portals communicate through shared memory - Prepare the final image (board-dependent) • Each kernel instance is responsible for initializing their own memory - Each kernel instance is responsible for initializing their own memory - ► Instance 0 is responsible for the shared memory - Each kernel instance is responsible for initializing their own memory - ► Instance 0 is responsible for the shared memory - Portals are available *iff all instances are ready* - ► A (one and only) spin lock is used #### **Future Work** - Safely sharing physical devices - ► *When* it is OK to move a device? - Process Migration? Questions?