initial commit

Signed-off-by: Sean Cross <sean@xobs.io>
Sean Cross 2020-03-11 17:53:09 +08:00
parent 474b51b0e5
commit b69e4f4e69
16 changed files with 1308 additions and 0 deletions

514
css/theme/fossasia2020.css Normal file

@ -0,0 +1,514 @@
/**
* Black theme for reveal.js. This is the opposite of the 'white' theme.
*
* By Hakim El Hattab, http://hakim.se
*/
@import url(../../lib/font/space-mono/space-mono.css);
section.has-light-background,
section.has-light-background h1,
section.has-light-background h2,
section.has-light-background h3,
section.has-light-background h4,
section.has-light-background h5,
section.has-light-background h6 {
color: #222;
}
/*********************************************
* GLOBAL STYLES
*********************************************/
/* rgb(250, 166, 26); */
body {
background: #fff;
background-color: #fff;
}
.reveal .commentary {
bottom: 100px;
right: 0em;
padding-bottom: 1em;
padding-right: 1em;
position: absolute;
background-color: rgba(0, 0, 0, 0.50);
font-size: 12pt;
font-family: serif;
z-index: 10;
color: white;
display: none;
}
.reveal .footer {
position: absolute;
bottom: 0em;
right: 0em;
padding-bottom: 1em;
padding-right: 1em;
text-align: right;
font-size: 0.5em;
width: 100%;
height: 68px;
background-image: url("lca2020-logo-cropped.svg");
background-repeat: no-repeat;
background-color: rgb(0, 177, 197);
display: flex;
justify-content: flex-end;
align-items: flex-end;
z-index: 1;
}
.reveal .footer .url {
position: absolute;
padding-bottom: 30px;
}
.reveal .footer .theme {
padding-right: 80px;
}
.reveal .footer .hashtag {
padding-right: 80px;
}
@media only screen and (max-width:800px) {
.reveal .footer .url {
display: none;
}
}
@media only screen and (max-width:550px) {
.reveal .footer {
background-image: none;
}
}
@media only screen and (max-width:750px) {
.reveal .footer .twitter {
display: none;
}
}
@media only screen and (max-width:1050px) {
.reveal .footer .theme {
display: none;
}
}
@media only screen and (max-width:1300px) {
.reveal .footer .hashtag {
display: none;
}
}
.reveal {
font-family: "IBM Plex Mono", "Space Mono", Helvetica, sans-serif;
font-size: 42pt;
font-weight: normal;
color: #212529;
}
::selection {
color: #212529;
background: #bee4fd;
text-shadow: none;
}
::-moz-selection {
color: #212529;
background: #bee4fd;
text-shadow: none;
}
.reveal .slides section,
.reveal .slides section>section {
line-height: 1.3;
font-weight: inherit;
}
/*********************************************
* HEADERS
*********************************************/
@font-face {
font-family: "Brix Sans Medium Firefox";
src: url("HVD_Fonts_-_BrixSlab-Medium.otf") format("opentype");
}
.reveal h1,
.reveal h2,
.reveal h3,
.reveal h4,
.reveal h5,
.reveal h6 {
margin: 0 0 20px 0;
color: #212529;
font-family: "Brix Sans Medium Firefox", "Brix Sans Medium", "Montserrat", Helvetica, sans-serif;
font-weight: 300;
line-height: 1.2;
letter-spacing: normal;
/* text-transform: uppercase; */
/* text-shadow: 1px 1px 2px black; */
text-shadow: none;
word-wrap: break-word;
background-color: rgb(250, 166, 26);
width: 100%;
}
.reveal h1 {
font-size: 2.5em;
}
.reveal h2 {
font-size: 1.6em;
}
.reveal h3 {
font-size: 1.3em;
}
.reveal h4 {
font-size: 1em;
}
.reveal h1 {
text-shadow: none;
}
/*********************************************
* OTHER
*********************************************/
.reveal p {
margin: 20px 0;
line-height: 1.3;
}
/* Ensure certain elements are never larger than the slide itself */
.reveal img,
.reveal video,
.reveal iframe {
max-width: 95%;
max-height: 95%;
}
.reveal strong,
.reveal b {
font-weight: bold;
}
.reveal em {
font-style: italic;
}
.reveal ol,
.reveal dl,
.reveal ul {
display: inline-block;
text-align: left;
margin: 0 0 0 1em;
}
.reveal ol {
list-style-type: decimal;
}
.reveal ul {
list-style-type: disc;
}
.reveal ul ul {
list-style-type: square;
}
.reveal ul ul ul {
list-style-type: circle;
}
.reveal ul ul,
.reveal ul ol,
.reveal ol ol,
.reveal ol ul {
display: block;
margin-left: 40px;
}
.reveal dt {
font-weight: bold;
}
.reveal dd {
margin-left: 40px;
}
.reveal blockquote {
display: block;
position: relative;
width: 70%;
margin: 20px auto;
padding: 5px;
font-style: italic;
background: rgba(255, 255, 255, 0.05);
box-shadow: 0px 0px 2px rgba(0, 0, 0, 0.2);
}
.reveal blockquote p:first-child,
.reveal blockquote p:last-child {
display: inline-block;
}
.reveal q {
font-style: italic;
}
.reveal pre {
display: block;
position: relative;
width: 90%;
margin: 20px auto;
text-align: left;
font-size: 0.55em;
font-family: monospace;
line-height: 1.2em;
word-wrap: break-word;
box-shadow: 0px 0px 6px rgba(0, 0, 0, 0.3);
}
.reveal code {
font-family: monospace;
text-transform: none;
}
.reveal pre code {
display: block;
padding: 5px;
overflow: auto;
max-height: 400px;
word-wrap: normal;
}
.reveal table {
margin: auto;
border-collapse: collapse;
border-spacing: 0;
}
.reveal table th {
font-weight: bold;
}
.reveal table th,
.reveal table td {
text-align: left;
padding: 0.2em 0.5em 0.2em 0.5em;
border-bottom: 1px solid;
}
.reveal table th[align="center"],
.reveal table td[align="center"] {
text-align: center;
}
.reveal table th[align="right"],
.reveal table td[align="right"] {
text-align: right;
}
.reveal table tbody tr:last-child th,
.reveal table tbody tr:last-child td {
border-bottom: none;
}
.reveal sup {
vertical-align: super;
font-size: smaller;
}
.reveal sub {
vertical-align: sub;
font-size: smaller;
}
.reveal small {
display: inline-block;
font-size: 0.6em;
line-height: 1.2em;
vertical-align: top;
}
.reveal small * {
vertical-align: top;
}
/*********************************************
* LINKS
*********************************************/
.reveal a {
color: #190047;
text-decoration: none;
-webkit-transition: color .15s ease;
-moz-transition: color .15s ease;
transition: color .15s ease;
}
.reveal a:hover {
color: #4205b4;
text-shadow: none;
border: none;
}
.reveal .roll span:after {
color: #fff;
background: #068de9;
}
/*********************************************
* IMAGES
*********************************************/
.reveal section img {
margin: 15px 0px;
background: rgba(255, 255, 255, 0.12);
border: 4px solid #fff;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.15);
}
.reveal section img.plain {
border: 0;
box-shadow: none;
}
.reveal a img {
-webkit-transition: all .15s linear;
-moz-transition: all .15s linear;
transition: all .15s linear;
}
.reveal a:hover img {
background: rgba(255, 255, 255, 0.2);
border-color: #42affa;
box-shadow: 0 0 20px rgba(0, 0, 0, 0.55);
}
/*********************************************
* VIDEOS
*********************************************/
.reveal section video {
margin: 15px 0px;
background: rgba(255, 255, 255, 0.12);
border: 4px solid #fff;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.15);
}
.reveal section video.plain {
border: 0;
box-shadow: none;
}
.reveal a video {
-webkit-transition: all .15s linear;
-moz-transition: all .15s linear;
transition: all .15s linear;
}
/* Fragment additions */
.reveal .slides section .fragment.fade-semi-out {
opacity: 1;
visibility: inherit;
}
.reveal .slides section .fragment.fade-semi-out.visible {
opacity: 0.5;
visibility: inherit;
}
.reveal ul.os {
margin-left: 0;
padding-left: 0;
}
.reveal ul.os-good {
list-style: none;
margin-left: 0;
padding-left: 0;
}
.reveal ul.os-good li::before {
content: "✔️ ";
font-family: "sans-serif";
}
.reveal ul.os-bad {
list-style: none;
margin-left: 0;
padding-left: 0;
}
.reveal ul.os-bad li::before {
content: "❌ ";
font-family: "sans-serif";
}
.reveal blockquote.os-quote::before {
content: "“";
left: 20%;
position: absolute;
top: -30px;
font-size: 50pt;
}
.reveal blockquote.os-quote::after {
content: "”";
left: 70%;
position: absolute;
bottom: -60px;
font-size: 50pt;
}
/*********************************************
* NAVIGATION CONTROLS
*********************************************/
.reveal .controls {
color: #42affa;
}
/*********************************************
* PROGRESS BAR
*********************************************/
.reveal .progress {
background: rgba(0, 0, 0, 0.2);
color: #42affa;
}
.reveal .progress span {
-webkit-transition: width 800ms cubic-bezier(0.26, 0.86, 0.44, 0.985);
-moz-transition: width 800ms cubic-bezier(0.26, 0.86, 0.44, 0.985);
transition: width 800ms cubic-bezier(0.26, 0.86, 0.44, 0.985);
}
/*********************************************
* PRINT BACKGROUND
*********************************************/
@media print {
.backgrounds {
background-color: #222;
}
}
.boldblue {
font-weight: bold;
color: blue;
}
.white50bg {
background: rgba(255, 255, 255, 0.5);
}
.bg50 {
background: rgba(0, 177, 197, 0.3);
}
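Review bot: `font-family: "sans-serif";` in `.reveal ul.os-good li::before` and `.reveal ul.os-bad li::before` quotes the generic keyword, so browsers look for a font literally named "sans-serif" instead of using the generic family. Both rules should read `font-family: sans-serif;`. The header comment also still says "Black theme for reveal.js. This is the opposite of the 'white' theme." although `body` sets `background: #fff`. Since it appears to be carried over from the stock theme, it could become `Light fossasia2020 theme for reveal.js, adapted from the stock 'black' theme.` with the original attribution line kept.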

Binary file not shown.

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 119 KiB

BIN
img/Library_card.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 225 KiB

File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 7.5 KiB

21
img/Untitled.svg Normal file

@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" viewBox="0 0 2120 3225" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:bevel;stroke-miterlimit:1.5;">
<g id="Artboard1" transform="matrix(1,0,0,1,20,0)">
<rect x="-20" y="0" width="2120" height="3225" style="fill:none;"/>
<g transform="matrix(1,0,0,1,-20,0)">
<g transform="matrix(1.80723,0,0,2.15789,-1144.88,-2190.79)">
<rect x="675" y="1050" width="1079" height="1425" style="fill:rgb(229,229,229);"/>
</g>
<path d="M2025,3150L2025,75" style="fill:none;stroke:rgb(167,167,167);stroke-width:31.48px;"/>
<path d="M75,3150L2025,3150" style="fill:none;stroke:rgb(167,167,167);stroke-width:31.48px;"/>
<path d="M2025,75L75,75L75,3150" style="fill:rgb(229,229,229);stroke:black;stroke-width:31.48px;stroke-linecap:round;stroke-linejoin:round;"/>
<g transform="matrix(24.5625,0,0,24.5625,-6084.94,-6109.5)">
<use xlink:href="#_Image1" x="255" y="255" width="16px" height="18px"/>
</g>
</g>
</g>
<defs>
<image id="_Image1" width="16px" height="18px" xlink:href=""/>
</defs>
</svg>

After

Width:  |  Height:  |  Size: 1.9 KiB

BIN
img/broken image.afdesign Normal file

Binary file not shown.

BIN
img/bt-quarter2-shrunk.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 134 KiB

BIN
img/bt-quarter2.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.4 MiB

Binary file not shown.

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 48 KiB

BIN
img/missing-image.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 71 KiB

81
img/missing-image.svg Normal file

@ -0,0 +1,81 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" viewBox="0 0 2120 3225" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:bevel;stroke-miterlimit:1.5;">
<g id="Artboard1" transform="matrix(1,0,0,1,20,0)">
<rect x="-20" y="0" width="2120" height="3225" style="fill:none;"/>
<g transform="matrix(1,0,0,1,-20,0)">
<g transform="matrix(1.80723,0,0,2.15789,-1144.88,-2190.79)">
<rect x="675" y="1050" width="1079" height="1425" style="fill:rgb(229,229,229);"/>
</g>
<path d="M2025,3150L2025,75" style="fill:none;stroke:rgb(167,167,167);stroke-width:31.48px;"/>
<path d="M75,3150L2025,3150" style="fill:none;stroke:rgb(167,167,167);stroke-width:31.48px;"/>
<path d="M2025,75L75,75L75,3150" style="fill:rgb(229,229,229);stroke:black;stroke-width:31.48px;stroke-linecap:round;stroke-linejoin:round;"/>
<g transform="matrix(21.4375,0,0,21.4375,253.125,257)">
<g>
<path d="M2,2L11,2L11,4L12,4L12,9L9,9L9,11L8,11L8,12L4,12L4,14L2,14L2,2Z" style="fill:rgb(169,169,169);"/>
<path d="M11,11L12,11L12,14L9,14L9,13L11,13L11,11Z" style="fill:rgb(169,169,169);"/>
</g>
<g>
<rect x="10" y="2" width="3" height="2" style="fill:white;"/>
<path d="M10,0L10,4L11,4L11,2L12,2L12,1L11,1L11,0L10,0Z" style="fill:rgb(115,115,115);"/>
<g transform="matrix(1,0,0,1,-11,-2)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(115,115,115);"/>
</g>
<g transform="matrix(1,0,0,1,-10,-1)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(115,115,115);"/>
</g>
</g>
<g>
<g transform="matrix(3,0,0,2,-66,3)">
<rect x="23" y="4" width="1" height="1"/>
</g>
<g transform="matrix(2,0,0,1,-41,7)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(203,35,17);"/>
</g>
<g transform="matrix(2,0,0,1,-42,6)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(203,35,17);"/>
</g>
<g transform="matrix(2,0,0,1,-43,5)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(203,35,17);"/>
</g>
<g transform="matrix(1,0,0,2,-20,0)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(203,35,17);"/>
</g>
<path d="M3,9L3,12L6,12L6,11L5,11L5,10L4,10L4,9L3,9" style="fill:rgb(232,48,203);"/>
</g>
<g>
<g transform="matrix(2,0,0,2,-41,-3)">
<rect x="23" y="4" width="1" height="1"/>
</g>
<g transform="matrix(2,0,0,2,-40,-4)">
<rect x="23" y="4" width="1" height="1"/>
</g>
<path d="M4,4L4,6L7,6L7,3L5,3L5,4L4,4" style="fill:rgb(6,105,6);"/>
<g transform="matrix(1,0,0,1,-18,1.77636e-15)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(14,200,16);"/>
</g>
</g>
<g>
<g transform="matrix(2,0,0,2,-38,1)">
<rect x="23" y="4" width="1" height="1"/>
</g>
<g transform="matrix(2,0,0,2,-37,1.77636e-15)">
<rect x="23" y="4" width="1" height="1"/>
</g>
<g transform="matrix(2,0,0,2,-36,-1)">
<rect x="23" y="4" width="1" height="1"/>
</g>
<path d="M8,7L11,7L11,9L10,9L10,10L8,10L8,7L11,7" style="fill:rgb(3,57,228);"/>
<g transform="matrix(1,0,0,1,-14,4)">
<rect x="23" y="4" width="1" height="1" style="fill:rgb(31,196,242);"/>
</g>
</g>
<g>
<path d="M10,4L10,5L13,5L13,7L14,7L14,4L10,4Z"/>
<path d="M13,9L14,9L14,16L8,16L8,15L13,15L13,9"/>
<path d="M2,16L0,16L0,0L10,0L10,1L1,1L1,15L2,15L2,16Z"/>
</g>
</g>
</g>
</g>
</svg>

After

Width:  |  Height:  |  Size: 4.7 KiB

BIN
img/os-survey-stale.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 68 KiB

666
index.html Normal file

@ -0,0 +1,666 @@
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Xous: Rust Semantics in your OS</title>
<meta name="description" content="Overview of Xous, a microkernel with Rust semantics">
<meta name="author" content="Sean &quot;xobs&quot; Cross">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/fossasia2020.css" id="theme">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/zenburn.css">
<!-- Printing and PDF exports -->
<script>
var link = document.createElement('link');
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match(/print-pdf/gi) ? 'css/print/pdf.css' : 'css/print/paper.css';
document.getElementsByTagName('head')[0].appendChild(link);
</script>
<!--[if lt IE 9]>
<script src="lib/js/html5shiv.js"></script>
<![endif]-->
</head>
<body>
<!-- Start of main presentation -->
<div class="reveal">
<div class="footer">
<a class="url" href="https://p.xobs.io/fa20-bt/">p.xobs.io/fa20-bt</a>
<span class="theme">Whos Watching</span><span class="hashtag"> | #LCA2020</span><span class="twitter"> |
@linuxconfau</span>
</div>
<div class="commentary"></div>
<div class="slides">
<section data-background-image="css/theme/lca2019-title-bg-transparent.svg">
<h2 style="background-color: transparent;">Betrusted: Being Secure</h2>
<h5 style="background-color: transparent;">That's no Blackberry, it's a chat client!</h5>
<p align="right" style="margin-bottom: 0px; margin-top: 0px; line-height: 1;">
<small>Sean Cross - <a href="https://xobs.io/">https://xobs.io/</a> - @xobs</small>
</p>
</section>
<section>
<h3>Betrusted: A Security Chip with I/O</h3>
<p>
<img data-src="img/bt-quarter2-shrunk.jpg" width="90%">
</p>
</section>
<section>
<section>
<h2>Xous: Why another kernel?</h2>
<aside class="notes">
A big question that gets asked is -- why another kernel? Why don't we just
put Linux on it and be done with it? Or something else like Minix, TockOS,
or FreeRTOS?
</aside>
</section>
<section>
<h2>Betrusted Goals</h2>
<ol style="width: 100%;">
<li>&lt;=4 MiB RAM</li>
<li>Safe language</li>
<li>Process Isolation</li>
</ol>
<ul style="text-align: left; width: 100%;" class="os-good">
<li class="fragment">Microkernel</li>
<li class="fragment">Auditable by one person</li>
</ul>
<aside class="notes">
With Betrusted, we wanted to reduce the code footprint. This will allow
us to run with less RAM -- ideally 4 MiB or less. We also wanted to have
a full MMU, which is somewhat unusual in the embedded microcontroller
space, where a more limited Memory Protection Unit is preferred.
Whereas the Linux kernel is huge, not to mention all of the support libraries
required to run a system, we would like the Betrusted system to be auditable
by one person. Lowering the memory footprint helps in this regard, as the
less RAM we have, the less code we must have.
Additionally, we would like to have the operating system written in a safe
systems language to protect us from common programming errors involving
memory and concurrency.
Even so, we would like to have full process isolation, so even if one process
is compromised, attackers will have a harder time boring through the system
to gain a more complete takeover. This allows us to have legacy software
written in non-safe languages, in case we need to take third-party code such
as font renderers from legacy systems.
As a result, we would like Betrusted to run a Microkernel-style operating
system, with "servers" that provide features such as the display,
keyboard, and even basic task switching. These should all run in
userspace with the bare minimum permissions required to get the job done.
</aside>
</section>
<section>
<h2>Microkernels</h2>
<img data-src="img/Annotation 2020-01-16 111040.png">
<div style="font-size: 12pt;">FlexSC: Flexible System Call Scheduling with Exception-Less System
Calls</div>
<aside class="notes">
Microkernels minimize the amount of code in each section. Everything from
the user-facing software to drivers run in userspace, with only memory
management and top-level exception dispatch taking place within the kernel.
By having a microkernel, individuals can contribute to servers, and be
responsible for their own section. This is not just one person working
on it, it enables lots of people to work on it together.
</aside>
</section>
<section>
<h2>Too Many Cooks</h2>
<table>
<tr>
<td style="width: 500px;">
<img data-src="img/code_ownership_effects_bugs.svg">
</td>
<td>
<blockquote class="os-quote" style="font-size: 24pt;">if there is one primary
contributor, <strong>the chances for a file to be buggy decreases
significantly</strong></blockquote>
</td>
</tr>
<tr>
<td colspan="2">Source: <a
href="https://docs.microsoft.com/en-us/azure/devops/learn/devops-at-microsoft/code-ownership-software-quality">Microsoft
Research</a></td>
</tr>
</table>
<aside class="notes">
According to a Microsoft research paper analyzing the failures of Windows Vista,
the number one predictor for code quality is the number of people who work on
a module. If one person works on the project, then the number of bugs goes down.
</aside>
</section>
<section>
<h2>Felix' Rule of Thumb</h2>
<table>
<tr>
<td style="width: 400px;">
<img data-src="img/Cthulhu_sketch_by_Lovecraft.jpg">
</td>
<td>
<blockquote class="os-quote" style="width: 100%; margin-left: 0; margin-right: 0;">
The largest amount of security-related code that one person can reasonably audit is
about 64 KiB of binary data
</blockquote>
</td>
</tr>
</table>
<aside class="notes">
A friend of ours named Felix has a rule of thumb: The barrier at which a codebase becomes
too much to reason about for one individual is about 64 KiB. Anything more than this and
it becomes an eldrich horror that morphs and changes when you're not looking at it. As
a result, we would like to keep the core of the system small, so that we can keep it in
our heads as we reason about the system.
</aside>
</section>
<section>
<h2>Principles of Software</h2>
<table width="100%">
<tr>
<td style="text-align: right">
<img width="80%" class="fragment"
data-src="img/Rust_programming_language_black_logo.svg">
</td>
<td valign="top" width="50%">
<ul style="margin-left: 0px;">
<li>Safety</li>
<li>Concurrency</li>
<li class="fragment fade-semi-out">Speed</li>
<li class="fragment">Size</li>
</ul>
</td>
</tr>
</table>
<aside class="notes">
The Rust programming language promises the holy trifecta: Safety, Speed,
Concurrency. Pick any three. If you're going to start over on a systems-
level project, choose Rust. There will be a lot of wailing and gnashing
of teeth to begin with, but the end result will be better.
When we started Betrusted, we decided that it should primarily use Rust
as the systems language. That way we can be sure that our code is sound.
Additionally, Rust has the ability to produce efficient binaries, and the
efficiency is only going to get better as time progresses.
This eliminates non-Rust choices such as Linux or Minix.
</aside>
</section>
<section>
<h2>Rust OS Landscape</h2>
<img class="fragment" data-src="img/os-survey-stale.png">
<aside class="notes">
Having decided to use Rust, we did a survey of Rust-based operating
systems. There are several available, in various states of completeness.
Many projects have long since been abandoned, which is fine because up
until recently you needed to work on Rust nightly to build an OS. The
language underpinnings of these projects has shifted, and so many of them
have been abandoned. A few are still going, and
the two biggest candidates are Redox and Tock.
</aside>
</section>
<section>
<h2>Rust-based OS: Tock</h2>
<table>
<tr>
<td colspan="2" style="text-align: center;">
<img height="250px" data-src="img/os/tockos.svg">
</td>
</tr>
<tr style="font-size: 24pt">
<td>
<ul class="os-good fragment">
<li>Active Project</li>
<li>RISC-V Port</li>
<li>C and Rust Libs</li>
</ul>
</td>
<td>
<ul class="os-bad fragment">
<li>No MMU Support</li>
<li>No runtime spawn()</li>
<li>Limited messaging</li>
</ul>
</td>
</tr>
</table>
<aside class="notes">
Tock is the most obvious choice, since it already has a RISC-V port
and is supported by a well-documented ABI. Tock supports multiple
tasks written in either Rust or C, which is a very nice feature.
However, Tock does not support an MMU. It would be possible to adapt
the MPU interface to work with an MMU, but a lot of design work has
gone into Tock to make it work well with only the standard MPU that
is present on most ARM chips. Using Tock would be asking it to do
something that it's not designed for. Instead, it's better to pick
the right tool for the job.
Additionally, the Tock message passing infrastructure assumes only
one server per process, which can limit flexibility.
</aside>
</section>
<section>
<h2>Rust-based OS: Redox</h2>
<table>
<tr>
<td colspan="2" style="text-align: center;">
<img height="250px" data-src="img/os/Redox_logo_2015.svg">
</td>
</tr>
<tr style="font-size: 24pt">
<td>
<ul class="os-good fragment">
<li>Active Project</li>
<li>Full Rust stdlib</li>
<li>Full Userspace</li>
</ul>
</td>
<td>
<ul class="os-bad fragment">
<li>x86_64 only</li>
<li>Unix-like</li>
<li>Desktop-focused</li>
</ul>
</td>
</tr>
</table>
<aside class="notes">
Redox is the other large Rust-based operating system, and is the most
compelling. Redox is currently limited to x86-64 (with a plan to
port it to AArch64), so we would need to port it ourselves to RISC-V.
The biggest problem with Redox is its size: It's a full Desktop
operating system, and supporting it on Betrusted would require us to
spend a lot of time cutting it down to just the bare microkernel,
at which point we can start to recreate everything ourselves. The
kernel itself is such a small part of Betrusted. Besides, we would
like the freedom to experiment, to randomize the syscall numbers and
have keepout areas of the screen and add IMEs to the input, which
would quickly introduce incompatibility with Redox.
Finally, we would like to be able to use stable Rust for our applications,
which we can almost do with Xous. We're just waiting for either the
"alloc_error_handler" attribute to be stabilized (issue 66740), or
defaulting handle_alloc_error to panic (issue 66741), which would give
us everything we'd need to use alloc on stable Rust.
In short, Tock is too small, and Redox is too big.
</aside>
</section>
<section>
<h2>Rust-based OS: Tifflin</h2>
<table>
<tr>
<td colspan="2" style="text-align: center;"><span style="font-size: 168pt">?</span></td>
</tr>
<tr style="font-size: 24pt">
<td>
<ul class="os-good fragment">
<li>Active Project</li>
<li>Rust stdlib</li>
<li>Full Userspace</li>
</ul>
</td>
<td>
<ul class="os-bad fragment">
<li>nightly only</li>
<li>Mainly x86_64</li>
<li>???</li>
</ul>
</td>
</tr>
</table>
<aside class="notes">
Tifflin is a kernel that's been around for a while, but I've
only just learned about. It has a lot of promise, and seems
to be an interesting desktop operating system. I must admit
I don't know much about it, because it's not well-publicised.
However, it does have a rust stdlib, the design of which we
may borrow for Xous. One downside to it is that it requires
the nightly compiler, whereas we want to focus on stable for Xous.
</aside>
</section>
<section>
<h2>Other Alternatives and Inspirations</h2>
<ul>
<li><strong>ChibiOS</strong> - Embedded RTOS</li>
<li><strong>HelenOS</strong> - Everything is a message</li>
<li><strong>Solaris</strong> - Doors</li>
<li><strong>QNX</strong> - Traditional Microkernel</li>
</ul>
<div>Microkernels isolate and make IPC cheap</div>
<aside class="notes">
There are many alternative operating systems. We can draw inspiration
from them, even if we don't use them directly.
For example, both the QNX microkernel and Solaris Doors implementation
allow for one process to pass a message to another, which then inherits
its remaining quantum and runlevel. This prevents priority inversions
and makes syscalls relatively cheap.
</aside>
</section>
</section>
<section>
<h2>Betrusted Goals</h2>
<ul>
<li>&lt;=4 MB RAM</li>
<li>Process Isolation</li>
<li>Safe language</li>
<li class="fragment">Microkernel</li>
</ul>
<aside class="notes">
With Betrusted, we wanted to reduce the code footprint. This will allow
us to run with less RAM -- ideally 4 MB or less. We also wanted to have
a full MMU, which is somewhat unusual in the embedded microcontroller
space, where a more limited Memory Protection Unit is preferred.
We would like to have full process isolation, so even if one process is
compromised, attackers will have a harder time boring through the system
to gain a more complete takeover.
Therefore, we would like Betrusted to run a Microkernel-style operating
system, with "servers" that provide features such as the display,
keyboard, and even basic task switching. These should all run in
userspace with the bare minimum permissions required to get the job done.
Finally, we would like to have the operating system written in a safe
systems language.
</aside>
</section>
<section>
<section>
<h2 style="margin-top: 25%;">Xous: System Design</h2>
<aside class="notes">
Xous is, currently, very much under development. However, there has
been a lot of planning.
</aside>
</section>
<section>
<h2>Xous: Memory Model</h2>
<table>
<tr>
<td>
<img data-src="img/Library_card.jpg">
</td>
<td height="100%">
<ul class="os">
<li>Rust Borrow Checker</li>
<li class="fragment">Message passing</li>
<li class="fragment" style="font-weight: 500">Inter-process borrowing</li>
<li class="fragment">Borrow types:
<ul>
<li class="fragment">Mutable&nbsp;&nbsp;&nbsp;^ Immutable</li>
<li class="fragment">No Access | Read Only</li>
</ul>
</li>
</ul>
<a style="margin-top: auto; font-size: 12pt;"
href="https://www.flickr.com/people/9337414@N05">Image CC-BY Tammy</a>
</td>
</tr>
</table>
<aside class="notes">
Xous will base its memory model on the Rust borrow checker. That is,
shared memory will be used for IPC. If one process wishes to get a
response from another, it can pass pages via a mutable borrow. If
a process wishes to share pages across multiple process, then only an
immutable borrow may be made, and the sharing process cannot access
pages until all processes have returned the memory.
A process can move memory into another, which for example is how
process spawning works. In such a case, memory is no longer available
in the sending process.
</aside>
</section>
<section>
<h2>Xous: Memory Model</h2>
<ol>
<li class="fragment">Mutable Borrow
<ul>
<li>draw()</li>
</ul>
</li>
<li class="fragment">Immutable Borrow
<ul>
<li>Mapping font database</li>
</ul>
</li>
<li class="fragment">Move
<ul>
<li>Encrypting a string</li>
</ul>
</li>
</ol>
</section>
<section>
<h2>Xous: Interrupts</h2>
<pre><code style="font-size: 23pt; line-height: 1.2em;" class="rust">fn setup_int2() -> xous::Result {
let gpio = xous::syscall::map_physical(
Some(0xe0000000), None, 4096)?;
xous::syscall::claim_interrupt(2, |_int_num, gpio| {
unsafe {
let val = gpio.read_volatile();
gpio.write_volatile(val + 1);
};
}, gpio)
}</code></pre>
<div class="fragment">All in userspace</div>
<aside class="notes">
Interrupts block the whole system, and follow similar behavior to
memory. That is, each interrupt can only be assigned to a single
handler. This is an example of a server claiming interrupt 2,
and this function will be called to handle that interrupt. It will
be called in Supervisor mode with the process space of this server.
During the interrupt handler, interrupts are disabled, and after it
returns they will be re-enabled. You can't make any syscalls in
this mode that don't have an "_i" suffix. This will form the
basis of drivers running in userspace using safe code.
</aside>
</section>
<section>
<h2>Xous: Missing Features</h2>
<table style="width: 100%">
<tr>
<td style="width: 300px">
<img data-src="img/missing-image.svg">
</td>
<td>
<ul class="os-bad">
<li class="fragment">fork()</li>
<li class="fragment">Filesystem</li>
<li class="fragment">Scheduler</li>
<li class="fragment">Threads</li>
<li class="fragment">Locking primitives</li>
<li class="fragment">Shared libraries</li>
</ul>
</td>
</tr>
</table>
<aside class="notes">
Xous has no fork(). Instead it will have spawn().
Xous has no scheduler. The scheduler will be implemented as a userspace
program, which will request the Timer interrupt and call a kernel function
to preempt the current process.
It has no threads. However, there is enough information passed from the
kernel to enable the userspace scheduler to implement threads.
Similarly, it has no kernel-level locking primitives. Because memory can't
be shared between processes, there is no need for inter-process locking.
Within a process, threads are available with LLVM intrinsics such as cmpxchg.
Shared libraries aren't available at the start, but may come later via
shared immutable borrows from the linker server.
</aside>
</section>
<section>
<h2>Xous: Everything in Userspace</h2>
<ul style="width: 100%;">
<li>Small Kernel</li>
<li>Message Passing</li>
<li>Protected Memory</li>
</ul>
<br />
<br />
<div><strong class="fragment" style="font-size: 40pt;">Understandable by one human</strong></div>
<div><strong class="fragment" style="font-size: 40pt;">Made by many</strong></div>
</section>
</section>
<section data-background-image="img/sw/renode.png">
<table style="width:100%">
<tr>
<td width="33%" valign="top">
<img class="fragment" data-src="img/os/betrusted.gif" height="100%">
</td>
<td width="10%" align="center">
&nbsp;
</td>
<td width="53%" align="center">
<br />
<br />
<br />
<br />
<ul class="boldblue white50bg">
<li class="fragment">CI</li>
<li class="fragment">Simulation</li>
<li class="fragment">On Target</li>
<li class="fragment">UI Robot</li>
</ul>
</td>
</tr>
</table>
<aside class="notes">
We plan to support Continuous Integration using Renode<br />
<br />
*.cs (defines simulated hardware)<br />
LiteX -> Lxsocdoc -> SVD -> Renode (annotations register access)<br />
Rust -> ELF (software) <br />
*.repl (defines renode platform, loads *.cs, *.svd, ELF)<br />
*.resc (defines renode script - orchestrates everything)<br />
And, as a following pipeline step, running on prototype hardware <br />
Ideally with automated UI testing<br>
</aside>
</section>
</div>
</div> <!-- class="reveal" -->
<!-- End of main presentation -->
<!-- Start of configuration section -->
<script src="lib/js/head.min.js"></script>
<script src="js/reveal.js"></script>
<script>
var presenter = !!Reveal.getQueryHash().s;
// More info https://github.com/hakimel/reveal.js#configuration
Reveal.initialize({
controls: presenter ? false : true,
progress: true,
history: true,
center: false,
controlsTutorial: presenter ? false : true,
slideNumber: presenter ? null : 'c/t',
// The "normal" size of the presentation, aspect ratio will be preserved
// when the presentation is scaled to fit different resolutions. 16:9 is common.
width: 1280,
height: 720,
// Factor of the display size that should remain empty around the content
margin: 0.1,
multiplex: {
url: 'https://p.xobs.io/',
id: 'd03979a76e514b4c',
secret: Reveal.getQueryHash().s || null
},
// Bounds for smallest/largest possible scale to apply to content
minScale: 0.02,
maxScale: 5.5,
transition: 'slide', // none/fade/slide/convex/concave/zoom
// More info https://github.com/hakimel/reveal.js#dependencies
dependencies: [
{ src: 'lib/js/classList.js', condition: function () { return !document.body.classList; } },
{ src: 'plugin/markdown/marked.js', condition: function () { return !!document.querySelector('[data-markdown]'); } },
{ src: 'plugin/markdown/markdown.js', condition: function () { return !!document.querySelector('[data-markdown]'); } },
{ src: 'plugin/highlight/highlight.js', async: true, callback: function () { hljs.initHighlightingOnLoad(); } },
{ src: 'plugin/search/search.js', async: true },
{ src: 'plugin/zoom-js/zoom.js', async: true },
{ src: 'plugin/notes/notes.js', async: true },
{ src: 'lib/js/socket.io.js', async: true },
{
src: presenter ?
'plugin/multiplex/master.js' :
'plugin/multiplex/client.js', async: true
},
]
});
// After the talk, show speaker notes on the slide.
if (new Date() > new Date(1584770026751)) {
Reveal.addEventListener('slidechanged', function (event) {
// event.previousSlide, event.currentSlide, event.indexh, event.indexv
var commentaries = document.getElementsByClassName("commentary");
Array.prototype.forEach.call(commentaries, cmt => {
cmt.innerHTML = "";
cmd.style.display = "none";
});
event.currentSlide.childNodes.forEach(element => {
if ((element.nodeName == "ASIDE") && (element.className == "notes")) {
Array.prototype.forEach.call(commentaries, cmt => {
cmd.style.display = "";
cmt.innerHTML = "<p>" + element.innerHTML.replace("\n\n", "</p><p>") + "</p>";
});
}
});
});
}
</script>
</body>
</html>
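Review bot: In the `slidechanged` handler at the end of the inline script, `cmd.style.display` is used twice inside callbacks whose parameter is `cmt`. No `cmd` is defined in the visible script, so the first slide change after the cutoff date would throw a ReferenceError and the commentary box would never be shown. The two lines should read `cmt.style.display = "none";` and `cmt.style.display = "";`. In the same handler, `replace("\n\n", "</p><p>")` has a string pattern and only replaces the first blank line; `replace(/\n\n/g, "</p><p>")` would split every paragraph of the notes. Separately, the multiplex `secret` is taken from the page URL via `Reveal.getQueryHash().s`, so the presenter link is itself the control credential and can end up in browser history or a shared URL; a comment such as `// presenter URL carries the multiplex secret: treat the link as a credential, rotate it after the talk` next to the `multiplex` block would make that explicit.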