Move allow_readwrite and allow_readonly from SyscallDriver into common Grant framework

[jettr]

Pull Request Overview

Similar to how we removed subscribe from the SyscallDriver trait in favor of the kernel always managing the data, do the same for read-only and read-write process buffers.

This has multiple advantages

• It reduces boilerplate code in almost every SyscallDriver implementation
  • Each boiler plate implementation of allow_readonly or allow_readwrite costs about 170 bytes of flash
• It allows libtock-rs implementation to rely on the fact that there cannot be improperly behaving capsule that holds on to process buffers when application calls allow with 0 (i.e. unsubscribe)

Note each commit builds and compiles (but isn't necessarily functional)

Testing Strategy

So far, I have tried this code out locally with a modification in kernel that handles both the SyscallDriver and new Grant-based process buffer allows. I didn't upload that, but I was able to convert a few capsules over to the new approach and they worked correctly.

Once we migrate all of the capsules, we would need to test again of course

TODO or Help Wanted

• Help with converting the reset of the capsule code to use the new common framework style of accessing buffers. So far I only converted ADC as an example. Once people agree this is a good way forward, we would need to convert the rest of the capsules
  • boards/
  • capsules//.rs (files in subfolders within capsules)
  • capsules/[a-c]*.rs
  • capsules/[d-i]*.rs
  • capsules/[j-m]*.rs
  • capsules/[n-r]*.rs
  • capsules/[a-z]*.rs
• Once all capsules are converted, we should remove the allow_readonly and allow_readwrite function on the SyscallDriver trait
• Potential cleanup: we may no longer need the Default implementation on ReadOnlyProcessBuffer and ReadWriteProcessBuffer since they no longer needed in a capsule specific grant region, which required Default.
• Potential cleanup: if we can remove Default and impl for process buffers, then we should be able to directly put a lifetime constraint on the process buffer structs themselves. This will allow us to drop the Refs versions and permit the unsafe callers of new to more easily uphold the invariant of the pointer lifetime
• Potential cleanup: add a access_grant_inner function to de-monomorphize if needed for size reduction.

Documentation Updated

• Updated the relevant files in /docs

Formatting

• Ran make prepush.

[jrvanwhy]

• It allows libtock-rs implementation to rely on the fact that there cannot be improperly behaving capsule that holds on to process buffers when application calls allow with 0 (i.e. unsubscribe)

In order for libtock-rs to rely on this implementation, we would need to supercede or modify the following wording from TRD 104:

Note that these requirements are typically on capsule code, and are not
enforced by the core kernel. Because capsules may have bugs or not be fully
trusted, userspace SHOULD NOT rely on the fact that drivers follow these rules as
described, especially if the capsule code is not independently checked and tested.
Instead, userspace SHOULD employ additional checks to ensure that
drivers behave as specified, and implement proper error handling as needed.
The core kernel MAY enforce a subset of these
specified rules in the future.

@phil-levis Would modifying TRD 104 or adding a new TRD be the correct process to do this?

[hudson-ayers]

I like the design overall, most of these comments are nits. I will try to take a pass on porting some more capsules sometime this week

One high-level comment:
There is a lot of code de-duplication in this PR which is largely separate from adding the actual allow implementations. For enter_grant_kernel_managed() it makes sense from a code size perspective. De-duplicating the code in access_grant() and access_grant_with_allocator() is nice, though I do wonder what the implications are / if there was a reason those were initially duplicated code instead of what you have done. Most boards will never use the allocator so that is something to think about.

Regarding your potential cleanups:

• getting rid of Default for the ProcessBuffer types would be nice, and I don't immediately see any reason we shouldn't. Being able to drop the ref types in that case would be a win.
• I did try adding an access_grant_inner() when I first made a de-monomorphization pass on the grant code, and found doing so actually increased code size because there was not enough that could be taken out into the inner function to offset the extra overhead of a function call in the outer one. That may be worth revisiting though, given how much this file has changed. Either way I think that may be best left for a followup PR.

[jettr]

One high-level comment: There is a lot of code de-duplication in this PR which is largely separate from adding the actual allow implementations. For enter_grant_kernel_managed() it makes sense from a code size perspective. De-duplicating the code in access_grant() and access_grant_with_allocator() is nice, though I do wonder what the implications are / if there was a reason those were initially duplicated code instead of what you have done. Most boards will never use the allocator so that is something to think about.

Boy scout motto: always try to leave the place cleaner than when you found it :) Also it pains me to copy and paste code when it is reasonable to de-dup it. There is much less potential for future mistakes. I also couldn't find any good reason to not de-dep in this way. I am actually now thinking about have make the allocator version an internal one that takes in its closure by dyn reference, and that have the two public method call the internal one with the dynamic dispatch. That would cut down on monomorphism cost (most likely -- still would have to profile size changes) since we only monomorphize on return type instead of each unique closure instance. I agree that this should be in a follow up PR too.

Thanks for being willing to help out to convert some of these files! I figured we could just take an alphabetic chunk of the files. When someone wants to take a batch of files, please comment here first so we don't duplicate effort. I am going to take a batch of files later today since it seems like there aren't any major red flags with this PR. I will post the chunk I take then.

[jettr]

• It allows libtock-rs implementation to rely on the fact that there cannot be improperly behaving capsule that holds on to process buffers when application calls allow with 0 (i.e. unsubscribe)

In order for libtock-rs to rely on this implementation, we would need to supercede or modify the following wording from TRD 104:

Note that these requirements are typically on capsule code, and are not
enforced by the core kernel. Because capsules may have bugs or not be fully
trusted, userspace SHOULD NOT rely on the fact that drivers follow these rules as
described, especially if the capsule code is not independently checked and tested.
Instead, userspace SHOULD employ additional checks to ensure that
drivers behave as specified, and implement proper error handling as needed.
The core kernel MAY enforce a subset of these
specified rules in the future.

@phil-levis Would modifying TRD 104 or adding a new TRD be the correct process to do this?

Yay, this is still a draft! I added a commit that updates this draft TRD. I was going to add some text, but I thought the cleanest way to modify it was to actually just remove the paragraph that Johnathan mentioned completely; this matches the way the subscribe section is worded by not calling to attention that the application can rely on this behavior.

[hudson-ayers]

Boy scout motto: always try to leave the place cleaner than when you found it :) Also it pains me to copy and paste code when it is reasonable to de-dup it. There is much less potential for future mistakes. I also couldn't find any good reason to not de-dep in this way. I am actually now thinking about have make the allocator version an internal one that takes in its closure by dyn reference, and that have the two public method call the internal one with the dynamic dispatch. That would cut down on monomorphism cost (most likely -- still would have to profile size changes) since we only monomorphize on return type instead of each unique closure instance. I agree that this should be in a follow up PR too.

My main concern here was that having access_grant_with_allocator always be called would lead to code associated with the GrantRegionAllocator being included in the binary, despite that type not actually being used by the caller of access_grant_with_allocator(). I just tested it and it looks like LLVM's dead code elimination is smart enough to prevent that, so I am happy with how this looks.

Monomorphizing only on return type would be an interesting optimization for size -- many closures probably use the same few return types (e.g. Result<(), ErrorCode> or ()) -- but this would definitely add a runtime cost to almost every system call, since those closures could no longer be inlined across the call to Grant::enter(). Profiling both the size and cycle overhead would be important, imo.

Thanks for being willing to help out to convert some of these files! I figured we could just take an alphabetic chunk of the files. When someone wants to take a batch of files, please comment here first so we don't duplicate effort. I am going to take a batch of files later today since it seems like there aren't any major red flags with this PR. I will post the chunk I take then.

Alphabetic sounds good to me, I won't be touching anything today so I can take whatever chunk comes after yours.

[bradjc]

I went through grant.rs and kernel.rs pretty closely and they look good to me.

The only thing I'm not 100% about is GrantEnterLifetimeGuard. process.leave_grant(grant_num); is only one line and provides a clear window between when the grant is entered and left. Adding another type and instructing the caller to hold on to the type seems like extra complexity for not a lot of benefit.

[jettr]

I went through grant.rs and kernel.rs pretty closely and they look good to me.

Thank you for taking a thorough look at it! I appreciate it!

The only thing I'm not 100% about is GrantEnterLifetimeGuard. process.leave_grant(grant_num); is only one line and provides a clear window between when the grant is entered and left. Adding another type and instructing the caller to hold on to the type seems like extra complexity for not a lot of benefit.

It seems more dangerous (from incorrect behavior POV) to have the unmatched enter and leave grants occur because someone accidentally used the ? operator between enter and leave calls. Using an RAII object guards against this easy-to-make mistake in the future.

Should we make the guard hold the pointer, so you have to access the guard to get the pointer? I will upload a commit for that.

[jettr]

Should we make the guard hold the pointer, so you have to access the guard to get the pointer? I will upload a commit for that.

That doesn't work as well as I thought for the two places we use it. I would want to wrap a KernelManagedLayout in only place and the raw pointer in the other.

[jettr]

I converted two files. These conversions take more time than I would have hoped. I do like the paradigm of creating something like the following at the top of the file. Thoughts?

/// Ids for read-only allow buffers
mod ro_allow {
    pub const WRITE: usize = 0;
    /// The number of allow buffers the kernel stores for this grant
    pub const COUNT: usize = 1;
}

/// Ids for read-write allow buffers
mod rw_allow {
    pub const READ: usize = 0;
    pub const CFG: usize = 1;
    pub const RX_CFG: usize = 2;
    /// The number of allow buffers the kernel stores for this grant
    pub const COUNT: usize = 3;
}

[hudson-ayers]

I converted two files. These conversions take more time than I would have hoped. I do like the paradigm of creating something like the following at the top of the file. Thoughts?

/// Ids for read-only allow buffers
mod ro_allow {
    pub const WRITE: usize = 0;
    /// The number of allow buffers the kernel stores for this grant
    pub const COUNT: usize = 1;
}

/// Ids for read-write allow buffers
mod rw_allow {
    pub const READ: usize = 0;
    pub const CFG: usize = 1;
    pub const RX_CFG: usize = 2;
    /// The number of allow buffers the kernel stores for this grant
    pub const COUNT: usize = 3;
}

Thanks for doing the networking capsules, those are probably 2 of the harder ones to take on.

I am a fan of that paradigm

[jettr]

That was a marathon! I finished converting everything over and removed the allow_readonly and allow_readwrite function from the SyscallDriver interface.

I pulled out conversions to their own commit if there were any non-trivial changes-- specifically ipc, touch, screen, and bluetooth.

Looks like we can't immediately remove the Default implementation for the process buffers because the UserspaceReadableProcessBuffer is still using the SyscallDriver mechanism, and I think this PR is already large enough without trying to tackle that too :)

Assuming everything looks okay (I am assuming there will be feedback to incorporate first), this is ready to land!

[jettr]

Looks like I already have a rebase conflict, should we leave it for now and do one rebase and force push at the end of the review or should I rebase and force push now (or try to merge mainline changes into this branch)?

[lschuermann]

Looks like I already have a rebase conflict, should we leave it for now and do one rebase and force push at the end of the review or should I rebase and force push now (or try to merge mainline changes into this branch)?

I suppose whatever works best for you. This touches a large number of files, sometimes it's easier to keep on track with smaller, more frequent conflicts.

[hudson-ayers]

Surprisingly, this only saves 530 bytes of code size on Imix. While that is still a win, I must admit I was expecting a little more

[jettr]

This is surprising, I was seeing about ~200 bytes savings for every allow_readonly allow_readwrite call that was omitted. I guess this favors the boards that have more driver. Also this helps make libtock-rs smaller, which will favor boards that have more apps. I do wish it saved more, but still think this is the correct path forward.

[hudson-ayers]

I would like this PR even if there were no savings -- the reduction in duplicated code + correctness guarantees are really valuable. I am just surprised by the result

[hudson-ayers]

I tried out the IPC libtock-c apps (rot13_service/rot13_client) with this branch, and they do not work. That should be fixed before this is merged. I tried to debug it briefly but did not discover the cause -- I should have some time tomorrow to look further

[jettr]

We might just want to try out the alternate approach for IPC that leaves the handles unchanged. This does mean that every readwrite_allow call into the kernel will check for the IPC driver number for the special case logic, but I think that might be an okay cost to pay. Thoughts?

[jettr]

I figured out what is wrong with the IPC implementation: the ipc_register_service_callback in libtock-c hard codes a 0 for the target_id to indicate service when it calls subscribe. If we instead took in the service name and performed a discover on itself, and use that number instead of hard coding 0, then it would work. That seems like a better API, but it is a breaking change for the IPC driver unfortunately.

Is it okay to change the libtock-c implementation right now or should I put in the special case handling code for IPC in kernel?

[jettr]

I made the speculative change for IPC in a libtock-c PR. This seems like the way to go. This will also let us drop the NUM_CALLS const generic parameter on IPC in favor of using NUM_PROCS directly for both allow and upcalls.

[hudson-ayers]

My instinct is that your fix is preferable -- I think we should avoid special case handling for IPC if at all possible, especially since there are a number of issues with IPC that we would still like to eventually resolve, and given that plenty of boards choose not to include IPC, and we would like to keep that decision zero cost. IPC is not a stable driver, so I think we can update it without a major version bump, but I think a minor version bump might be prudent. That said, we are probably due for a minor version bump reasonably soon anyway. Removing the extra upcall from the IPC driver is a nice added bonus.

[bradjc]

Changing IPC is fine. We don't guarantee any stability so we don't have to worry about version numbers.

[jettr]

All tests should be passing now with the libtock-c PR change! Everything is rebased on ToT and merge conflicts are resolved.

[jettr]

@jettr Would you mind rebasing this PR on master? There are no conflicts.

Done. And thank you for figuring out the issue with libtock-c!

[lschuermann]

And thank you for figuring out the issue with libtock-c!

No worries! And wohoo, the CI is happy again!

[hudson-ayers]

bors r+

finally!

[bors]

Build succeeded:

• ci-build (macos-latest)
• ci-build (ubuntu-latest)
• ci-format (ubuntu-latest)
• ci-qemu
• ci-tests (macos-latest)
• ci-tests (ubuntu-latest)

[lschuermann]

I looked over most of this PR, especially the kernel code and it looks pretty good to me. Great work @jettr!

[lschuermann]

welp... it appears i was a little to slow. :)