



#### ▼ Speaker Notes

Students will likely need some hints here. Hints include:

- UTF16 vs UTF8. Students should be aware that Rust strings are always UTF8, and will probably decide that it's better to do the conversion on the C++ side using `base::UTF16ToUTF8` and back again.
- If students decide to do the conversion on the Rust side, they'll need to consider `String::from_utf16`, consider error handling, and consider which [CXX supported types can transfer a lot of u16s](#).
- Students may design the C++/Rust boundary in several different ways, e.g. taking and returning strings by value, or taking a mutable reference to a string. If a mutable reference is used, CXX will likely tell the student that they need to use `Pin`. You may need to explain what `Pin` does, and then explain why CXX needs it for mutable references to C++ data: the answer is that C++ data can't be moved around like Rust data, because it may contain self-referential pointers.
- The C++ target containing `ResourceBundle::MaybeMangleLocalizedString` will need to depend on a `rust_static_library` target. The student probably already did this.
- The `rust_static_library` target will need to depend on `//third_party/rust/uwuify/v0_2:lib`.

# Exercise Solutions

Solutions to the Chromium exercises can be found in [this series of CLs](#).

# Welcome to Bare Metal Rust

This is a standalone one-day course about bare-metal Rust, aimed at people who are familiar with the basics of Rust (perhaps from completing the Comprehensive Rust course), and ideally also have some experience with bare-metal programming in some other language such as C.

Today we will talk about 'bare-metal' Rust: running Rust code without an OS underneath us. This will be divided into several parts:

- What is `no_std` Rust?
- Writing firmware for microcontrollers.
- Writing bootloader / kernel code for application processors.
- Some useful crates for bare-metal Rust development.

For the microcontroller part of the course we will use the [BBC micro:bit v2](#) as an example. It's a [development board](#) based on the Nordic nRF52833 microcontroller with some LEDs and buttons, an I2C-connected accelerometer and compass, and an on-board SWD debugger.

To get started, install some tools we'll need later. On gLinux or Debian:

```
sudo apt install gdb-multiarch libudev-dev picocom pkg-config qemu-system-arm build-essential
rustup update
rustup target add aarch64-unknown-none thumbv7em-none-eabihf
rustup component add llvm-tools-preview
cargo install cargo-binutils
curl --proto '=https' --tlsv1.2 -LsF https://github.com/probe-rs/probe-rs/releases/latest/download/probe-rs-tools-installer.sh | sh
```

And give users in the `plugdev` group access to the micro:bit programmer:

```
echo 'SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0d28", MODE="0660", GROUP="logindev", TAG+="uaccess"' | \
    sudo tee /etc/udev/rules.d/50-microbit.rules
sudo udevadm control --reload-rules
```

You should see "NXP ARM mbed" in the output of `lsusb` if the device is available. If you are using a Linux environment on a Chromebook, you will need to share the USB device with Linux, via <chrome://os-settings/crostini/sharedUsbDevices>.

On MacOS:

```
xcode-select --install
brew install gdb picocom qemu
rustup update
rustup target add aarch64-unknown-none thumbv7em-none-eabihf
rustup component add llvm-tools-preview
cargo install cargo-binutils
curl --proto '=https' --tlsv1.2 -LsF https://github.com/probe-rs/probe-rs/releases/latest/download/probe-rs-tools-installer.sh | sh
```

# no\_std

| core                                                                                                                                                                                                                                                                                                                                                                                                         | alloc                                                                                                                                                            | std                                                                                                                                                                                                                                                                                                                                                                       |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <ul style="list-style-type: none"><li>• Slices, &amp;str, CStr</li><li>• NonZeroU8 ...</li><li>• Option, Result</li><li>• Display, Debug, write! ...</li><li>• Iterator</li><li>• Error</li><li>• panic!, assert_eq! ...</li><li>• NonNull and all the usual pointer-related functions</li><li>• Future and async / await</li><li>• fence, AtomicBool, AtomicPtr, AtomicU32 ...</li><li>• Duration</li></ul> | <ul style="list-style-type: none"><li>• Box, Cow, Arc, Rc</li><li>• Vec, BinaryHeap, BtreeMap, LinkedList, VecDeque</li><li>• String, CString, format!</li></ul> | <ul style="list-style-type: none"><li>• HashMap</li><li>• Mutex, Condvar, Barrier, Once, RwLock, mpsc</li><li>• File and the rest of fs</li><li>• println!, Read, Write, Stdin, Stdout and the rest of io</li><li>• Path, OsString</li><li>• net</li><li>• Command, Child, ExitCode</li><li>• spawn, sleep and the rest of thread</li><li>• SystemTime, Instant</li></ul> |

## ▼ Speaker Notes

- HashMap depends on RNG.
- std re-exports the contents of both core and alloc .

# A minimal no\_std program

```
1 #![no_main]
2 #![no_std]
3
4 use core::panic::PanicInfo;
5
6 #[panic_handler]
7 fn panic(_panic: &PanicInfo) -> ! {
8     loop {}
9 }
```

## ▼ Speaker Notes

- This will compile to an empty binary.
- `std` provides a panic handler; without it we must provide our own.
- It can also be provided by another crate, such as `panic-halt`.
- Depending on the target, you may need to compile with `panic = "abort"` to avoid an error about `eh_personality`.
- Note that there is no `main` or any other entry point; it's up to you to define your own entry point. This will typically involve a linker script and some assembly code to set things up ready for Rust code to run.

# alloc

To use `alloc` you must implement a [global \(heap\) allocator](#).

```
1  #![no_main]
2  #![no_std]
3
4  extern crate alloc;
5  extern crate panic_halt as _;
6
7  use alloc::string::ToString;
8  use alloc::vec::Vec;
9  use buddy_system_allocator::LockedHeap;
10
11 #[global_allocator]
12 static HEAP_ALLOCATOR: LockedHeap<32> = LockedHeap::<32>::new();
13
14 const HEAP_SIZE: usize = 65536;
15 static mut HEAP: [u8; HEAP_SIZE] = [0; HEAP_SIZE];
16
17 pub fn entry() {
18     // SAFETY: `HEAP` is only used here and `entry` is only called once.
19     unsafe {
20         // Give the allocator some memory to allocate.
21         HEAP_ALLOCATOR.lock().init(&raw mut HEAP as usize, HEAP_SIZE);
22     }
23
24     // Now we can do things that require heap allocation.
25     let mut v = Vec::new();
26     v.push("A string".to_string());
27 }
```

## ▼ Speaker Notes

- `buddy_system_allocator` is a crate implementing a basic buddy system allocator. Other crates are available, or you can write your own or hook into your existing allocator.
- The `const` parameter of `LockedHeap` is the max order of the allocator; i.e. in this case it can allocate regions of up to  $2^{32}$  bytes.
- If any crate in your dependency tree depends on `alloc` then you must have exactly one global allocator defined in your binary. Usually this is done in the top-level binary crate.
- `extern crate panic_halt as _` is necessary to ensure that the `panic_halt` crate is linked in so we get its panic handler.
- This example will build but not run, as it doesn't have an entry point.

# Microcontrollers

The `cortex_m_rt` crate provides (among other things) a reset handler for Cortex M microcontrollers.

```
1  #![no_main]
2  #![no_std]
3
4  extern crate panic_halt as _;
5
6  mod interrupts;
7
8  use cortex_m_rt::entry;
9
10 #[entry]
11 fn main() -> ! {
12     loop {}
13 }
```

Next we'll look at how to access peripherals, with increasing levels of abstraction.

## ▼ Speaker Notes

- The `cortex_m_rt::entry` macro requires that the function have type `fn() -> !`, because returning to the reset handler doesn't make sense.
- Run the example with `cargo embed --bin minimal`

# Raw MMIO

Most microcontrollers access peripherals via memory-mapped IO. Let's try turning on an LED on our micro:bit:

```
1  #![no_main]
2  #![no_std]
3
4  extern crate panic_halt as _;
5
6  mod interrupts;
7
8  use core::mem::size_of;
9  use cortex_m_rt::entry;
10
11 // GPIO port 0 peripheral address
12 const GPIO_P0: usize = 0x5000_0000;
13
14 // GPIO peripheral offsets
15 const PIN_CNF: usize = 0x700;
16 const OUTSET: usize = 0x508;
17 const OUTCLR: usize = 0x50c;
18
19 // PIN_CNF fields
20 const DIR_OUTPUT: u32 = 0x1;
21 const INPUT_DISCONNECT: u32 = 0x1 << 1;
22 const PULL_DISABLED: u32 = 0x0 << 2;
23 const DRIVE_S0S1: u32 = 0x0 << 8;
24 const SENSE_DISABLED: u32 = 0x0 << 16;
25
26 #[entry]
27 fn main() -> ! {
28     // Configure GPIO 0 pins 21 and 28 as push-pull outputs.
29     let pin_cnf_21 = (GPIO_P0 + PIN_CNF + 21 * size_of::<u32>()) as *mut u32;
30     let pin_cnf_28 = (GPIO_P0 + PIN_CNF + 28 * size_of::<u32>()) as *mut u32;
31     // SAFETY: The pointers are to valid peripheral control registers, and no
32     // aliases exist.
33     unsafe {
34         pin_cnf_21.write_volatile(
35             DIR_OUTPUT
36             | INPUT_DISCONNECT
37             | PULL_DISABLED
38             | DRIVE_S0S1
39             | SENSE_DISABLED,
40         );
41         pin_cnf_28.write_volatile(
42             DIR_OUTPUT
43             | INPUT_DISCONNECT
44             | PULL_DISABLED
45             | DRIVE_S0S1
46             | SENSE_DISABLED,
47         );
48     }
49
50     // Set pin 28 low and pin 21 high to turn the LED on.
51     let gpio0_outset = (GPIO_P0 + OUTSET) as *mut u32;
52     let gpio0_outclr = (GPIO_P0 + OUTCLR) as *mut u32;
53     // SAFETY: The pointers are to valid peripheral control registers, and no
54     // aliases exist.
55     unsafe {
56         gpio0_outclr.write_volatile(1 << 28);
57         gpio0_outset.write_volatile(1 << 21);
58     }
59
60     loop {}
61 }
```

- GPIO 0 pin 21 is connected to the first column of the LED matrix, and pin 28 to the first row.

Run the example with:

```
cargo embed --bin mmio
```

# Peripheral Access Crates

`svd2rust` generates mostly-safe Rust wrappers for memory-mapped peripherals from [CMSIS-SVD](#) files.

```
1  #![no_main]
2  #![no_std]
3
4  extern crate panic_halt as _;
5
6  use cortex_m_rt::entry;
7  use nrf52833_pac::Peripherals;
8
9  #[entry]
10 fn main() -> ! {
11     let p = Peripherals::take().unwrap();
12     let gpio0 = p.P0;
13
14     // Configure GPIO 0 pins 21 and 28 as push-pull outputs.
15     gpio0.pin_cnf[21].write(|w| {
16         w.dir().output();
17         w.input().disconnect();
18         w.pull().disabled();
19         w.drive().s0s1();
20         w.sense().disabled();
21         w
22     });
23     gpio0.pin_cnf[28].write(|w| {
24         w.dir().output();
25         w.input().disconnect();
26         w.pull().disabled();
27         w.drive().s0s1();
28         w.sense().disabled();
29         w
30     });
31
32     // Set pin 28 low and pin 21 high to turn the LED on.
33     gpio0.outclr.write(|w| w.pin28().clear());
34     gpio0.outset.write(|w| w.pin21().set());
35
36     loop {}
37 }
```

## ▼ Speaker Notes

- SVD (System View Description) files are XML files typically provided by silicon vendors which describe the memory map of the device.
  - They are organised by peripheral, register, field and value, with names, descriptions, addresses and so on.
  - SVD files are often buggy and incomplete, so there are various projects which patch the mistakes, add missing details, and publish the generated crates.
- `cortex-m-rt` provides the vector table, among other things.
- If you `cargo install cargo-binutils` then you can run `cargo objdump --bin pac -- -d --no-show-raw-instr` to see the resulting binary.

Run the example with:

```
cargo embed --bin pac
```

# HAL crates

HAL crates for many microcontrollers provide wrappers around various peripherals. These generally implement traits from [embedded-hal](#).

```
1  #![no_main]
2  #![no_std]
3
4  extern crate panic_halt as _;
5
6  use cortex_m_rt::entry;
7  use embedded_hal::digital::OutputPin;
8  use nrf52833_hal::gpio::{Level, p0};
9  use nrf52833_hal::pac::Peripherals;
10
11 #[entry]
12 fn main() -> ! {
13     let p = Peripherals::take().unwrap();
14
15     // Create HAL wrapper for GPIO port 0.
16     let gpio0 = p0::Parts::new(p.P0);
17
18     // Configure GPIO 0 pins 21 and 28 as push-pull outputs.
19     let mut col1 = gpio0.p0_28.into_push_pull_output(Level::High);
20     let mut row1 = gpio0.p0_21.into_push_pull_output(Level::Low);
21
22     // Set pin 28 low and pin 21 high to turn the LED on.
23     col1.set_low().unwrap();
24     row1.set_high().unwrap();
25
26     loop {}
27 }
```

## ▼ Speaker Notes

- `set_low` and `set_high` are methods on the `embedded_hal OutputPin` trait.
- HAL crates exist for many Cortex-M and RISC-V devices, including various STM32, GD32, nRF, NXP, MSP430, AVR and PIC microcontrollers.

Run the example with:

```
cargo embed --bin hal
```

# Board support crates

Board support crates provide a further level of wrapping for a specific board for convenience.

```
1 #![no_main]
2 #![no_std]
3
4 extern crate panic_halt as _;
5
6 use cortex_m_rt::entry;
7 use embedded_hal::digital::OutputPin;
8 use microbit::Board;
9
10 #[entry]
11 fn main() -> ! {
12     let mut board = Board::take().unwrap();
13
14     board.display_pins.col1.set_low().unwrap();
15     board.display_pins.row1.set_high().unwrap();
16
17     loop {}
18 }
```

## ▼ Speaker Notes

- In this case the board support crate is just providing more useful names, and a bit of initialisation.
- The crate may also include drivers for some on-board devices outside of the microcontroller itself.
  - `microbit-v2` includes a simple driver for the LED matrix.

Run the example with:

```
cargo embed --bin board_support
```

# The type state pattern

```
1 #[entry]
2 fn main() -> ! {
3     let p = Peripherals::take().unwrap();
4     let gpio0 = p0::Parts::new(p.P0);
5
6     let pin: P0_01<Disconnected> = gpio0.p0_01;
7
8     // let gpio0_01_again = gpio0.p0_01; // Error, moved.
9     let mut pin_input: P0_01<Input<Floating>> = pin.into_floating_input();
10    if pin_input.is_high().unwrap() {
11        // ...
12    }
13    let mut pin_output: P0_01<Output<OpenDrain>> = pin_input
14        .into_open_drain_output(OpenDrainConfig::Disconnect0Standard1, Level::Low)
15    pin_output.set_high().unwrap();
16    // pin_input.is_high(); // Error, moved.
17
18    let _pin2: P0_02<Output<OpenDrain>> = gpio0
19        .p0_02
20        .into_open_drain_output(OpenDrainConfig::Disconnect0Standard1, Level::Low)
21    let _pin3: P0_03<Output<PushPull>> =
22        gpio0.p0_03.into_push_pull_output(Level::Low);
23
24    loop {}
25 }
```

## ▼ Speaker Notes

- Pins don't implement `Copy` or `Clone`, so only one instance of each can exist. Once a pin is moved out of the port struct nobody else can take it.
- Changing the configuration of a pin consumes the old pin instance, so you can't keep use the old instance afterwards.
- The type of a value indicates the state that it is in: e.g. in this case, the configuration state of a GPIO pin. This encodes the state machine into the type system, and ensures that you don't try to use a pin in a certain way without properly configuring it first. Illegal state transitions are caught at compile time.
- You can call `is_high` on an input pin and `set_high` on an output pin, but not vice-versa.
- Many HAL crates follow this pattern.

# embedded-hal

The [embedded-hal](#) crate provides a number of traits covering common microcontroller peripherals:

- GPIO
- PWM
- Delay timers
- I2C and SPI buses and devices

Similar traits for byte streams (e.g. UARTs), CAN buses and RNGs are broken out into [embedded-io](#), [embedded-can](#) and [rand\\_core](#) respectively.

Other crates then implement [drivers](#) in terms of these traits, e.g. an accelerometer driver might need an I2C or SPI device instance.

## ▼ Speaker Notes

- The traits cover using the peripherals but not initialising or configuring them, as initialisation and configuration is usually highly platform-specific.
- There are implementations for many microcontrollers, as well as other platforms such as Linux on Raspberry Pi.
- [embedded-hal-async](#) provides async versions of the traits.
- [embedded-hal-nb](#) provides another approach to non-blocking I/O, based on the [nb](#) crate.

# probe-rs and cargo-embed

[probe-rs](#) is a handy toolset for embedded debugging, like OpenOCD but better integrated.

- SWD (Serial Wire Debug) and JTAG via CMSIS-DAP, ST-Link and J-Link probes
- GDB stub and Microsoft DAP (Debug Adapter Protocol) server
- Cargo integration

`cargo-embed` is a cargo subcommand to build and flash binaries, log RTT (Real Time Transfers) output and connect GDB. It's configured by an `Embed.toml` file in your project directory.

## ▼ Speaker Notes

- [CMSIS-DAP](#) is an Arm standard protocol over USB for an in-circuit debugger to access the CoreSight Debug Access Port of various Arm Cortex processors. It's what the on-board debugger on the BBC micro:bit uses.
- ST-Link is a range of in-circuit debuggers from ST Microelectronics, J-Link is a range from SEGGER.
- The Debug Access Port is usually either a 5-pin JTAG interface or 2-pin Serial Wire Debug.
- `probe-rs` is a library which you can integrate into your own tools if you want to.
- The [Microsoft Debug Adapter Protocol](#) lets VSCode and other IDEs debug code running on any supported microcontroller.
- `cargo-embed` is a binary built using the `probe-rs` library.
- RTT (Real Time Transfers) is a mechanism to transfer data between the debug host and the target through a number of ringbuffers.

# Debugging

*Embed.toml:*

```
[default.general]
chip = "nrf52833_xxAA"

[debug.gdb]
enabled = true
```

In one terminal under `src/bare-metal/microcontrollers/examples/`:

```
cargo embed --bin board_support debug
```

In another terminal in the same directory:

On gLinux or Debian:

```
gdb-multiarch target/thumbv7em-none-eabihf/debug/board_support --eval-command="target
remote :1338"
```

On MacOS:

```
arm-none-eabi-gdb target/thumbv7em-none-eabihf/debug/board_support --eval-
command="target remote :1338"
```

## ▼ Speaker Notes

In GDB, try running:

```
b src/bin/board_support.rs:29
b src/bin/board_support.rs:30
b src/bin/board_support.rs:32
c
c
c
```

# Other projects

- [RTIC](#)
  - “Real-Time Interrupt-driven Concurrency”.
  - Shared resource management, message passing, task scheduling, timer queue.
- [Embassy](#)
  - `async` executors with priorities, timers, networking, USB.
- [TockOS](#)
  - Security-focused RTOS with preemptive scheduling and Memory Protection Unit support.
- [Hubris](#)
  - Microkernel RTOS from Oxide Computer Company with memory protection, unprivileged drivers, IPC.
- [Bindings for FreeRTOS](#).

Some platforms have `std` implementations, e.g. [esp-idf](#).

## ▼ Speaker Notes

- RTIC can be considered either an RTOS or a concurrency framework.
  - It doesn't include any HALs.
  - It uses the Cortex-M NVIC (Nested Virtual Interrupt Controller) for scheduling rather than a proper kernel.
  - Cortex-M only.
- Google uses TockOS on the Haven microcontroller for Titan security keys.
- FreeRTOS is mostly written in C, but there are Rust bindings for writing applications.

# Exercises

We will read the direction from an I2C compass, and log the readings to a serial port.

▼ *Speaker Notes*

After looking at the exercises, you can look at the [solutions](#) provided.

# Compass

We will read the direction from an I2C compass, and log the readings to a serial port. If you have time, try displaying it on the LEDs somehow too, or use the buttons somehow.

Hints:

- Check the documentation for the `lsm303agr` and `microbit-v2` crates, as well as the `micro:bit hardware`.
- The LSM303AGR Inertial Measurement Unit is connected to the internal I2C bus.
- TWI is another name for I2C, so the I2C master peripheral is called TWIM.
- The LSM303AGR driver needs something implementing the `embedded_hal::i2c::I2c` trait. The `microbit::hal::Twim` struct implements this.
- You have a `microbit::Board` struct with fields for the various pins and peripherals.
- You can also look at the [nRF52833 datasheet](#) if you want, but it shouldn't be necessary for this exercise.

Download the [exercise template](#) and look in the `compass` directory for the following files.

`src/main.rs`:

```
#!/usr/bin/rustc
// This file is part of the micro:bit-rs project.
// See https://github.com/microbit-rs/microbit-rs for more information.
// Copyright (c) 2017-2018 Microbit Foundation
// SPDX-License-Identifier: MIT

use core::fmt::Write;
use cortex_m_rt::entry;
use microbit::{hal::{Delay, uarte::{Baudrate, Parity, Uarte}}}, Board;

#[entry]
fn main() -> ! {
    let mut board = Board::take().unwrap();

    // Configure serial port.
    let mut serial = Uarte::new(
        board.UARTE0,
        board.uart.into(),
        Parity::EXCLUDED,
        Baudrate::BAUD115200,
    );

    // Use the system timer as a delay provider.
    let mut delay = Delay::new(board.SYST);

    // Set up the I2C controller and Inertial Measurement Unit.
    // TODO

    writeln!(serial, "Ready.").unwrap();

    loop {
        // Read compass data and log it to the serial port.
        // TODO
    }
}
```

`Cargo.toml` (you shouldn't need to change this):

```
[workspace]
```

```
[package]
name = "compass"
version = "0.1.0"
edition = "2024"
publish = false

[dependencies]
cortex-m-rt = "0.7.5"
embedded-hal = "1.0.0"
lsm303agr = "1.1.0"
microbit-v2 = "0.15.1"
panic-halt = "1.0.0"
```

*Embed.toml* (you shouldn't need to change this):

```
[default.general]
chip = "nrf52833_xxAA"

[debug.gdb]
enabled = true

[debug.reset]
halt_afterwards = true
```

*.cargo/config.toml* (you shouldn't need to change this):

```
[build]
target = "thumbv7em-none-eabihf" # Cortex-M4F

[target.'cfg(all(target_arch = "arm", target_os = "none"))']
rustflags = ["-C", "link-arg=-Tlink.x"]
```

See the serial output on Linux with:

```
picocom --baud 115200 --imap lfcrlf /dev/ttyACM0
```

Or on Mac OS something like (the device name may be slightly different):

```
picocom --baud 115200 --imap lfcrlf /dev/tty.usbmodem14502
```

Use Ctrl+A Ctrl+Q to quit picocom.

# Bare Metal Rust Morning Exercise

## Compass

([back to exercise](#))

```

#![no_main]
#![no_std]

extern crate panic_halt as _;

use core::fmt::Write;
use cortex_m_rt::entry;
use embedded_hal::digital::InputPin;
use lsm303agr::{
    AccelMode, AccelOutputDataRate, Lsm303agr, MagMode, MagOutputDataRate,
};
use microbit::Board;
use microbit::display::blocking::Display;
use microbit::hal::twim::Twim;
use microbit::hal::uarte::{Baudrate, Parity, Uarte};
use microbit::hal::{Delay, Timer};
use microbit::pac::twim0::frequency::FREQUENCY_A;

const COMPASS_SCALE: i32 = 30000;
const ACCELEROMETER_SCALE: i32 = 700;

#[entry]
fn main() -> ! {
    let mut board = Board::take().unwrap();

    // Configure serial port.
    let mut serial = Uarte::new(
        board.UARTE0,
        board.uart.into(),
        Parity::EXCLUDED,
        Baudrate::BAUD115200,
    );

    // Use the system timer as a delay provider.
    let mut delay = Delay::new(board.SYST);

    // Set up the I2C controller and Inertial Measurement Unit.
    writeln!(serial, "Setting up IMU...").unwrap();
    let i2c = Twim::new(board.TWIM0, board.i2c_internal.into(), FREQUENCY_A::K100);
    let mut imu = Lsm303agr::new_with_i2c(i2c);
    imu.init().unwrap();
    imu.set_mag_mode_and_odr(
        &mut delay,
        MagMode::HighResolution,
        MagOutputDataRate::Hz50,
    )
    .unwrap();
    imu.set_accel_mode_and_odr(
        &mut delay,
        AccelMode::Normal,
        AccelOutputDataRate::Hz50,
    )
    .unwrap();
    let mut imu = imu.into_mag_continuous().ok().unwrap();

    // Set up display and timer.
    let mut timer = Timer::new(board.TIMER0);
    let mut display = Display::new(board.display_pins);

    let mut mode = Mode::Compass;
    let mut button_pressed = false;

    writeln!(serial, "Ready.").unwrap();

    loop {
        // Read compass data and log it to the serial port.
        while !(imu.mag_status().unwrap().xyz_new_data()
            && imu.accel_status().unwrap().xyz_new_data())
        {}
        let compass_reading = imu.magnetic_field().unwrap();

```

```

        serial,
        "{}{},{}\\t{},{}{},{}",
        compass_reading.x_nt(),
        compass_reading.y_nt(),
        compass_reading.z_nt(),
        accelerometer_reading.x_mg(),
        accelerometer_reading.y_mg(),
        accelerometer_reading.z_mg(),
    )
    .unwrap();

let mut image = [[0; 5]; 5];
let (x, y) = match mode {
    Mode::Compass => (
        scale(-compass_reading.x_nt(), -COMPASS_SCALE, COMPASS_SCALE, 0, 4)
            as usize,
        scale(compass_reading.y_nt(), -COMPASS_SCALE, COMPASS_SCALE, 0, 4)
            as usize,
    ),
    Mode::Accelerometer => (
        scale(
            accelerometer_reading.x_mg(),
            -ACCELEROMETER_SCALE,
            ACCELEROMETER_SCALE,
            0,
            4,
        ) as usize,
        scale(
            -accelerometer_reading.y_mg(),
            -ACCELEROMETER_SCALE,
            ACCELEROMETER_SCALE,
            0,
            4,
        ) as usize,
    ),
};
image[y][x] = 255;
display.show(&mut timer, image, 100);

// If button A is pressed, switch to the next mode and briefly blink all LEDs
// on.
if board.buttons.button_a.is_low().unwrap() {
    if !button_pressed {
        mode = mode.next();
        display.show(&mut timer, [[255; 5]; 5], 200);
    }
    button_pressed = true;
} else {
    button_pressed = false;
}
}

#[derive(Copy, Clone, Debug, Eq, PartialEq)]
enum Mode {
    Compass,
    Accelerometer,
}

impl Mode {
    fn next(self) -> Self {
        match self {
            Self::Compass => Self::Accelerometer,
            Self::Accelerometer => Self::Compass,
        }
    }
}

fn scale(value: i32, min_in: i32, max_in: i32, min_out: i32, max_out: i32) -> i32 {
    let range_in = max_in - min_in;

```

```
    scaled.clamp(min_out, max_out)
}
```

# Application processors

So far we've talked about microcontrollers, such as the Arm Cortex-M series. These are typically small systems with very limited resources.

Larger systems with more resources are typically called application processors, built around processors such as the ARM Cortex-A or Intel Atom.

For simplicity we'll just work with QEMU's aarch64 '[virt](#)' board.

## ▼ *Speaker Notes*

- Broadly speaking, microcontrollers don't have an MMU or multiple levels of privilege (exception levels on Arm CPUs, rings on x86).
- Application processors have more resources, and often run an operating system, instead of directly executing the target application on startup.
- QEMU supports emulating various different machines or board models for each architecture. The 'virt' board doesn't correspond to any particular real hardware, but is designed purely for virtual machines.
- We will still address this board as bare-metal, as if we were writing an operating system.

# Getting Ready to Rust

Before we can start running Rust code, we need to do some initialisation.

```

/***
 * This is a generic entry point for an image. It carries out the
 * operations required to prepare the loaded image to be run.
 * Specifically, it
 *
 * - sets up the MMU with an identity map of virtual to physical
 *   addresses, and enables caching
 * - enables floating point
 * - zeroes the bss section using registers x25 and above
 * - prepares the stack, pointing to a section within the image
 * - sets up the exception vector
 * - branches to the Rust `main` function
 *
 * It preserves x0-x3 for the Rust entry point, as these may contain
 * boot parameters.
 */
.section .init.entry, "ax"
.global entry
entry:
/*
 * Load and apply the memory management configuration, ready to
 * enable MMU and caches.
 */
.adrp x30, idmap
(msr ttbr0_el1, x30

mov_i x30, .Lmairval
(msr mair_el1, x30

mov_i x30, .Ltcrvval
/* Copy the supported PA range into TCR_EL1.IPS. */
(mrs x29, id_aa64mmfr0_el1
(bfi x30, x29, #32, #4

(msr tcr_el1, x30

mov_i x30, .Lsctlrval

/*
 * Ensure everything before this point has completed, then
 * invalidate any potentially stale local TLB entries before they
 * start being used.
 */
(isb
tlbi vmalle1
ic iallu
dsb nsh
(isb

/*
 * Configure sctlr_el1 to enable MMU and cache and don't proceed
 * until this has completed.
 */
(msr sctlr_el1, x30
(isb

/* Disable trapping floating point access in EL1. */
(mrs x30, cpacr_el1
(orr x30, x30, #(0x3 << 20)
(msr cpacr_el1, x30
(isb

/* Zero out the bss section. */
adr_l x29, bss_begin
adr_l x30, bss_end
0: cmp x29, x30
b.hs 1f
stp xzr, xzr, [x29], #16
b 0b

```

```

mov sp, x30

/* Set up exception vector. */
adr x30, vector_table_el1
msr vbar_el1, x30

/* Call into Rust code. */
bl main

/* Loop forever waiting for interrupts. */
2: wfi
b 2b

```

▼ *Speaker Notes*

This code is in `src/bare-metal/aps/examples/src/entry.s`. It's not necessary to understand this in detail – the takeaway is that typically some low-level setup is needed to meet Rust's expectations of the system.

- This is the same as it would be for C: initialising the processor state, zeroing the BSS, and setting up the stack pointer.
  - The BSS (block starting symbol, for historical reasons) is the part of the object file which containing statically allocated variables which are initialised to zero. They are omitted from the image, to avoid wasting space on zeroes. The compiler assumes that the loader will take care of zeroing them.
- The BSS may already be zeroed, depending on how memory is initialised and the image is loaded, but we zero it to be sure.
- We need to enable the MMU and cache before reading or writing any memory. If we don't:
  - Unaligned accesses will fault. We build the Rust code for the `aarch64-unknown-none` target which sets `+strict-align` to prevent the compiler generating unaligned accesses, so it should be fine in this case, but this is not necessarily the case in general.
  - If it were running in a VM, this can lead to cache coherency issues. The problem is that the VM is accessing memory directly with the cache disabled, while the host has cacheable aliases to the same memory. Even if the host doesn't explicitly access the memory, speculative accesses can lead to cache fills, and then changes from one or the other will get lost when the cache is cleaned or the VM enables the cache. (Cache is keyed by physical address, not VA or IPA.)
- For simplicity, we just use a hardcoded pagetable (see `idmap.s`) which identity maps the first 1 GiB of address space for devices, the next 1 GiB for DRAM, and another 1 GiB higher up for more devices. This matches the memory layout that QEMU uses.
- We also set up the exception vector (`vbar_el1`), which we'll see more about later.
- All examples this afternoon assume we will be running at exception level 1 (EL1). If you need to run at a different exception level you'll need to modify `entry.s` accordingly.

# Inline assembly

Sometimes we need to use assembly to do things that aren't possible with Rust code. For example, to make an HVC (hypervisor call) to tell the firmware to power off the system:

```
1  #![no_main]
2  #![no_std]
3
4  use core::arch::asm;
5  use core::panic::PanicInfo;
6
7  mod asm;
8  mod exceptions;
9
10 const PSCI_SYSTEM_OFF: u32 = 0x84000008;
11
12 // SAFETY: There is no other global function of this name.
13 #[unsafe(no_mangle)]
14 extern "C" fn main(_x0: u64, _x1: u64, _x2: u64, _x3: u64) {
15     // SAFETY: this only uses the declared registers and doesn't do anything
16     // with memory.
17     unsafe {
18         asm!("hvc #0",
19             inout("w0") PSCI_SYSTEM_OFF => _,
20             inout("w1") 0 => _,
21             inout("w2") 0 => _,
22             inout("w3") 0 => _,
23             inout("w4") 0 => _,
24             inout("w5") 0 => _,
25             inout("w6") 0 => _,
26             inout("w7") 0 => _,
27             options(nomem, nostack)
28         );
29     }
30
31     loop {}
32 }
```

(If you actually want to do this, use the `smccc` crate which has wrappers for all these functions.)

## ▼ Speaker Notes

- PSCI is the Arm Power State Coordination Interface, a standard set of functions to manage system and CPU power states, among other things. It is implemented by EL3 firmware and hypervisors on many systems.
- The `0 => _` syntax means initialise the register to 0 before running the inline assembly code, and ignore its contents afterwards. We need to use `inout` rather than `in` because the call could potentially clobber the contents of the registers.
- This `main` function needs to be `#[unsafe(no_mangle)]` and `extern "C"` because it is called from our entry point in `entry.s`.
  - Just `#[no_mangle]` would be sufficient but [RFC3325](#) uses this notation to draw reviewer attention to attributes which might cause undefined behavior if used incorrectly.
- `_x0 - _x3` are the values of registers `x0 - x3`, which are conventionally used by the bootloader to pass things like a pointer to the device tree. According to the standard aarch64 calling convention (which is what `extern "C"` specifies to use), registers `x0 - x7` are used for the first 8 arguments passed to a function, so `entry.s` doesn't need to do anything special except make sure it doesn't change these registers.
- Run the example in QEMU with `make qemu_psci` under `src/bare-metal/aps/examples`.

# Volatile memory access for MMIO

- Use `pointer::read_volatile` and `pointer::write_volatile`.
- Never hold a reference to a location being accessed with these methods. Rust may read from (or write to, for `&mut`) a reference at any time.
- Use `&raw` to get fields of structs without creating an intermediate reference.

```
1 const SOME_DEVICE_REGISTER: *mut u64 = 0x800_0000 as _;
2 // SAFETY: Some device is mapped at this address.
3 unsafe {
4     SOME_DEVICE_REGISTER.write_volatile(0xff);
5     SOME_DEVICE_REGISTER.write_volatile(0x80);
6     assert_eq!(SOME_DEVICE_REGISTER.read_volatile(), 0xaa);
7 }
```

## ▼ Speaker Notes

- Volatile access: read or write operations may have side-effects, so prevent the compiler or hardware from reordering, duplicating or eliding them.
  - Usually if you write and then read, e.g. via a mutable reference, the compiler may assume that the value read is the same as the value just written, and not bother actually reading memory.
- Some existing crates for volatile access to hardware do hold references, but this is unsound. Whenever a reference exists, the compiler may choose to dereference it.
- Use `&raw` to get struct field pointers from a pointer to the struct.
- For compatibility with old versions of Rust you can use the `addr_of!` macro instead.

# Let's write a UART driver

The QEMU 'virt' machine has a [PL011](#) UART, so let's write a driver for that.

```
1 const FLAG_REGISTER_OFFSET: usize = 0x18;
2 const FR_BUSY: u8 = 1 << 3;
3 const FR_TXFF: u8 = 1 << 5;
4
5 /// Minimal driver for a PL011 UART.
6 #[derive(Debug)]
7 pub struct Uart {
8     base_address: *mut u8,
9 }
10
11 impl Uart {
12     /// Constructs a new instance of the UART driver for a PL011 device at the
13     /// given base address.
14     ///
15     /// # Safety
16     ///
17     /// The given base address must point to the 8 MMIO control registers of a
18     /// PL011 device, which must be mapped into the address space of the process
19     /// as device memory and not have any other aliases.
20     pub unsafe fn new(base_address: *mut u8) -> Self {
21         Self { base_address }
22     }
23
24     /// Writes a single byte to the UART.
25     pub fn write_byte(&self, byte: u8) {
26         // Wait until there is room in the TX buffer.
27         while self.read_flag_register() & FR_TXFF != 0 {}
28
29         // SAFETY: We know that the base address points to the control
30         // registers of a PL011 device which is appropriately mapped.
31         unsafe {
32             // Write to the TX buffer.
33             self.base_address.write_volatile(byte);
34         }
35
36         // Wait until the UART is no longer busy.
37         while self.read_flag_register() & FR_BUSY != 0 {}
38     }
39
40     fn read_flag_register(&self) -> u8 {
41         // SAFETY: We know that the base address points to the control
42         // registers of a PL011 device which is appropriately mapped.
43         unsafe { self.base_address.add(FLAG_REGISTER_OFFSET).read_volatile() }
44     }
45 }
```

## ▼ Speaker Notes

- Note that `Uart::new` is unsafe while the other methods are safe. This is because as long as the caller of `Uart::new` guarantees that its safety requirements are met (i.e. that there is only ever one instance of the driver for a given UART, and nothing else aliasing its address space), then it is always safe to call `write_byte` later because we can assume the necessary preconditions.
- We could have done it the other way around (making `new` safe but `write_byte` unsafe), but that would be much less convenient to use as every place that calls `write_byte` would need to reason about the safety
- This is a common pattern for writing safe wrappers of unsafe code: moving the burden of proof for soundness from a large number of places to a smaller number of places.

# More traits

We derived the `Debug` trait. It would be useful to implement a few more traits too.

```
1 use core::fmt::{self, Write};
2
3 impl Write for Uart {
4     fn write_str(&mut self, s: &str) -> fmt::Result {
5         for c in s.as_bytes() {
6             self.write_byte(*c);
7         }
8         Ok(())
9     }
10 }
11
12 // SAFETY: `Uart` just contains a pointer to device memory, which can be
13 // accessed from any context.
14 unsafe impl Send for Uart {}
```

## ▼ Speaker Notes

- Implementing `Write` lets us use the `write!` and `writeln!` macros with our `Uart` type.
- `Send` is an auto-trait, but not implemented automatically because it is not implemented for pointers.

# Using it

Let's write a small program using our driver to write to the serial console.

```
1  #![no_main]
2  #![no_std]
3
4  mod asm;
5  mod exceptions;
6  mod pl011_minimal;
7
8  use crate::pl011_minimal::Uart;
9  use core::fmt::Write;
10 use core::panic::PanicInfo;
11 use log::error;
12 use smccc::Hvc;
13 use smccc::psc::system_off;
14
15 /// Base address of the primary PL011 UART.
16 const PL011_BASE_ADDRESS: *mut u8 = 0x900_0000 as _;
17
18 // SAFETY: There is no other global function of this name.
19 #[unsafe(no_mangle)]
20 extern "C" fn main(x0: u64, x1: u64, x2: u64, x3: u64) {
21     // SAFETY: `PL011_BASE_ADDRESS` is the base address of a PL011 device, and
22     // nothing else accesses that address range.
23     let mut uart = unsafe { Uart::new(PL011_BASE_ADDRESS) };
24
25     writeln!(uart, "main({x0:#x}, {x1:#x}, {x2:#x}, {x3:#x})").unwrap();
26
27     system_off::Hvc().unwrap();
28 }
```

## ▼ Speaker Notes

- As in the [inline assembly](#) example, this `main` function is called from our entry point code in `entry.s`. See the speaker notes there for details.
- Run the example in QEMU with `make qemu_minimal` under `src/bare-metal/aps/examples`.

# A better UART driver

The PL011 actually has [a bunch more registers](#), and adding offsets to construct pointers to access them is error-prone and hard to read. Plus, some of them are bit fields which would be nice to access in a structured way.

| Offset | Register name | Width |
|--------|---------------|-------|
| 0x00   | DR            | 12    |
| 0x04   | RSR           | 4     |
| 0x18   | FR            | 9     |
| 0x20   | ILPR          | 8     |
| 0x24   | IBRD          | 16    |
| 0x28   | FBRD          | 6     |
| 0x2c   | LCR_H         | 8     |
| 0x30   | CR            | 16    |
| 0x34   | IFLS          | 6     |
| 0x38   | IMSC          | 11    |
| 0x3c   | RIS           | 11    |
| 0x40   | MIS           | 11    |
| 0x44   | ICR           | 11    |
| 0x48   | DMACR         | 3     |

## ▼ Speaker Notes

- There are also some ID registers which have been omitted for brevity.

# Bitflags

The `bitflags` crate is useful for working with bitflags.

```
1 use bitflags::bitflags;
2
3 bitflags! {
4     /// Flags from the UART flag register.
5     #[repr(transparent)]
6     #[derive(Copy, Clone, Debug, Eq, PartialEq)]
7     struct Flags: u16 {
8         /// Clear to send.
9         const CTS = 1 << 0;
10        /// Data set ready.
11        const DSR = 1 << 1;
12        /// Data carrier detect.
13        const DCD = 1 << 2;
14        /// UART busy transmitting data.
15        const BUSY = 1 << 3;
16        /// Receive FIFO is empty.
17        const RXFE = 1 << 4;
18        /// Transmit FIFO is full.
19        const TXFF = 1 << 5;
20        /// Receive FIFO is full.
21        const RXFF = 1 << 6;
22        /// Transmit FIFO is empty.
23        const TXFE = 1 << 7;
24        /// Ring indicator.
25        const RI = 1 << 8;
26    }
27 }
```

## ▼ Speaker Notes

- The `bitflags!` macro creates a newtype something like `struct Flags(u16)`, along with a bunch of method implementations to get and set flags.

# Multiple registers

We can use a struct to represent the memory layout of the UART's registers.

```
1 #[repr(C, align(4))]
2 pub struct Registers {
3     dr: u16,
4     _reserved0: [u8; 2],
5     rsr: ReceiveStatus,
6     _reserved1: [u8; 19],
7     fr: Flags,
8     _reserved2: [u8; 6],
9     ilpr: u8,
10    _reserved3: [u8; 3],
11    ibrd: u16,
12    _reserved4: [u8; 2],
13    fbrd: u8,
14    _reserved5: [u8; 3],
15    lcr_h: u8,
16    _reserved6: [u8; 3],
17    cr: u16,
18    _reserved7: [u8; 3],
19    ifls: u8,
20    _reserved8: [u8; 3],
21    imsc: u16,
22    _reserved9: [u8; 2],
23    ris: u16,
24    _reserved10: [u8; 2],
25    mis: u16,
26    _reserved11: [u8; 2],
27    icr: u16,
28    _reserved12: [u8; 2],
29    dmacr: u8,
30    _reserved13: [u8; 3],
31 }
```

## ▼ Speaker Notes

- `#[repr(C)]` tells the compiler to lay the struct fields out in order, following the same rules as C. This is necessary for our struct to have a predictable layout, as default Rust representation allows the compiler to (among other things) reorder fields however it sees fit.

# Driver

Now let's use the new `Registers` struct in our driver.

```
1  /// Driver for a PL011 UART.
2  #[derive(Debug)]
3  pub struct Uart {
4      registers: *mut Registers,
5  }
6
7  impl Uart {
8      /// Constructs a new instance of the UART driver for a PL011 device with the
9      /// given set of registers.
10     /**
11      /// # Safety
12      /**
13      /// The given pointer must point to the 8 MMIO control registers of a PL011
14      /// device, which must be mapped into the address space of the process as
15      /// device memory and not have any other aliases.
16      pub unsafe fn new(registers: *mut Registers) -> Self {
17          Self { registers }
18      }
19
20      /// Writes a single byte to the UART.
21      pub fn write_byte(&mut self, byte: u8) {
22          // Wait until there is room in the TX buffer.
23          while self.read_flag_register().contains(Flags::TXFF) {}
24
25          // SAFETY: We know that self.registers points to the control registers
26          // of a PL011 device which is appropriately mapped.
27          unsafe {
28              // Write to the TX buffer.
29              (&raw mut (*self.registers).dr).write_volatile(byte.into());
30          }
31
32          // Wait until the UART is no longer busy.
33          while self.read_flag_register().contains(Flags::BUSY) {}
34      }
35
36      /// Reads and returns a pending byte, or `None` if nothing has been
37      /// received.
38      pub fn read_byte(&mut self) -> Option<u8> {
39          if self.read_flag_register().contains(Flags::RXFE) {
40              None
41          } else {
42              // SAFETY: We know that self.registers points to the control
43              // registers of a PL011 device which is appropriately mapped.
44              let data = unsafe { (&raw const (*self.registers).dr).read_volatile()
45                  // TODO: Check for error conditions in bits 8-11.
46                  Some(data as u8)
47              }
48          }
49      }
50
51      fn read_flag_register(&self) -> Flags {
52          // SAFETY: We know that self.registers points to the control registers
53          // of a PL011 device which is appropriately mapped.
54          unsafe { (&raw const (*self.registers).fr).read_volatile() }
55      }
}
```

## ▼ Speaker Notes

- Note the use of `&raw const` / `&raw mut` to get pointers to individual fields without creating an intermediate reference, which would be unsound.
- The example isn't included in the slides because it is very similar to the `safe_mmc` example.

`metal/aps/examples` if you need to.

# safe-mmio

The `safe-mmio` crate provides types to wrap registers which can be read or written safely.

|             | Can't read | Read has no side-effects | Read has side-effects |
|-------------|------------|--------------------------|-----------------------|
| Can't write |            | ReadPure                 | ReadOnly              |
| Can write   | WriteOnly  | ReadPureWrite            | ReadWrite             |

```
1 use safe_mmio::fields::{ReadPure, ReadPureWrite, ReadWrite, WriteOnly};
2
3 #[repr(C, align(4))]
4 pub struct Registers {
5     dr: ReadWrite<u16>,
6     _reserved0: [u8; 2],
7     rsr: ReadPure<ReceiveStatus>,
8     _reserved1: [u8; 19],
9     fr: ReadPure<Flags>,
10    _reserved2: [u8; 6],
11    ilpr: ReadPureWrite<u8>,
12    _reserved3: [u8; 3],
13    ibrd: ReadPureWrite<u16>,
14    _reserved4: [u8; 2],
15    fbrd: ReadPureWrite<u8>,
16    _reserved5: [u8; 3],
17    lcr_h: ReadPureWrite<u8>,
18    _reserved6: [u8; 3],
19    cr: ReadPureWrite<u16>,
20    _reserved7: [u8; 3],
21    ifls: ReadPureWrite<u8>,
22    _reserved8: [u8; 3],
23    imsc: ReadPureWrite<u16>,
24    _reserved9: [u8; 2],
25    ris: ReadPure<u16>,
26    _reserved10: [u8; 2],
27    mis: ReadPure<u16>,
28    _reserved11: [u8; 2],
29    icr: WriteOnly<u16>,
30    _reserved12: [u8; 2],
31    dmacr: ReadPureWrite<u8>,
32    _reserved13: [u8; 3],
33 }
```

- Reading `dr` has a side effect: it pops a byte from the receive FIFO.
- Reading `rsr` (and other registers) has no side-effects. It is a 'pure' read.

## ▼ Speaker Notes

- There are a number of different crates providing safe abstractions around MMIO operations; we recommend the `safe-mmio` crate.
- The difference between `ReadPure` OR `ReadOnly` (and likewise between `ReadPureWrite` and `ReadWrite`) is whether reading a register can have side-effects which change the state of the device. E.g. reading the data register pops a byte from the receive FIFO. `ReadPure` means that reads have no side-effects, they are purely reading data.

# Driver

Now let's use the new `Registers` struct in our driver.

```
1 use safe_mmio::{UniqueMmioPointer, field, field_shared};
2
3 /// Driver for a PL011 UART.
4 #[derive(Debug)]
5 pub struct Uart<'a> {
6     registers: UniqueMmioPointer<'a, Registers>,
7 }
8
9 impl<'a> Uart<'a> {
10     /// Constructs a new instance of the UART driver for a PL011 device with the
11     /// given set of registers.
12     pub fn new(registers: UniqueMmioPointer<'a, Registers>) -> Self {
13         Self { registers }
14     }
15
16     /// Writes a single byte to the UART.
17     pub fn write_byte(&mut self, byte: u8) {
18         // Wait until there is room in the TX buffer.
19         while self.read_flag_register().contains(Flags::TXFF) {}
20
21         // Write to the TX buffer.
22         field!(self.registers, dr).write(byte.into());
23
24         // Wait until the UART is no longer busy.
25         while self.read_flag_register().contains(Flags::BUSY) {}
26     }
27
28     /// Reads and returns a pending byte, or `None` if nothing has been
29     /// received.
30     pub fn read_byte(&mut self) -> Option<u8> {
31         if self.read_flag_register().contains(Flags::RXFE) {
32             None
33         } else {
34             let data = field!(self.registers, dr).read();
35             // TODO: Check for error conditions in bits 8-11.
36             Some(data as u8)
37         }
38     }
39
40     fn read_flag_register(&self) -> Flags {
41         field_shared!(self.registers, fr).read()
42     }
43 }
```

## ▼ Speaker Notes

- The driver no longer needs any unsafe code!
- `UniqueMmioPointer` is a wrapper around a raw pointer to an MMIO device or register. The caller of `UniqueMmioPointer::new` promises that it is valid and unique for the given lifetime, so it can provide safe methods to read and write fields.
- Note that `Uart::new` is now safe; `UniqueMmioPointer::new` is unsafe instead.
- These MMIO accesses are generally a wrapper around `read_volatile` and `write_volatile`, though on aarch64 they are instead implemented in assembly to work around a bug where the compiler can emit instructions that prevent MMIO virtualisation.
- The `field!` and `field_shared!` macros internally use `&raw mut` and `&raw const` to get pointers to individual fields without creating an intermediate reference, which would be unsound.
- `field!` needs a mutable reference to a `UniqueMmioPointer`, and returns a

- `field_shared!` works with a shared reference to either a `UniqueMmioPointer` or a `SharedMmioPointer`. It returns a `SharedMmioPointer` which only allows pure reads.

# Using It

Let's write a small program using our driver to write to the serial console, and echo incoming bytes.

```
1  #![no_main]
2  #![no_std]
3
4  mod asm;
5  mod exceptions;
6  mod pl011;
7
8  use crate::pl011::Uart;
9  use core::fmt::Write;
10 use core::panic::PanicInfo;
11 use core::ptr::NonNull;
12 use log::error;
13 use safe_mmio::UniqueMmioPointer;
14 use smccc::Hvc;
15 use smccc::psc::system_off;
16
17 /// Base address of the primary PL011 UART.
18 const PL011_BASE_ADDRESS: NonNull<pl011::Registers> =
19     NonNull::new(0x900_0000 as _) .unwrap();
20
21 // SAFETY: There is no other global function of this name.
22 #[unsafe(no_mangle)]
23 extern "C" fn main(x0: u64, x1: u64, x2: u64, x3: u64) {
24     // SAFETY: `PL011_BASE_ADDRESS` is the base address of a PL011 device, and
25     // nothing else accesses that address range.
26     let mut uart = Uart::new(unsafe { UniqueMmioPointer::new(PL011_BASE_ADDRESS) })
27
28     writeln!(uart, "main({x0:#x}, {x1:#x}, {x2:#x}, {x3:#x})").unwrap();
29
30     loop {
31         if let Some(byte) = uart.read_byte() {
32             uart.write_byte(byte);
33             match byte {
34                 b'\r' => uart.write_byte(b'\n'),
35                 b'q' => break,
36                 _ => continue,
37             }
38         }
39     }
40
41     writeln!(uart, "\n\nBye!").unwrap();
42     system_off::Hvc().unwrap();
43 }
```

## ▼ Speaker Notes

- Run the example in QEMU with `make qemu_safemmio` under `src/bare-metal/aps/examples`.

# Logging

It would be nice to be able to use the logging macros from the `log` crate. We can do this by implementing the `Log` trait.

```
1 use crate::pl011::Uart;
2 use core::fmt::Write;
3 use log::{LevelFilter, Log, Metadata, Record, SetLoggerError};
4 use spin::mutex::SpinMutex;
5
6 static LOGGER: Logger = Logger { uart: SpinMutex::new(None) };
7
8 struct Logger {
9     uart: SpinMutex<Option<Uart<'static>>>,
10 }
11
12 impl Log for Logger {
13     fn enabled(&self, _metadata: &Metadata) -> bool {
14         true
15     }
16
17     fn log(&self, record: &Record) {
18         writeln!(  
19             self.uart.lock().as_mut().unwrap(),  
20             "[{}]\n",  
21             record.level(),  
22             record.args()
23         )
24         .unwrap();
25     }
26
27     fn flush(&self) {}
28 }
29
30 /// Initialises UART logger.
31 pub fn init(  
32     uart: Uart<'static>,
33     max_level: LevelFilter,  
34 ) -> Result<(), SetLoggerError> {
35     LOGGER.uart.lock().replace(uart);
36
37     log::set_logger(&LOGGER)?;
38     log::set_max_level(max_level);
39     Ok(())
40 }
```

## ▼ Speaker Notes

- The first unwrap in `log` will succeed because we initialise `LOGGER` before calling `set_logger`. The second will succeed because `Uart::write_str` always returns `Ok`.

# Using it

We need to initialise the logger before we use it.

```
1  #![no_main]
2  #![no_std]
3
4  mod asm;
5  mod exceptions;
6  mod logger;
7  mod pl011;
8
9  use crate::pl011::Uart;
10 use core::panic::PanicInfo;
11 use core::ptr::NonNull;
12 use log::{LevelFilter, error, info};
13 use safe_mmio::UniqueMmioPointer;
14 use smccc::Hvc;
15 use smccc::psc::system_off;
16
17 /// Base address of the primary PL011 UART.
18 const PL011_BASE_ADDRESS: NonNull<pl011::Registers> =
19     NonNull::new(0x900_0000 as _) .unwrap();
20
21 // SAFETY: There is no other global function of this name.
22 #[unsafe(no_mangle)]
23 extern "C" fn main(x0: u64, x1: u64, x2: u64, x3: u64) {
24     // SAFETY: `PL011_BASE_ADDRESS` is the base address of a PL011 device, and
25     // nothing else accesses that address range.
26     let uart = unsafe { Uart::new(UniqueMmioPointer::new(PL011_BASE_ADDRESS)) };
27     logger::init(uart, LevelFilter::Trace).unwrap();
28
29     info!("main({x0:#x}, {x1:#x}, {x2:#x}, {x3:#x})");
30
31     assert_eq!(x1, 42);
32
33     system_off::<Hvc>().unwrap();
34 }
35
36 #[panic_handler]
37 fn panic(info: &PanicInfo) -> ! {
38     error!("{}");
39     system_off::<Hvc>().unwrap();
40     loop {}
41 }
```

## ▼ Speaker Notes

- Note that our panic handler can now log details of panics.
- Run the example in QEMU with `make qemu_logger` under `src/bare-metal/aps/examples`.

# Exceptions

AArch64 defines an exception vector table with 16 entries, for 4 types of exceptions (synchronous, IRQ, FIQ, SError) from 4 states (current EL with SP0, current EL with SPx, lower EL using AArch64, lower EL using AArch32). We implement this in assembly to save volatile registers to the stack before calling into Rust code:

```
1 use log::error;
2 use smccc::Hvc;
3 use smccc::psc::system_off;
4
5 // SAFETY: There is no other global function of this name.
6 #[unsafe(no_mangle)]
7 extern "C" fn sync_exception_current(_elr: u64, _spsr: u64) {
8     error!("sync_exception_current");
9     system_off::<Hvc>().unwrap();
10 }
11
12 // SAFETY: There is no other global function of this name.
13 #[unsafe(no_mangle)]
14 extern "C" fn irq_current(_elr: u64, _spsr: u64) {
15     error!("irq_current");
16     system_off::<Hvc>().unwrap();
17 }
18
19 // SAFETY: There is no other global function of this name.
20 #[unsafe(no_mangle)]
21 extern "C" fn fiq_current(_elr: u64, _spsr: u64) {
22     error!("fiq_current");
23     system_off::<Hvc>().unwrap();
24 }
25
26 // SAFETY: There is no other global function of this name.
27 #[unsafe(no_mangle)]
28 extern "C" fn serr_current(_elr: u64, _spsr: u64) {
29     error!("serr_current");
30     system_off::<Hvc>().unwrap();
31 }
32
33 // SAFETY: There is no other global function of this name.
34 #[unsafe(no_mangle)]
35 extern "C" fn sync_lower(_elr: u64, _spsr: u64) {
36     error!("sync_lower");
37     system_off::<Hvc>().unwrap();
38 }
39
40 // SAFETY: There is no other global function of this name.
41 #[unsafe(no_mangle)]
42 extern "C" fn irq_lower(_elr: u64, _spsr: u64) {
43     error!("irq_lower");
44     system_off::<Hvc>().unwrap();
45 }
46
47 // SAFETY: There is no other global function of this name.
48 #[unsafe(no_mangle)]
49 extern "C" fn fiq_lower(_elr: u64, _spsr: u64) {
50     error!("fiq_lower");
51     system_off::<Hvc>().unwrap();
52 }
53
54 // SAFETY: There is no other global function of this name.
55 #[unsafe(no_mangle)]
56 extern "C" fn serr_lower(_elr: u64, _spsr: u64) {
57     error!("serr_lower");
58     system_off::<Hvc>().unwrap();
59 }
```

#### ▼ Speaker Notes

- EL is exception level; all our examples this afternoon run in EL1.
- For simplicity we aren't distinguishing between SP0 and SPx for the current EL exceptions, or between AArch32 and AArch64 for the lower EL exceptions.
- For this example we just log the exception and power down, as we don't expect any of them to actually happen.
- We can think of exception handlers and our main execution context more or less like different threads. `Send` and `Sync` will control what we can share between them, just like with threads. For example, if we want to share some value between exception handlers and the rest of the program, and it's `Send` but not `Sync`, then we'll need to wrap it in something like a `Mutex` and put it in a static.

## aarch64-rt

The `aarch64-rt` crate provides the assembly entry point and exception vector that we implemented before. We just need to mark our main function with the `entry!` macro.

It also provides the `initial_pagetable!` macro to let us define an initial static pagetable in Rust, rather than in assembly code like we did before.

We can also use the UART driver from the `arm-pl011-uart` crate rather than writing our own.

```

1  #![no_main]
2  #![no_std]
3
4  mod exceptions;
5
6  use aarch64_paging::paging::Attributes;
7  use aarch64_rt::{InitialPagetable, entry, initial_pagetable};
8  use arm_pl011_uart::{PL011Registers, Uart, UniqueMmioPointer};
9  use core::fmt::Write;
10 use core::panic::PanicInfo;
11 use core::ptr::NonNull;
12 use smccc::Hvc;
13 use smccc::psc::system_off;
14
15 /// Base address of the primary PL011 UART.
16 const PL011_BASE_ADDRESS: NonNull<PL011Registers> =
17     NonNull::new(0x900_0000 as _).unwrap();
18
19 /// Attributes to use for device memory in the initial identity map.
20 const DEVICE_ATTRIBUTES: Attributes = Attributes::VALID
21     .union(Attributes::ATTRIBUTE_INDEX_0)
22     .union(Attributes::ACCESSED)
23     .union(Attributes::UXN);
24
25 /// Attributes to use for normal memory in the initial identity map.
26 const MEMORY_ATTRIBUTES: Attributes = Attributes::VALID
27     .union(Attributes::ATTRIBUTE_INDEX_1)
28     .union(Attributes::INNER_SHAREABLE)
29     .union(Attributes::ACCESSED)
30     .union(Attributes::NON_GLOBAL);
31
32 - initial_pagetable!({
33     let mut idmap = [0; 512];
34     // 1 GiB of device memory.
35     idmap[0] = DEVICE_ATTRIBUTES.bits();
36     // 1 GiB of normal memory.
37     idmap[1] = MEMORY_ATTRIBUTES.bits() | 0x40000000;
38     // Another 1 GiB of device memory starting at 256 GiB.
39     idmap[256] = DEVICE_ATTRIBUTES.bits() | 0x4000000000;
40     InitialPagetable(idmap)
41 });
42
43 entry!(main);
44 - fn main(x0: u64, x1: u64, x2: u64, x3: u64) -> ! {
45     // SAFETY: `PL011_BASE_ADDRESS` is the base address of a PL011 device, and
46     // nothing else accesses that address range.
47     let mut uart = unsafe { Uart::new(UniqueMmioPointer::new(PL011_BASE_ADDRESS)) }
48
49     writeln!(uart, "main({x0:#x}, {x1:#x}, {x2:#x}, {x3:#x})").unwrap();
50
51     system_off::<Hvc>().unwrap();
52     panic!("system_off returned");
53 }
54
55 #[panic_handler]
56 - fn panic(_info: &PanicInfo) -> ! {
57     system_off::<Hvc>().unwrap();
58     loop {}
59 }

```

## ▼ Speaker Notes

- Run the example in QEMU with `make qemu_rt` under `src/bare-metal/aps/examples`.

# Other projects

- [oreboot](#)
  - “coreboot without the C”.
  - Supports x86, aarch64 and RISC-V.
  - Relies on LinuxBoot rather than having many drivers itself.
- [Rust RaspberryPi OS tutorial](#)
  - Initialisation, UART driver, simple bootloader, JTAG, exception levels, exception handling, page tables.
  - Some dodginess around cache maintenance and initialisation in Rust, not necessarily a good example to copy for production code.
- [cargo-call-stack](#)
  - Static analysis to determine maximum stack usage.

## ▼ Speaker Notes

- The RaspberryPi OS tutorial runs Rust code before the MMU and caches are enabled. This will read and write memory (e.g. the stack). However, this has the problems mentioned at the beginning of this session regarding unaligned access and cache coherency.

# Useful crates

We'll look at a few crates which solve some common problems in bare-metal programming.

# zerocopy

The [zerocopy](#) crate (from Fuchsia) provides traits and macros for safely converting between byte sequences and other types.

```
1 use zerocopy::{Immutable, IntoBytes};
2
3 #[repr(u32)]
4 #[derive(Debug, Default, Immutable, IntoBytes)]
5 enum RequestType {
6     #[default]
7     In = 0,
8     Out = 1,
9     Flush = 4,
10 }
11
12 #[repr(C)]
13 #[derive(Debug, Default, Immutable, IntoBytes)]
14 struct VirtioBlockRequest {
15     request_type: RequestType,
16     reserved: u32,
17     sector: u64,
18 }
19
20 fn main() {
21     let request = VirtioBlockRequest {
22         request_type: RequestType::Flush,
23         sector: 42,
24         ..Default::default()
25     };
26
27     assert_eq!(
28         request.as_bytes(),
29         &[4, 0, 0, 0, 0, 0, 0, 0, 42, 0, 0, 0, 0, 0, 0, 0]
30     );
31 }
```

This is not suitable for MMIO (as it doesn't use volatile reads and writes), but can be useful for working with structures shared with hardware e.g. by DMA, or sent over some external interface.

## ▼ Speaker Notes

- `FromBytes` can be implemented for types for which any byte pattern is valid, and so can safely be converted from an untrusted sequence of bytes.
- Attempting to derive `FromBytes` for these types would fail, because `RequestType` doesn't use all possible `u32` values as discriminants, so not all byte patterns are valid.
- `zerocopy::byteorder` has types for byte-order aware numeric primitives.
- Run the example with `cargo run` under `src/bare-metal/useful-crates/zerocopy-example/`. (It won't run in the Playground because of the crate dependency.)