hubris VS stm32-rs

I wouldn't put this comment here. It's not just some detail of this function; it's an invariant of the field that all writers have to respect (maybe this is the only one now but still) and all readers can take advantage of. So I'd add it to the `TaskDesc::regions` docstring. [1]

[1] https://github.com/oxidecomputer/hubris/commit/b44e677fb39cd...

With respect to Hubris, the build badge was, in turns out, pointing to a stale workflow. (That is, the build was succeeding, but the build badge was busted.) This comment has been immortalized in the fix.[0]

With respect to Humility, I am going to resist the temptation of pointing out why one of those directories has a different nomenclature with respect to its delimiter -- and just leave it at this: if you really want to find some filthy code in Humility, you can do much, much better than that!

[0] https://github.com/oxidecomputer/hubris/commit/651a9546b20ce...

A lot of questions in there! Taking these in order:

1. We aren't making standalone servers: the Oxide compute sled comes in the Oxide rack. So are not (and do not intend to be) a drop in replacement for extant rack mounted servers.

2. We have taken a fundamentally different approach to firmware, with a true root of trust that can attest to the service processor -- which can turn attest to the system software. This prompts a lot of questions (e.g., who attests to the root of trust?), and there is a LOT to say about this; look for us to talk a lot more about this

3. In stark contrast (sadly) to nearly everyone else in the server space, the firmware we are developing is entirely open source. More details on that can be found in Cliff Biffle's 2021 OSFC talk and the Hubris and Humility repos.[0][1][2]

4. Definitely not vaporware! We are in the process of shipping to our first customers; you can follow our progress in our Oxide and Friends podcast.[3]

[0] https://www.osfc.io/2021/talks/on-hubris-and-humility-develo...

[1] https://github.com/oxidecomputer/hubris

[2] https://github.com/oxidecomputer/humility

[3] https://oxide-and-friends.transistor.fm/

everywhere, for example in https://github.com/oxidecomputer/hubris/search?q=dyn

Is Box really allocating here? Is the "Rust By Example" text incomplete?

Then I had to stop learning Rust for other reasons, but this doubt really hit me at the time.

I work on an embedded OS in Rust (Hubris) that has a very bespoke build system. As part of the build system, it has to set environmental variables based on (1) the target device and (2) the specific "task"; this is an OS with task-level isolation, so tasks are compiled as individual Rust crates.

Oxide Computer told some storied about the difficulty of bring up of a new motherboard, and mentioned a lot of gotcha details and hack solutions for managing their AMD chip.

They talked about their bring up sequence, boot chain verification on their motherboard, and designing / creating / verifying their hardware root of trust.

I heard mention of this on a podcast recently, trying to find the reference.

I'm pretty sure it was [S3]

- "Tales from the Bringup Lab" https://lnns.co/FBf5oLpyHK3

- or "More Tales from the Bringup Lab" https://lnns.co/LQur_ToJX9m

But I found again these interesting things worth sharing on that search. https://oxide.computer/blog/hubris-and-humility, https://github.com/oxidecomputer/hubris

Search 1 [S1], Trammell Hudson ep mentioning firmware (chromebook related iirc) https://lnns.co/pystdPm0QvG.

Search 2 [S2], Security, Cryptography, Whatever podcast episode mentioning Oxide and roots of trust or similar. https://lnns.co/VnyTvdhBiGC

Search links:

[S1]: https://www.listennotes.com/search/?q=oxide+tpm

[S2]: https://www.listennotes.com/search/?q=oxide%20and%20friends%...

[S3]: https://www.listennotes.com/search/?q=oxide%20and%20friends%...

When we started the company, we knew it would be a three year build -- and indeed, our first product is in the final stages of development (i.e. EMC/safety certification). We have been very transparent about our progress along the way[0][1][2][3][4][5][6][7] -- and our software is essentially all open source, so you can follow along there as well.[8][9][10]

If you are asking "does anyone want a rack-scale computer?" the (short) answer is: yes, they do. The on-prem market has been woefully underserved -- and there are plenty of folks who are sick of Dell/HPE/VMware/Cisco, to say nothing of those who are public cloud borne and wondering if they should perhaps own some of their own compute rather than rent it all.

[0] https://oxide-and-friends.transistor.fm/episodes/holistic-bo...

[1] https://oxide-and-friends.transistor.fm/episodes/the-oxide-s...

[2] https://oxide-and-friends.transistor.fm/episodes/bringup-lab...

[3] https://oxide-and-friends.transistor.fm/episodes/more-tales-...

[4] https://oxide-and-friends.transistor.fm/episodes/another-lpc...

[5] https://oxide-and-friends.transistor.fm/episodes/the-pragmat...

[6] https://oxide-and-friends.transistor.fm/episodes/tales-from-...

[7] https://oxide-and-friends.transistor.fm/episodes/the-sidecar...

[8] https://github.com/oxidecomputer/omicron

[9] https://github.com/oxidecomputer/propolis

[10] https://github.com/oxidecomputer/hubris

Hubris is a microkernel-ish OS for embedded systems, and has a bunch of documentation about its design:

https://hubris.oxide.computer/reference/

It's all open-source on Github:

https://github.com/oxidecomputer/hubris

(I work at Oxide, mostly using Hubris)

Developing code at the PAC, well, requires a PAC crate for the targeted controller. For the STM32 there exists a repo for all the supported PACs. These PACs are all generated using a command line tool called svd2rust. svd2rust grabs what is called an svd file and converts it into a PAC exposing API allowing access to peripheral registers. An SVD file is an Extensible Markup Language (XML) formatted file describing the hardware features of a device, listing all the peripherals and the registers associated with them. SVD files typically are released by microcontroller manufacturers.

In real world software, 99% of code is gluing preexisting lower-level functions together. In C/C++, the unsafe is implicit and needlessly covers everything. In Rust, the unsafe is only needed for the 1%.

You can safely implement a doubly-linked list in Rust, using unsafe, and that list can offer a safe interface so that the next higher level of code does not need to use unsafe. In fact, one doubly-linked list implementation that provides a safe interface is in the Rust standard library: https://doc.rust-lang.org/std/collections/struct.LinkedList.... . Most people do not rewrite std::list in C++ either.

Much of the Linux kernel really is the same: normal C code (maybe slightly more complicate than average userspace code, and definitely more carefully reviewed, but definitely not magic), that depends on extra carefully written lower level primitives that are _much_ more complicated internally than they appear from the outside (like the memory allocator, printk, RCU, etc.).

Rust is powerful enough to have libraries for register level access to micro-controllers (e.g. https://github.com/stm32-rs/stm32-rs), that encode moderately complex access rules safely in the type system (e.g. which specific set of bits is read-only or write-only, with which particular values (with nice human-readable names, even!), in which particular states of a state machine depending on other bits), all while allowing bypassing the restrictions with a simple unsafe keyword without even giving up on the nice API.

On the C/C++ side, I've used libopencm3, MBED, CMSIS, and everyone's favorite toy, Arduino. They're, in different ways, all much more mature and complete than anything Rust has today, but nothing comes even remotely close to Rust in terms of safety and long term potential.

Packages: Where would I start with e.g. running Ada on a stm32? Resources are just a bit tough to find, and there's only a single stm32 package on Alire (which was inspired by cargo). But Rust has easy to find PACs and HALs for everything in the family, plus an official guide to setting up a project, including HIL debugging and unit testing on qemu, that takes about 15 minutes.

> (I threw out all my C/C++ books about 15 years ago - oops!).

The future is here for STM32: https://github.com/stm32-rs/stm32-rs

Specifically these Rust register definitions are being auto-generated using SVD files published by the chip vendors (https://www.keil.com/pack/doc/CMSIS/SVD/html/index.html). For stm32 for example there are the auto-generated register definitions: https://github.com/stm32-rs/stm32-rs and then the HAL layers on top that try to build easy to use tools on top of the registers (e.g. an SPI or USART type with write and read functions). e.g. https://github.com/stm32-rs/stm32f4xx-hal for the stm32f4xx line

For STM32, check out the Peripheral Access Crates by the stm32-rs ream. For higher-level access, I wrote This HAL library for STM32. Works on most newer variants, and includes examples for specific peripherals, and simple applications.

Patches: https://github.com/stm32-rs/stm32-rs/tree/master/devices