stm32-rs VS humility

Developing code at the PAC, well, requires a PAC crate for the targeted controller. For the STM32 there exists a repo for all the supported PACs. These PACs are all generated using a command line tool called svd2rust. svd2rust grabs what is called an svd file and converts it into a PAC exposing API allowing access to peripheral registers. An SVD file is an Extensible Markup Language (XML) formatted file describing the hardware features of a device, listing all the peripherals and the registers associated with them. SVD files typically are released by microcontroller manufacturers.

In real world software, 99% of code is gluing preexisting lower-level functions together. In C/C++, the unsafe is implicit and needlessly covers everything. In Rust, the unsafe is only needed for the 1%.

You can safely implement a doubly-linked list in Rust, using unsafe, and that list can offer a safe interface so that the next higher level of code does not need to use unsafe. In fact, one doubly-linked list implementation that provides a safe interface is in the Rust standard library: https://doc.rust-lang.org/std/collections/struct.LinkedList.... . Most people do not rewrite std::list in C++ either.

Much of the Linux kernel really is the same: normal C code (maybe slightly more complicate than average userspace code, and definitely more carefully reviewed, but definitely not magic), that depends on extra carefully written lower level primitives that are _much_ more complicated internally than they appear from the outside (like the memory allocator, printk, RCU, etc.).

Rust is powerful enough to have libraries for register level access to micro-controllers (e.g. https://github.com/stm32-rs/stm32-rs), that encode moderately complex access rules safely in the type system (e.g. which specific set of bits is read-only or write-only, with which particular values (with nice human-readable names, even!), in which particular states of a state machine depending on other bits), all while allowing bypassing the restrictions with a simple unsafe keyword without even giving up on the nice API.

On the C/C++ side, I've used libopencm3, MBED, CMSIS, and everyone's favorite toy, Arduino. They're, in different ways, all much more mature and complete than anything Rust has today, but nothing comes even remotely close to Rust in terms of safety and long term potential.

Packages: Where would I start with e.g. running Ada on a stm32? Resources are just a bit tough to find, and there's only a single stm32 package on Alire (which was inspired by cargo). But Rust has easy to find PACs and HALs for everything in the family, plus an official guide to setting up a project, including HIL debugging and unit testing on qemu, that takes about 15 minutes.

> (I threw out all my C/C++ books about 15 years ago - oops!).

The future is here for STM32: https://github.com/stm32-rs/stm32-rs

Specifically these Rust register definitions are being auto-generated using SVD files published by the chip vendors (https://www.keil.com/pack/doc/CMSIS/SVD/html/index.html). For stm32 for example there are the auto-generated register definitions: https://github.com/stm32-rs/stm32-rs and then the HAL layers on top that try to build easy to use tools on top of the registers (e.g. an SPI or USART type with write and read functions). e.g. https://github.com/stm32-rs/stm32f4xx-hal for the stm32f4xx line

For STM32, check out the Peripheral Access Crates by the stm32-rs ream. For higher-level access, I wrote This HAL library for STM32. Works on most newer variants, and includes examples for specific peripherals, and simple applications.

Patches: https://github.com/stm32-rs/stm32-rs/tree/master/devices

A lot of questions in there! Taking these in order:

1. We aren't making standalone servers: the Oxide compute sled comes in the Oxide rack. So are not (and do not intend to be) a drop in replacement for extant rack mounted servers.

2. We have taken a fundamentally different approach to firmware, with a true root of trust that can attest to the service processor -- which can turn attest to the system software. This prompts a lot of questions (e.g., who attests to the root of trust?), and there is a LOT to say about this; look for us to talk a lot more about this

3. In stark contrast (sadly) to nearly everyone else in the server space, the firmware we are developing is entirely open source. More details on that can be found in Cliff Biffle's 2021 OSFC talk and the Hubris and Humility repos.[0][1][2]

4. Definitely not vaporware! We are in the process of shipping to our first customers; you can follow our progress in our Oxide and Friends podcast.[3]

[0] https://www.osfc.io/2021/talks/on-hubris-and-humility-develo...

[1] https://github.com/oxidecomputer/hubris

[2] https://github.com/oxidecomputer/humility

[3] https://oxide-and-friends.transistor.fm/

It's a mix of embedded work and improving the system's tooling (faster builds, debugger support, etc)

Other folks have mentioned this, but it's important to understand the limitations of Rust with respect to safety. In particular: every stack operation is -- at some level -- an unsafe operation as it operates without a bounds check. This isn't Rust's fault per se; non-segmented architectures don't have an architecturally defined way to know the stack base. As a result, even an entirely safe Rust program can make an illegal access to memory that results in fatal program failure. That, of course, assumes memory protection; if you don't have memory protection (or, like many embedded operating systems, you don't make use of it), stack overflows will plow into adjacent memory.

But wait, it gets worse: stack overflows are often not due to infinite stack consumption (e.g., recursion) but rather simply going deep on an unusual code path. If stack consumption just goes slightly beyond the base of the stack and there is no memory protection, this is corrupt-and-run -- and you are left debugging a problem that looks every bit like a gnarly data race in an unsafe programming language. And this problem becomes especially acute when memory is scarce: you really don't want a tiny embedded system to be dedicating a bunch of its memory to stack space that will never ("never") be used, so you make the stacks as tight as possible -- making stack overflows in fact much more likely.

Indeed, even with the MPU, these problems were acute in the development of Hubris: we originally put the stack at the top of a task's data space, and its data at the bottom -- and we found that tasks that only slightly exceeded their stack (rather than running all of the way through its data and into the protection boundary) were corrupting themselves with difficult-to-debug failures. We flipped the order to assure that every stack overflow hit the protection boundary[0], which required us to be much more intentional about the stack versus data split -- but had the added benefit of allowing us to add debugging support for it.[1]

Stack overflows are still pesky (and still a leading cause of task death!), but without the MPU, each one of these stack overflows would be data corruption -- answering for us viscerally what we "need the MPU for."

[0] https://github.com/oxidecomputer/hubris/commit/d75e832931f67...

[1] https://github.com/oxidecomputer/humility#humility-stackmarg...

In addition to Cliff's talk/blog -- which are absolutely outstanding -- I would recommend listening to the Twitter Space we did on Hubris and Humility last week.[0] It was a really fun conversation, and it also serves as a bit of a B-side for the talk in that it goes into some of the subtler details that we feel are important, but didn't quite rise to the level of the presentation. And of course, be sure to check out the source itself![1][2]

[0] https://www.youtube.com/watch?v=cypmufnPfLw

[1] https://github.com/oxidecomputer/hubris

[2] https://github.com/oxidecomputer/humility

Humility (the debugger)