Just writing some notes about this idea: create an "unprivileged sandbox".
- Threads could be privileged or not privileged.
- The address space is accessible only by privileged code (this is the Cortex-M default).
- The application can create a "sandbox" using one or two MPU regions (for code and data).
- The sandbox code would start with a header containing some metadata (entry points and stack sizes).
- The application starts one or more threads to enter the sandbox and be trapped there using the metadata for entry points.
- The boxed threads cannot touch anything, just call SVC for services (API TBD), threads cannot call ChibiOS functions directly.
- Exceptions caused by sandboxed threads would just terminate the thread without affecting the rest of the system.
- The sandbox is static, no MPU reconfiguration at context switch (fast).
- Sandbox is pretty much like a Posix process but static and without overhead.
- It would be an optional module on top of both RT or NIL, it makes more sense for RT anyway.
- Run loadable code safely (sandbox in RAM, or in a dedicated flash that can be rewritten with external code).
- ISO26262 isolation concept (non-ASIL code in the sandbox in an ASIL system).
- Multiple sandboxes isolated from each other, pretty much processes, would require MPU dynamic handling.
- exit, sleep for sure.
- Access to named global objects like mailboxes or message servers.
- Posix-like API? as an option?
- How much isolation is really possible on Cortex-M.
Just writing notes right now, feedback is of course welcome.
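One concrete piece of the idea above is the check the privileged side must do before trapping a thread in the box: the MPU regions must be legal for an ARMv7-M MPU (power-of-two size, base aligned to the size), and the entry points and stacks named in the header must lie inside those regions. The example below is added here and is not ChibiOS code; the header layout, the `sb_` names and the magic value are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical sandbox header, modelled on the note's "entry points and
 * stack sizes" metadata. The layout is an assumption, not a ChibiOS format. */
typedef struct {
  uint32_t magic;          /* identifies a sandbox image */
  uint32_t entry[2];       /* Thumb entry points (bit 0 set) */
  uint32_t stack_size[2];  /* stack size for the thread using each entry */
} sb_header_t;

/* One MPU region. ARMv7-M regions are power-of-two sized (32 bytes minimum)
 * and aligned to their size, so a misaligned base would silently cover less. */
typedef struct { uint32_t base; uint32_t size; } sb_region_t;

#define SB_MAGIC 0x53424F58u  /* "SBOX", a constructed value */

static bool region_valid(const sb_region_t *r) {
  return r->size >= 32u && (r->size & (r->size - 1u)) == 0u &&
         (r->base & (r->size - 1u)) == 0u;
}

/* True if [addr, addr+len) lies inside r; uses offsets so it cannot overflow. */
static bool in_region(const sb_region_t *r, uint32_t addr, uint32_t len) {
  uint32_t off = addr - r->base;
  return addr >= r->base && off < r->size && len <= r->size - off;
}

/* Checks that a header placed at the start of the code region describes entry
 * points inside that region and stacks that together fit in the data region,
 * so a boxed thread cannot be started with a PC or SP outside its box. */
bool sb_check(const sb_header_t *h, const sb_region_t *code,
              const sb_region_t *data) {
  uint32_t used = 0;
  if (!region_valid(code) || !region_valid(data) || h->magic != SB_MAGIC)
    return false;
  for (int i = 0; i < 2; i++) {
    if ((h->entry[i] & 1u) == 0u)                 /* must be a Thumb address */
      return false;
    if (!in_region(code, h->entry[i] & ~1u, 2u))  /* first halfword in box */
      return false;
    if (h->stack_size[i] == 0u || (h->stack_size[i] & 7u) != 0u)
      return false;                               /* AAPCS 8-byte stack */
    if (h->stack_size[i] > data->size - used)     /* no overflow, no spill */
      return false;
    used += h->stack_size[i];
  }
  return true;
}
```

A real implementation would also confirm that neither region overlaps kernel memory, which this check deliberately leaves to the MPU setup code.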