sorpaas/rux

Rux, a microkernel written in Rust

Rux is a hobbyist microkernel written in Rust, featuring a capability-based system similar to seL4.

• Repository
• Documentation

Overview

Rux's goal is to become a safe general-purpose microkernel. It tries to take advantage of Rust's memory model -- ownership and lifetime. While the kernel will be small, unsafe code should be kept minimal. This makes updating functionalities of the kernel hassle-free.

Rux uses a design that is similar to seL4. While there won't be formal verification in the short term, it tries to address some design issues of seL4, for example, capability allocation.

Contributing

We use Phabricator to manage code reviews and collabration. To submit a patch, install arcanist. After you finished coding, run arc diff and it will guide you to create a new patch in Phabricator.

If you don't like arcanist, you can also submit raw diff directly through the web interface. Refer to guide in this page for details on how to do this.

Quickstart

Currently, due to packaging problem, the kernel is only tested to compile and run on Linux with x86_64. Platforms with qemu and compiler target of x86_64 should all be able to run this kernel, but do it at your own risk.

To run the kernel, first install Rust, qemu, and cross-compiled GNU's binutils. The easiest way to do it is through the default.nix file provided in the source code. Install Nix, then go to the source code root and run the following command:

nix-shell

After that, run:

make run

You should see the kernel start to run with a qemu VGA buffer. The buffer, after the kernel successfully booted, should show a simple command-line interface controlled by rinit program launched by the kernel. Several commands can be used to test things out.

echo [message]

Echo messages and print them back to the VGA buffer.

list

Print the current CPool slots into the kernel message buffer.

retype cpool [source slot id] [target slot id]

Retype an Untyped capability into a CPool capability. [source slot id] should be a valid slot index of an Untyped capability. [target slot id] should be an empty slot for holding the retyped CPool capability.

Example: Talk With a Child Task

The rinit program will start the command line interface when it is the first to run. For all subsequent rinit programs, they will wait on a channel (using the root CPool of index 255), and print out the value to the serial buffer.

When you see the command line in the qemu VGA buffer, the "parent" rinit program has been successfully started. We can then create a "child" program using the same memory layout (sharing one page table), and make them talk.

When the "parent" rinit program is started, you should see something like below in the VGA buffer:

Child entry should be at: 0x88b0 (34992)
Child stack pointer should be at: 0x70003ffc (1879064572)

Those messages are useful if we want to create a "child".

To do this, we first retype a new task from an untyped capability.

retype task 2 249

This creates a new task in "inactive" state, which allows us to do further settings. We then set its stack pointer and instruction pointer to the valid value:

set stack 249 1879064572
set instruction 249 34992

Then we set the task's root CPool and top page table the same as the "parent":

set cpool 249 0
set table 249 3

The task buffer is used for system calls, thus we need a new one for the child. Fortunately, in the kernel kmain, we have already created one at index 250, so we can set that as the "child"'s buffer.

set buffer 249 250

After that, we can set the state of the task to active. This will start the task.

set active 249 1

If you are lazy and don't want to create the task from scratch. The command below automates the task from retyping tasks from untyped to activating the task.

start child

After the child has started, we can send numbers to channel (with CPool index 255).

send raw 5

You should see [kernel] Userspace print: Received from master: 5 in the serial message buffer.

You can also send capabilities over the channel. Rux uses different system calls to send raw values, payloads and capabilities through channels. If you wish to send capabilities, modify let value: u64 = system::channel_take(CAddr::from(255)); in child_main of rinit/src/lib.rs to let value: CAddr = system::channel_take_cap(CAddr::from(255));.

send cap 0

And the top-level capability pool capability (CPoolCap) is copied again from parent to child.

Source Code Structure

The development of Rux happen in the master branch in the source code tree. The kernel resides in the kernel folder, with platform-specific code in kernel/src/arch. For the x86_64 platform, the kernel is booted from kernel/src/arch/x86_64/start.S. The assembly code them jumps to the kinit function in kernel/src/arch/x86_64/init/mod.rs.

After the kernel is bootstrapped, it will initialize a user-space program called rinit, which resides in the rinit folder. The user-space program talks with the kernel through system calls, with ABI defined in the package abi, and wrapped in system.

Kernel Design

Capabilities

Capabilities are used in kernel to manage Kernel Objects. Those Capabilities are reference-counted pointers that provide management for object lifecycles.

Capabilities in user-space can be accessed using so-called CAddress, refered through the root capability of the user-space task. This helps to handle all permission managements for the kernel, and thus no priviliged program or account is needed.

Current implemented capabilities are:

• Untyped memory capability (UntypedCap)
• Capability pool capability (CPoolCap)
• Paging capability
  • PML4Cap, PDPTCap, PDCap, PTCap
  • RawPageCap, TaskBufferPageCap
  • VGA buffer
• CPU time sharing capability (TaskCap)
• Inter-process communication capability (ChannelCap)

Example: Initialize a New Task

This example shows how to initialize a new task using the capability system.

• Create an empty TaskCap.
• Create an empty CPoolCap.
• Initialize paging capabilities (One PML4Cap, Several PDPTCap, PDCap, PTCap and RawPageCap)
• Assign the stack pointer in TaskCap.
• Load the program into those RawPageCap.
• Assign the PML4Cap to TaskCap.
• Assign the CPoolCap to TaskCap.
• Switch to the task!

Implementation

Implementing reference-counted object is a little bit tricky in kernel, as objects need to be immediately freed, and all weak pointers need to be cleared after the last strong pointer goes out. Rux's implementation uses something called WeakPool to implement this. The original reference counted object (called Inner), form a double-linked list into the nodes in multiple WeakPools.

Capability Pools

Capability Pools (or CPool) are used to hold multiple capability together. This is useful for programs to pass around permissions, and is essential for CPool addressing. In implementation, capability pools are implemented as a WeakPool.

Tasks

A task capability has a pointer to a capability pool (the root for CPool addressing), a task buffer (for kernel calls), and a top-level page table. When switching to a task, the kernel switches to the page table specified.

The switch_to function implemented uses several tricks to make it "safe" as in Rust's sense. When an interrupt happens in userspace, the kernel makes it as if the switch_to function has returned.

In kernel-space, interrupts are disabled.

Channels

Tasks communicate with each other through channels. A channel has a short buffer holding messages sent from a task, and will respond this to the first task that calls wait on the channel.