Merge branch 'master' into host-dtrace-support

oxidecomputer · Oct 2, 2023 · 5f6ee09 · 5f6ee09
2 parents 43b24da + 6d6daa6
commit 5f6ee09
Show file tree

Hide file tree

Showing 14 changed files with 361 additions and 54 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/app/lpc55xpresso/app.toml b/app/lpc55xpresso/app.toml
@@ -142,7 +142,7 @@ extern-regions = ["sram2"]
 [tasks.attest]
 name = "task-attest"
 priority = 5
-max-sizes = {flash = 13600, ram = 16384}
+max-sizes = {flash = 14800, ram = 16384}
 stacksize = 9304
 start = true
 extern-regions = ["dice_alias", "dice_certs"]

diff --git a/app/oxide-rot-1/app-dev.toml b/app/oxide-rot-1/app-dev.toml
@@ -77,7 +77,7 @@ task-slots = ["syscon_driver"]
 [tasks.sprot]
 name = "drv-lpc55-sprot-server"
 priority = 6
-max-sizes = {flash = 45792, ram = 32768}
+max-sizes = {flash = 46300, ram = 32768}
 uses = ["flexcomm8", "bootrom"]
 features = ["spi0"]
 start = true
@@ -158,7 +158,7 @@ binary_path = "../../target/gimlet-c/dist/default/final.bin"
 [tasks.attest]
 name = "task-attest"
 priority = 5
-max-sizes = {flash = 13600, ram = 16384}
+max-sizes = {flash = 14800, ram = 16384}
 stacksize = 9304
 start = true
 extern-regions = ["dice_alias", "dice_certs"]

diff --git a/app/oxide-rot-1/app.toml b/app/oxide-rot-1/app.toml
@@ -68,7 +68,7 @@ task-slots = ["syscon_driver"]
 [tasks.sprot]
 name = "drv-lpc55-sprot-server"
 priority = 6
-max-sizes = {flash = 45792, ram = 32768}
+max-sizes = {flash = 46300, ram = 32768}
 uses = ["flexcomm8", "bootrom"]
 features = ["spi0"]
 start = true
@@ -137,7 +137,7 @@ task-slots = ["swd"]
 [tasks.attest]
 name = "task-attest"
 priority = 5
-max-sizes = {flash = 13600, ram = 16384}
+max-sizes = {flash = 14800, ram = 16384}
 stacksize = 9304
 start = true
 extern-regions = ["dice_alias", "dice_certs"]

diff --git a/app/rot-carrier/app.toml b/app/rot-carrier/app.toml
@@ -108,7 +108,7 @@ task-slots = ["syscon_driver"]
 [tasks.sprot]
 name = "drv-lpc55-sprot-server"
 priority = 6
-max-sizes = {flash = 45792, ram = 32768}
+max-sizes = {flash = 46300, ram = 32768}
 uses = ["flexcomm8", "bootrom"]
 features = ["spi0"]
 start = true
@@ -204,8 +204,8 @@ binary_path = "../../target/gemini-bu/dist/final.bin"
 [tasks.attest]
 name = "task-attest"
 priority = 5
-max-sizes = {flash = 13600, ram = 16384}
-stacksize = 9304
+max-sizes = {flash = 14800, ram = 16384}
+stacksize = 9952
 start = true
 extern-regions = ["dice_alias", "dice_certs"]
 

diff --git a/doc/tr1.adoc b/doc/tr1.adoc
@@ -291,7 +291,8 @@ Here are some highlights.
 As with most operating systems, tasks can be in a number of states: stopped,
 runnable, blocked, etc. A common way to express this might be:
 
-....
+[source,rust]
+----
 struct Task {
     state: State,
     // other stuff omitted
@@ -302,14 +303,15 @@ enum State {
     Runnable,
     Blocked,
 }
-....
+----
 
 A fault event causes a task to no longer be schedulable, until the fault is
 resolved or the task is restarted. A fault cannot *replace* the task's state,
 because we want to remember it -- for debugging, at the least. And so we might
 be tempted to do this:
 
-....
+[source,rust]
+----
 struct Task {
     state: State,
     fault: Option<Fault>,
@@ -326,19 +328,20 @@ enum Fault {
     MemoryAccess(Address),
     OtherReasons,
 }
-....
+----
 
 But this makes it really easy to schedule a faulted task _by accident,_ in a way
 that's hard to spot with local reasoning. Specifically:
 
-....
+[source,rust]
+----
 for task in tasks {
     if task.state == State::Runnable {
         schedule(task);
         break;
     }
 }
-....
+----
 
 Looks correct! Is not correct. (The same issue could happen when replying to a
 blocked task, setting it runnable without noticing a fault.)
@@ -349,7 +352,9 @@ but are _not_: a fault makes the other state temporarily irrelevant.
 We can express this at the type level to make this class of mistake much less
 likely:
 
-....
+
+[source,rust]
+----
 struct Task {
     state: HealthState,
     // other stuff omitted
@@ -373,7 +378,7 @@ enum Fault {
     MemoryAccess(Address),
     OtherReasons,
 }
-....
+----
 
 That is, while the original `State` is preserved when a fault is taken, it's
 moved inside the `HealthState::Faulted` variant where it's structurally distinct
@@ -382,14 +387,15 @@ from `Healthy`.
 Our scheduler loop above no longer compiles, because `task.state` is not a
 `State`. Instead, we write the code like this:
 
-....
+[source,rust]
+----
 for task in tasks {
     if task.state == HealthState::Healthy(State::Runnable) {
         schedule(task);
         break;
     }
 }
-....
+----
 
 Any faulted state fails that equality test without further thought.
 
@@ -412,14 +418,15 @@ the next scheduling round without checking.
 
 Hubris currently addresses this with the `NextTask` enum, which looks like this:
 
-....
+[source,rust]
+----
 #[must_use]
 enum NextTask {
     Same,
     Specific(usize),
     Other,
 }
-....
+----
 
 An operation returns `NextTask` if it *may* affect scheduling. `Same` indicates
 that no context switch is required; `Specific(x)` indicates that a switch to a
@@ -440,7 +447,8 @@ When two `NextTask` values meet, they can be combined; this provides better
 composition of operations than a simple "switch needed" flag. Combining two
 `NextTask` values works as follows (expressed as a Rust `match`):
 
-....
+[source,rust]
+----
 match (self, other) {
     // If both agree, our job is easy.
     (x, y) if x == y => x,
@@ -454,7 +462,7 @@ match (self, other) {
     // All we have left is...
     (Same, Same) => Same,
 }
-....
+----
 
 (That's copied verbatim from the kernel source.)