add details on porting hubris to riscv

FerralCoder · rusty1968 · commit 89b6fa0e37a4 · 2025-10-30T15:08:04.000-07:00
diff --git a/docs/src/design/hubris-riscv.md b/docs/src/design/hubris-riscv.md
@@ -0,0 +1,130 @@
+# Porting Hubris OS to RISC-V
+
+## Executive Summary
+
+Porting Hubris OS to RISC-V would be **trivial** compared to porting most operating systems because Hubris was explicitly designed with architecture portability in mind. The documentation already includes RISC-V specifications, and the architecture-specific code is minimal and well-isolated.
+
+## 🏗️ Architecture-Agnostic Design Philosophy
+
+### Minimal Kernel Surface Area
+Hubris follows a **microkernel philosophy** where the kernel does as little as possible:
+
+- **Small syscall set**: Only 14 syscalls total.
+- **Preemptive scheduling**: Simple priority-based scheduler.
+- **Statically allocated**: All resources determined at compile time
+- **Task isolation**: Memory protection via region-based MPU/PMP, not page tables
+
+### Clean Architecture Abstraction
+
+All architecture-specific code is isolated in a single module:
+
+```rust
+// sys/kern/src/arch.rs - Current structure
+cfg_if::cfg_if! {
+    if #[cfg(target_arch = "arm")] {
+        pub mod arm_m;
+        pub use arm_m::*;
+    } else {
+        compile_error!("support for this architecture not implemented");
+    }
+}
+```
+
+Adding RISC-V support requires only:
+
+```rust
+// Proposed addition
+    } else if #[cfg(target_arch = "riscv32")] {
+        pub mod riscv;
+        pub use riscv::*;
+    } else {
+```
+
+## What Already Exists for RISC-V
+
+### Documentation References
+
+The Hubris documentation **already includes RISC-V specifications**:
+
+#### 1. **Syscall Interface** (syscalls.adoc:74-76)
+```
+=== RISC-V
+
+Syscalls are invoked using the `ECALL` instruction. The rest is TBD.
+```
+
+#### 2. **Timer System** (timers.adoc:6)
+```
+silicon vendors -- the `SysTick` on ARM, the `mtimer` on RISC-V. Hubris provides
+a multiplexer for this timer, so that each task appears to have its own.
+```
+
+#### 3. **Interrupt Handling** (interrupts.adoc:5-11)
+```
+Hubris port, but these ideas are intended to translate to RISC-V systems using
+controllers like the PLIC.
+```
+
+### Architecture Requirements Already Defined
+
+The documentation specifies what any architecture port needs:
+
+1. **32-bit registers**: ✅ RISC-V32 matches
+2. **Supervisor call instruction**: ✅ `ECALL` equivalent to ARM's `SVC`
+3. **Memory protection**: ✅ RISC-V PMP equivalent to ARM MPU
+4. **Standard timer**: ✅ `mtimer` equivalent to ARM `SysTick`
+5. **Interrupt controller**: ✅ PLIC equivalent to ARM NVIC
+
+## 🔧 Implementation Requirements (Minimal)
+
+### Architecture Module (~2000 lines total)
+
+Based on the existing ARM implementation (`sys/kern/src/arch/arm_m.rs` - 1901 lines):
+
+| Component | Estimated Lines | Complexity | ARM Equivalent |
+|-----------|----------------|------------|----------------|
+| **Context switching** | ~300 | Medium | Save/restore `x1-x31` vs `r0-r15` |
+| **Syscall entry** | ~200 | Low | `ECALL` handler vs `SVC` handler |
+| **Timer integration** | ~100 | Low | `mtimer` vs `SysTick` |
+| **Memory protection** | ~200 | Medium | PMP setup vs MPU setup |
+| **Interrupt routing** | ~200 | Low | PLIC vs NVIC |
+| **Task state management** | ~500 | Medium | TCB save/restore |
+| **Boot sequence** | ~100 | Low | Reset handler |
+| **Utilities/macros** | ~300 | Low | Architecture helpers |
+| **Total** | **~1900** | **Low-Medium** | **Direct translation** |
+
+### Register Mapping (Trivial)
+
+**Current ARM Syscall Convention:**
+- Arguments: `r4` through `r10` (7 args)
+- Syscall number: `r11`
+- Returns: `r4` through `r11` (8 returns)
+
+**Proposed RISC-V Convention:**
+- Arguments: `x10-x16` (`a0-a6`) (7 args)
+- Syscall number: `x17` (`a7`)
+- Returns: `x10-x17` (`a0-a7`) (8 returns)
+
+### Core Functions to Implement
+
+```rust
+// Required architecture interface (based on ARM module)
+pub fn apply_memory_protection(task: &Task) -> Result<(), FaultInfo>;
+pub fn start_task(task: &Task) -> !;
+pub fn save_task_state(task: &mut Task);
+pub fn restore_task_state(task: &Task);
+pub fn current_task_ptr() -> *const Task;
+pub fn set_current_task_ptr(task: *const Task);
+pub fn usermode_entry_point() -> u32;
+pub fn get_task_dump_area() -> &'static mut [u8];
+```
+
+### ✅ What Makes Hubris Easy to Port
+
+1. **🎯 Narrow target scope**: Only 32-bit microcontrollers
+2. **📦 Rust ecosystem**: RISC-V already well-supported
+3. **🔒 Memory safety**: Rust prevents most porting bugs
+4. **⚡ Simple execution model**: Privileged kernel, unprivileged tasks
+5. **🛡️ Minimal assembly**: Most code is portable Rust
+6. **📚 Clear documentation**: Architecture requirements already specified
+
diff --git a/docs/src/design/os-selection.md b/docs/src/design/os-selection.md
@@ -48,7 +48,7 @@ Complex embedded systems require robust debugging and monitoring capabilities th
 | **System Composition** | **Static**: All tasks defined at compile-time in app.toml configuration, cannot be created/destroyed at runtime. Build system validates all configurations with static assertions. Supports in-place task reinitialization for fault recovery - supervisor task can restart crashed tasks without system reboot. Design philosophy prioritizes eliminating functionality not essential for server management and platform security, resulting in a smaller, more focused codebase to audit and validate. | **Dynamic**: Tasks can be dynamically loaded and assigned. Offers flexibility for diverse application scenarios and runtime adaptation. | Static model with compile-time validation prevents entire classes of runtime failures. In-place restart capability enables component-level recovery, avoiding system-wide reboots for isolated faults. Dynamic models provide flexibility for applications requiring runtime component loading or updates. |
 | **Communication** | **Strictly Synchronous**: IPC blocks sender until reply received. Uses rendezvous mechanism inspired by L4 microkernel - kernel performs direct memory copy between tasks, extending Rust's ownership model across task boundaries through leasing. | **Asynchronous**: Callback-based notifications for applications. | Synchronous communication eliminates race conditions, enables precise fault isolation (REPLY_FAULT at error point), and simplifies kernel design by avoiding complex message queue management. |
 | **Fault Isolation** | **Disjoint Protection Domains**: Drivers and kernel in separate, MPU-enforced memory spaces. Failing driver cannot corrupt kernel. | **Shared Protection Domain**: Drivers run in same domain as kernel but are partitioned by Rust's type system and capsule architecture. Capsules are kernel modules that rely on Rust's memory safety (borrowing rules, lifetime management) and trait-based interfaces for isolation rather than hardware memory protection. | Hardware-enforced isolation provides robust defense against faults. Memory-safe languages alone don't prevent all failures in critical systems. |
-| **Embedded CPU Architecture Support** | **ARM Cortex-M:** Official native support included.<br> **RISC-V** Designed with RISC-V in mind, but currently only has unnofficial support from outside developers including OpenPRoT partners. | **ARM Cortex-M:** Official native support included.<br> **RISC-V** Official native support included.<br> **x86 (32bit):**  Official native support included. |  |
+| **Embedded CPU Architecture Support** | **ARM Cortex-M:** Official native support included.<br> **RISC-V** Designed with RISC-V in mind, but currently only has unnofficial support from outside developers including OpenPRoT partners. | **ARM Cortex-M:** Official native support included.<br> **RISC-V** Official native support included.<br> **x86 (32bit):**  Official native support included. | While native support is desireable, Hubris is relatively trivial to port to additional architectures for these reasons:<br><br> 1. **🎯 Narrow target scope**: Only 32-bit microcontrollers<br> 2. **📦 Rust ecosystem**: RISC-V already well-supported<br> 3. **🔒 Memory safety**: Rust prevents most porting bugs<br> 4. **⚡ Simple execution model**: Privileged kernel, unprivileged tasks<br> 5. **🛡️ Minimal assembly**: Most code is portable Rust<br> 6. **📚 Clear documentation**: Architecture requirements already specified<br><br> [More details](./hubris-riscv.md) |
 | **Licensing** | **Mozilla Public License Version 2.0**: Commercial use allowed, May be combined with proprietary code, Modified MPL files must be shared and remain MPL, Explicit patent grant included, Must retain copyright notices | **Apache License 2.0**: Commercial use allowed without restrictions, May be combined with proprietary code, Must state significant changes but not required to share, Explicit patent grant included, Must retain copyright notices | Both licenses allow for commercial use and mixing files with other licenses (including proprietary code). The primary difference is that any MPL licensed files must remain under the MPL license, and any changes to those files must be shared publicly. |
 
 ### Resource & Memory Management
