|
| 1 | +# uVisor Onboarding Guide |
| 2 | + |
| 3 | +Welcome to the uVisor team, where the fun never ends! You've discovered our |
| 4 | +wonderful onboarding guide, designed to get you on board and making meaningful |
| 5 | +contributions as quickly as is reasonable. |
| 6 | + |
| 7 | +The uVisor Onboarding Guide is broken into multiple segments, of which there is |
| 8 | +only one segment currently. |
| 9 | + |
| 10 | + * [uVisor Design Rules](#uvisor-design-rules) |
| 11 | + |
| 12 | +## uVisor Design Rules |
| 13 | + |
| 14 | +These rules were learned the hard way: through detailed technical oversight |
| 15 | +working on uVisor. Often, a design would arise from any of our team members |
| 16 | +that'd solve a problem in a nice way, except that it'd break some unwritten |
| 17 | +rule the rest of the team kept stored in their heads. The design would be |
| 18 | +rejected, and the team member dejected. Sometimes, the team member would have |
| 19 | +to do as many as five design iterations until design approval. If only the team |
| 20 | +member had known the unwritten rules when they set out on their initial design! |
| 21 | +After all these design iterations, the resulting design truly was better, but |
| 22 | +much time could have been saved had the design rules been written down. |
| 23 | + |
| 24 | +The written uVisor Design Rules are designed to help you, the potential |
| 25 | +contributor, come up with workable designs quicker, by writing down those |
| 26 | +previously unwritten design rules. This should also help save the rest of the |
| 27 | +team's time as well, as less "architecture review" technical oversight meetings |
| 28 | +should be required. This also makes design work possible from contributors |
| 29 | +outside the core uVisor team employed by ARM. |
| 30 | + |
| 31 | +Any new feature, design, or redesign will have to follow these rules. The |
| 32 | +business priorities of the day will also impose additional constraints on |
| 33 | +designs, but we make no attempt to document those volatile constraints here. |
| 34 | +The rules we focus on here will remain relatively static over the course of |
| 35 | +uVisor development. |
| 36 | + |
| 37 | +These are clumped together in rough categories, in no particular order. |
| 38 | + |
| 39 | +### Portability |
| 40 | + |
| 41 | +Keep uVisor independent from other software components as much as possible. |
| 42 | +This maximizes uVisor's resiliency and usefulness. During the transition |
| 43 | +between mbed OS 3 and mbed OS 5, uVisor core didn't have to change much at all; |
| 44 | +most changes came from integrating uVisor with an RTOS on ARMv7-M. |
| 45 | + |
| 46 | + - uVisor core should not contain OS-specific code. |
| 47 | + - uVisor APIs should not match one-to-one with an OS API |
| 48 | + - It will end up being a lot of work to port the uVisor API to a different |
| 49 | + OS where the API doesn't match as well. We don't want to write code to |
| 50 | + abstract differences between operating systems. |
| 51 | + - uVisor core should only contain CPU-core- or MPU-specific code. |
| 52 | + - uVisor lib can contain OS-specific code. |
| 53 | + - Two different operating systems may use two different uVisor lib binaries. |
| 54 | + |
| 55 | + |
| 56 | +### Usability |
| 57 | + |
| 58 | +Make uVisor APIs easy to use. |
| 59 | + |
| 60 | + - Where possible, perform operations on behalf of the user that the user might |
| 61 | + forget to do. Perform higher-level operations all together as a whole, even |
| 62 | + if that makes the API less orthogonal. For instance, don't make a user obtain |
| 63 | + a handle in one function call and then open a handle in another function |
| 64 | + call, obtain and open the handle for the user all in one go. |
| 65 | + - Make APIs explicit and flat. Don't require the user to have knowledge of |
| 66 | + layers of APIs, or require them to do things in certain orders. For example, |
| 67 | + make the user provide a list of functions as RPC targets when they want to |
| 68 | + wait for incoming RPC, as opposed to making the user provide the list up |
| 69 | + front in exchange for a cookie they use later on when waiting. This makes |
| 70 | + the information relevant to the API call available as close to the point of |
| 71 | + use as possible. |
| 72 | + |
| 73 | + |
| 74 | +### Security |
| 75 | + |
| 76 | + - Don't trust user provided values. Check and sanitize everything. |
| 77 | + - Use the uVisor threat model to decide what inputs you can trust. For |
| 78 | + example, values provided from flash can be trusted (perhaps until we have |
| 79 | + modular firmware update). Values provided from box-private SRAM can be |
| 80 | + trusted as having come from the box that owns that SRAM, but still must be |
| 81 | + sanitized and validated should those values be used by another box or uVisor |
| 82 | + itself (even indirectly). |
| 83 | + |
| 84 | + |
| 85 | +### Performance |
| 86 | + |
| 87 | + - Minimize the number of transitions between user mode and uVisor. On ARMv7-M, |
| 88 | + we use SVCs to transition to uVisor. SVCs come with a relatively high cost. |
| 89 | + On ARMv8-M, we use SG to transition to uVisor (or uVisor Secure Device |
| 90 | + Services [SDS]). SG also has to stack a lot of state. |
| 91 | + |
| 92 | + |
| 93 | +### Updating the Design Rules |
| 94 | + |
| 95 | +If you find your solutions getting rejected due to some "unwritten rule" you |
| 96 | +wished you would have known about before designing and implementing your |
| 97 | +solution, please document that rule here. Be sure the rational of the new rule |
| 98 | +is well understood and communicated by your addition. |
| 99 | + |
| 100 | +Also, these rules aren't set in stone; these aren't permanent, never to be |
| 101 | +changed rules. There has been an attempt to clearly document the rationale |
| 102 | +behind each rule so that we have the institutional memory sufficient to change |
| 103 | +the rules where and when necessary. |
0 commit comments