-
Notifications
You must be signed in to change notification settings - Fork 651
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a nRF52-specific driver for the NVMC #1467
Conversation
The purpose of this driver is to provide low-level access to the embedded flash of nRF52 boards to allow applications to implement flash-aware (like wear-leveling) data-structures. The driver only permits applications to operate on their writeable flash regions. The API is blocking since the CPU is halted during write and erase operations.
@ia0 this structure for a board/chip-specific driver is exactly right! Because this requires a change to the kernel crate, and uses it in a way that is contrary to the typical hierarchies of layers (typically chip crates aren't really "aware" of applications), I'm going to think through whether this can be done differently. My initial intuition is not without a more substantial change, in which case I think this design is good, especially if we're willing to mark this new kernel function as experimental. Will respond again soon (and please feel free to ping if soon turns into not so soon) |
I see. I agree this is weird for chips to know about applications. I didn't realize it. Here are some possible alternatives:
I'll also continue thinking about it on my side and post any other solutions that would come to mind here. |
It seems like it would be good to have the |
AFAIU, having the
Regarding my previous comment about alternatives for this PR, I think there would be a 3rd alternative. If we want chips to define syscall drivers but not expose the application, then we need a new trait. That trait would implement trait ChipDriver {
fn subscribe(&self, minor: usize, callback: Option<Callback>, app: RestrictedAppId) -> ReturnCode;
fn command(&self, minor: usize, r2: usize, r3: usize, app: RestrictedAppId) -> ReturnCode;
fn allow(...);
}
impl<T: ChipDriver> Driver for T { ... }
impl RestrictedAppId {
fn in_writeable_flash_region(...) -> bool;
} So the 3 alternatives to have chip-specific drivers would be:
|
Hi @alevy, Do you have any updates on how to fix the fact that chip drivers should not be aware of applications? As I see it, a new trait is necessary to hide the |
I believe this is blocked on the outcome of the discussion on #1459 |
This PR is only blocked by a design question raised by @alevy : How to implement chip drivers that would like to ensure an allow slice is in the writeable flash regions of the application? See #1467 (comment) for the original concern. This PR is not blocked by #1459. It's actually the opposite, this PR will provide data to be able to take a decision on that issue. |
Hi @alevy, Did you have time to look into how chip-specific drivers can require a slice to be in writable flash region without breaking the typical hierarchies of layers? |
I think where this is at is:
|
Thanks @bradjc for the feedback!
Yes, #1459 is an effort to either extend the current flash HIL with low-level operations or add a new low-level flash HIL.
That sounds great! How do we proceed? As far as I understand we would need some HIL at some point, which seems to require that #1459 gets fixed. Or do you see an alternative way? (like maybe having a HIL for a family of flash controllers like in #1457) |
This check should be done by the syscall filter so that the driver does not need to look at the application information. Note however that we still need the appid to access the grant.
Hi @alevy, I updated the pull request to not check whether the syscall applies to the writable flash regions of the application, because this can now be done in the platform using The only usage of Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ia0 This seems great to me, with one remaining question:
I don't quite follow how this actually going to be used in conjuction with board-specific policies. In particular, it's important both that the AppSlice
passed into this driver's allow
is able to reside in flash (which is the kernel will refuse, by default) and that it's not in RAM (since attempts to use the flash controller to write to memory will probably fail?).
Since you've tested this, I trust you have a mechanism for this, I just don't totally follow it.
Change-Id: If480fb8767f932c56af972476cc697f2d42d7fdf
There's probably a misunderstanding on how the driver works:
Note that due to #1274 it is not possible to copy from flash to flash.
I would need to test again now that I merged with master, because we currently use an older version of Tock. |
I could test that this PR works for our use-case (OpenSK) on a nRF52840 dev-kit board. |
I think we want to keep |
Thanks for the update. I'll follow #2248 to see if it can fit our use-case. |
Pull Request Overview
The purpose of this driver is to provide low-level access to the embedded flash of nRF52 boards to allow applications to implement flash-aware (like wear-leveling) data-structures. The driver only permits applications to operate on their writeable flash regions. The API is blocking since the CPU is halted during write and erase operations.
Testing Strategy
In addition to
make ci-travis
, this pull request was tested on the nrf52840dk board by implementing in libtock-rs:blink.rs
but with a persistent counterAnd updating the linker script.
TODO or Help Wanted
Which driver number should be used?
The following boards could be tested:
Documentation Updated
Formatting
make formatall
.