Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

The seL4 Core

Description

Summary

The seL4 Core is the essential set of seL4 components that are needed to build any seL4-based system. These include systems built on the seL4 Core Platform, but also other classes of systems, such as dynamic systems and minimal systems based on directly supporting run-times for languages like Rust or Erlang.

Motivation

There are several complications and restrictions of the current state of the seL4 software ecosystem that complicate using seL4 to develop systems.

In particular:

  • the requirement to use the CMake-based build system

  • the requirement to use the muslc C library

  • the assumption that one of the provided higher-level frameworks (e.g. CAmkES, the dynamic prototyping libraries, etc.) will be used. These impose some policy on the resulting systems. Trying to untangle the core of seL4 from this is complicated.

  • the number of (kernel) configuration options (and understanding which combinations are supported and how well they are supported)

  • the varying quality of support for different hardware platforms, i.e. not all supported hardware platforms are equally well supported (e.g. not all kernel configs supported, not all tests pass, kernel is not verified, etc.)

The goal is to identify a core set of components that the developer of any seL4-based system will use.

Such a core should not impose policy that restricts the design space enabled by se4. This policy freedom applies to both run-time and build-time.

Furthermore, this core must be of high quality.

High quality means:

1. It must be clearly documented which boards and configurations are supported.
2. It must be clearly documented which configurations use a verified kernel
3. If there is a verified kernel for a platform, the Core must use it.
4. All the supported boards must support all configurations.
5. The release must include a way to test the functionality and performance of the components.
6. All the individual tests and benchmarks must be clearly documented as to their purpose.
7. All the tests must pass.
8. All the benchmarks must run and provide reasonable results; any marketing material as to kernel performance must be based these benchmarks for a release version only.
9. The release must include evidence of tests and benchmarks (so a human readable report with clear traceability must be included as part of the release).
10. The release must include a cryptographic hash of the contents that is clearly published on the website.
11. The build must be reproducible; a user must be able to take the source release and generate a bit-for-bit accurate copy of the release.
12. Any configuration options must be documented, including explaining why/when a user would want to set it (ideally fewer options the better).
13. All APIs must be accurately documented.
14. Source code of the core must be high-quality and an exemplar for users.
15. Any JIRA tickets associated with the configurations / boards have been resolved. Or, if not, are very clearly spelled out in the release notes.

Guide-level explanation

The seL4 Core consists of:

  • an SDK

  • tests (sel4test)

  • benchmarks (sel4bench)

  • documentation

The SDK consists of

  • kernel binary

  • sel4corelib: a minimal C library with no dependencies

  • simple starter root task code

  • minimal linker file

  • image building script

  • SHA hashes of source used to build the kernel

The SDK does not contain:

  • a Makefile (or other build system files)

  • kernel source

  • build tools (including compiler, etc.)

There should be a simple directory layout per board/configuration. A user, in their build system, would point to and use the appropriate SDK directory.

More details can be found in:

https://github.com/BreakawayConsulting/platform-sel4-docs/blob/master/sel4-core.md

Reference-level explanation

The SDK could be delivered as a single tar file.

This means that:

  • users never have to deal with repo (unless they want to)

  • users don't have to deal with cmake (unless they want to)

  • users can start and build up easily.

As an example, a developer wishing to start development with the SDK would:

  • Download the binary SDK

  • Open a text editor with "rootserver.c"

  • Type in the classical hello world.

  • Compile with gcc -I$SDK/include -L$SDK/lib -lsel4 rootserver.c -o rootserver

  • Create an image $SDK/bin/build_image_script rootserver -o bootable_image

  • Run the image on their board

Ultimately the code to generate seL4 Core should just all go in a single repository, removing the need for a tool like `repo` to manage multiple repositories (not that systems built on to of the Core (e.g. CAmkES) may still span multiple repositories and use repo (or other approach to managing multiple repositories).

Drawbacks

The core platform would limit the set of supported platforms. A limited set of platforms will never please everyone - there will be potential users who are not well served by the seL4 Core and would/could be alienated by this.

There is the risk that developers start with the seL4 Core and do not move beyond it.
Re-inventing higher-level platforms and frameworks, rather than using existing ones.

Rationale and alternatives

This seL4 Core aims to solve two problems with the seL4 software ecosystem:

  • to much policy/framework required when using seL4

  • low quality support for some most hardware platforms

Alternatives are

  • to provide only the kernel source

  • require developers to use higher level platforms and frameworks (like CAmkES)

Prior art

  • the existing seL4 codebase

  • various projects (e.g. Genode) using only the seL4 kernel and no the other related code

Unresolved questions

  • which hardware platforms should be targetted?

  • how many hardware platforms should be supported?

Disposition

None

Activity

Show:

Curtis Millar January 27, 2021 at 9:22 PM

It is also impractical to make the Core platform independent (although the interface it provides may be). The kernel intrinsically depends on the platform for implementation of an IRQ controller, a timer, any perform-specific device MMU, and (for debug builds) a serial service.

Additionally, the configurations for which Core is provided becomes those which are fully supported and tested by maintainers with configurations outside those being provided more limited support.

As for providing source rather than providing a binary distribution, the source will likely still be available and you would still be able to build the equivalent output of the binary distribution. Most of the configuration options in the build system are configured by choice of the platform and there is little need to configure then otherwise. Of those that remain, it would be preferable to make an many of those dynamically configurable at boot time (as almost all relate to the manner in which the kernel boots).

Curtis Millar January 27, 2021 at 9:07 PM

sel4runtime no longer depends on the presence of any C library, it’s only dependency is libsel4. I believe the intent is to pair it with a platform-independent C library that provides a subset of the standard C library interface.

Indan Zupancic January 27, 2021 at 4:11 PM
Edited

Overal I am in favour of this proposal, it would make it much easier to start using seL4.

I agree with Curtis, I don’t think sel4test or sel4bench should be part of the core platform, as that will pull in too much unrelated libraries and muddy the waters. Writing new test and benchmark code on top of this core platform and no other libraries is another matter though.

I have the feeling that there a couple conflicting requirements in this proposal:

  1. One the one hand the core should be useful to build any seL4-based system, on the other hand only specific hardware and kernel configurations are supported. I think one goal should be to make everything as platform independent as possible, so things should be more driver based and less board based. But this is more an seL4 kernel issue.

  2. Reproducible builds, but no information is provided how exactly it was build. Currently I’m missing build information, like CFLAGS and how exactly things are build. For this providing example Makefile and CMake files seems fine, not sure how else you would give this information in a useful way.

There are a lot of seL4 kernel configuration options which depend on how seL4 will be used. For the foreseeable future I expect all users to have different configurations, until such options are configurable via DTS and the same seL4 binary can be used for all of them. Some policy decisions are currently seL4 kernel configuration options.

All in all I would focus on providing the core as a git repository and not as a binary SDK (though those can also be provided of course).

Commenting on sel4-core.md:

sel4runtime assumes muslc C library, so why include it? Or did you mean one that uses another (own?) minimal libc? I do not mind using muslc, but I do mind using a heavily modified version which doesn’t support non-Linux natively. For this reason we will use a standard ARM toolchain and treat seL4 as a bare-metal platform (but our background is embedded).

Curtis Millar January 13, 2021 at 1:09 AM

I don’t think it makes sense to incorporate sel4test or sel4bench into the core platform as they both essentially carry a minimal operating system with them (and one that may not currently be the best reference for building on seL4). They should both be changed to be built on the core platform though, they should benchmark and test the platform rather than some variant that is not a platform release.

Gerwin Klein January 4, 2021 at 3:32 AM

I agree, have added it to the agenda of the next TSC meeting.

Gernot Heiser January 3, 2021 at 12:57 AM

This RFC seems pretty uncontroversial, I recommend that the TSC approves it. I also note that the RFC process, as defined, doesn’t really match this case, as it is specifically designed for

  • Removing support for a platform

  • Changing the versioning system used for libraries

  • Adding a new major API feature to the kernel

It doesn’t envisage this case of adding an important component to the seL4 userland. Hence the process in this case isn’t defined but should be, something the TSC should do at its next meeting.

Specifically I recommend a two-step process for such cases:

  1. in-principle approval of the spec, and asking for an implementation, incl typical use cases

  2. full approval of spec and implementation

The reason this should be a two-step process is that the principles should be agreed before embarking on an implementation, but the implementation may uncover unforeseen complications.

Matt Rice November 19, 2020 at 9:28 AM

Such a core should not impose policy that restricts the design space enabled by se4.

se4 sel4

(not that systems built on to of

unbalanced paren, not note, on to on top

Details

Assignee

Reporter

Created November 18, 2020 at 9:03 PM
Updated May 13, 2023 at 7:43 AM