Talk given on March 20, 2020 at Oxidize 1K, a virtual conference that went from first idea to 300+ person conference in a week during the COVID-19 pandemic. Video: https://www.youtube.com/watch?v=zPuELAzJyno#t=10534s
Deducing Tock execution ﬂow
from Ibex Verilator traces
Oxide Computer Company
● New computer company seeking to modernize on-premises computers
● We are rethinking the embedded systems at the foundation of
computers: the hardware root-of-trust and service processor
● With its emphasis on safety, security, and size, Rust is an excellent ﬁt for
● Tock is a Rust-based operating system designed for embedded systems
● A logical descendent of TinyOS, retains the emphasis on small size while
allowing the system to be extensible, portable and reliable
● Tock allows for MPU-/PMP-protected applications
● Importantly, Tock aims for application portability
● As such, promising for collaboration across different embedded
projects -- and being used for the OpenTitan root-of-trust project
Verilator + Ibex
● Verilator is an open source, cycle-accurate simulation tool that takes
synthesizable Verilog, and translates it to C++ to execute
● Verilator can emit e.g. FST for use as input to GTKwave
● Verilator is being used to simulate Ibex, an open 32-bit RISC-V core
● Ibex is the softcore for Earl Grey, the ﬁrst OpenTitan SoC
● Ibex has a tracer module that has been modiﬁed to support Verilator
with human-readable instruction logging
Complete instruction tracing!
● Debugging embedded systems is extraordinarily excruciating...
● ...but having entire instruction traces is singularly valuable!
● Looking at instruction traces can enable bringup -- and obviously has
tremendous power around code coverage, memory coverage, etc.
● Challenge: as tedious as instruction traces are to use to understand
C-based systems, they are much, much harder for Rust-based systems!
● Can we process Ibex Verilator traces to make sense of Tock?
● Rust program that takes an Ibex Verilator trace and a pointer to the ELF
objects representing the boot ROM and Tock instance
● Symbolically resolves instructions; by determining function entry and
return, can show execution ﬂow through Tock
● Tockilator uses DWARF information to decode function parameters
and (importantly!) inlined function calls
● Tock architecture allows Tockilator to show app + kernel ﬂow
● Primordial, but promising for Tock and Tock-based applications!
Rust, Tockilator and beyond
● Rust is an excellent ﬁt for embedded systems: its ability to have
powerful abstractions with tiny binaries borders on the magical
● But to debug systems, we must cut through the magic, allowing the
system to be understood from the machine up
● Tockilator is one approach, but there is much more than can be done;
instruction traces are a very rich vein for system understanding!
● Tockilator is available at https://github.com/oxidecomputer/tockilator