An extension to ChibiOS/RT exclusive to Cortex-M4 and M7 cores. ChibiOS/SR is able to create isolated partitions in the application code called sandboxes:

  • One or more sandboxes are supported.
  • A single thread runs the code inside a sandbox in non-privileged mode.
  • The non-privileged threads have no access to HW resources except for their sandbox code and data areas. Communication with the outside world is performed through a syscall entry point using the SVC instruction.
  • It is the responsibility of the main application to provide “services” to the sandbox code.
  • Malfunctions in the sandbox code, such as overflows, exceptions and illegal accesses, do not affect the rest of the system: the thread terminates gracefully and can eventually be restarted.

Sandboxes are ideally suited for safely running code downloaded from outside, or for isolating non-critical parts of the application.
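The service side of the syscall entry point described above, as an added example written for this page and not code from ChibiOS/SR: a host-testable model of the dispatcher the main application has to provide, in which every pointer the non-privileged code passes to a service is checked against the sandbox's data area before the privileged side touches it. The SVC exception entry itself is not shown, and all names (sb_region_t, sb_dispatch, SB_SYS_WRITE, sb_data) are hypothetical.

```c
/* Host-testable model of a sandbox service dispatcher (hypothetical
 * names, not the ChibiOS/SR API). The SVC handler would extract the
 * service number and arguments from the sandbox thread's stacked
 * registers and call sb_dispatch(). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    uintptr_t base;   /* start of the sandbox data area */
    size_t    size;   /* length of the data area in bytes */
} sb_region_t;

enum { SB_SYS_WRITE = 1, SB_SYS_EXIT = 2 };
enum { SB_OK = 0, SB_EFAULT = -1, SB_ENOSYS = -2 };

/* Constructed sample: a 128-byte data area standing in for the MPU
 * region the sandbox thread is allowed to read and write. */
static unsigned char sb_data[128];
sb_region_t sb_region = { (uintptr_t)sb_data, sizeof sb_data };

/* True only if [p, p + len) lies entirely inside the region. The
 * subtraction form avoids overflow for a len chosen by untrusted code. */
static bool sb_in_region(const sb_region_t *r, uintptr_t p, size_t len) {
    if (p < r->base || len > r->size) return false;
    return p - r->base <= r->size - len;
}

/* A service supplied by the main application: copy a sandbox buffer
 * to a privileged-side console buffer, but only after the bounds check. */
static char sb_console[64];
static size_t sb_console_len;

static int sb_svc_write(const sb_region_t *r, uintptr_t buf, size_t len) {
    if (!sb_in_region(r, buf, len)) return SB_EFAULT;   /* reject, do not fault */
    if (len > sizeof sb_console) len = sizeof sb_console;
    memcpy(sb_console, (const void *)buf, len);
    sb_console_len = len;
    return (int)len;
}

/* Dispatch by service number; unknown numbers are an error, not a crash. */
int sb_dispatch(const sb_region_t *r, int nr, uintptr_t a0, uintptr_t a1) {
    switch (nr) {
    case SB_SYS_WRITE: return sb_svc_write(r, a0, (size_t)a1);
    case SB_SYS_EXIT:  return SB_OK;     /* the sandbox thread would be terminated here */
    default:           return SB_ENOSYS;
    }
}
```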

Sandbox Types

There are two kinds of sandboxes:

  • Static Sandboxes live in statically allocated MPU regions, so their number is limited by the number of available regions. Regions are not swapped during context switching.
  • Dynamic Sandboxes all share the same MPU regions, which are swapped during context switching. There is no limit on their number, but the context switch is slower because of the extra context data.