ChibiOS/SB

A ChibiOS/RT extension exclusive to Cortex-M3, M4 and M7 cores (it relies on the Memory Protection Unit of those cores). ChibiOS/SB creates isolated partitions in the application code, called sandboxes:

A sandbox is a full C/C++ application with its own startup file, main() function and its own copy of the C runtime library. The API module provides the means of communication between the sandbox application and the privileged application (which acts as a standalone OS); in addition, a basic POSIX-like API is provided to the sandbox application for console I/O. The privileged application can define its own extensions to the sandbox API.

You may consider sandboxes as “processes” in a standalone classic OS.

Features

  • One or more sandboxes are supported.
  • A single thread runs the code in a sandbox in non-privileged mode.
  • The non-privileged threads have no access to HW resources other than their own sandbox code and data areas. Communication with the outside world goes through a syscall entry point reached with the SVC instruction. A basic API is included in the SB module.
  • It is the responsibility of the main application to provide “services” to the sandbox code via an “API” module.
  • Malfunctions in the sandbox code such as overflows, exceptions and illegal accesses do not affect the rest of the system: the offending thread is terminated gracefully and can be restarted later.

Sandboxes are ideally suited for safely running code downloaded from outside, or for isolating non-critical parts of the application.

Sandboxes Types

There are two kinds of sandboxes: static or dynamic.

Static Sandboxes

Static Sandboxes are statically allocated in MPU regions; their number is limited by the number of available regions. Regions are not swapped during context switching.

Figure: Static Sandboxes

The main advantages are:

  1. Faster context switching.

Disadvantages:

  1. No isolation among sandboxes: all regions are “open” at the same time, so code in one static sandbox can reach the code and data areas of the others.
  2. The number of sandboxes is limited by the number of available MPU regions.

Dynamic Sandboxes

Dynamic Sandboxes all use the same MPU regions, which are swapped during context switch; there is no limit to their number, but the context switch operation is slower because of the extra context data.

Figure: Dynamic Sandboxes

The main advantages are:

  1. No limits to the number of sandboxes.
  2. Sandboxes are isolated from each other; interference between them is not possible.

Disadvantages:

  1. More thread context data.
  2. Slower context switching.

Sandboxes memory organization

Sandboxes can have two possible memory setups.

  1. Flash+RAM: the sandbox is linked with the main application; it uses a portion of flash and a portion of RAM, see the figures above.
  2. RAM only: the sandbox is “loaded” by the main application from some media or via the network; code and data are in the same RAM region, so this kind of sandbox uses only one MPU region.
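The following C model is an added illustration, not ChibiOS/SB code, of two points made above: why static sandboxes cannot be isolated from each other while dynamic ones can (the static/dynamic comparison), and why a RAM-only sandbox costs one MPU region where a Flash+RAM sandbox costs two (the memory setups). It models an MPU as a fixed table of regions consulted on every unprivileged access. The region count, the split between kernel-owned and sandbox-owned regions, the addresses and every function name are assumptions made for the example; the real MPU additionally constrains region size and alignment, which the model ignores.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Illustrative MPU model with a fixed region count. The counts below are
   assumptions for this example, not ChibiOS configuration values. */
#define MPU_REGIONS      8
#define KERNEL_REGIONS   4            /* reserved by the privileged application */
#define SB_FIRST_REGION  KERNEL_REGIONS

#define PERM_RX 1u                    /* code area: read + execute */
#define PERM_RW 2u                    /* data area: read + write   */

typedef struct { uint32_t base, size, perm; bool enabled; } region_t;
typedef struct { region_t r[MPU_REGIONS]; } mpu_t;

/* Memory description of one sandbox. A Flash+RAM sandbox has a code area
   and a data area; a RAM-only sandbox keeps code and data in one RAM area. */
typedef struct {
    uint32_t code_base, code_size;
    uint32_t data_base, data_size;
    bool     ram_only;
} sandbox_t;

/* Flash+RAM needs two MPU regions, RAM-only needs one. */
static int sb_regions_needed(const sandbox_t *sb) { return sb->ram_only ? 1 : 2; }

static void set_region(region_t *r, uint32_t base, uint32_t size, uint32_t perm) {
    r->base = base; r->size = size; r->perm = perm; r->enabled = true;
}

/* Program one sandbox into regions starting at idx. Returns the next free
   region index, or -1 when the MPU has no room left for this sandbox. */
static int mpu_program_sandbox(mpu_t *m, int idx, const sandbox_t *sb) {
    if (idx + sb_regions_needed(sb) > MPU_REGIONS) return -1;
    if (sb->ram_only) {
        set_region(&m->r[idx], sb->code_base, sb->code_size, PERM_RX | PERM_RW);
        return idx + 1;
    }
    set_region(&m->r[idx],     sb->code_base, sb->code_size, PERM_RX);
    set_region(&m->r[idx + 1], sb->data_base, sb->data_size, PERM_RW);
    return idx + 2;
}

/* MPU decision for an unprivileged access: allowed only if an enabled
   sandbox region covers the address with the requested permission. Kernel
   regions are privileged-only, so they are skipped. A false result models
   the MemManage fault after which the sandbox thread is terminated. */
static bool mpu_allows(const mpu_t *m, uint32_t addr, uint32_t want) {
    for (int i = SB_FIRST_REGION; i < MPU_REGIONS; i++) {
        const region_t *r = &m->r[i];
        if (r->enabled && addr >= r->base && addr - r->base < r->size && (r->perm & want))
            return true;
    }
    return false;
}

/* Static sandboxes: each sandbox is programmed once into its own regions and
   nothing changes at context switch. Returns how many of the n sandboxes fit. */
static int static_setup(mpu_t *m, const sandbox_t *sbs, int n) {
    int idx = SB_FIRST_REGION, fitted = 0;
    memset(m, 0, sizeof *m);
    for (int i = 0; i < n; i++) {
        int next = mpu_program_sandbox(m, idx, &sbs[i]);
        if (next < 0) break;
        idx = next; fitted++;
    }
    return fitted;
}

/* Dynamic sandboxes: the shared sandbox regions are reprogrammed with the
   incoming sandbox at every switch, so only its own areas are visible. */
static void dynamic_switch(mpu_t *m, const sandbox_t *sb) {
    for (int i = SB_FIRST_REGION; i < MPU_REGIONS; i++) m->r[i].enabled = false;
    mpu_program_sandbox(m, SB_FIRST_REGION, sb);
}

/* Constructed layouts (addresses made up for the example): two Flash+RAM
   sandboxes A and B, and one RAM-only sandbox C. */
static const sandbox_t sb_a = {0x08010000u, 0x8000u, 0x20004000u, 0x2000u, false};
static const sandbox_t sb_b = {0x08018000u, 0x8000u, 0x20006000u, 0x2000u, false};
static const sandbox_t sb_c = {0x20008000u, 0x4000u, 0x20008000u, 0x4000u, true};

/* Static: while A runs, a write to B's data area is still allowed. */
static bool static_cross_access(void) {
    mpu_t m; const sandbox_t both[2] = {sb_a, sb_b};
    static_setup(&m, both, 2);
    return mpu_allows(&m, sb_b.data_base + 0x10u, PERM_RW);
}

/* Dynamic: after switching to A, B's data area is not mapped at all. */
static bool dynamic_cross_access(void) {
    mpu_t m; memset(&m, 0, sizeof m);
    dynamic_switch(&m, &sb_a);
    return mpu_allows(&m, sb_b.data_base + 0x10u, PERM_RW);
}

/* Dynamic: A may execute its code and write its data, but not write its code. */
static bool dynamic_self_access(void) {
    mpu_t m; memset(&m, 0, sizeof m);
    dynamic_switch(&m, &sb_a);
    return mpu_allows(&m, sb_a.code_base, PERM_RX) &&
           mpu_allows(&m, sb_a.data_base, PERM_RW) &&
           !mpu_allows(&m, sb_a.code_base, PERM_RW);
}

/* Static: with four sandbox regions, A and B fill them and C no longer fits. */
static int static_capacity(void) {
    mpu_t m; const sandbox_t three[3] = {sb_a, sb_b, sb_c};
    return static_setup(&m, three, 3);
}
```

The model makes the trade-off visible: the static scheme never touches the MPU on a switch, but every sandbox region is live all the time, so a bug or malicious code in one sandbox can read and write the others; the dynamic scheme pays for reprogramming the regions on every switch and, in exchange, exposes exactly one sandbox's areas at a time.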