Helping you integrate CHERIoT in embedded systems!

lowRISC® is pleased to announce the first stable, long-term release of Sonata™: v1.0! In this blog post we explain its features and what you can achieve with this platform. Sonata is part of the Sunburst project, which is funded by DSbD and UKRI (Grant Number: 107540). Sonata is a platform that puts CHERIoT hardware in the hands of embedded systems engineers.

The Sonata Board

Why CHERIoT?

The CHERIoT technology was initially created by Microsoft using lowRISC’s RISC-V Ibex® core and based on the CHERI research at the University of Cambridge and SRI International. CHERI mitigates memory safety vulnerabilities such as buffer overflows and use-after-free. On top of this, CHERIoT capabilities allow for scalable and efficient compartmentalisation, which is essential if you want to run untrusted software on your embedded systems. Next, we look at CHERIoT’s implementation of CHERI in more detail.

CHERIoT technical details

CHERIoT builds on the basic properties provided by CHERI’s capabilities. The CHERIoT capability format contains permissions (perms), indicating whether you can read from, write to or execute the memory it refers to; the object type (ot), used to indicate which compartment a capability belongs to; the bounds, which have a base and a top that limit the amount of memory accessible through the capability; and finally the address itself.
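To make the role of each field concrete, here is a small software model of how bounds and permissions gate every access and can only ever be narrowed. It is an example added to this post, not lowRISC or CHERIoT code; the struct layout, the permission names, the `demo_root` helper and all addresses are assumptions chosen for illustration, not the real bit-level encoding.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the fields listed above. NOT the CHERIoT bit-level
 * encoding: names, widths and addresses are assumptions for illustration. */
enum { PERM_LOAD = 1u << 0, PERM_STORE = 1u << 1, PERM_EXECUTE = 1u << 2 };
typedef struct {
    bool     tag;     /* validity: cleared by any illegal derivation */
    uint32_t perms;   /* PERM_* bits */
    uint32_t otype;   /* 0 = unsealed, non-zero = sealed with that type */
    uint32_t base;    /* lowest accessible address */
    uint32_t top;     /* one past the highest accessible address */
    uint32_t address; /* where the capability currently points */
} cap_t;

/* Constructed root capability covering a made-up 64 KiB RAM region. */
cap_t demo_root(void) {
    return (cap_t){ true, PERM_LOAD | PERM_STORE, 0, 0x20000000u, 0x20010000u, 0x20000000u };
}

/* Narrow the bounds. Asking for more than the parent grants clears the tag. */
cap_t cap_set_bounds(cap_t c, uint32_t base, uint32_t len) {
    uint64_t top = (uint64_t)base + len;
    if (c.otype != 0 || base < c.base || top > c.top) c.tag = false;
    c.base = base; c.top = (uint32_t)top; c.address = base;
    return c;
}

/* Drop permissions. AND-ing means bits can be removed but never added. */
cap_t cap_and_perms(cap_t c, uint32_t mask) {
    if (c.otype != 0) c.tag = false; /* sealed capabilities cannot be modified */
    c.perms &= mask;
    return c;
}

/* The check applied to each access: valid, unsealed, permitted, in bounds. */
bool cap_access_ok(cap_t c, uint32_t addr, uint32_t size, uint32_t need) {
    return c.tag && c.otype == 0 && (c.perms & need) == need &&
           addr >= c.base && (uint64_t)addr + size <= c.top;
}

int main(void) {
    cap_t buf = cap_set_bounds(demo_root(), 0x20000100u, 16); /* 16-byte object */
    printf("in-bounds store:     %d\n", cap_access_ok(buf, 0x20000100u, 16, PERM_STORE));
    printf("one past the end:    %d\n", cap_access_ok(buf, 0x20000110u, 1, PERM_STORE));
    printf("store via load-only: %d\n", cap_access_ok(cap_and_perms(buf, PERM_LOAD), 0x20000100u, 1, PERM_STORE));
    printf("tag after widening:  %d\n", cap_set_bounds(buf, 0x20000100u, 32).tag);
    return 0;
}
```

In the model a classic off-by-one write past a 16-byte buffer fails the bounds check, and an attempt to regrow the bounds yields a capability whose tag is cleared, so it can no longer be used for any access.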

These capabilities form the primitives on top of which CHERIoT RTOS builds compartments. Compartments are a way to isolate parts of a system. For example, you can isolate the network stack from the kernel, but you can also compartmentalise the kernel itself to increase resilience. Each compartment in CHERIoT RTOS has the following:

  • Program counter capability (PCC) that encompasses the compartment’s code and read-only globals.
  • Capability global pointer (CGP) used to access the compartment’s mutable globals.
  • Import table:
    • MMIO regions
    • Sentries for library functions
    • Sealed capabilities to functions exported by other compartments
  • Export table: the exported functions that other compartments can call.

Compartments are run in threads which have the following properties:

  • The function entry-point to start executing from. This entry point must be present in an export table of one of the compartments.
  • Their priority.
  • The size of their stack and trusted stack.

Sonata overview

Sonata is an open source project that includes a PCB, the RTL for an SoC design and software collateral which runs on top of these. Here you can see a diagram of what is included on the PCB and how it interacts with the RTL that runs on the FPGA:

The purple blocks are part of the RTL design, which includes the CHERIoT Ibex core developed by Microsoft and a TL-UL crossbar that can carry capability bits. We’ve also added a pin multiplexer (pinmux) in v1.0 so that the software can control which pins the SPI, I2C, GPIO and UART blocks are connected to. The red blocks are part of the PCB, the green blocks are ways you can extend the PCB with custom hardware, and the grey area is the FPGA.

Release features

Sonata has a strong focus on usability. For example:

  • Drag and drop programming for both bitstream and software. Users can drag UF2 files into the Sonata drive that appears on the PC connected to a Sonata board. This drive is emulated by the RP2040 on the PCB.
  • The bootloader populates the SRAM from flash.
  • Support for software slots in the bootloader.
  • Live switching of bitstreams by the RP2040 using a switch on the PCB.
  • Documentation for hardware, toolchain and software.

We’ve also done significant work on the testing framework for this release:

  • The Verilator simulation, which includes DPI models for I2C, SPI, UART and USB.
  • Continuous Integration (CI) including automated testing on FPGA and simulation.
  • CI also includes linting and other checks.

Software compatibility and ease of use are highly important. To enable this, Sonata has the following properties:

  • CHERIoT RTOS compatible by integrating Microsoft’s CHERIoT Ibex.
  • Nix development environment for reproducible builds.

Hardware IP blocks that are included in the Sonata RTL:

  • GPIO for LED output and user input including output enable bits.
  • 3 UARTs.
  • 2 I2C hosts.
  • 5 SPI hosts: one for LCD, one for Ethernet, one for Flash / MicroSD Card and two for external headers such as Raspberry Pi HAT, Arduino Shield, mikroBUS Click, RS-232, RS-485 and Pmods.
  • USB device for using the user USB.
  • Timer for generating interrupts.
  • Control for the RGB LEDs.
  • Support for XADC, which is the FPGA’s analogue to digital converter.
  • Pin multiplexer and padring.
  • System information IP for git build hash.

CHERI has an impact on memory architecture, so we have focussed considerable effort on making things as efficient and usable as possible:

  • SRAM for both data and instructions.
  • A TL-UL bus extended with capability tags in the user field with single-cycle SRAM access.
  • Hardware revoker for all tagged memory.
  • Execution from HyperRAM including instruction cache support.

On top of that we have implemented other general features:

  • SPI chip selects can be compartmentalised as they are controlled by each SPI host separately.
  • Timing and pin constraints to help Vivado with routing.
  • Interrupt mapping, where each block has one line going through the PLIC.
  • 40 MHz system clock frequency.

Please note that software written for v0.2 and v0.4 is not compatible with v1.0 due to some decisions we made for the long-term usability of the system. Examples of these are changes to the memory map, such as those necessary to multiplex blocks like I2C, SPI and UART to multiple output pins and moving the chip selects from a single GPIO block to the individual SPI blocks. However, since v1.0 is a stable release we do not plan any changes that will affect software compatibility from this point.

CHERIoT RTOS

We currently have our own fork of CHERIoT RTOS because the upstream repository (including the development environment) does not yet have support for our v1.0 release. We are in the process of upstreaming updated drivers. Non-contiguous memory is also an open issue that is being resolved so that software can make use of the HyperRAM.

Sonata software

We have a getting started guide using Nix with example applications and a downstream RTOS version that is compatible with v1.0. In the Sonata software repository, we have two exercises for you to get started with, explaining how you can implement access control on hardware blocks using CHERIoT compartmentalisation and how to use the auditing tool to prove properties on your compartmentalisation scheme.

HiPEAC 2025

We’ve run a number of tutorials using Sonata. In May 2024, we had a dedicated CHERIoT Hackathon at the University of Cambridge Department of Computer Science and Technology, and in September 2024 we had a Sonata workshop at the CHES conference. If you’re interested in attending a Sonata workshop, we will be holding a workshop at HiPEAC in January 2025. We would love to meet you there!

Get Sonata

Sonata boards are available on Mouser, and you can even build your own because the PCB is open source!

If you have any questions feel free to contact us at info@lowrisc.org, and join our workshop at HiPEAC.