Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add TRD: Tock Code Tiers #4694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
bradjc wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

Add TRD: Tock Code Tiers #4694

bradjc wants to merge 4 commits into from

Conversation

@bradjc
Copy link
Contributor

@bradjc bradjc commented Dec 18, 2025

Pull Request Overview

Tock has something like 150 crates and 2200 source files, and the expectations for those files, in terms of importance to the OS, scrutiny in development, expectations for code review, and consensus needed to make changes, differ widely. Those expectations are largely implicit, with the understanding being based on convention, conversations in PRs, rough implications based on crate name/location, developer preference, rate of patches, importance to the threat model, and the impact of any bugs. This is hard for everyone to understand from the core team to new contributors. Having this be implicit leads to issues and can lead to issues, including:

  • PRs taking much longer to review than contributors expect, because of a change to a "sensitive" file.
  • Reasonable looking changes being rejected because they potentially reintroduce problems to bug-prone subsystems.
  • PR reviewers having difficulty reviewing large changes, and not properly scrutinizing changes to "sensitive" files that are lost in changes to many files.
  • Board developers not understanding which code is well tested/trusted, and which code is experimental.
  • Changes to experimental subsystems taking too long because it isn't clear to reviewers the subsystem is experimental.
  • Contributors not realizing a change is unlikely to be accepted, and then building other code on the assumption that original change will be accepted.

This TRD proposes "code tiers" which is a mechanism to explicitly annotate Tock source code with a tier indicating how scrutinized and trusted the code is. This should make the implicit understanding we have today more explicit. Eventually, developers and reviewers should be able to use these tiers to better understand how changes will affect the Tock code base.

rendered

Testing Strategy

n/a

TODO or Help Wanted

The first opening of this PR is intended to socialize the idea and gather feedback. As of the original opening, we don't have a prototype of exactly what these annotations would look like.

Documentation Updated

  • Updated the relevant files in /docs, or no updates are required.

Formatting

  • Ran make prepush.

lschuermann
lschuermann reviewed Dec 18, 2025
View reviewed changes
doc/reference/trd-tiers.md

| Tier # | Tier | Description |
|--------|--------------|-----------------------------------------------------------------|
| 5 | Verified | Formally verified code with necessary proof |
Copy link
Member

@lschuermann lschuermann Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think "verified" is a reasonable hierarchical "security tier", esp. in comparison with the other tiers on this list.

Formal verification is one particular family of tools we can use to get assurance that our code is doing what it's supposed to, among many other types of tools. Just because something is verified doesn't mean that it's automatically important to the Tock security model. Conversely, just because something is not formally verified does not mean it is not an important component. Some things are just not (yet) tractable to be fully verified. And even then, the particular specification and guarantees matter.

I'd be much more comfortable with removing Verified from this list of tiers, and add progressively more encouragement for verification as a tool to gain high assurance to the other, higher tiers.

Copy link
Contributor Author

@bradjc bradjc Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a practical sense, if a portion of Tock code is formally verified, even if that Tock code is on the periphery, would a change be expected to also be formally verified? I can imagine that going from formally verified to not formally verified would be a significant change with significant discussion. In that case, annotating that code as such is important.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lschuermann lschuermann lschuermann left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bradjc @lschuermann @alevy