Skip to content

smartmeter demo (CHERIoT device bits) #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 67 commits into
base: main
Choose a base branch
from
Open

smartmeter demo (CHERIoT device bits) #20

wants to merge 67 commits into from

Conversation

nwf
Copy link
Member

@nwf nwf commented Feb 12, 2025

No description provided.

@rmn30 rmn30 force-pushed the 202502-smartmeter branch 2 times, most recently from 285556b to 778c515 Compare February 18, 2025 16:47
@vmurali
Copy link
Collaborator

vmurali commented Feb 20, 2025
edited
Loading

Looks like I cannot push to this branch. Here's a slightly different design to highlight the security guarantees of CHERIoT against a system that has no compartmentalization:

  1. The grid controller

    1. Receives scheduled outages (array of <start time, duration>)
    2. Recieves request for corrective actions i.e. load shedding, load increase (array of <start time, duration, maximum load value, minimum load value>)

  2. The provider

    1. Receives hourly rate information for the next day (<date, array of 24 prices>); the old rates are used till a new rate is received for a day
    2. Sends accumulated consumption information hourly
    3. Optional: receives a directive to turn off the energy for various reasons (payment not made, hourly consumption information isa not received for a long time)

  3. The sensor: provides a passive interface for reading the following values

    1. Instantaneous total load consumption in the house
    2. Optional: Instantaneous energy stored in each battery in the house (array of <battery index, energy>)

  4. The house

    1. Updates/accumulates the hourly comsumption information based on energy consumption sensor data (reads sensor data frequently)
    2. Provides a passive interface to specify the load to be consumed for an array of load consumers (array of <consumer index, load> updated frequently)
    3. Optional: Provides a passive interface to specify the status of charge/discharge for an array of batteries (array of <battery index, CHARGE/DISCHARGE> updated frequently)

  5. The user

    1. Provides a passive interface to specify the policy (using a Javascript bytecode) to drive the load consumers (and optionally battery) based on grid request, provider rate (and optionally battery energy)
    2. Calls the house interface to specify load consumer values and battery charge/discharge status based on the current policy

The grid controller and provider each run a thread for receiving data in the form of MQTT messages, and the provider runs a thread for sending accumulated consumption information.
The provider has web interface to show the current accumulated (monthly) charges.
The sensor can optionally have a web interface to show the current load consumption and batteries' levels. The house runs a thread the updates the hourly consumption information.
The user provides a web interface to input the javascript program to specify policy.
The user runs a thread to update the loads to be consumed by various consumers and optionally the charge/discharge status for the batteries.
Optional: The grid and provider has a web interface to submit new rates, requests, outages etc.

The javascript VM has FFI functions to access

  1. the outage information, () -> (Start Time, Duration)
  2. grid load requests, () -> (Start Time, Duration, Max Load Value, Min Load Value)
  3. provider rate information for the current day, Hour -> Rate
  4. sensor load consumption, () -> Current load
  5. battery level, Battery Index -> Current Energy Stored
  6. set load consumptions, Consumer Index -> Load -> ()
  7. set battery charge/discharge, Battery Index -> CHARGE/DISCHARGE -> ()

On a system with no security features, a user can write a javascript program that abuses the set load consumptions or set battery charge/discharge functions to specify an arbitrary 32-bit index to update any value in the memory.
In particular, the hourly consumption information can be overwritten to 0 to make the provider think that the total energy consumption is 0 throughout.

With CHERIoT, each of the above components can be specified as a separate compartment and as a result, the user compartment that has the javascript VM cannot access/update arbitrary memory using the index value in the set load consumptions/set battery charge/discharge functions.

Note that the grid controller is optional for this security feature demonstration and can potentially be removed to simplify the design.

@rmn30 rmn30 force-pushed the 202502-smartmeter branch 2 times, most recently from 106b4bd to fa09d89 Compare February 25, 2025 18:25
@rmn30 rmn30 force-pushed the 202502-smartmeter branch 2 times, most recently from 28a966f to f940bcb Compare March 4, 2025 17:17
nwf and others added 23 commits March 26, 2025 14:48
@nwf
First draft of smartmeter demo CHERIoT bits
0fac09d
@nwf
Allow speeding up simulated time
195f5d8 
This should allow making the demo more interesting
@rmn30 @nwf
Change xmake default paths to suit cheriot-demos repo.
0d0649d 
Also change the name of CHERIOT_SDK env variable to CHERIOT_RTOS_SDK to avoid confusion with --sdk option to xmake.
@rmn30 @nwf
Add smart_meter demo to CI.
aef5dc9 
Also set default board for smart_meter demo to sonata-1.1.
@nwf
broker configuration via xmake
c394441
@nwf
fix client IDs
f9535a0 
We self-check for validity only if debugging is turned on, and how odd
that '-' isn't in the spec's permitted set (3.1.3.1, MQTT-3.1.3-5).
@nwf
grid: report some data, not just a Tick
d487995
@nwf
Very, very initial web frontend goo
c244324
@nwf
WIP: monolithic image as well
65e8569
@nwf
Incremental progress on user frontend
34d2d85
@nwf
Monolithic build
af88e65 
Works after CHERIoT-Platform/cheriot-rtos#461
@nwf
sample_policy: use spaces, not tabs
5ea2bac
@nwf
Add "revert to last submitted" button to editor
945d6c5
@nwf
Further set the stage for badness
af2846f 
On monolithic builds, move the sensor data and the userJS data snapshot
objects into (the one compartment's) globals.  This should make it
possible, in a monolithic build, for a cap held in the JS machine to be
abused to write to the sensor data.
@nwf
Further demolish monolith security
a4fe43d 
Place sensitive and non-sensitive structures not just in the same .data
segment but as subobjects of the same struct.  This subverts
CHERIoT-LLVM's understanding of properly bounding address-taken globals
and permits subobject bounds violtion to model code running on a
pre-CHERI machine.
@rmn30 @nwf
Add 'unique-id' xmake option for setting meter ID at compile time.
de77361 
Defaults to 'random' which causes the device to generate a random ID on boot.
@rmn30 @nwf
Update network stack to include fix for MQTT packet bounds.
3a95c7c
@nwf
Expand CHERIoT component README a bit
ac44e0e
@nwf
frontend: user-editor rollup config file
139506f
@nwf
frontend democonfig: add default meter ID
51d6d43
@nwf
frontend: rename directory holding on-device JS
e570d8d
@nwf
frontend: more functionality in grid view
ad15347
@rmn30 @nwf
Fix comment in ffigen.js and regenerate userffi.h.
fccea39
nwf added 23 commits March 26, 2025 14:48
@nwf
frontend: allow relative paths for broker certs
7418a82 
Have the server interpret them relative to the static resource
directory, as they would be by the clients (served out of the static
directory).
@nwf
frontend: user editor dropdown for provided examples
9269944
@nwf
device: report user JS crashes to grid
b44af20
@nwf
frontends: consumption updates might be negative
61f06f4
@nwf
grid frontend: report crash counts
247834a
@nwf
clang-format
72bc2d2
@nwf
device: optional fake sensor reports
a5e462b
@nwf
device provider: publish samples
40a0df9
@nwf
treewide: overhaul js
edc4755
@nwf
Add omitted file
3fde6dc
@nwf
Further tweaking of policy files
48e17f9
@nwf
device: tweak sensor coarsening
ddf6ba7 
- Give symbolic name to the coarsening depth
- Fix a rather embarassing bug
@nwf
Tweak default policy
3fa852a 
And make it really the default JS baked in.  While here, make that
process easier and document it.
@nwf
Attack demo
9ea55f7
@nwf
device: refactor monolith build; separate user
5478bd9 
This lets the JS crash and get forcibly unwound back to a calling
compartment rather than to thread exit.
@nwf
Add crash example
414c4a4
@nwf
Revise monolith again
c2ac624 
This partially reverts ca4e802 and puts
the merged data object back into the monolith compartment's .data.  The
separated user compartment can get it via a cross-compartment call
during initialization.  This means that it can be accessed via the CGP
exposed to JS, too, in addition to the array pointer exposed via the
FFI.
@nwf
frontends: arrays are 0 indexed, d'oh.
3f82f21 
While here, sort the consumption arrays so we know we're dropping
prefixes, just in case timestamps wiggle a bit.
@nwf
Emit newlines when sending to house
c359e09
@nwf
device sensor: attempt to make reads more robust
40a9abd 
- Move to IRQ-based reads, rather than burning the core
- Bump the sensor thread priority over the workers'
- Prevent std::string from consuming unbounded heap
- Have std::string perform allocation up front and Debug::Assert success
@nwf
device sensor: reuse std::string for lines
a740d06 
We're seeing somewhat mysterious allocation failures, so try to reduce
the number of allocations we make?
@nwf
device js: add export to inject network faults
8b9e23d
@nwf
smartmeter device user: fix multiwater use
1240e9e 
multiwaiter_wait() overwrites the value fields of its EventWaiterSource
structures, so cache the values passed in.  Update the cache and copy
from it back to the wait events each loop iteration.
@nwf nwf force-pushed the 202502-smartmeter branch from 1f4c9b8 to 1240e9e Compare March 26, 2025 19:47
nwf and others added 6 commits April 28, 2025 13:27
@nwf
smartmeter: deeper housekeeping stacks
b59bca3 
We were running out of stack deep in the network code, spinning in a
tight loop of failing to allocate a network buffer.  Don't do that.
@nwf
smartmeter: coarsen samples over many minutes
06bcdc7
@rmn30
Add more notes and config files for server config on Mac
e0d5cbc
@rmn30
Add new cheriot.demo cert as the old one expired.
f4d339b 
Also move it to /static dir as that's where it needs to be.
@rmn30
Add index.html with iframes for the three views.
fe49153 
Adjust graph width properties to make this work.
@nwf
smartmeter: lower SNTP timeouts
bc16823 
The FreeRTOS-Plus-TCP network stack drops with success UDP datagrams it
cannot immediately send, so our first attempt at this is all but
guaranteed to fail at present.  Don't wait quite so long for that to
happen, and don't wait so long between attempts.  Continue to allow the
2nd and subsequent attempts to take longer.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nwf @vmurali @rmn30