The reframe (from jess's RT1176 + gust work)
Working the Pixhawk 6X-RT bring-up, a nice realization fell out: gale isn't really "verified Zephyr primitives" — it's a library of composable, formally-verified OS components, usable two ways:
- Drop into an existing OS — the
zephyr/*.c integration track (gale replaces Zephyr's C kernel primitives in place). Proven: 36 QEMU suites.
- Construct your own OS — compose
gale primitives + kiln (scheduler) + an async HAL substrate + wasm driver bodies into a bespoke, purpose-built OS. gust is the first instance (bare Cortex-M3, no Zephyr).
jess wants mode (2) for the flight stack — and the payoff is that the C disappears: no Zephyr, no NuttX/PX4, no NXP SDK C drivers. The flight TCB becomes verified Rust (gale + kiln + HAL) + wasm (Kani-proven drivers + falcon) — one language discipline, one verification story end-to-end (Verus/Rocq/Lean + Kani), the smallest auditable trusted base, and the same OS at three scales: M7 (falcon) / M4 (sensor-I/O offload) / F100 (gust). (The only non-Rust residue — the i.MX boot ROM — is out of the flight path; it's touched only by the on-ground update bootloader. jess DD-016.)
The driver model (the sophisticated piece Zephyr's C otherwise gives you)
gust's driver model is trivial (a ~4-item sync native shim). The M7 needs the real thing — DMA, async completion, multiple isolated buses, redundancy. We think the clean substrate is:
- Seam anchored on
embedded-hal-async (the standard async embedded-HAL traits).
- Native host substrate = Embassy-class async HAL (bus transport + DMA + IRQ-completion) — "drivers as host components, driven down."
- Executor = kiln-async (which is already Embassy-inspired — its design cites
embassy-executor's task-arena/waker-as-index).
- Verifiable logic stays wasm — relay's Kani-proven protocol decode + the redundancy voting sit above the async traits.
So: verify what's verifiable (decode/voting in wasm), reuse battle-tested for the timing/DMA you can't easily prove (async HAL). This is jess DD-012/DD-015 (the relay↔jess seam) made concrete for async+DMA, the full-fat version of the gust seam.
The enabler we just found
The MIMXRT1176 CMSIS-SVD (NXP official, BSD-3-Clause, cm7 + cm4) is the keystone for both sides: svd2rust → an RT1176 PAC → the Embassy-class HAL foundation; and Renode ApplySVD → a named-register model for the hermetic HIL. One artifact unblocks the real-silicon HAL and the emulation, for M7 and M4.
The ask — get the ball rolling
Would gale treat "build-your-own OS" as a first-class mode, not just a side-effect of the standalone (plain/) track? Concretely, what we'd love to discuss:
- A standalone runtime/construction crate — gale core + the minimal scaffold (boot/scheduler-init/device_init hooks) to compose an OS, no Zephyr.
- The driver-framework backbone — are
device_init / work / poll the right hooks to host the embedded-hal-async + kiln-async driver model, or should that be a thin new layer?
- Positioning — does the "gale = composable OS components (drop-in or build-your-own), C-free" framing fit gale's roadmap? It changes the README story from "Zephyr primitives" to "OS components."
Cross-refs: gale#63 (host substrate epic), gale#65 (gust/gale-nano), and jess's DD-006 (maximal-wasm) / DD-011 (gust) / DD-017 (M7 = gale-maximal-wasm, no Zephyr in flight). No urgency — opening this to get the conversation started.
The reframe (from jess's RT1176 + gust work)
Working the Pixhawk 6X-RT bring-up, a nice realization fell out: gale isn't really "verified Zephyr primitives" — it's a library of composable, formally-verified OS components, usable two ways:
zephyr/*.cintegration track (gale replaces Zephyr's C kernel primitives in place). Proven: 36 QEMU suites.galeprimitives +kiln(scheduler) + an async HAL substrate + wasm driver bodies into a bespoke, purpose-built OS.gustis the first instance (bare Cortex-M3, no Zephyr).jess wants mode (2) for the flight stack — and the payoff is that the C disappears: no Zephyr, no NuttX/PX4, no NXP SDK C drivers. The flight TCB becomes verified Rust (gale + kiln + HAL) + wasm (Kani-proven drivers + falcon) — one language discipline, one verification story end-to-end (Verus/Rocq/Lean + Kani), the smallest auditable trusted base, and the same OS at three scales: M7 (falcon) / M4 (sensor-I/O offload) / F100 (gust). (The only non-Rust residue — the i.MX boot ROM — is out of the flight path; it's touched only by the on-ground update bootloader. jess DD-016.)
The driver model (the sophisticated piece Zephyr's C otherwise gives you)
gust's driver model is trivial (a ~4-item sync native shim). The M7 needs the real thing — DMA, async completion, multiple isolated buses, redundancy. We think the clean substrate is:
embedded-hal-async(the standard async embedded-HAL traits).embassy-executor's task-arena/waker-as-index).So: verify what's verifiable (decode/voting in wasm), reuse battle-tested for the timing/DMA you can't easily prove (async HAL). This is jess DD-012/DD-015 (the relay↔jess seam) made concrete for async+DMA, the full-fat version of the gust seam.
The enabler we just found
The MIMXRT1176 CMSIS-SVD (NXP official, BSD-3-Clause, cm7 + cm4) is the keystone for both sides:
svd2rust→ an RT1176 PAC → the Embassy-class HAL foundation; and RenodeApplySVD→ a named-register model for the hermetic HIL. One artifact unblocks the real-silicon HAL and the emulation, for M7 and M4.The ask — get the ball rolling
Would gale treat "build-your-own OS" as a first-class mode, not just a side-effect of the standalone (
plain/) track? Concretely, what we'd love to discuss:device_init/work/pollthe right hooks to host theembedded-hal-async+ kiln-async driver model, or should that be a thin new layer?Cross-refs: gale#63 (host substrate epic), gale#65 (gust/gale-nano), and jess's DD-006 (maximal-wasm) / DD-011 (gust) / DD-017 (M7 = gale-maximal-wasm, no Zephyr in flight). No urgency — opening this to get the conversation started.