Overview
Over the course of summer ’25, my research partner (Spencer O’Brien) and I were tasked with advancing the RISC-V port of the Embedded Xinu educational operating system. We addressed many of the technical challenges presented by the RISC-V architecture and hardened the security posture of both the kernel and the boot-loading firmware.
Initially we set out to find a reproducible boot loader to replace the version shipped with the board. In this pursuit we quickly discovered the main subject of our work: because of the complexity and overhead of privilege-level management, Xinu had never provided a complete implementation of it. The modern design of RISC-V supports this control at the hardware level and requires its management for any non-trivial task.
As we discovered while upgrading the boot loader, the initial port to this hardware had circumvented all privilege control: the boot process had been modified to start the kernel in machine mode, sidestepping proper privilege separation. This discovery set us firmly on the path of revamping privilege-level usage and fixing the dependent systems to better align with the RISC-V specification.
Details
Our work divides neatly into two buckets: privilege levels and boot loading.
Boot Loading
While the boards we used shipped with a version of U-Boot, the boot process was bloated with general-purpose functionality and remained in a fragile state. We found a newer version of the firmware, along with its source code. Once we could rebuild and re-image the firmware without fear of permanently bricking our hardware, we set out to reconfigure the boot process to better match our needs.
Privilege Levels
Implementing proper privilege levels required two efforts: redesigning the kernel boot sequence, and retooling kernel systems to align with those changes.
The circumvention in the original port quickly produced a functioning system, but it broke a key requirement of RISC-V: to avoid refactoring the kernel, a modified boot loader image started the kernel in machine mode, where the hardware configuration could be changed to fit the existing design.
The RISC-V Specification defines three main privilege levels:
- Machine Mode: firmware only; access to the hardware configuration registers; highest privilege during escalation
- Supervisor Mode: kernel only; access to user space and interrupts, but not to the machine-level hardware configuration registers
- User Mode: for user processes; a heavily sandboxed environment with little access
To get the kernel working under the newly reduced privileges, we dove deep into the documentation. While building a better understanding of the Control and Status Registers (CSRs) available to supervisor mode, we refactored the initialization and interrupt-control schemes.
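To make the privilege boundary concrete, here is an added example (an illustration written for this page, not code from the Embedded Xinu project) of the supervisor-mode setup a kernel performs once it no longer boots in machine mode: programming stvec, unmasking the supervisor interrupt sources in sie, routing traps by scause, and re-arming the timer through an SBI call, since supervisor mode cannot reach mtimecmp directly. It assumes RV64 and the standard CSR bit positions from the RISC-V privileged specification; the trap-entry address and tick interval are constructed placeholders, and on a non-RISC-V host the CSRs are simulated so the routing logic can be exercised offline.

```c
/* Added example, not Embedded Xinu code: supervisor-mode CSR setup and trap
 * routing for a kernel that no longer runs in machine mode. Assumes RV64.
 * Built for RISC-V, the accessors emit real csrr/csrw and an SBI ecall; on
 * any other host they operate on simulated registers. */
#include <stdint.h>
#include <stdio.h>

/* Interrupt-enable bits in sie (same positions as the pending bits in sip). */
#define SIE_SSIE    ((uint64_t)1 << 1)  /* supervisor software interrupt */
#define SIE_STIE    ((uint64_t)1 << 5)  /* supervisor timer interrupt    */
#define SIE_SEIE    ((uint64_t)1 << 9)  /* supervisor external interrupt (PLIC) */
#define SSTATUS_SIE ((uint64_t)1 << 1)  /* global supervisor interrupt enable */

/* scause: the top bit distinguishes interrupts from synchronous exceptions. */
#define SCAUSE_INTERRUPT ((uint64_t)1 << 63)
#define SCAUSE_CODE(x)   ((x) & ~SCAUSE_INTERRUPT)

#if defined(__riscv)
#define CSR_READ(name) ({ uint64_t _v; __asm__ volatile("csrr %0, " #name : "=r"(_v)); _v; })
#define CSR_WRITE(name, val) __asm__ volatile("csrw " #name ", %0" : : "r"((uint64_t)(val)))
/* SBI TIME extension (EID 0x54494D45, FID 0): supervisor mode asks the
 * machine-mode firmware to program the next timer deadline. */
static void sbi_set_timer(uint64_t stime_value) {
    register uint64_t a0 __asm__("a0") = stime_value;
    register uint64_t a6 __asm__("a6") = 0;
    register uint64_t a7 __asm__("a7") = 0x54494D45;
    __asm__ volatile("ecall" : "+r"(a0) : "r"(a6), "r"(a7) : "a1", "memory");
}
#else
/* Host build: simulated supervisor CSRs; the SBI call is a no-op. */
static uint64_t sim_sie, sim_sstatus, sim_stvec;
#define CSR_READ(name)       (sim_##name)
#define CSR_WRITE(name, val) (sim_##name = (uint64_t)(val))
static void sbi_set_timer(uint64_t stime_value) { (void)stime_value; }
#endif

enum trap_kind { TRAP_SW_INTR, TRAP_TIMER_INTR, TRAP_EXT_INTR,
                 TRAP_ECALL_FROM_U, TRAP_PAGE_FAULT, TRAP_OTHER };

/* Route a trap by scause. Interrupt codes 1/5/9 are the supervisor software,
 * timer and external sources; exception code 8 is an ecall from user mode,
 * and 12/13/15 are instruction/load/store page faults. */
enum trap_kind classify_scause(uint64_t scause) {
    uint64_t code = SCAUSE_CODE(scause);
    if (scause & SCAUSE_INTERRUPT) {
        switch (code) {
        case 1:  return TRAP_SW_INTR;
        case 5:  return TRAP_TIMER_INTR;
        case 9:  return TRAP_EXT_INTR;
        default: return TRAP_OTHER;
        }
    }
    switch (code) {
    case 8:                    return TRAP_ECALL_FROM_U;
    case 12: case 13: case 15: return TRAP_PAGE_FAULT;
    default:                   return TRAP_OTHER;
    }
}

/* Point stvec at the trap entry (direct mode: low two bits clear), unmask the
 * three supervisor sources in sie, and only then set the global enable. */
void enable_supervisor_interrupts(uint64_t trap_entry) {
    CSR_WRITE(stvec, trap_entry & ~(uint64_t)3);
    CSR_WRITE(sie, CSR_READ(sie) | SIE_SSIE | SIE_STIE | SIE_SEIE);
    CSR_WRITE(sstatus, CSR_READ(sstatus) | SSTATUS_SIE);
}

/* Timer tick: count it and re-arm the next deadline via SBI, not mtimecmp. */
#define TICK_INTERVAL 100000ULL   /* constructed value, timebase units */
static uint64_t ticks, timer_deadline;

uint64_t handle_timer_interrupt(uint64_t now) {
    ticks++;
    timer_deadline = now + TICK_INTERVAL;
    sbi_set_timer(timer_deadline);
    return ticks;
}

uint64_t current_sie(void)        { return CSR_READ(sie); }
uint64_t current_stvec(void)      { return CSR_READ(stvec); }
uint64_t last_timer_deadline(void) { return timer_deadline; }

int main(void) {
    enable_supervisor_interrupts(0x80201001);   /* constructed address */
    printf("sie=0x%llx stvec=0x%llx\n", (unsigned long long)current_sie(),
           (unsigned long long)current_stvec());
    printf("scause 0x8000000000000005 -> kind %d (timer)\n",
           classify_scause(SCAUSE_INTERRUPT | 5));
    return 0;
}
```

The ordering in enable_supervisor_interrupts matters: stvec must hold a valid handler and sie must describe the wanted sources before sstatus.SIE is set, otherwise a pending interrupt can be taken into an unprogrammed vector. The timer path shows the cost of the privilege split the project accepted: a supervisor-mode kernel never writes mtimecmp itself but requests the deadline from machine-mode firmware.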
Results
Improvements to the boot loader:
- disabled unused hardware initialization, reducing the system's boot time by ~20 seconds
- hardcoded network boot information, removing the need for delicate expect scripting during the DHCP phase
- configured additional quality-of-life features such as the watchdog timer
- provided a stable and maintainable system for imaging
Improvements to the kernel:
- kernel complies with the RISC-V specification
- interrupt control improved
- proper routing through CSRs
- improved support for the Platform Level Interrupt Controller
- implemented timing via external timer interrupts
Set up for future work in:
- atomic operations
- cross-privilege boundary messaging
- asynchronous operations
Publication
Our work was accepted to the SIGCSE 2026 Student Research Competition, where we presented in the poster session. While we did not advance to the finals, we received great feedback from many attendees excited about the embedded approach to teaching operating systems.