Released: 2026-05-29
Branch: v1.5.x
Covers: v1.4.9 → v1.5.8
Commits: 80+ | Files changed: 200+ | Insertions: ~18,000


Overview

The v1.5.x line is a hardening and capability-expansion cycle built on top of the WAMR-based runtime shipped in v1.4.9. The headline themes are:

  • Security hardening — 15 critical and high-severity bugs fixed across the runtime, sandbox, OTA, connectivity, and storage subsystems.
  • New connectivity — USB web serial, BLE companion service, centralized WiFi manager, improved Bluetooth pairing flow.
  • New language runtimes — MicroPython and Rust WASM app support.
  • New hardware — BQ28Z610 fuel gauge, nucleo_l476rg board, Sharp LS027B7DH01 display stabilization, ESP32-S3 Super Mini tuning.
  • System settings — centralized flash-backed settings manager with filtered public API.
  • PSRAM-aware memory — all large allocations migrated to akira_malloc_buffer() to prevent DRAM exhaustion on non-PSRAM builds.

Security Fixes

This release closes 15 critical and high findings identified in a full codebase audit.

Critical

| # | Finding | File | Fix |
|---|---------|------|-----|
| 1 | Runtime cache use-after-free: module_cache_store() could evict a slot with ref_count > 0, freeing a pointer still held by live instances. | src/runtime/runtime_cache.c | Return -EBUSY; refuse eviction when ref_count > 0. |
| 2 | Incomplete RSA signature verification: app_verify_signature() checked the cert hash against trusted roots but never called mbedtls_pk_verify(); any app with a crafted matching hash would load. | src/runtime/security/app_signing_v2.c | Implement full mbedTLS RSA/Ed25519 verify path; guard with #if defined(MBEDTLS_PK_PARSE_C). |
| 3 | Sandbox rate-limit bypass: rate_bucket_refill() was non-atomic; two cores could both skip refill, permanently starving tokens. atomic_dec on a signed counter would wrap positive after 2³¹ decrements. | src/runtime/security/sandbox.c | Protect refill with a spinlock; cap token floor at INT32_MIN + 1. |
| 4 | Audit ring buffer corruption: atomic_inc(&write_idx) followed by non-atomic field writes allowed concurrent writers to interleave and silently drop security events. | src/runtime/security/sandbox.c | Serialize the entire entry write under the same spinlock. |
| 5 | OTA write-buffer race: write_buffer[4096] and buffer_pos were accessed from both the worker and transport threads with no mutex. | src/connectivity/ota/ota_manager.c | Dedicated ota_buf_mutex; internal flush_write_buffer_locked() called under lock; public wrapper for external callers. |
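
The lifetime rule behind finding 1, as an added example rather than AkiraOS code: a store never frees a slot that a live instance still references, and returns -EBUSY when every slot is pinned. The names cache_slot, cache_acquire, cache_release, cache_store and CACHE_SLOTS are hypothetical, and the locking a multi-core build needs is left out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_SLOTS 2   /* assumed size, kept small for the demo */
struct cache_slot { uint32_t key; void *module; int ref_count; uint32_t last_used; };
static struct cache_slot slots[CACHE_SLOTS];
static uint32_t tick;   /* logical clock used for LRU ordering */

/* Pin a cached module for a new instance; NULL on a miss. */
static void *cache_acquire(uint32_t key) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (slots[i].module != NULL && slots[i].key == key) {
            slots[i].ref_count++;
            slots[i].last_used = ++tick;
            return slots[i].module;
        }
    }
    return NULL;
}

/* Drop one reference when an instance is destroyed. */
static void cache_release(uint32_t key) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (slots[i].key == key && slots[i].ref_count > 0) slots[i].ref_count--;
}

/* Store a copy of image. Only slots with ref_count == 0 may be evicted. */
static int cache_store(uint32_t key, const void *image, size_t len) {
    struct cache_slot *victim = NULL;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (slots[i].ref_count > 0) continue;      /* pinned: never freed */
        if (victim == NULL || slots[i].last_used < victim->last_used) victim = &slots[i];
    }
    if (victim == NULL) return -EBUSY;             /* every slot is in use */
    void *copy = malloc(len);
    if (copy == NULL) return -ENOMEM;
    memcpy(copy, image, len);
    free(victim->module);                          /* safe: no holder remains */
    *victim = (struct cache_slot){ key, copy, 0, ++tick };
    return 0;
}

int main(void) {
    cache_store(1, "aa", 3); cache_store(2, "bb", 3);   /* constructed modules */
    const char *held = cache_acquire(1); cache_acquire(2);
    printf("store while pinned: %d, held module reads \"%s\"\n", cache_store(3, "cc", 3), held);
    return 0;
}
```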

High

| # | Finding | File | Fix |
|---|---------|------|-----|
| 6 | FD allocation race: mutex released after fd_alloc() but before fs_open(); concurrent close on the same fd caused double-release. | src/api/akira_fs_api.c | Hold mutex across fd_alloc + fs_open atomically. |
| 7 | Double-destroy on concurrent app install: two threads installing the same app both called akira_runtime_destroy() on the same container_id. | src/runtime/app_manager/app_manager.c | Zero container_id atomically under lock before stop; second thread sees -1. |
| 8 | Registry CRC never computed: registry_save() wrote crc = 0 (marked /* TODO */); flash bit-flips and truncations went undetected. | src/runtime/app_manager/app_manager.c | Compute crc32_ieee over the serialized buffer before writing; verify on load (skip if crc == 0 for legacy compatibility). |
| 9 | Manifest port truncation bypass: portval cast to uint16_t without bounds check; ports ≥ 65536 silently truncated to low-numbered ports, defeating the network policy. | src/runtime/manifest_parser.c | Reject manifests where portval > 65535. |
| 10 | Integer overflow in TAR bounds check: pos + fsize could wrap on 32-bit targets, bypassing the buffer bounds check. | src/lib/akpkg.c | if (fsize > tar_len \|\| pos > tar_len - fsize) (subtract, don’t add). |
| 11 | NVS compaction race: compact_entries() performed multi-step read/write sequences without holding the partition mutex; a concurrent akira_settings_set() could corrupt the partition. | src/settings/settings.c | Wrap the entire compaction sequence in akira_settings_mutex. |
| 12 | BT companion irq_lock re-entry: irq_lock() called in BLE callback context, then again from the same work handler submission chain; not reentrant on all platforms. | src/connectivity/bluetooth/companion_service.c | Replace with struct k_spinlock / k_spinlock_key_t pair. |
| 13 | Cloud deserialization OOB: handle_app_chunk() cast msg->payload to payload_chunk_t* before validating payload_len; truncated messages caused data_len underflow. | src/connectivity/cloud/cloud_app_handler.c | Validate payload_len >= sizeof(payload_chunk_t) before casting; check overflow before addition. |
| 14 | USB HID pointer OOB: when dlen == 1 and the Report ID matched, data++; dlen-- left data pointing past the buffer end. | src/connectivity/usb/usb_hid.c | Check dlen > 1 before advancing the pointer. |
| 15 | WiFi credentials non-atomic write: SSID and PSK stored in two separate NVS writes; power-loss between them left partial credentials and a permanent connection failure on next boot. | src/connectivity/wifi/wifi_manager.c | Encode both values in one combined NVS key ("ssid\tpsk") as a single atomic write. |
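
Findings 9 and 10 are both integer-width mistakes in input validation. The following added example, not taken from the AkiraOS sources, puts the shape of each pre-fix check beside the fixed one. The function names, the use of uint32_t to model a 32-bit size_t, the -EINVAL return code and the sample values are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Finding 10. uint32_t stands in for size_t on a 32-bit target. */
/* Pre-fix shape: the sum wraps modulo 2^32, so a huge fsize passes. */
static int tar_entry_ok_wrapping(uint32_t pos, uint32_t fsize, uint32_t tar_len)
{
    return (uint32_t)(pos + fsize) <= tar_len;
}

/* Fixed shape quoted in the release notes: subtract, don't add. */
static int tar_entry_ok(uint32_t pos, uint32_t fsize, uint32_t tar_len)
{
    if (fsize > tar_len || pos > tar_len - fsize) {
        return 0;   /* entry does not fit inside the archive buffer */
    }
    return 1;
}

/* Finding 9. Pre-fix shape: the cast keeps only the low 16 bits. */
static uint16_t port_truncating(unsigned long portval)
{
    return (uint16_t)portval;
}

/* Fixed shape: reject the manifest instead of narrowing the value. */
static int port_checked(unsigned long portval, uint16_t *out)
{
    if (portval > 65535UL) {
        return -EINVAL;   /* assumed error code */
    }
    *out = (uint16_t)portval;
    return 0;
}

int main(void)
{
    /* Constructed values: a 1024-byte archive whose entry claims ~4 GiB. */
    uint32_t tar_len = 1024, pos = 512, fsize = 0xFFFFFF00u;
    uint16_t port = 0;

    printf("tar: wrapping check=%d fixed check=%d\n",
           tar_entry_ok_wrapping(pos, fsize, tar_len), tar_entry_ok(pos, fsize, tar_len));
    printf("port 65558: truncates to %u, checked rc=%d\n",
           (unsigned)port_truncating(65558UL), port_checked(65558UL, &port));
    return 0;
}
```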

New Features

Language Runtimes

  • MicroPython WASM — MicroPython now compiles to wasm32 via the AkiraOS toolchain; native symbol registration allows Python apps to call all registered NativeSymbol exports (feat(python): add MicroPython WASM app support).
  • Rust WASM — Rust apps targeting bare wasm32-unknown-unknown are now a supported SDK build target (feat(sdk): add Rust and Python app support).

Connectivity

  • Centralized WiFi manager (src/connectivity/wifi/wifi_manager.c) — replaces ad-hoc wifi_connect() call sites. Offers connect, disconnect, update_credentials, get_stats, get_state, register_cb (up to CONFIG_AKIRA_WIFI_MANAGER_MAX_CBS), unregister_cb.
  • USB web serial interface (usb_cdc_serial) and BLE companion service for host pairing — two-way channel between AkiraConsole and a paired host over USB CDC or BLE.
  • Improved Bluetooth pairing — connection flow now detects error reason 4 (security/bonding failure) and wipes the stale bond automatically before retrying, eliminating the manual “forget device” step.

Power Management

  • BQ28Z610 fuel gauge driver — Texas Instruments gauge with DTS binding ti,bq28z610; reports state-of-charge, voltage, current, and charging polarity.

Runtime & Memory

  • Pre-allocated WASM thread stacks via SYS_INIT — stacks reserved at boot, not at app-launch time, preventing heap fragmentation after prolonged uptime.
  • PSRAM-aware allocator for all large buffers: akira_malloc_buffer() used for app catalog, download, BT companion transfer, RAM filesystem, USB CDC chunk staging, and cloud handler buffers; DRAM pressure on non-PSRAM targets eliminated.

Settings

  • Centralized system settings (src/settings/settings.c + src/settings/system_settings.h) — flash-backed NVS key-value store with filtered exported API; WiFi credentials, OTA config, and app preferences all routed through one subsystem.

Platform Extension

  • AkiraPlatform hooks (src/platform/akira_platform.c) — weakly-linked extension points for app-launch, app-crash, WiFi state change, and custom peripheral initialization; allows product-specific firmware layers without forking the OS tree.

Boot Animation

  • Boot animation now fully configurable via CONFIG_AKIRA_BOOT_ANIMATION, with FPS and color palette tunable from Kconfig; build guard prevents inclusion in OS shell builds.

Board Support

  • nucleo_l476rg — full board support added.
  • ESP32-S3 Super Mini — BLE HID enabled; no-PSRAM memory tuning applied.
  • nucleo_h743zi and rpi_pico / rpi_pico2 board configs added.
  • Sharp LS027B7DH01 display enabled and stabilized on akiraconsole_prod.

Bug Fixes

Memory / DRAM

  • Fixed DRAM overflow on akiraconsole — heap pool reduced to pass CI; PSRAM paths added for all large staging buffers.
  • Fixed RAM overflow on nucleo_l476rg.
  • Increased WASM app stack to 4096 on ESP32-H2.

Build

  • Resolved all-board build failures: Kconfig orphans, web server link errors, display guards.
  • Fixed nucleo_l476rg RAM overflow.
  • Fixed conflict marker artifact in build.sh SBOM generation — SBOM version field now uses ${AKIRA_VERSION} variable instead of a hardcoded string.
  • build.sh: resolved the dorny/test-reporter git exit 128 failure in the CI test job.
  • Boot animation source guard; lvgl_input_driver removed from OS shell build.

Display

  • refactor(config): Use native Zephyr driver selectors for display panel; removed manual #define guards that broke multi-board builds.

Storage

  • SD hot-plug: sd_manager_mount() now re-probes via akira_sd_card_init() on insertion; deinit before reinit; retry on init failure; case-insensitive .wasm/.aot scan.

OTA

  • Port-safety guards added for ota_manager delta paths.
  • akira_malloc used for delta staging buffer (was stack-allocated).

Runtime

  • Shell log_filter_set guarded behind CONFIG_LOG_RUNTIME_FILTERING.
  • CONFIG_AKIRA_APP_MAX_INSTALLED constant used in runtime commands (was magic number 16).

Breaking Changes

None. All public WASM API exports, manifest schema fields, and NVS key namespaces are backwards compatible with v1.4.9.

The WiFi credentials NVS layout changed internally (combined "system/wifi/creds" key replaces two separate keys). The load path falls back to the old individual keys if the combined key is absent, so existing devices upgrade cleanly with no credential loss.


Upgrade Path from v1.4.9

  1. Flash the new firmware image over OTA or west flash.
  2. No NVS wipe required — settings and app registry are backwards compatible.
  3. If using the AkiraSDK, pull the updated submodule (git submodule update --remote AkiraSDK).
  4. If you have a product layer using akira_platform_* stubs, implement the new AkiraPlatform extension hooks defined in src/platform/akira_platform.h to opt into crash handling and WiFi notifications.

Verified Build Matrix

| Board | Build | Notes |
|-------|-------|-------|
| native_sim | Passing | |
| akiraconsole_esp32s3_procpu | Passing | Primary target |
| akiraconsole_prod_esp32s3_procpu | Passing | Production PSRAM config |
| esp32s3_devkitm_esp32s3_procpu | Passing | |
| esp32s3_super_mini_esp32s3_procpu | Passing | |
| esp32_devkitc_procpu | Passing | |
| esp32c3_devkitm | Passing | |
| b_u585i_iot02a | Passing | |
| nucleo_l476rg | Passing | New in 1.5.8 |
| nrf54l15dk_nrf54l15_cpuapp | Passing | |

Stats

| Metric | v1.4.9 | v1.5.8 |
|--------|--------|--------|
| Supported boards | 7 | 10 |
| WASM API exports | ~45 | ~60 |
| Security findings open | | 0 (15 closed) |
| App stack languages | C | C, Rust, MicroPython |
| NVS credential write atomicity | Non-atomic (2 writes) | Atomic (1 write) |
| Boot time to first app (ESP32-S3) | ~1.8 s | ~1.6 s |

Copyright © 2025-2026 AkiraOS Project. Licensed under GNU GPL v3.