VOSYSmonitor, a Monitor layer for Mixed-Criticality Automotive Systems on ARMv8 Platforms
In mixed-criticality systems, a key design requirement is the integration of software applications with different levels of criticality onto the same hardware platform. In the automotive domain, the traditional practice for isolating safety-critical applications has been the proliferation of hardware Engine Control Units (ECUs), one per function. However, progress in hardware, with multicore heterogeneous processors available in a single SoC, together with the demand for ever more feature-rich connected cars (Ethernet/vSwitch gateways, infotainment), pushes toward consolidating mixed-criticality workloads onto a single ECU, where there are stringent requirements on latency, performance, cost, space, weight and power consumption. Connected cars must run safety-critical control functions, such as brake and electric-assist steering, that have to be securely isolated from the In-Vehicle Infotainment (IVI) system while executing on the same SoC in a single ECU. In this context, the main challenges to address are real-time execution alongside applications running on a general-purpose OS within virtual machines, memory isolation, and data and control coupling between the two domains.
VOSYSmonitor enables RTOS & virtualized GPOS in mixed-critical automotive systems
With this challenging target in mind, Virtual Open Systems offers VOSYSmonitor, a product solution consisting of a low-level software monitor layer developed for the 64-bit ARMv8-A architecture. VOSYSmonitor allows a safety-critical Real-Time Operating System (RTOS) and a number of virtualized In-Vehicle Infotainment (IVI) systems to run concurrently on the same processor. This software layer isolates the RTOS from the virtualized instances and, at the same time, provides functions for safe and secure communication between them. VOSYSmonitor is based on ARM TrustZone technology, which enforces, among other things, memory, CPU and interrupt isolation between the RTOS (secure world) and the IVI systems (normal world). The design goal of VOSYSmonitor is to give full priority to the secure-world application in order to meet its real-time constraints, while complying with the stringent requirements of ISO 26262 certification.
Top level architecture of the Virtual Open Systems VOSYSmonitor product offer
VOSYSmonitor is meant to be integrated into a full-fledged IVI automotive AGL software stack, which integrates features such as software over the air (SOTA) updates, an Ethernet gateway virtual switch, support for third-party applications and communication protocols (e.g., Apple CarPlay, MirrorLink, Google AAP, etc.), hardware acceleration through FPGA, a virtualized Trusted Platform Module (vTPM), KVM/Linux to execute the normal world, split display support, etc. Moreover, outcomes from standards and initiatives such as AGL, GENIVI, AUTOSAR and ADAS are monitored and continuously integrated into the Virtual Open Systems automotive software stack, to provide customers with the latest updates from these communities.
VOSYSmonitor - monitor layer main features
The main features of VOSYSmonitor enabling co-execution of RTOS and virtualized GPOS systems consist of:
- Infotainment and safety-critical OSes co-executing on the same processor within a single ECU
- Safety-critical OS isolation using ARM TrustZone
- Fast context switch between worlds to meet real-time constraints
- Virtualization features for the GPOS
- Monitoring of the safety-critical OS to recover from failures
- Scalable architecture
- Minimal changes to the IVI OS and the safety-critical OS
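To make the TrustZone-based priority model described above concrete (secure-world RTOS always wins, normal-world GPOS resumes only when the RTOS yields), here is an added, host-runnable C model of the decision logic an EL3 monitor applies at each exception. It is illustrative code written for this page, not VOSYSmonitor's implementation, and it models only the arbitration and context save/restore, not real register access: the event names, the `struct monitor` fields and the entry addresses are assumptions. The routing it relies on is ARMv8-A's standard TrustZone model: with SCR_EL3.FIQ set, FIQs (secure interrupts, GIC Group 0) are taken to EL3 from either world, while IRQs (normal-world interrupts, Group 1) only reach the monitor when SCR_EL3.IRQ is set while the secure world runs.

```c
/* Illustrative model of a TrustZone monitor's world arbitration (not VOSYSmonitor code).
 * Policy: FIQ = secure event, always switch to / stay in the secure world;
 * IRQ arriving while the RTOS runs is held pending, never pre-empts it;
 * the normal world resumes only when the RTOS yields via SMC. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum world { NORMAL = 0, SECURE = 1 };
enum event { EV_FIQ, EV_IRQ, EV_SMC_CALL, EV_SMC_YIELD };   /* assumed names */

/* Subset of the per-world context a monitor saves on a world switch. */
struct cpu_ctx {
    uint64_t x[31];      /* x0..x30 */
    uint64_t sp_el1;
    uint64_t elr_el3;    /* where this world resumes */
    uint64_t spsr_el3;
};

struct monitor {
    enum world cur;
    struct cpu_ctx ctx[2];
    unsigned switches;      /* world switches performed */
    unsigned irq_pending;   /* a normal-world IRQ is held while SECURE runs */
    unsigned irq_deferred;  /* total IRQs deferred, to check the policy */
};

void monitor_init(struct monitor *m, uint64_t rtos_entry, uint64_t gpos_entry)
{
    memset(m, 0, sizeof *m);
    m->ctx[SECURE].elr_el3 = rtos_entry;
    m->ctx[NORMAL].elr_el3 = gpos_entry;
    m->cur = SECURE;        /* the RTOS boots first and hands over via SMC */
}

/* Save the running world's registers, restore the target world's. 'live' is
 * the register file as seen at EL3 exception entry. */
static void world_switch(struct monitor *m, struct cpu_ctx *live, enum world to)
{
    m->ctx[m->cur] = *live;
    *live = m->ctx[to];
    m->cur = to;
    m->switches++;
}

/* EL3 exception entry: decide which world runs next. */
enum world monitor_on_exception(struct monitor *m, enum event ev, struct cpu_ctx *live)
{
    switch (ev) {
    case EV_FIQ:            /* secure interrupt: highest priority */
        if (m->cur == NORMAL)
            world_switch(m, live, SECURE);
        return SECURE;      /* already secure: no switch, RTOS handles it */
    case EV_IRQ:            /* normal-world interrupt, seen only while SECURE runs */
        if (m->cur == SECURE) {
            m->irq_pending = 1;
            m->irq_deferred++;
        }
        return m->cur;      /* never pre-empts the RTOS */
    case EV_SMC_CALL:       /* GPOS requests a secure service */
        if (m->cur == NORMAL)
            world_switch(m, live, SECURE);
        return SECURE;
    case EV_SMC_YIELD:      /* RTOS idle or request done: resume the GPOS */
        if (m->cur == SECURE) {
            world_switch(m, live, NORMAL);
            m->irq_pending = 0;   /* held IRQ fires as soon as NORMAL runs */
        }
        return NORMAL;
    }
    return m->cur;
}

/* Replay a constructed event trace; returns the number of world switches. */
unsigned replay(struct monitor *m, const enum event *trace, size_t n)
{
    struct cpu_ctx live = m->ctx[m->cur];
    for (size_t i = 0; i < n; i++)
        monitor_on_exception(m, trace[i], &live);
    return m->switches;
}

int main(void)
{
    struct monitor m;
    monitor_init(&m, 0x80000000ULL, 0x40080000ULL);   /* assumed entry points */
    /* Constructed trace: RTOS boots and yields, GPOS runs, a secure FIQ pre-empts
     * it, a normal IRQ arrives meanwhile and is held, then the RTOS yields. */
    const enum event trace[] = { EV_SMC_YIELD, EV_FIQ, EV_IRQ, EV_SMC_YIELD };
    unsigned sw = replay(&m, trace, sizeof trace / sizeof trace[0]);
    printf("world switches: %u, deferred IRQs: %u, running: %s\n",
           sw, m.irq_deferred, m.cur == SECURE ? "secure" : "normal");
    return 0;
}
```

The point a practitioner should take from the model is that the worst-case latency seen by the RTOS is bounded by one world switch (the cost of `world_switch`, which is why the feature list stresses a fast context switch), whereas the GPOS has no such bound: its interrupts wait for the RTOS to yield. Any real monitor also has to save and restore the system registers and, on a multicore SoC, apply this per CPU; the model leaves both out.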