Virtual Open Systems Scientific Publications
29th Euromicro Conference on Real-Time Systems (ECRTS-2017), Dubrovnik, Croatia.
Keywords: VOSYSmonitor, ARM TrustZone, mixed criticality, virtualization, real-time, embedded system.
This research work has been supported by the FP7 DREAMS project under the Grant Agreement number 610640.
With the emergence of multicore embedded System on Chip (SoC) platforms, the integration of several applications with different levels of criticality on the same platform is becoming increasingly popular. These platforms, known as mixed-criticality systems, need to meet numerous requirements, such as real-time constraints, Operating System (OS) scheduling, memory partitioning and isolation between OSes.
To construct mixed-criticality systems, various solutions based on virtualization extensions have been presented, in which each OS is contained in a Virtual Machine (VM) managed by a hypervisor. However, such implementations usually lack hardware features to fully isolate other bus masters (e.g., Direct Memory Access (DMA) peripherals, Graphics Processing Unit (GPU)) between OSes. Furthermore, in multicore implementations one core is usually dedicated to one OS, causing CPU underutilization.
To address these issues, this paper presents VOSYSmonitor, a multi-core software layer that allows the co-execution of a safety-critical Real-Time Operating System (RTOS) and a non-critical General Purpose Operating System (GPOS) on the same ARMv8-A hardware platform. The main differentiator of VOSYSmonitor over known solutions is that a processor core can switch between secure and non-secure code execution at runtime. Partitioning is enforced by the ARM TrustZone technology, which leaves the virtualization extensions available to the GPOS.
The VOSYSmonitor architecture is detailed in this paper, and its performance is benchmarked against other known solutions.
An important challenge in the design of embedded systems is the consolidation of software applications with different levels of criticality on a common hardware platform. In the automotive domain, a common practice for isolating safety-critical applications is the proliferation of dedicated hardware Electronic Control Units (ECUs), ranging from basic operations, such as lowering the windows, to critical tasks such as the Electronic Braking System (EBS), engine control and digital dashboard applications. This is a highly inefficient use of the available processing power, since many of these ECUs are typically not used at their full potential. However, recent multi-core architectures with new hardware extensions (e.g., virtualization, TrustZone) enable the safe and secure execution of multiple applications on the same platform, thus reducing costs and vehicle weight and helping to increase efficiency.
The consolidation of different OSes on the same platform implies the concurrent execution of a critical OS with stringent real-time requirements alongside non-critical applications. As a matter of fact, connected cars are required to support safety-critical control functions, such as EBS and Electric Power Assist Steering (EPAS), that have to be securely isolated from the In-Vehicle Infotainment (IVI) system. Similarly, in avionics, functions are usually classified either as flight-critical (necessary for ensuring a safe flight) or mission-critical (essential for business execution). In this context, the main challenge is to integrate the execution of real-time tasks with the software applications of a GPOS.
In the past, virtualization has been presented as a solution for isolating OSes in VMs. This approach reduces implementation costs by abstracting the host platform. Additionally, features provided by hypervisors, such as memory partitioning and CPU and interrupt abstraction, help isolate the OSes. However, the use of a hypervisor may introduce performance overheads, so that the critical execution path of real-time operations may no longer be guaranteed.
In this context, Virtual Open Systems has developed VOSYSmonitor, a software monitor layer that enables the native concurrent execution of a safety-critical RTOS (or another type of OS) alongside a GPOS, which retains the option to use virtualization extensions, such as Linux/KVM, to instantiate a variety of VMs. The monitor layer runs in the highest-privileged secure mode available on ARM processors (EL3 on ARMv8-A), introduced with the ARM TrustZone security extension, and manages the interaction between the two execution worlds. VOSYSmonitor has been designed for the ARMv8-A architecture and guarantees peripheral and memory isolation between the two OSes through ARM TrustZone. The main advantage of such a solution is that cores can be shared dynamically between both OSes, offering close-to-native performance. To achieve this, VOSYSmonitor supports a context switch mechanism with minimal overhead.
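To make the two mechanisms described above concrete, the following is an added, constructed model of a TrustZone-style monitor; it is not VOSYSmonitor code and is not taken from the paper. It models one core that banks a full register context per world, switches worlds on an SMC from either side, and gates bus accesses on the world the core currently runs in. The register file size, the SMC function IDs, the memory map and the entry addresses are all assumptions made for the illustration; on real hardware the NS bit is propagated on the bus and enforced by the TZASC/TZPC, whereas here the check is done in software.

```c
/* Toy model of a TrustZone monitor switching a core between a secure RTOS and
 * a non-secure GPOS. Added illustration only: contexts, SMC IDs and the memory
 * map below are constructed for the example, not VOSYSmonitor's own design. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NREGS 8            /* assumed: small register file instead of x0..x30 */

enum world { SECURE = 0, NONSECURE = 1 };

struct cpu_context {       /* the state the monitor saves per world */
    uint64_t regs[NREGS];
    uint64_t pc;
    uint64_t sp;
};

struct core {
    enum world current;            /* models the NS bit in SCR_EL3 */
    struct cpu_context live;       /* registers currently on the core */
    struct cpu_context saved[2];   /* one banked context per world */
    uint64_t switches;             /* number of world switches performed */
};

/* Constructed memory map: one secure RTOS region, one non-secure GPOS region. */
struct region { uint64_t base, size; enum world owner; };
static const struct region mem_map[] = {
    { 0x80000000ULL, 0x01000000ULL, SECURE },    /* assumed RTOS RAM */
    { 0x90000000ULL, 0x10000000ULL, NONSECURE }, /* assumed GPOS RAM */
};

/* SMC function IDs for this toy monitor (assumed, not a real SMC calling convention). */
#define SMC_YIELD_TO_OTHER_WORLD 0x1
#define SMC_QUERY_WORLD          0x2

/* Reset: both worlds get an empty context at their entry point; boot secure. */
void core_init(struct core *c, uint64_t secure_entry, uint64_t nonsecure_entry) {
    memset(c, 0, sizeof *c);
    c->saved[SECURE].pc = secure_entry;
    c->saved[NONSECURE].pc = nonsecure_entry;
    c->current = SECURE;
    c->live = c->saved[SECURE];
}

/* World switch: bank the live registers under the outgoing world, restore the
 * incoming world's bank, flip the NS bit. The whole register file is replaced,
 * so nothing the outgoing world left in a register is visible to the other side. */
void monitor_world_switch(struct core *c) {
    enum world from = c->current;
    enum world to = (from == SECURE) ? NONSECURE : SECURE;
    c->saved[from] = c->live;
    c->live = c->saved[to];
    c->current = to;
    c->switches++;
}

/* SMC entry point: runs in the monitor and dispatches on the function ID.
 * Returns false for an unknown ID; no switch happens in that case. */
bool monitor_smc(struct core *c, uint64_t fid) {
    switch (fid) {
    case SMC_YIELD_TO_OTHER_WORLD:
        monitor_world_switch(c);
        return true;
    case SMC_QUERY_WORLD:
        c->live.regs[0] = (uint64_t)c->current;   /* answer in the first register */
        return true;
    default:
        return false;
    }
}

/* Bus access check: the secure world may touch every mapped region, the
 * non-secure world only non-secure ones; unmapped addresses are denied to both. */
bool bus_access_allowed(const struct core *c, uint64_t addr) {
    for (size_t i = 0; i < sizeof mem_map / sizeof mem_map[0]; i++) {
        const struct region *r = &mem_map[i];
        if (addr >= r->base && addr - r->base < r->size)
            return c->current == SECURE || r->owner == NONSECURE;
    }
    return false;
}

int main(void) {
    struct core c;
    core_init(&c, 0x80000000ULL, 0x90000000ULL);
    monitor_smc(&c, SMC_YIELD_TO_OTHER_WORLD);          /* RTOS yields the core */
    printf("world=%s pc=0x%llx secure RAM readable=%d\n",
           c.current == SECURE ? "secure" : "non-secure",
           (unsigned long long)c.live.pc,
           bus_access_allowed(&c, 0x80001000ULL));
    return 0;
}
```

The two properties worth checking against such a model are the ones the paper attributes to TrustZone partitioning: a register value written by the RTOS is not observable after the switch to the GPOS, and an address inside the secure region is refused while the core runs non-secure but accepted again once it has switched back.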