<div class='slidealt'>Virtualization solutions for heterogeneous <a title='ARMv7-ARMv8 virtualization open source solutions' href='/en/solutions'>ARM multicore systems</a></div> <div class='slidealt'>Virtualization research projects <a title='ARM multicore kvm open source' href='/en/research'>in cloud and embedded systems</a></div> <div class='slidealt'>KVM on ARMv7 and ARMv8 <a title='kvm-on-arm open source smu extensions' href='/en/solutions/guides/vfio-on-arm/'>IOMMU full virtualization</a></div> <div class='slidealt'>Benefit from custom <a title='kvm on arm services full virtualization' href='/en/services'>virtualization services</a></div> <div class='slidealt'>Experience kvm <a title='virtualization for embedded heterogeneous arm core platforms' href='/en/products'>virtualization extensions</a></div>

VOSySmonitor on Mediatek MT2712 Realizes Hypervisor-less Automotive eCockpit

Android Auto 9 In-Vehicle Infotainment and critical RTOS co-executed with VOSySmonitor on MT2712

VOSySmonitor on the Mediatek MT2712 Platform for Hypervisor-less Automotive eCockpit

VOSySmonitor is an ISO 26262 ASIL C certified safety-critical system partitioner built on ARM TrustZone that enables the concurrent execution of multiple operating systems with different levels of criticality. The innovative VOSySmonitor architecture splits the system in two main compartments, one for the safety critical and the other for standard applications, isolating them with the use of Arm TrustZone. Such isolation is of pivotal importance to provide security, with safety critical applications running fully protected (in a separate memory address space with tagged caches and isolated devices) from the standard applications. The VOSySmonitor software layer is positioned in the lowest level of the vehicle software stack (Arm monitor layer), providing strongest control on the system resources partitioning at best-in-class performance, while offering the most flexible system architecture.

VOSySmonitor is therefore the perfect solution for enabling the Automotive eCockpit next generation, where Vehicle information, entertainment, navigation, camera/video and device connectivity are being combined into displays, in modern vehicles without the cumbersome dependency of using expensive traditional type-1 hypervisors. Furthermore, VOSySmonitor does not impose any closed solution or dependent component and can be used in combination with open source technologies like Linux, Android, Automotive Grade Linux, etc., which allows to reduce costs by proposing a bottom-up solution, where Virtual Open Systems focuses on the isolation, safety and performances of critical resources.

  • Simplified virtualized electronic control units: VOSySmonitor enables the execution of multiple operating systems on the same platform with no performance overhead, reducing hardware and wiring costs, easing software maintenance and prototyping.
  • Highest security and safety: VOSySmonitor partitions the system resources isolating safety critical applications in a protected compartment. It is ISO 26262 ASIL C certified and supports security Trusted Execution Environment implementations, such for instance OPTEE.
  • Scalability and openness: VOSySmonitor provides a scaleable solution with increasing complexity from simple use cases (for instance with Linux running with an RTOS) to ADAS applications with a high number of operating systems working together.
VOSySmonitor on the Mediatek MT2712 Platform for Hypervisor-less Automotive eCockpit

Android Auto 9 IVI and critical RTOS co-execution with VOSySmonitor on Mediatek MT2712

VOSySmonitor benchmarked performances on Mediatek MT2712

This video showcases an use-case example of VOSySmonitor application, where an IVI system (Android Auto 9) and a safety critical Real-Time Operating System (FreeRTOS) are executed on a Mediatek MT2712 platform (2 Cortex-A72 and 4 Cortex-A35). The main goal of this demonstrator is to showcase the high performance of VOSySmonitor and the freedom from interference between the Safety critical RTOS and Android Auto 9. Indeed, it is important to notice that VOSySmonitor ensures full isolation of the safety critical domain even in case of failure on the Android OS side.

  • Safety critical domain - Fast boot: VOSySmonitor always starts the Safety critical domain first in order to meet stringent real-time constraints from the critical OS. It is important to notice that VOSySmonitor is a software layer that is executed before the Safety critical domain, which adds a small overhead in the full cold-boot time of the Safety critical domain compared to a native execution. However, VOSySmonitor has been developed to minimize this overhead as demonstrated with the hereinafter measurement; in fact the total cold-boot time is kept below 265ms, whichever the core selected by VOSySmonitor for scheduling the Safety critical OS (i.e., FreeRTOS): this value includes the VOSySmonitor setup time (corresponds to the execution time from the VOSySmonitor entry point to the FreeRTOS entry point), which is negligible at ~1ms.
  • Safety critical domain freedom from interference: The design goal of VOSYSmonitor is to give the full priority to the Safety critical domain assigned in the Secure world in order to meet the real-time constraints. This means that the Android workload has no or insignificant impact on the responsiveness of Safety critical domain as the FIQ latency benchmark can prove. Indeed, the FIQ latency impact (Average: 1,6µs to 4,3µs) observed by varying the Android workload is only due to the cache eviction performed by Android operations, which might impact data used by VOSySmonitor and slightly vary the context switch time. However, it is important to notice that the context switch time is faster enough to be negligible from the Safety critical RTOS point of view. As a matter of fact, FreeRTOS is scheduled with a tick period of 2ms in this demonstrator, so, it means that the VOSySmonitor overhead represents no more than 0,5% in the worst case scenario (i.e., Maximum context switch value = 10,18µs).
  • Android OS crash monitoring: VOSySmonitor is monitoring the Normal World execution to detect potential failures and to eventually inform the safety critical RTOS execution, running in the Secure world, about this failure. In addition, it is important to notice that VOSySmonitor ensures full isolation of the Safety Critical domain, therefore, the critical RTOS execution is not impacted by the crash of Android.
Item Description Performance results
Safety critical OS boot time Full boot time needed to enter in the Safety critical OS from a Power-On operation. 265ms (including 1ms of VOSySmonitor setup time)
Safety critical OS FIQ latency Overhead induced by VOSySmonitor context switch to forward an FIQ to Safety critical OS Average = 1,6µs - 4,33µs
Android AnTuTu benchmark Benchmarks for Android devices that test/stress several parts of a device and assigns a score
  • Native Android: 91201
  • Android with VOSySmonitor: 86367
Android Drhystone benchmark Computing benchmark (integer) that allows to measure the general CPU performance
  • Native Android: Avg=188,9ms
  • Android with VOSySmonitor: Avg=191,1ms
Non-critical domain IRQ latency IRQ latency of non-critical domain induced by prioritizing Safety critical domain execution
  • Native Normal world app: 4,33µs
  • Normal world app with VOSySmonitor: 4,33µs

VOSySmonitor benchmarked performances on Mediatek MT2712 platform

Vosysmonitor On Mt2712 Boosts Hypervisor-Less Ecockpit - Boot, Fiq/Irq Latency Benchmark VOSySmonitor on Mediatek MT2712 boosts hypervisor-less Automotive eCockpit - boot time, critical interrupt latency, andorid benchmarked superior performances