10 research outputs found

    Hardware IPC for a TrustZone-assisted Hypervisor

    Master's dissertation in Industrial Electronics and Computer Engineering.

    In this modern era ruled by technology and the IoT (Internet of Things), embedded systems have a ubiquitous presence in our daily lives. Although they differ from each other in their functionalities and end purpose, they all share the same basic requirements: safety and security. Whether in a non-critical system such as a smartphone, or a critical one, like an electronic control unit of any modern vehicle, these requirements must always be fulfilled in order to accomplish a reliable and trustworthy system. One well-established technology to address this problem is virtualization. It provides isolation by encapsulating each subsystem in separate Virtual Machines (VMs), while also enabling the sharing of hardware resources. However, these isolated subsystems may still need to communicate with each other. Inter-Process Communication is present in most OSes' stacks, representing a crucial part of them, which allows, through a myriad of different mechanisms, communication between tasks. In a virtualized system, Inter-Partition Communication mechanisms implement the communication between the different subsystems referenced above. TrustZone technology has been at the forefront of hardware-assisted security and it has been explored for virtualization purposes, since natively it provides separation between two execution worlds while enforcing, by design, different privilege to these execution worlds. LTZVisor, an open-source lightweight TrustZone-assisted hypervisor, emerged as a way of providing a platform for exploring how TrustZone can be exploited to assist virtualization. Its IPC mechanism, TZ-VirtIO, constitutes a standard virtual I/O approach for achieving communication between the OSes, but some overhead is caused by the introduction of the mechanism. Hardware-based solutions are yet to be explored with this solution, which could bring performance and security benefits while diminishing overhead. Attending to the reasons mentioned above, hTZ-VirtIO was developed as a way to explore the offloading of the software-based communication mechanism of the LTZVisor to hardware-based mechanisms.

    Portuguese abstract: Nowadays, when technology and the Internet of Things (IoT) dominate society, embedded systems are omnipresent in our daily lives, and although they may differ in their functionalities and end goals, they all share the same basic requirements. Whether a non-critical system, such as a smartphone, or a critical system, such as a control unit of a modern vehicle, these requirements must be met in order to obtain a reliable system. A well-established technology for solving this problem is virtualization. This approach provides isolation by encapsulating subsystems in separate virtual machines, as well as allowing hardware resources to be shared. However, these isolated subsystems may need to communicate with each other. Communication between tasks is present in most software stacks of any system and represents a crucial part of them. In a virtualized system, inter-partition communication mechanisms implement the communication between the different subsystems mentioned above. TrustZone technology has been at the forefront of hardware-assisted security and has been explored in the implementation of virtualized systems, since it natively allows the separation between two execution worlds while at the same time imposing, by design, different privileges on those execution worlds. LTZVisor, an open-source, low-overhead TrustZone-assisted hypervisor, emerged as a way of providing a platform that allows TrustZone to be explored as a technology for assisting virtualization. TZ-VirtIO, the communication mechanism of LTZVisor, constitutes a standard virtual I/O approach for enabling communication between the operating systems. However, the introduction of this mechanism imposes overhead on the hypervisor. Hardware-based solutions for TZ-VirtIO have not yet been explored, and they may bring performance and security benefits and reduce the overhead. Attending to the reasons mentioned above, hTZ-VirtIO was developed as a way to explore the migration of LTZVisor's software-based communication mechanism to hardware-based mechanisms.

    State of the Art of Hypervisors for FPGAs and Their Interference in Communication

    Summary (Spanish): With the exponential increase in the needs of both users and companies to increase the communication speed of their systems, developers have been forced to use FPGAs more and more. However, FPGAs turn out to be a very expensive and powerful component that, on many occasions, is not used to 100% of its capacity, so, with the aim of achieving economic savings (and since they allow it), FPGAs have begun to be virtualized. Virtualization is a fairly well-known technology, used both on desktop computers and on servers, and this same technology is now being carried over to ARM architectures, making it possible to install hypervisors on FPGAs. In this work, a study of the various hypervisors currently available on the market will be carried out, followed by the deployment of an XNG hypervisor on a ZYBO and an evaluation of the speeds of its network communications. The first part, collected in chapters 5 to 8, is a state of the art centred on virtualizers that includes a classification of them, together with a description of the different hypervisors and their corresponding classification. The second part, comprising chapters 9 to 10, contains a brief description of some of the hypervisors that can be used on ARM architectures. The third and last part of this work is found in chapter 11 and describes, firstly, how to install Linux on a ZYBO development board and, secondly, how to install the XNG hypervisor and a Linux partition on the same ZYBO board. This section also presents the measurements of the communication speeds for each of the scenarios and compares the results obtained.

    Summary (Basque): Since the needs of both users and companies to increase the communication speed of their systems have grown exponentially, developers have had to use more and more FPGAs. However, FPGAs are very expensive and powerful components, and often 100% of their usefulness is not extracted; therefore, with the aim of achieving economic savings (and since FPGAs allow it), FPGAs have begun to be virtualized. Virtualization is a fairly well-known technology, commonly used on desktop computers as well as on servers, and today this technology has begun to be brought to ARM architectures, making it possible to install hypervisors on FPGAs. In this work, a study of the hypervisors currently on the market will be presented, and then an XNG hypervisor will be set running on a ZYBO in order to evaluate the speeds of its network communications. The first part, from chapter 5 to chapter 8, is a state of the art focused on virtualizers, together with a classification of them, and also includes descriptions of the different hypervisors with their corresponding classification. The second part, in chapters 9 and 10, contains a brief description of some of the hypervisors that can be used on ARM architectures. Finally, the third and last part of this work is in chapter 11, and it first describes how Linux is installed on a ZYBO development board and, secondly, explains how to install the XNG hypervisor and a Linux partition on the same ZYBO board. In this section, the measurements of the communication speeds for each case are also presented, and the results obtained are compared.

    Abstract: With the exponential rise in the needs of both users and companies to increase the communication speed of their systems, developers have been forced to use more and more FPGAs. However, FPGAs turn out to be a very expensive and powerful element that, on many occasions, is not used to its full potential, so, in order to achieve economic savings (and since they allow it), FPGAs have begun to be virtualized. Virtualization is a well-known technology, commonly used in both desktop computers and servers, which is now being transferred to ARM architectures, making it possible to install hypervisors in FPGAs. In this paper, a study of the various hypervisors currently available on the market will be carried out, followed by the implementation of an XNG hypervisor on a ZYBO and an evaluation of its network communication speeds. The first part, contained in chapters 5 to 8, shows the state of the art mainly focused on virtualizers, including a classification of them, together with a description of the different hypervisors and their corresponding classification. The second part, comprising chapters 9 to 10, contains a brief description of some of the hypervisors that can be used on ARM architectures. The third and last part of this work is found in chapter 11 and describes, firstly, how to install Linux on a ZYBO development board and, secondly, how to install the XNG hypervisor and a Linux partition on the same ZYBO board. This section also presents the measurements of the communication speeds for each of the scenarios considered and compares the results obtained.

    Applying Hypervisor-Based Fault Tolerance Techniques to Safety-Critical Embedded Systems

    This document details the work conducted through the development of this thesis, and it is structured as follows:
    • Chapter 1, Introduction, has briefly presented the motivation, objectives, and contributions of this thesis.
    • Chapter 2, Fundamentals, exposes a series of concepts that are necessary to correctly understand the information presented in the rest of the thesis, such as the concepts of virtualization, hypervisors, or software-based fault tolerance. In addition, this chapter includes an exhaustive review and comparison between the different hypervisors used in scientific studies dealing with safety-critical systems, and a brief review of some works that try to improve fault tolerance in the hypervisor itself, an area of research that is outside the scope of this work, but that complements the mechanism presented and could be established as a line of future work.
    • Chapter 3, Problem Statement and Related Work, explains the main reasons why the concept of Hypervisor-Based Fault Tolerance was born and reviews the main articles and research papers on the subject. This review includes both papers related to safety-critical embedded systems (such as the research carried out in this thesis) and papers related to cloud servers and cluster computing that, although not directly applicable to embedded systems, may raise useful concepts that make our solution more complete or allow us to establish future lines of work.
    • Chapter 4, Proposed Solution, begins with a brief comparison of the work presented in Chapter 3 to establish the requirements that our solution must meet in order to be as complete and innovative as possible. It then sets out the architecture of the proposed solution and explains in detail the two main elements of the solution: the Voter and the Health Monitoring partition.
    • Chapter 5, Prototype, explains in detail the prototyping of the proposed solution, including the choice of the hypervisor, the processing board, and the critical functionality to be made redundant. With respect to the Voter, it includes prototypes for both the software version (the Voter is implemented in a virtual machine) and the hardware version (the Voter is implemented as IP cores on the FPGA).
    • Chapter 6, Evaluation, includes the evaluation of the prototype developed in Chapter 5. As a preliminary step, and given that there is no evidence in this regard, an exercise is carried out to measure the overhead involved in using the XtratuM hypervisor versus not using it. Subsequently, qualitative tests are carried out to check that Health Monitoring is working as expected, and a fault injection campaign is carried out to check the error detection and correction rate of our solution. Finally, a comparison is made between the performance of the hardware and software versions of the Voter.
    • Chapter 7, Conclusions and Future Work, is dedicated to collecting the conclusions obtained and the contributions made during the research (in the form of articles in journals, conferences, and contributions to projects and proposals in the industry). In addition, it establishes some lines of future work that could complete and extend the research carried out during this doctoral thesis.
    Doctoral Programme in Computer Science and Technology, Universidad Carlos III de Madrid. President: Katzalin Olcoz Herrero. Secretary: Félix García Carballeira. Member: Santiago Rodríguez de la Fuent

    Dynamic management of multiple operating systems in an embedded multi-core environment

    Finnish abstract: Modern embedded devices, such as smartphones, have grown into complex computer systems that at the same time offer both a rich user experience and real-time performance for lower-level devices such as a camera or a radio. Competition in the embedded systems market is fierce, especially in mobile devices sold to end users, which leads to the need to reduce device manufacturing costs without affecting device performance. The move to multi-core processors, which took place long ago in the desktop market, has recently begun to happen in embedded systems as well, whose challenge is constantly growing performance requirements on the one hand and strict limits on energy use on the other. However, multi-core processors do not deliver the desired performance increase if software development continues with the old practices intended for single-core processors. This work presents a system-level solution for the efficient use of the parallel computing power of multi-core processors. A solution named DynOS SPUMONE was developed, the basis of which is to use a lightweight virtualization layer to run different operating systems simultaneously on different cores of a multi-core processor as needed. The idea is to run, when necessary, programs that require real-time performance on their own core using a real-time operating system. The solution could be used to save on the manufacturing costs of embedded devices by removing the current need to use separate chips for running real-time applications. A prototype based on DynOS SPUMONE was also developed, verified and evaluated. The results of the work show that solutions based on DynOS SPUMONE can be implemented at very reasonable design cost without notable impact on the system's real-time performance.

    Modern embedded devices, such as smartphones, have grown into complex computer systems that provide a rich set of functionality for their users while still maintaining real-time responsiveness for their low-level functions such as radio communication or camera control. The embedded market is very competitive, especially in end-user mobile devices, making it desirable to reduce manufacturing costs without compromising device performance wherever possible. The ever-growing user demand for more computing-intensive applications coupled with tight energy budgets has led embedded manufacturers to seek performance gains from multi-core architectures, much like their desktop counterparts. However, multi-core architectures have little to provide in performance gains when used with applications developed with traditional software design methods that are aimed at single-core architectures. This thesis presents a system-level solution for effectively using the parallel computing power of multi-core processors. DynOS SPUMONE, a concept of using a lightweight virtualization layer to dynamically dispatch different OSes on different cores, was developed. The concept is to run real-time tasks, such as device control for peripherals, on real-time capable operating systems running on dedicated cores only when they are actually needed. This could be used to eliminate separate physical chips on the device, which would reduce manufacturing costs. A prototype implementation of DynOS SPUMONE was built, verified and evaluated. The results show that the DynOS SPUMONE concept is realizable with reasonable engineering costs and without significant drops in real-time performance.

    Enhancing the Automotive E/E Architecture Utilising Container-Based Electronic Control Units

    Over the past 40 years, with the advent of computing technology and embedded systems, such as Electronic Control Units (ECUs), cars have moved from solely mechanical control to predominantly digital control. Whilst improvements have been realised in terms of passenger safety and vehicle efficiency, there are several issues currently facing the automotive industry as a result of the rising number of ECUs. These include greater demands placed on power, increased vehicle weight, complexities of hardware and software, dependency on software, software life expectancy, ad-hoc methods concerning automotive software updates, and rising costs for the vehicle manufacturer and consumer. As the modern-day motor car enters the autonomous age, these issues are predicted to increase because there will be an even greater reliance on computing hardware and software technology to support these new driving functions. To address the issues highlighted above, a number of solutions that aid hardware consolidation and promote software reusability have been proposed. However, these depend on bespoke embedded hardware and there remains a lack of clearly defined mechanisms through which to update ECU software. This research moves away from these current practices and identifies many similarities between the datacentre and the automotive Electronic and Electrical (E/E) architecture, demonstrating that virtualisation technologies, which have provided many benefits to the datacentre, can be replicated within an automotive context. Specifically, the research presents a comprehensive study of the Central Processor Unit (CPU) and memory resources required and consumed to support a container-based ECU automotive function. The research reveals that lightweight container virtualisation offers many advantages. 
    A container-based ECU can promote consolidation and enhance the automotive E/E architecture through power, weight and cost savings, as well as enabling a robust mechanism to facilitate future software updates throughout the lifetime of a vehicle. Furthermore, this research demonstrates there are opportunities to adopt this new research methodology within both the automotive industry and, more broadly, industries that utilise embedded systems.

    System Support for Distributed Energy Management in Modular Operating Systems

    This thesis proposes a novel approach for managing energy in modular operating systems. Our approach enables energy awareness when the resource-management subsystem is distributed among multiple operating-system modules. There are four key achievements: a model for modularization-aware energy management; support for exposed and distributed energy accounting and allocation; the use of different energy-management interaction protocols; and, finally, support for the virtualization of energy effects.

    Real-Time Security in Critical Embedded Systems

    Satellites are real-time embedded systems and will be used more and more around the world. Having become essential for geolocation, meteorology and communications across the planet, these systems are increasingly in demand. Due to the influx of requests, the designers of these products are designing ever more complex hardware and software. Thanks to the evolution of terrestrial equipment, the aerospace field is turning to new technologies such as caches, multi-core processors and hypervisors. The integration of these new technologies brings new technical challenges. In effect, it is necessary to improve the performance of these systems while reducing the cost of manufacturing and the production time. One of the major advantages of these technologies is the possibility of reducing the overall number of satellites in space while increasing the number of operators. The software of multiple clients may today coexist in the same satellite. The ability to integrate multiple customers on the same satellite, together with the increasing complexity of the system, makes a number of malicious acts possible. These acts were once considered hypothetical. Having become a priority today, the study of the vulnerability of such systems has become a major concern. In this paper, we present as a first work a quick exploration of the field of malicious acts on onboard systems, and more specifically those carried out on satellite systems. Once the risk has been presented, we develop some particular points, such as the real-time problem. In this thesis we are particularly interested in the security of space hypervisors. We develop precisely two lines of research. The first axis is focused on the development of production techniques and the implementation of a control system for the temporal characteristics of a satellite. The objective is to adapt an existing system to the constraints of the new, highly complex systems. We confront the difficulty of measuring the temporal characteristics of software running on a satellite system. For this we use an optimization method called dynamic analysis with a genetic algorithm. Based on trends, it can automatically search for the worst-case execution time of a given function. The second axis improves the technical knowledge of a satellite in operation and enables decision making in case of a malicious act. We propose specifically a physical solution to detect anomalies in the management of the satellite's internal memory. Indeed, memory is an essential component of system operation, and its properties common to all clients make it particularly vulnerable to malicious acts. Also, knowing the number of memory accesses enables better scheduling and better predictability of a real-time system. Our component allows the detection and interpretation of a potential attack or dependability problem. The work puts in evidence the complementarity of the two proposed works. Indeed, the number of memory accesses can be measured via a genetic algorithm whose shape is similar to the program seeking the worst-case execution time. So we can extend our work of the first part with the second.

    French abstract: The growth of information flows across the world is responsible for a significant use of real-time embedded systems, notably in the field of satellites. The presence of these systems has become indispensable for geolocation, meteorology and communications. The strong increase in the volume of this equipment, driven by the influx of demand, is at the origin of its growing complexity. Thanks to the evolution of terrestrial hardware, the aerospace field is turning to new technologies such as caches, multi-cores and hypervisors. The integration of these new technologies goes hand in hand with new technical challenges. The need to improve the performance of these systems induces the need to reduce the manufacturing cost and the production time. The resulting technological solutions bring, for the most part, advantages in reducing the overall number of satellites for a constant need. The density of information processed is in parallel increased by the rise in the number of operators for each satellite. Indeed, several clients may be granted all or part of the same satellite. Integrating the products of several clients on the same embedded platform makes it vulnerable. Increasing the complexity of the system thus makes a certain number of malicious acts possible. This issue, once merely hypothetical, is today becoming a major subject in the aerospace field. This document presents, as a first exploratory work, an overview of malicious acts on embedded systems, and in particular those carried out on satellite systems. Once the risk has been set out, I develop the real-time problem. In this thesis I am more precisely interested in the security of space hypervisors. I develop in particular two lines of research. The first concerns the evolution of production techniques and the setting up of a system for controlling the temporal characteristics of a satellite. The second axis improves technical knowledge of a satellite in operation and enables decision making in the event of a malicious act. I propose more particularly a physical solution that makes it possible to detect an anomaly in the management of the satellite's internal memories. Indeed, memory is an essential component of the system's operation, and its properties common to all clients make it particularly vulnerable. Moreover, knowing the number of memory accesses allows better scheduling and better prediction of a real-time system. Our component allows the detection and interpretation of a potential attack or a dependability problem. This thesis highlights the complementarity of the two proposed works. Indeed, the number of memory accesses can be measured via a genetic algorithm whose form is equivalent to the program seeking the worst-case execution time. It is finally possible to extend our work from the first part to the second.

    Virtualization of Embedded Real-Time Systems in Multi-Core Operation for Partitioning Safety-Relevant Vehicle Software

    German abstract: In recent years the automotive industry has recorded an enormous growth in new electrical and electronic vehicle functions. This simultaneously leads to an increase in the software volume of embedded systems. Non-functional requirements such as safety, performance, reliability and maintainability pose additional challenges for the development of future vehicle systems. To reduce the number of control units, vehicle functions are to be consolidated on shared integration control units. System virtualization can represent a purposeful approach to easing software migration to integration control units while at the same time meeting the isolation demands of new safety standards. This work focuses on the partitioning of safety-relevant vehicle functions on a shared hardware platform. Using methods for the evaluation of social networks, a graph-based approach is presented for estimating the partitionability of software networks with safety-relevant portions. To realize the system partitioning, a methodology for selecting the most suitable kernel architecture is introduced. In it, potential technical solution concepts are derived within a tree structure from selected non-functional properties and assessed from an engineering standpoint. Building on this, a hypervisor for embedded real-time systems from the company ETAS Ltd. is evaluated. In order to assess the cost of an additional hypervisor layer, run-time measurements are carried out in this context. The effects of an additional virtualization layer on vehicle software systems with regard to fulfilling selected non-functional properties are thus shown. The connection of virtualized systems to the communication interfaces of the hypervisor represents a further focus. Virtual control units continue to exchange data over already implemented communication channels and access shared hardware resources. A concept is therefore introduced for decoupling safety-relevant parts of the AUTOSAR Microcontroller Abstraction Layer. For this, the hypervisor itself is extended at relevant points and a reliable communication concept is implemented. A demonstrator set-up for consolidating productive vehicle software on a shared hardware platform finalizes the work. For this purpose, independent software versions are paravirtualized. As a summary of the work, the reader obtains a technical overview of both the added value and the cost of paravirtualized vehicle platforms integrated on very small control units.

    Within the automotive industry, electric and electronic functionality has been rising rapidly over the last few years. This yields an increase in the software functionality of embedded systems within the car. Non-functional requirements like safety, performance, reliability or maintainability represent additional challenges for future vehicle system development. Vehicle functionality is consolidated on common hardware platforms to reduce the number of electronic control units. System virtualization can act as a proper approach to ease the migration of different vehicle applications to a consolidated system and to achieve additional demands for functional isolation. This thesis focuses on the partitioning of safety-related automotive applications on a common hardware platform. To assess the partitioning of safety-related automotive systems, methods for social network evaluation with a graph-oriented approach are proposed. For realizing the system partitioning, a decision-making model is introduced, which results in the most appropriate kernel architecture. From a chosen set of non-functional requirements, technical solutions are derived and rated from a tree structure. As a result, a hypervisor for embedded real-time systems, supplied by ETAS Ltd., is evaluated. For that purpose, timing measurements are performed to estimate the costs of virtual electronic control units. The impact of an additional virtualization layer for automotive software systems on achieving non-functional requirements is analyzed. A further main focus is the integration of virtualized systems with the communication interfaces of the hypervisor. Virtual ECUs further exchange information over already implemented communication channels and use common hardware resources. Thus, a concept to decouple the safety-related parts of the AUTOSAR Microcontroller Abstraction Layer is introduced. The hypervisor itself is enhanced with a reliable communication concept. A demonstrator to consolidate already productive automotive applications on a common hardware platform finalizes the work. Here, independent software parts are paravirtualized. This thesis concludes with a technical overview of the benefits and costs of integrating paravirtualized electronic control units on less capable hardware platforms.

    Hypervisors for Consumer Electronics

    Abstract—Virtualization, well established in enterprise computing, is finding its way into embedded systems. However, the use cases differ dramatically between the domains, and this results in significant differences in the requirements on the virtual-machine technology. This paper examines a number of typical virtualization use cases from the CE domain, and the resulting requirements imposed on the hypervisor. We find that enterprise-style hypervisors are ill-matched to the requirements of the embedded domain, which are characterised by low-overhead communication, real-time capability, small memory footprint, small trusted computing base, and fine-grained control over security. We present the OKL4 hypervisor, a member of the L4 microkernel family, designed for embedded-systems use. We outline OKL4's relevant properties with an emphasis on its security mechanisms, and compare its performance to a version of Xen that has recently been promoted for CE use. We conclude that OKL4 is superior to enterprise-style hypervisors for use in CE devices.