435 research outputs found
Applying Hypervisor-Based Fault Tolerance Techniques to Safety-Critical Embedded Systems
This document details the work conducted through the development of this thesis, and it
is structured as follows:
• Chapter 1, Introduction, has briefly presented the motivation, objectives, and contributions
of this thesis.
• Chapter 2, Fundamentals, exposes a series of concepts that are necessary to correctly
understand the information presented in the rest of the thesis, such as the
concepts of virtualization, hypervisors, or software-based fault tolerance. In addition,
this chapter includes an exhaustive review and comparison between the different
hypervisors used in scientific studies dealing with safety-critical systems, and a
brief review of some works that try to improve fault tolerance in the hypervisor itself,
an area of research that is outside the scope of this work, but that complements
the mechanism presented and could be established as a line of future work.
• Chapter 3, Problem Statement and Related Work, explains the main reasons why
the concept of Hypervisor-Based Fault Tolerance was born and reviews the main
articles and research papers on the subject. This review includes both papers related
to safety-critical embedded systems (such as the research carried out in this thesis)
and papers related to cloud servers and cluster computing that, although not directly
applicable to embedded systems, may raise useful concepts that make our solution
more complete or allow us to establish future lines of work.
• Chapter 4, Proposed Solution, begins with a brief comparison of the work presented
in Chapter 3 to establish the requirements that our solution must meet in order to
be as complete and innovative as possible. It then sets out the architecture of the
proposed solution and explains in detail the two main elements of the solution: the
Voter and the Health Monitoring partition.
• Chapter 5, Prototype, explains in detail the prototyping of the proposed solution,
including the choice of the hypervisor, the processing board, and the critical functionality
to be redundant. With respect to the voter, it includes prototypes for both
the software version (the voter is implemented in a virtual machine) and the hardware
version (the voter is implemented as IP cores on the FPGA).
• Chapter 6, Evaluation, includes the evaluation of the prototype developed in Chapter
5. As a preliminary step and given that there is no evidence in this regard, an
exercise is carried out to measure the overhead involved in using the XtratuM hypervisor
versus not using it. Subsequently, qualitative tests are carried out to check that
Health Monitoring is working as expected and a fault injection campaign is carried
out to check the error detection and correction rate of our solution. Finally, a comparison
is made between the performance of the hardware and software versions of
Voter.
• Chapter 7, Conclusions and Future Work, is dedicated to collect the conclusions
obtained and the contributions made during the research (in the form of articles in
journals, conferences and contributions to projects and proposals in the industry).
In addition, it establishes some lines of future work that could complete and extend
the research carried out during this doctoral thesis.Programa de Doctorado en Ciencia y TecnologĂa Informática por la Universidad Carlos III de MadridPresidente: Katzalin Olcoz Herrero.- Secretario: FĂ©lix GarcĂa Carballeira.- Vocal: Santiago RodrĂguez de la Fuent
Hardware IPC for a TrustZone-assisted Hypervisor
Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresIn this modern era ruled by technology and the IoT (Internet of Things),
embedded systems have an ubiquitous presence in our daily lives. Although they
do differ from each other in their functionalities and end-purpose, they all share the
same basic requirements: safety and security. Whether in a non-critical system
such as a smartphone, or a critical one, like an electronic control unit of any
modern vehicle, these requirements must always be fulfilled in order to accomplish
a reliable and trust-worthy system.
One well-established technology to address this problem is virtualization. It
provides isolation by encapsulating each subsystem in separate Virtual-Machines
(VMs), while also enabling the sharing of hardware resources. However, these
isolated subsystems may still need to communicate with each other. Inter-Process
Communication is present in most OSes’ stacks, representing a crucial part of
it, which allows, through a myriad of different mechanisms, communication be-
tween tasks. In a virtualized system, Inter-Partition Communication mechanisms
implement the communication between the different subsystems referenced above.
TrustZone technology has been in the forefront of hardware-assisted security
and it has been explored for virtualization purposes, since natively it provides sep-
aration between two execution worlds while enforcing, by design, different privi-
lege to these execution worlds. LTZVisor, an open-source lightweight TrustZone-
assisted hypervisor, emerged as a way of providing a platform for exploring how
TrustZone can be exploited to assist virtualization. Its IPC mechanism, TZ-
VirtIO, constitutes a standard virtual I/O approach for achieving communication
between the OSes, but some overhead is caused by the introduction of the mech-
anism. Hardware-based solutions are yet to be explored with this solution, which
could bring performance and security benefits while diminishing overhead.
Attending the reasons mentioned above, hTZ-VirtIO was developed as a way
to explore the offloading of the software-based communication mechanism of the
LTZVisor to hardware-based mechanisms.Atualmente, onde a tecnologia e a Internet das Coisas (IoT) dominam a so-
ciedade, os sistemas embebidos sĂŁo omnipresentes no nosso dia-a-dia, e embora
possam diferir entre as funcionalidades e objetivos finais, todos partilham os mes-
mos requisitos básicos. Seja um sistema nĂŁo crĂtico, como um smartphone, ou
um sistema crĂtico, como uma unidade de controlo de um veĂculo moderno, estes
requisitos devem ser cumpridos de maneira a se obter um sistema confiável.
Uma tecnologia bem estabelecida para resolver este problema Ă© a virtualiza-
ção. Esta abordagem providencia isolamento através do encapsulamento de sub-
sistemas em máquinas virtuais separadas, além de permitir a partilha de recursos
de hardware. No entanto, estes subsistemas isolados podem ter a necessidade de
comunicar entre si. Comunicação entre tarefas está presente na maioria das pilhas
de software de qualquer sistema e representa uma parte crucial dos mesmos. Num
sistema virtualizado, os mecanismos de comunicação entre-partições implementam
a comunicação entre os diferentes subsistemas mencionados acima.
A tecnologia TrustZone tem estado na vanguarda da segurança assistida por
hardware, e tem sido explorada na implementação de sistemas virtualizados, visto
que permite nativamente a separação entre dois mundos de execução, e impondo
ao mesmo tempo, por design, privilégios diferentes a esses mundos de execução. O
LTZVisor, um hypervisor em cĂłdigo-aberto de baixo overhead assistido por Trust-
Zone, surgiu como uma forma de fornecer uma plataforma que permite a explo-
ração da TrustZone como tecnologia de assistência a virtualização. O TZ-VirtIO,
mecanismo de comunicação do LTZVisor, constitui uma abordagem padrão de
E/S virtuais, para permitir comunicação entre os sistemas operativos. No entanto,
a introdução deste mecanismo provoca sobrecarga sobre o hypervisor. Soluções
baseadas em hardware para o TZ-VirtIO ainda nĂŁo foram exploradas, e podem
trazer benefĂcios de desempenho e segurança, e diminuir a sobrecarga.
Atendendo às razões mencionadas acima, o hTZ-VirtIO foi desenvolvido como
uma maneira de explorar a migração do mecanismo de comunicação baseado em
software do LTZVisor para mecanismos baseados em hardware
MCS-IOV : Real-time I/o virtualization for mixed-criticality systems
In mixed-criticality systems, timely handling of I/O is a key for the system being successfully implemented and functioning appropriately. The criticality levels of functions and sometimes the whole system are often dependent on the state of the I/O. An I/O system for a MCS must provide simultaneously isolation/separation, performance/efficiency and timing-predictability, as well as being able to manage I/O resource in an adaptive manner to facilitate efficient yet safe resource sharing among components of different criticality levels. Existing approaches cannot achieve all of these requirements simultaneously. This paper presents a MCS I/O management framework, termed MCS-IOV. MCS-IOV is based on hardware assisted virtualisation, which provides temporal and spatial isolation and prohibits fault propagation with small extra overhead in performance. MCS-IOV extends a real-time I/O virtualisation system, by supporting the concept of mixed criticalities and customised interfaces for schedulers, which offers good timing-preditability. MCS-IOV supports I/O driven criticality mode switch (the mode switch can be triggered by detection of unexpected I/O behaviors, e.g., a higher I/O utilization than expected) and timely I/O resource reconfiguration up on that. Finally, We evaluated and demonstrate MCS-IOV in different aspects
VOSYSmonitor, a Low Latency Monitor Layer for Mixed-Criticality Systems on ARMv8-A
With the emergence of multicore embedded System on Chip (SoC), the integration of several applications with different levels of criticality on the same platform is becoming increasingly popular. These platforms, known as mixed-criticality systems, need to meet numerous requirements such as real-time constraints, Operating System (OS) scheduling, memory and OSes isolation.
To construct mixed-criticality systems, various solutions, based on virtualization extensions, have been presented where OSes are contained in a Virtual Machine (VM) through the use of a hypervisor. However, such implementations usually lack hardware features to ensure a full isolation of other bus masters (e.g., Direct Memory Access (DMA) peripherals, Graphics Processing Unit (GPU)) between OSes. Furthermore on multicore implementation, one core is usually dedicated to one OS, causing CPU underutilization.
To address these issues, this paper presents VOSYSmonitor, a multi-core software layer, which allows the co-execution of a safety-critical Real-Time Operating System (RTOS) and a non-critical General Purpose Operating System (GPOS) on the same hardware ARMv8-A platform.
VOSYSmonitor main differentiation factors with the known solutions is the possibility for a processor to switch between secure and non-secure code execution at runtime. The partitioning is ensured by the ARM TrustZone technology, thus allowing to preserve the usage of virtualization features for the GPOS.
VOSYSmonitor architecture will be detailed in this paper, while benchmarking its performance versus other known solutions
The Road towards Predictable Automotive High-Performance Platforms
Due to the trends of centralizing the E/E architecture and new computing-intensive applications, high-performance hardware platforms are currently finding their way into automotive systems. However, the SoCs currently available on the market have significant weaknesses when it comes to providing predictable performance for time-critical applications. The main reason for this is that these platforms are optimized for averagecase performance. This shortcoming represents one major risk in the development of current and future automotive systems. In this paper we describe how high-performance and predictability could (and should) be reconciled in future HW/SW platforms. We believe that this goal can only be reached in a close collaboration
between system suppliers, IP providers, semiconductor companies, and OS/hypervisor vendors. Furthermore, academic input will be needed to solve remaining challenges and to further improve initial solutions
- …