Fig 1 - uploaded by Tatsuo Nakajima
Content may be subject to copyright.
Source publication
A virtualization layer makes it possible to compose multiple functionalities on a multi-core processor with minimum modifications of OS kernels and applications. A multi-core processor is a good candidate to compose various software independently developed for dedicated processors into one multi-core processor to reduce both the hardware and develo...
Context in source publication
Context 1
... processors are being increasingly adopted for embedded systems because they improve performance, power consumption and lower development cost. Composing multiple operating systems on a multi-core processor enhances the reusability of software when developing rich functional information appliances. Multiple OS environments enable the product to use two versions of an operating system at the same time. In order to build multiple OS environments, a virtualization layer specialized for embedded systems is necessary 1 , since most of processors for embedded systems support only two protection levels, and there is no hardware support for virtualization. In traditional approaches, an OS kernel runs at the user level to isolate the respective OS kernels to increase reliability, but this approach requires heavy modifications to the guest OSes if there is no proper hardware virtualization support that rarely exists in embedded systems. Therefore existing virtualization solutions are not preferred by the embedded system industry. In [1], Armand and Gien present several requirements for a virtualization layer to be suitable for embedded systems: i. It should run an existing operating system and its supported applications in a virtualized environment, such that modifications required to the operating system are minimized (ideally none), and performance overhead is as low as possible. ii. It should be straightforward to move from one version of an operating system to another one; this is especially important to keep up with frequent Linux evolutions. iii. It should reuse native device drivers from their existing execution environments with no modification. iv. It should support existing legacy often real-time operating systems and their applications while guaranteeing their deterministic real-time behavior. Our project is developing SPUMONE, which is a virtualization layer for multi-core processor-based embedded systems. SPUMONE assumes to use an SMP(Symmetric Multiprocessing)-based multi-core processor, and each core has a core-local memory. Thus, it is easy to share code and data from all cores, but each core can keep some code and data secretly in a core-local memory. SPUMONE uses the characteristics to implement the spatial isolation. SPUMONE satisfies the above requirements, and currently focuses on achieving the following four goals. i. Mapping of virtual cores on physical cores dynamically to balance the tradeoff among real-time constraints, performance and energy consumption. ii. Reducing interrupt latency without degrading real-time performance in a single and multi-core processor. iii. Isolating RTOS from GPOS without executing guest OSes in user space. iv. Detecting integrity violations in OS kernels, and repairing them by rebooting the kernels independently. The rest of the paper is structured as follows. In Section II, we present why we need a virtualization layer. Section III shows the basic architecture of SPUMONE. In Section IV, we describe how SPUMONE supports the temporal isolation, and how it supports the spatial isolation in Section V. In Section VI, we present a mechanism to enhance the security and reliability of the guest OS. Finally, Section VII concludes the paper. The section presents three advantages to use the virtualization layer in embedded systems. Fig. 1 shows the first advantage of the virtualization layer. Embedded systems usually include control processing like mechanical motor control, wireless communication control or chemical control. Using software enables us to adopt a more flexible control strategy, so recent advanced embedded systems contain microprocessors for implementing flexible control strategies. On the other hand, recent embedded systems need to process various information for supporting better human decision making. Therefore, recent embedded systems contain both control and information processing functionalities. In traditional embedded systems, dedicated processors are assigned for respective processing. A multi-core processor offers a possibility to combine these multiple processing on a single processor. Fig.1 shows that both control and information processing runs on a virtualization layer that is executed on a single processor. This approach requires less processors and reduces the cost of embedded systems. Fig.2 shows the second advantage that a virtualization layer makes it possible to reuse existing software. In the left figure, three existing independently developed software are integrated in a single system. The virtualization layer allows the software to be integrated with minimum modification. In the left figure, OS independent services can be continuously used even when an OS personality that implements user interface is changed ex. from Symbian to Android. The OS personality needs to be changed according to various business reasons. If additional software developed by an embedded system company is implemented as OS independent services, the software needs not to be ported on a new OS personality. Also, introducing virtualization layer in embedded systems offers additional advantages. For example, proprietary device drivers can be mixed with GPL codes without license violation. This solves various business issues when adopting Linux in embedded systems. requires to modify the OS kernel to manage heterogeneous resources. The virtualization layer makes it possible to hide the heterogeneity from OS. Thus, unmodified OS can be used on a heterogeneous multi-core processor. There are several traditional approaches to execute multiple operating systems on a single processor in order to compose multiple functionalities. Microkernels and virtual machine monitors execute guest OS kernels at the user level. When using microkernels, various privileged instructions, traps and interrupts in the OS kernel need to be virtualized by replacing their codes. Also, since OS kernels are to be executed as user level tasks, application tasks need to communicate with the operating system kernel via inter-process communication. Therefore, a significant amount of the operating system needs to be modified. Virtual machine monitors are another approach to execute multiple operating systems. If a processor offers hardware virtualization support, all instructions that need to be virtualized trigger traps to the virtual machine monitor. This makes it possible to use any OSes without any modification. But if the hardware virtualization support is incomplete, some instructions still need to be complemented by replacing some code to virtualize them. Most of processors used for embedded systems only have two protection levels, and MMU cannot usually be used in the privileged level. So, when OS kernels are located in the privileged level, they are hard to isolate. On the other hand, if the OS kernels are located in the user level, the kernels need to be modified significantly. Most of embedded system industries prefer not to modify a large amount of the OSes' code, so it is desirable to put them in the privileged level. Also, the virtualization of MMU requires significant overhead if the virtualization is implemented by software. Therefore, we need alternative mechanisms to reduce the engineering cost, to ensure the reliability of the kernels and to exploit some advanced characteristics of multi-core processors. We believe that the following three issues are serious problems, when a guest OS is implemented in the user level. i. The user level OS implementation requires heavy modification of the OS kernel. ii. Emulating an interrupt disabling instruction is very expensive if the instruction cannot be replaced. iii. Emulating a device access instruction is very expensive if the instruction cannot be replaced. In a typical RTOS, both the kernel and application codes are executed in the same address space. Embedded systems have dramatically increased their functionalities in every new product. For reducing the development cost, the old version of application codes should be reused and extended in an ad-hoc way. The limitation of hardware resources is always the most important issue to reduce the product cost. Therefore, the application codes sometimes use very ad-hoc programming styles. For example, application codes running on RTOS usually contain many ...
Similar publications
We consider the problem of managing a 5G network composed of virtualized entities, called Reusable Functional Blocks (RFBs), as proposed by the Horizon 2020 SUPERFLU-IDITY project. The RFBs are used to decompose network functions and services, and are deployed on top of physical nodes, in order to realize the 5G functionalities. After formally mode...
Citations
... Microkernels [17] can isolate guest OSes running upon them, but have significant impact on performance and need a great amount of modifications on the guest OSes. On the other hand, embedded hypervisors sometimes do not provide the isolation between VMs in performance-sensitive designs, such as SPUMONE [18]. Some approaches [19] [20] providing the isolation with the same method in traditional hypervisors cause visible overhead to VMs, and extra methods are needed to reduce overhead, such as importing hardware virtualization extensions [21]. ...
The Limited Local Memory (LLM) machine architecture is proposed to improve the security on a multi-core processor with a small trusted computing base (TCB). It uses one privileged core's local memory for executing detection tools to monitor the state of a target OS running on other cores, depending on isolation of the privileged core to ensure the reliability of the detection tools. It has some characteristics fitting embedded systems, such as causing little overhead, a small TCB and requiring minimal modification on the target OS. However, in current research, the LLM architecture was only emulated in QEMU, a virtual machine monitor, and assumed a limited and somehow big space of the local memory that may rarely be equipped on embedded processors. In this paper, we apply this method to a real embedded platform with a LLM-similar hardware configuration, but equipped with a much smaller local memory. Firstly, we propose design details to apply our system to a local memory with such a small size. Then we evaluate the influence that this method would cause to the detection tools and present some hardware recommendations to make the LLM architecture more applicable on real processors. Our research can illustrate the efficiency of the LLM architecture and generalize the application of it for embedded systems by reducing the size requirement on the local memory.
... The second issue is also a big problem because executing guest OS kernels in virtual address spaces requires significant modification on them. vlk proposes a technique to solve the first issue presented in Section 4 and the second issue is presented in [10]. ...
... In the original project of vlk, named SPUMONE, we provided optional spacial protection mechanism between guest OSes with the method named secure pager mainly for the security purpose [10]. With the secure pager, invalid behavior of one guest OS which cause malicious memory rewriting can be detected with low runtime overhead. ...
In this paper, we introduce a lightweight processor abstraction layer named SPUMONE. SPUMONE provides virtual CPUs for respective guest OSes, and schedules them according to their priorities. In a typical case, SPUMONE schedules Linux with a low priority and an RTOS with a high priority. We first discuss why the traditional virtual machine monitor design is not appropriate for embedded systems, and how the features of SPUMONE allow us to design modern complex embedded systems with less efforts. Then, we describe two features of SPUMONE for the real-time resource management. SPUMONE also offers a novel mechanism to protect a critical component from malicious programs injected into the GPOS kernel.
... When RTOS consumes the time of f (0 ≤ f < 1) on one pCPU, Linux should exploit the rest of CPU resources: 4 − f (When f = 1, which means RTOS never yields pCPU, the rest of CPU resources is not equal to 3. Because this is the same as the situation when 1 CPU stops execution suddenly from the perspective of Linux). The line of the ideal score is calculated as: I( f ) = S 1 4− f where f means the CPU consumption rate of RTOS and S 1 means the score of Linux dominating one core. hackbench has enough parallelism, therefore we predicted that the score might be linear according to the CPU consumption rate of RTOS. ...
The capability of real-time resource management in the Linux kernel is dramatically improving due to the effective contribution of the real-time Linux commu-nity. However, to develop commercial products cost-effectively, it must be possible to re-use existing real-time applications from other real-time OSes whose OS API differs significantly from the POSIX interface. A virtual machine monitor that executes multiple oper-ating systems simultaneously is a promising solution, but existing virtual machine monitors such as Xen and KVM are hard to used for embedded systems due to their complexities and throughput oriented designs. In this paper, we introduce a lightweight processor abstrac-tion layer named SPUMONE. SPUMONE provides vir-tual CPUs (vCPUs) for respective guest OSes, and schedules them according to their priorities. In a typical case, SPUMONE schedules Linux with a low priority and an RTOS with a high priority. The important fea-tures of SPUMONE are the exploitation of an interrupt prioritizing mechanism and a vCPU migration mech-anism that improves real-time capabilities in order to make the virtualization layer more suitable for embed-ded systems. We also discuss why the traditional virtual machine monitor design is not appropriate for embed-ded systems, and how the features of SPUMONE allow us to design modern complex embedded systems with less efforts.
The Internet of Things (IoT) comprises billions of Internet-connected devices (ICD) or "things", each of which can sense, communicate, compute, and potentially actuate and can have intelligence, multimodal interfaces, physical/virtual identities, and attributes. Cyber-assurance is the justified confidence that networked systems are adequately secure to meet operational needs, even in the presence of attacks, failures, accidents, and unexpected events. The cyber-assurance recognition strategy is to define only the service-level interfaces and leave out domain-specific implementation details. Once the recognition of a cyber-attack has been identified from the recognition process, the fortification process takes place. Reestablishment is a means to return the ICDs to its operational condition after the cyber-attack through remapping to a different route since the ICD was under attack. When the IoT technologies are used as part of mission critical systems, the IoT services should be survivable in order to support the important missions.
Industrial systems currently include not only control processing with real-time operating system (RTOS) but also information processing with general-purpose operating system (GPOS). Multicore-based virtualization is an attractive option to provide consolidated environment when GPOS and RTOS are put in service on a single hardware platform. Researches on this technology have predominantly focused on the schedulability of RTOS virtual machines (VMs) by completely dedicated physical-CPUs (pCPUs) but have rarely considered parallelism or the throughput of the GPOS. However, it is also important that the multicore-based hypervisor adaptively selects pCPU assignment policy to efficiently manage resources in modern industrial systems. In this paper, we report our study on the effects of dynamic isolation when two mixed criticality systems are working on one platform. Based on our investigation of mutual interferences between RTOS VMs and GPOS VMs, we found explicit effects of dynamic isolation by special events. While maintaining low RTOS VMs scheduling latency, a hypervisor should manage pCPUs assignment by event-driven and threshold-based strategies to improve the throughput of GPOS VMs. Furthermore, we deal with implicit negative effects of dynamic isolation caused by the synchronization inside a GPOS VM, then propose a process of urgent boosting with dynamic isolation. In experimental evaluation with benchmarks and an automotive digital cluster application for RTOS and GPOS in KVM we analyzed that proposed dynamic isolation guarantees soft real-time operations for RTOS tasks while improving the throughput of GPOS tasks on a virtualized multicore system.
Embedded software has become a major concern in current embedded systems. Recent embedded products include dynamic software features that are driven by the users' needs. Still, real-time applications are required to execute along non real-time applications as both of them can be part of a bigger and more complex software system. Virtualization has emerged as a feasible technique for embedded systems as it provides more secure platforms, improves software design quality and reduces costs. Nevertheless, real-time and memory constraints require the development of different techniques from those widely applied to enterprise computing. However, distinguished vendors have designed virtualization extensions for their processors and a few manufacturers have adopted them. This work presents a hypervisor implementation approach with real-time support to the MIPS M5150 processor which supports hardware-assisted virtualization. The results show that the implementation allows full-virtualization and communication among virtual machines with minimal overhead while providing strong spatial and temporal isolation between virtual machines.
Virtualization has emerged as a feasible technique for Embedded Systems, providing safer platforms, improving design quality and reducing manufacturing costs. However, its inherit overhead still prevent its wide adoption. Most of the current attempts use the para-virtualization technique that imposes the cost of performing comprehensive changes in the guest OS. We propose the adoption of full-virtualization for MPSoCs, where no guest OS changes are required and, in order to reduce known virtualization overheads, we propose some hardware modifications to a MIPS-based architecture. We conducted experiments that demonstrate our proposal by comparing its processing and communication overheads against a non-virtualized solution.
When a real-time OS (RTOS) and a symmetric multiprocessing general purpose OS (SMP GPOS) are executed on the same multicore processor, there is a possibility to cause the lock holder preemption (LHP) problem, which is a well known problem of the sources of the performance degradation on an SMP GPOS. The problem occurs when a kernel mode thread holding a lock in a SMP GPOS is preempted by other OSes if these OSes share the same physical core. The existing solution does not take into account real-time responsiveness so it is not suitable to use in embedded systems. The paper proposes two new techniques to avoid the LHP problem for ensuring both the real-time responsiveness of real-time OS and the high throughput of SMP GPOS. The new proposed techniques have been implemented on our virtualization layer called SPUMONE, and we measured the results showing that the proposed new techniques reduce the LHP problem without degrading the real-time responsiveness.
