Virtualization in Automotive Embedded Systems: an Outlook
2 likes4,408 views
This document discusses virtualization in automotive embedded systems. It outlines the increasing complexity of automotive electrical/electronics systems and how virtualization could help address this. The document covers different virtualization technologies and outlines some potential use cases for virtualization in automotive systems, such as running heterogeneous operating systems, improving security of critical systems, and safety-critical redundancy. It also discusses some limitations of virtualization related to real-time performance and technical challenges. In conclusion, the document states that virtualization is a mature technology that could provide benefits to automotive, but real-time behavior of virtualized systems needs to be verified.
![Proliferation of ECUs
raises problems!
50
Number of ECUs (CAN/MOST/LIN)
45
40
35
30
25
20
15 Mercedes-Benz
BMW
10
Audi
5 VW
0
1986 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008
Year Graphics on this page from [3]
Lexus LS430 has more than 100 ECUs [9]
© 2010 RTaW / PSA / Freescale - 5](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-5-320.jpg)
![Possible upcoming architectures
in two car generations
Fewer ECUs but more powerful
– Multi-core μ-controller
– Multi-source software
– Autosar OS strong protection mechanisms
– Virtualization ?
– ISO2626-2 dependability standard
Backbone :
– CAN 500Kbit/s with offsets
– FlexRay™ : 10 Mbit/s
– Ethernet ?
How centralized is unsure
because of carry‐over ..
FlexRay™ as backbone at BWM in a few years [8]
© 2010 RTaW / PSA / Freescale - 7](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-7-320.jpg)
![Virtualization basics
Executing software on virtual machines
decoupled from the real HW
– Virtual Machine: software that executes software like a physical machine
– (System) VM contains an OS
– HW resources can be shared between VMs : role of hypervisor
Strong isolation
between VMs : security
and fault‐confinement are
the primary motivations
Picture from [2]
© 2010 RTaW / PSA / Freescale - 9](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-9-320.jpg)
![Classification of virtualization schemes [3]
Virtualization
Emulation Native
Hypoth. Real Full Para-
Machine Machine Virtua. virtua.
eg. JVM eg. Bochs eg. Z/VM eg. Xen, Sysgo,
Wind River
© 2010 RTaW / PSA / Freescale - 10](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-10-320.jpg)
![Heterogeneous operating system
environments (2/2)
Using the best execution platform : eg. Body gateway with
both an Autosar and an infotainment VM (eg., linux, android)
Benefits
– Performances
– Availability of manpower / applications
– Time-to-market
– Security despite open systems
– Segregation in “vehicle domains” VMM
– Etc
Picture from [2]
The most obvious and likely use‐case in a first step
© 2010 RTaW / PSA / Freescale - 13](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-13-320.jpg)
![AUTOSAR OS protection mechanism -
a recap (see [7])
Issues : resource confiscation (CPU, memory,
drivers), non authorized access / calls, fault-
propagation
5 types of mechanisms
Memory protection
Temporal protection
As of Autosar R4, there
are multi‐core
OS service protection
extensions enabling CPU
HW resource protection
core partitioning
trusted / non-trusted code
4 scalability classes
© 2010 RTaW / PSA / Freescale - 16](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-16-320.jpg)
![Real-time performances
Virtualization implies a
hierarchical two-level scheduling
that is inherently less predictable
and more complex to handle
Picture from [2]
Actually, three‐level scheduling since runnables
are scheduled within OS tasks!
Static core allocation (to VMs) is probably the way to go ..
© 2010 RTaW / PSA / Freescale - 18](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-18-320.jpg)
![Technical issues
Memory:
VMM footprint: < 64KB
Possibly several OSs !
CPU:
Limited hardware support in embedded CPU [6]
Preemption, L2 cache flush, locked cache
Resource sharing is tricky: ISR, IOs, com. controllers
Real-time performances (eg. LIN)
peripheral virtualization is complex (eg. CAN)
VMM must be kept small to be secure (more than guest
OSs) and ideally bug free … otherwise responsibility
sharing is impossible
© 2010 RTaW / PSA / Freescale - 19](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-19-320.jpg)
![References
[1] N. Navet, F. Simonot-Lion, editors, The Automotive Embedded Systems
Handbook, Industrial Information Technology series, CRC Press / Taylor
and Francis, ISBN 978-0849380266, December 2008.
[2] R. Kaiser, D. Zöbel, Quantitative Analysis and Systematic Parametrization
of a Two-Level Real-Time Scheduler, paper and slides at IEEE ETFA’2009.
[3] T. Nolte, Hierarchical Scheduling of Complex Embedded Real-Time
Systems, slides presented at the Summer School on Real-Time Systems
(ETR’09), Paris, 2009.
[4] G. Heiser, The role of virtualization in embedded systems, Proceedings of
the 1st workshop on Isolation and integration in embedded systems,
2008.
[5] D. Baldin, T. Kerstan, Proteus, a Hybrid Virtualization Platform for
Embedded Systems, IFIP Advances in Information and Communication
Technology, 978-3-642-04283-6, 2009.
[6] F. Behmann, Virtualization for embedded Power Architecture CPUs,
Electronic Products, September 2009.
[7] N. Navet, A. Monot, B. Bavoux, F. Simonot-Lion, Multi-source and
multicore automotive ECUs - OS protection mechanisms and scheduling,
to appear in IEEE ISIE, 2010.
[8] A. Schedl, Goals and Architecture of FlexRay at BMW, slides presented at
the Vector FlexRay Symposium, March 2007.
[9] R. Schreffler, Japanese OEMs, Suppliers, Strive to Curb ECU Proliferation,
Wardsauto.com, March 6, 2006.
© 2010 RTaW / PSA / Freescale - 22](https://image.slidesharecdn.com/rts10virtualization-100522041652-phpapp01/85/Virtualization-in-Automotive-Embedded-Systems-an-Outlook-22-320.jpg)
Virtualization in Automotive Embedded Systems: an Outlook
- 1. Virtualization in Automotive Embedded Systems : an Outlook Nicolas Navet, RTaW Bertrand Delord, PSA Peugeot Citroën Markus Baumeister, Freescale Talk at RTS Embedded Systems 2010 Paris, 31/03/2010
- 2. Outline 1. Automotive E/E Systems: mastering complexity 2. Ecosystems of virtualization technologies 3. Automotive use-cases of virtualization 4. Limits of virtualization © 2010 RTaW / PSA / Freescale - 2
- 3. Mastering complexity of automotive Electrical and Electronics (E/E) Systems © 2010 RTaW / PSA / Freescale - 3
- 4. Electronics is the driving force of innovation – 90% of new functions use software – Electronics: 40% of total costs – Huge complexity: 80 ECUs, 2500 signals, 6 networks, multi-layered run-time environment (AUTOSAR), multi-source software, multi-core CPUs, etc Strong costs, safety, reliability, time‐to‐market, reusability, legal constraints ! © 2010 RTaW / PSA / Freescale - 4
- 5. Proliferation of ECUs raises problems! 50 Number of ECUs (CAN/MOST/LIN) 45 40 35 30 25 20 15 Mercedes-Benz BMW 10 Audi 5 VW 0 1986 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 Year Graphics on this page from [3] Lexus LS430 has more than 100 ECUs [9] © 2010 RTaW / PSA / Freescale - 5
- 6. The case of a “generalist” car manufacturer - PSA 45 40 35 30 CAN LAS info-div LIN 25 CAN CAR CAN CONF 20 CAN I/S 15 10 5 0 X4-2000 X4-2003 D2 2004 D2 TG D25 X3 X6-2005 X7-2007 W2 PF3 The number of ECUs has more than doubled in 10 years © 2010 RTaW / PSA / Freescale - 6
- 7. Possible upcoming architectures in two car generations Fewer ECUs but more powerful – Multi-core μ-controller – Multi-source software – Autosar OS strong protection mechanisms – Virtualization ? – ISO2626-2 dependability standard Backbone : – CAN 500Kbit/s with offsets – FlexRay™ : 10 Mbit/s – Ethernet ? How centralized is unsure because of carry‐over .. FlexRay™ as backbone at BWM in a few years [8] © 2010 RTaW / PSA / Freescale - 7
- 8. Ecosystem of virtualization technologies © 2010 RTaW / PSA / Freescale - 8
- 9. Virtualization basics Executing software on virtual machines decoupled from the real HW – Virtual Machine: software that executes software like a physical machine – (System) VM contains an OS – HW resources can be shared between VMs : role of hypervisor Strong isolation between VMs : security and fault‐confinement are the primary motivations Picture from [2] © 2010 RTaW / PSA / Freescale - 9
- 10. Classification of virtualization schemes [3] Virtualization Emulation Native Hypoth. Real Full Para- Machine Machine Virtua. virtua. eg. JVM eg. Bochs eg. Z/VM eg. Xen, Sysgo, Wind River © 2010 RTaW / PSA / Freescale - 10
- 11. Use-cases of virtualization © 2010 RTaW / PSA / Freescale - 11
- 12. Heterogeneous operating system environments (1/2) Re-use of a complete legacy ECU : eg. parking assistance Legacy Benefits – Time-to-market, applications – – Cost reduction Validation done Legacy OS – Way to deal with + discontinued hardware Comm. stack Hypervisor hardware © 2010 RTaW / PSA / Freescale - 12
- 13. Heterogeneous operating system environments (2/2) Using the best execution platform : eg. Body gateway with both an Autosar and an infotainment VM (eg., linux, android) Benefits – Performances – Availability of manpower / applications – Time-to-market – Security despite open systems – Segregation in “vehicle domains” VMM – Etc Picture from [2] The most obvious and likely use‐case in a first step © 2010 RTaW / PSA / Freescale - 13
- 14. Virtualization for security-critical sub-systems Benefits: – Critical code can run on bare hardware – Sufficiently small for formal methods – “Brick-wall” partitioning for open systems (OTA update) Critical code Hypervisor hardware © 2010 RTaW / PSA / Freescale - 14
- 15. Virtualization for safety-critical sub-systems Short term benefits: – Memory, CPU, IO protection mechanisms – Redundant execution with diversity reduces common faults, possible to go one step farther with OS and com. stack diversity – Monitoring / watchdog on the same multi-core chip (ideally with some HW diversity at the core level) Medium term goal: – Virtual lockstep execution without dedicated HW Not the same scope of protection as Autosar OS Autosar OS : OS application, OS task, ISR Virtualization : VM (usually with an OS) © 2010 RTaW / PSA / Freescale - 15
- 16. AUTOSAR OS protection mechanism - a recap (see [7]) Issues : resource confiscation (CPU, memory, drivers), non authorized access / calls, fault- propagation 5 types of mechanisms Memory protection Temporal protection As of Autosar R4, there are multi‐core OS service protection extensions enabling CPU HW resource protection core partitioning trusted / non-trusted code 4 scalability classes © 2010 RTaW / PSA / Freescale - 16
- 17. Limits of virtualization © 2010 RTaW / PSA / Freescale - 17
- 18. Real-time performances Virtualization implies a hierarchical two-level scheduling that is inherently less predictable and more complex to handle Picture from [2] Actually, three‐level scheduling since runnables are scheduled within OS tasks! Static core allocation (to VMs) is probably the way to go .. © 2010 RTaW / PSA / Freescale - 18
- 19. Technical issues Memory: VMM footprint: < 64KB Possibly several OSs ! CPU: Limited hardware support in embedded CPU [6] Preemption, L2 cache flush, locked cache Resource sharing is tricky: ISR, IOs, com. controllers Real-time performances (eg. LIN) peripheral virtualization is complex (eg. CAN) VMM must be kept small to be secure (more than guest OSs) and ideally bug free … otherwise responsibility sharing is impossible © 2010 RTaW / PSA / Freescale - 19
- 20. Conclusion Virtualization is a mature technology, industrial risk is limited Automotive can benefit from both aerospace / military and consumer electronic experiences: Products, certification, deployment tools, etc The overlap between virtualization and Autosar OS seems small There are meaningful use-cases but real-time behavior of the virtualized systems should be (formally) verified. © 2010 RTaW / PSA / Freescale - 20
- 21. References © 2010 RTaW / PSA / Freescale - 21
- 22. References [1] N. Navet, F. Simonot-Lion, editors, The Automotive Embedded Systems Handbook, Industrial Information Technology series, CRC Press / Taylor and Francis, ISBN 978-0849380266, December 2008. [2] R. Kaiser, D. Zöbel, Quantitative Analysis and Systematic Parametrization of a Two-Level Real-Time Scheduler, paper and slides at IEEE ETFA’2009. [3] T. Nolte, Hierarchical Scheduling of Complex Embedded Real-Time Systems, slides presented at the Summer School on Real-Time Systems (ETR’09), Paris, 2009. [4] G. Heiser, The role of virtualization in embedded systems, Proceedings of the 1st workshop on Isolation and integration in embedded systems, 2008. [5] D. Baldin, T. Kerstan, Proteus, a Hybrid Virtualization Platform for Embedded Systems, IFIP Advances in Information and Communication Technology, 978-3-642-04283-6, 2009. [6] F. Behmann, Virtualization for embedded Power Architecture CPUs, Electronic Products, September 2009. [7] N. Navet, A. Monot, B. Bavoux, F. Simonot-Lion, Multi-source and multicore automotive ECUs - OS protection mechanisms and scheduling, to appear in IEEE ISIE, 2010. [8] A. Schedl, Goals and Architecture of FlexRay at BMW, slides presented at the Vector FlexRay Symposium, March 2007. [9] R. Schreffler, Japanese OEMs, Suppliers, Strive to Curb ECU Proliferation, Wardsauto.com, March 6, 2006. © 2010 RTaW / PSA / Freescale - 22
- 23. Questions / feedback ? Please get in touch at : nicolas.navet@realtimeatwork.com bertrand.delord@mpsa.com B17517@freescale.com © 2010 RTaW / PSA / Freescale - 23