EB corbos and the L4Re microhypervisor: Open-source automotive safety
- 1. 2018-09-19, Vancouver, Linaro Connect 2018 Alexander Much, Michael Hohmuth, Adam Lackorzynski EB corbos and the L4Re microhypervisor: Open-source automotive safety 2018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
- 2. 22018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. About EB EB corbos and the L4Re microhypervisor: Open-source automotive safety Technical competencies EB’s technical core competencies are development of automotive-grade (software) products and engineering services. Employees More than 2200 employees worldwide. Spans three continents and ten countries. Consistent growth Average growth (CAGR) > 10 % Global presence Development and business offices in Austria, China, Finland, France, Germany, India, Israel, Japan, Romania and USA. Continental AG Wholly owned, independent subsidiary of Continental AG. 100+ million Over 90 million vehicles on the road and 1 billion embedded devices.
- 3. 32018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. What we do EB corbos and the L4Re microhypervisor: Open-source automotive safety Vehicle infrastructure • AUTOSAR standard • Single- & multi-core OS • Functional Safety OS • Embedded Security • Automotive networks, e.g. Ethernet Automated driving • Hardware and software products for development, test, visualization, and validation. • Key software components to bring automated driving functions and systems to serial production. User experience • Navigation client for connected use cases • Electronic horizon provider enabling map-based ADAS functions • Model-based development of multimodal user interfaces • Augmented reality solutions Connected car • Intelligent big data analytics & online diagnostics • Scalable backend infrastructures • Cyber security solutions plus modular add-ons by Argus • Software updates over-the-air • Consulting services for Functional Safety and Software Architectures • Lean Software Development • Established agile processes • End-to-end testing of complex embedded software systems • Test concept development • Independent verification and validation of software systems Consulting services Verification and validation
- 4. 42018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Interesting times... EB corbos and the L4Re microhypervisor: Open-source automotive safety Machine learning Crowd-sourced data System of systems Third party access Evolution after SOPPersonalization Shortened development cycles New topics new business models ?
- 5. 52018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. We need to completely re-think the E/E architecture: • Domain or zonal architectures • Centralized computing units • High-speed, reliable and dependable networking • Connected vehicle within infrastructure eco-systems What comes first? Mobile on wheels or wheels on mobile? EB corbos and the L4Re microhypervisor: Open-source automotive safety Source: https://pxhere.com/en/photo/1064249, CC0 Public Domain Cloud and mobile first!
- 6. 62018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Most prominent answer: „Of course, my car!“ People don‘t realize: • How many security solutions are in today‘s phones • Cloud and phones set the „state-of-the-art“ • ... not cars! What needs to be „more“ secure? Phone and cloud vs. vehicle EB corbos and the L4Re microhypervisor: Open-source automotive safety Source: https://www.kompulsa.com/wordpress/wp-content/uploads/2018/06/bigstock-Cyber-security-information- pr-205808125.jpg, CC0 Creative Commons
- 7. 72018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Evolution of E/E architectures EB corbos and the L4Re microhypervisor: Open-source automotive safety Today Tomorrow Future Domain Architecture Centralized Architecture Zonal Architecture • Signal-based communication • System of ECUs • Predictable communication • Function orientated topology • Central computing nodes • Mix of signal based and service orientated communication • Partly centralized functions • Software upgradeability • IP/Ethernet communication • Centralized applications / functions • Computing power for AD and AI • Anything anywhere (sensors/actors) • Architecture follows software / system demands
- 8. 82018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Building blocks of the next architecture EB corbos and the L4Re microhypervisor: Open-source automotive safety HPC = High performance controller HPC-1 HPC-2 HPC-3 Horizontal deployment of functions RT-SW RT-SW RT-SW RT-SW “logic”-SW “logic”-SW “logic”-SW “logic”-SW “logic”-SW “logic”-SW Computing layer Real time and sensor/ actuator layer Back-end Vehicle API / basic services / information layer Every information anywhere – enables horizontal deployment of services and updating service. But needs to be controlled for safety and security reasons
- 9. 2018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. EB corbos Safety, security and performance
- 10. 102018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. EB corbos – The architecture EB corbos and the L4Re microhypervisor: Open-source automotive safety AUTOSAR OS Adaptive AUTOSAR App App High-performance computer Classic AUTOSAR Hypervisor Adaptive AUTOSAR App POSIX OS POSIX OS Trusted Execution Environment App Trusted OS Classic AUTOSAR App Safety cores AUTOSAR Safety OS New CPU-intensive (safety-relevant) functions: e.g. sensor fusion Novel user functions: e.g. App Store Reuse of existing vehicle functions from Classic AUTOSAR (SWCs) Secure startup, authentication Safety-relevant vehicle functions, monitoring of performance partitions Security partition Safety partition Virtual machineVirtual machine Virtual machine Performance cores Secure Boot Performance partitions
- 11. 112018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. EB product line EB corbos – The architecture (II) EB corbos and the L4Re microhypervisor: Open-source automotive safety EB tresos AutoCore OS EB corbos AdaptiveCore App App High-performance computer EB tresos AutoCore EB corbos Hypervisor EB corbos AdaptiveCore App EB corbos Linux POSIX RTOS Trusted Execution Environment App Trusted OS EB tresos AutoCore App Safety cores EB tresos Safety OS Security partition Safety partition Performance cores Secure Boot Performance partitions EB tresos Studio Logging and debugging EB corbos Studio Code generation Configuration Application development Integration and deployment Tools EB tresos EB corbos Services 3rd party Software Hardware (SoC)
- 12. 122018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. EB corbos AdaptiveCore EB corbos and the L4Re microhypervisor: Open-source automotive safety EB corbos 3rd PartyHW-depend.Tools Generic Alternatives EB corbos Studio Studio Build environment EB corbos AdaptiveCore OS Adaptive applicationAdaptive application Adaptive applicationAdaptive application Time Management Runtime for adaptive applications Platform Health Management Persistency Foundation Services Execution management Diagnostic management Update & configuration management Network management Log & Trace Application EB corbos Linux Communication management ara::com/rest/dds* Adaptiveplatform POSIX RTOS EB corbos Hypervisor … Time synchronization Persistency Hardware acceleration* Platform health management Signal-2-service mapping* Cryptography* Identity & Access management* Future content*
- 13. 132018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Classic AUTOSAR components Distributed safety management EB corbos and the L4Re microhypervisor: Open-source automotive safety Classic AUTOSAR components Lockstep Safety OS WDG Core CoreCore Core Safety core Safety core Core…. CoreCore Health control Bootloader Hypervisor Privileged partition Adaptive AUTOSAR on Linux Health manager Vehicle functions partition Adaptive AUTOSAR on Linux Container Vehicle function Virtual resources Container Vehicle function Virtual resources Container Vehicle function Virtual resources Pesistency manager Execution manager Health manager Diagnostic manager Virtual resources Physical resources …. Classic AUTOSAR Safety core Safety core Lockstep Safety OS WDG Health control Classic AUTOSAR Monitor Control
- 14. 142018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Platform security layers EB corbos and the L4Re microhypervisor: Open-source automotive safety Operating systems Containers Hardware Classic µC HSM Performance µP SwitchSecure enginePerformance cores Hypervisor Processes Resource access control Intermediate address space Separation 1st-stage MMU Control flow integrity Hardware resource separation Physical address space separation 2nd-stage MMU Scheduling domains Resource constraints Control flow integrity Virtual address space ASLR, sanitizers, etc. Crypto accelerators 3 core logic (Secure, Public & PKA) Dedicated RAM/ROM (key material) eFuses Life cycle management Hardware access protection HSM (EVITA medium) HIS SHE support DoS prevention VLAN tagging Static ARP tables Monitoring ports Crypto accelerators
- 15. 152018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Hypervisor use-cases EB corbos and the L4Re microhypervisor: Open-source automotive safety ECU Consolidation Increasing capabilities of nowadays performance controllers enable suppliers to consolidate multiple in-car applications to one single device Mixed Criticality Systems Virtualization brings in the key technology to build fail operational software systems with mixed safety integrity levels Network Separation Growing Car-2-X connectivity requires secure separation of out-bounded connections to the in-vehicle network Hardware Hypervisor VM VM VM … Hardware Hypervisor VM VM VM … Hardware Hypervisor VM VM VM … Your benefit
- 16. 2018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. EB corbos Hypervisor Based on the L4Re microhypervisor
- 17. 172018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. • Capabilities as references to kernel (and user-land) objects – Provides information hiding (local naming) and access control – Enables reasoning about isolation and freedom from interference – No capability to shared object No way to communicate or interfere • Designed to even allow preventing sharing 2nd-class kernel objects (allocators …) and invisible architectural state (not 100 % there yet…) Real-timeIsolation EB corbos and the L4Re microhypervisor: Open-source automotive safety Noteworthy L4Re features • Real-time per-CPU scheduler: Fixed priority round robin – Support for thread-group budget scheduling planned – WFQ (non-RT) also available – Cross-CPU thread / VCPU migration supported • Short critical sections w/ IRQs off, preemption points • Fine-granular wait-free locking Excellent interrupt-response times • No cross-CPU shared state in critical paths, no big kernel lock Excellent scalability
- 18. 182018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. • Hardware-assisted virtualization – Untrusted (user-level) virtual-machine monitors (VMMs) for platform emulation • uvmm: Tiny VMM for Linux guests. Upstream ARM Linux “just works” • l4-kvm: Uses Qemu/KVM in a Linux guest to provide platform for Windows guests (x86 only) • Also available: Paravirtualization with L4Linux – A user-mode Linux kernel running on L4Re MicroappsVirtualization EB corbos and the L4Re microhypervisor: Open-source automotive safety Noteworthy L4Re features (II) • Microapps: Native L4Re applications – Small TCB: no dependency on any rich OS, no Dom0 – No dependency on VMM – No virtualization overhead • POSIX subset for microapps: L4Re Runtime Environment – Supports libc, C++ library, pthreads, etc. – Natural extension of kernel API with useful OS abstractions, e. g. for address-space management
- 19. 192018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. • Device pass-through to VMs or driver microapps – DMA security via IOMMU (ARM: WIP) • Native drivers and multiplexing for various buses and devices – PCI, serial console, AHCI, framebuffer • Virtual networking among VMs supported – Virtual Ethernet switch or p2p connection – Virtual socket connections • Virtio supported Where to get it?I/O virtualization EB corbos and the L4Re microhypervisor: Open-source automotive safety Noteworthy L4Re features (III) • Go to www.kernkonzept.com/download.html • Or www.l4re.org • Early access at github.com/kernkonzept • (Mostly) GPL version 2 • Commercial licenses: Dual licensing capability – Require CLA for contributions, essential for attracting investments needed for certification – Also, a customer requirement in Automotive • Kernkonzept serves as maintainer & gatekeeper for contributions Licensing?
- 20. 202018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. Solutions for interesting times EB corbos and the L4Re microhypervisor: Open-source automotive safety Machine learning Crowd-sourced data System of systems Third party access Evolution after SOP Personalization Shortened development cycles New topics new business models ? High-assurance security Automotive safety up to ASIL-D Real-time capable Based on open-source and established, well- proven implementations Long-term maintenance and operations
- 21. 2018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. www.elektrobit.com alexander.much@elektrobit.com michael.hohmuth@kernkonzept.com adam.lackorzynski@kernkonzept.com Get in touch!