Securing Virtual Machines
Engineers creating life- and mission-critical embedded systems who want to add Linux or Android environments must still satisfy their requirements for safety, security and reliability. Important business-driven benefits of doing so include reduced platform cost, a scalable software foundation, separation of open-source software from the critical functions, and reduced software complexity.
Embedded designers are increasingly turning to system virtualization to dramatically transform development of complex systems. Virtualization consolidates disparate systems onto dedicated virtual machines, running on a single hardware platform. In addition, hardware abstraction enables platform reuse and rapid migration to new hardware.
Since 2003, INTEGRITY Multivisor has delivered on this promise for devices in automotive, industrial, avionics and mobile platforms.
INTEGRITY Multivisor has been the industry's only safe and secure certified architecture to simultaneously run one or more guest operating systems alongside life and mission-critical functions on a wide range of multicore SoCs.
Purpose-built to address the most difficult embedded challenges, INTEGRITY Multivisor enables rapid, optimized and cost effective complex system designs without compromising safety, security or performance.
As the diagram illustrates, the trusted real-time and separation partition architecture of the INTEGRITY RTOS executes multiple arbitrary guest operating systems alongside mission-critical real-time software functions. Applications and guest operating systems are efficiently scheduled across one or multiple cores, can communicate efficiently with each other and share system peripherals, such as GPU or Ethernet, according to a strict access control model.
INTEGRITY Multivisor is the optional virtualization service for the safety and security-certified INTEGRITY RTOS separation kernel. It enables general purpose operating systems, such as Linux or Android, to safely and securely run alongside life and mission-critical software on the same multicore processor.
Virtualization features
- Shared devices and peripherals: allows devices and peripherals to be exclusively assigned to, or shared between, guest operating systems and critical functions
- IPC: provides standards-based inter-process communication (IPC) between guest operating systems and critical functions
- Configurability: provision system resources, including memory and devices
- Hardware virtualization: use hardware virtualization acceleration, when available
- Health monitoring: enables performance monitoring, fault detection, and restart of guest operating systems and applications
- Multicore guests: run multiple guest operating systems on multiple cores with overlapping configurations to take advantage of INTEGRITY's priority-based automatic load balancing
- Software Development Kit (SDK): includes groundbreaking MULTI debugger with its complete and unified visibility and control into all executing software components of a virtualized system
- Multicore Control: flexibility to either statically bind guest operating systems to cores in an Asymmetric Multiprocessing (AMP) model or dynamically schedule workloads in a Symmetric Multiprocessing (SMP) model, depending on system requirements
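The feature list above describes a statically provisioned system: each partition is granted memory regions, devices (exclusively or shared), cores, and IPC channels, and the separation kernel enforces those grants. The following is an added illustration, not Green Hills code and not INTEGRITY's actual configuration format: a hypothetical, simplified partition manifest together with the consistency checks an integrator would want to run over it before deployment (no overlapping memory between partitions, no device both exclusively owned and granted elsewhere, IPC channels only between declared partitions, cores within range). The dataclass names, the manifest contents and the sample configurations are all constructed for this example.

```python
"""Static consistency checks for a hypothetical partition manifest.

Illustration only: the schema below is invented for this example and is
not the INTEGRITY Multivisor configuration format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Partition:
    name: str
    # Physical memory regions granted to the partition: (base, size).
    memory: List[Tuple[int, int]]
    # Devices owned exclusively by this partition.
    exclusive_devices: List[str] = field(default_factory=list)
    # Devices reached through a shared (arbitrated) virtual device.
    shared_devices: List[str] = field(default_factory=list)
    # Cores this partition may be scheduled on (AMP binding or SMP set).
    cores: List[int] = field(default_factory=list)


@dataclass
class Channel:
    # One-way IPC channel between two declared partitions.
    src: str
    dst: str


def check_manifest(parts: List[Partition], channels: List[Channel],
                   ncores: int) -> List[str]:
    """Return a list of violations; an empty list means the manifest is consistent."""
    errs: List[str] = []
    names = {p.name for p in parts}
    if len(names) != len(parts):
        errs.append("duplicate partition names")

    # 1. Spatial separation: no two granted regions may overlap.
    regions = sorted((base, base + size, p.name)
                     for p in parts for base, size in p.memory if size > 0)
    for (s1, e1, n1), (s2, e2, n2) in zip(regions, regions[1:]):
        if s2 < e1:
            errs.append(f"memory overlap between {n1} [{s1:#x},{e1:#x}) "
                        f"and {n2} [{s2:#x},{e2:#x})")

    # 2. A device assigned exclusively to one partition may appear nowhere else.
    owners: Dict[str, str] = {}
    for p in parts:
        for d in p.exclusive_devices:
            if d in owners:
                errs.append(f"device {d} exclusively assigned to both "
                            f"{owners[d]} and {p.name}")
            owners[d] = p.name
    for p in parts:
        for d in p.shared_devices:
            if d in owners:
                errs.append(f"device {d} shared by {p.name} but exclusively "
                            f"owned by {owners[d]}")

    # 3. IPC channels may only connect partitions that exist in the manifest.
    for c in channels:
        for end in (c.src, c.dst):
            if end not in names:
                errs.append(f"channel {c.src}->{c.dst} references "
                            f"undeclared partition {end}")

    # 4. Every partition needs at least one core, and all cores must exist.
    for p in parts:
        if not p.cores:
            errs.append(f"partition {p.name} is not scheduled on any core")
        for core in p.cores:
            if not 0 <= core < ncores:
                errs.append(f"partition {p.name} bound to nonexistent core {core}")
    return errs


def good_manifest():
    """Constructed example: an RTOS partition plus a Linux guest, disjoint resources."""
    rtos = Partition("rtos", [(0x8000_0000, 0x0100_0000)],
                     exclusive_devices=["can0"], shared_devices=["eth0"], cores=[0])
    linux = Partition("linux", [(0x8100_0000, 0x2000_0000)],
                      exclusive_devices=["gpu"], shared_devices=["eth0"], cores=[1, 2, 3])
    return [rtos, linux], [Channel("linux", "rtos"), Channel("rtos", "linux")], 4


def bad_manifest():
    """Constructed example with one violation of each kind."""
    rtos = Partition("rtos", [(0x8000_0000, 0x0200_0000)],   # spills into linux
                     exclusive_devices=["can0"], shared_devices=["eth0"], cores=[0])
    linux = Partition("linux", [(0x8100_0000, 0x2000_0000)],
                      exclusive_devices=["gpu"], shared_devices=["can0"],  # owned by rtos
                      cores=[1, 4])                                        # core 4 absent
    return [rtos, linux], [Channel("linux", "android"), Channel("rtos", "linux")], 4


if __name__ == "__main__":
    for label, m in (("good", good_manifest()), ("bad", bad_manifest())):
        print(label, check_manifest(*m) or "OK")
```

The check is deliberately conservative: a device listed as exclusive anywhere is rejected if it shows up in any shared list, because a guest reaching a peripheral the critical partition believes it owns is exactly the kind of silent sharing the access control model is supposed to rule out.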
Safety & security pedigree
Global organizations trust the INTEGRITY separation kernel architecture for systems with the most demanding reliability requirements:
- ISO 26262 ASIL D automotive electronics
- NSA-certified secure mobile phones
- FAA DO-178B Level A-certified avionics controlling life-critical functions on passenger and military aircraft
- FDA Class III life-critical medical devices
- EN 50128 SWSIL 4-certified railway control and protection systems
- IEC-61508 SIL3-certified industrial control systems
Many hypervisors bundle the software required to support guest environments, such as device drivers and middleware, into a monolithic architecture. The result looks much like a general purpose operating system, with exposure to unknown vulnerabilities and many shared failure points. Numerous virtual machine “escapes” and other subversions have been discovered in hypervisors such as Xen, VMware and other commercial hypervisors.
In contrast, INTEGRITY Multivisor is a virtualization service for the safe and secure INTEGRITY RTOS separation kernel, already certified to isolate and protect software components in the most critical environments.
Customer use cases
INTEGRITY Multivisor enables engineers to innovate in ways not otherwise possible. The following examples come directly from Green Hills Software's customer base:
Automotive Integrated Cockpit
- Consolidate infotainment, ADAS, secure gateway and digital instrument clusters to reduce automotive cost and footprint
- Run safety-critical applications such as cluster warning lights, rear view camera and guest OS fault monitoring
- Consolidate connected car communication with safety and security critical gateway applications
- Securely run corporate and personal environments on multiple instances of mobile operating systems
- Provide common smartphone functions while enabling next-generation security applications such as virtual credit card, virtual ticketing (e.g. public transportation), virtual keys and identification
- Securely consolidate corporate and personal desktop environments
- Consolidate multiple mixed-security workstations onto a single workstation in a secure, simple and cost-saving way
- Enable high-performance one-wire encrypted data communication
- Enable a tablet form factor with sophisticated Linux graphical interface
- Real-time applications provide trusted display of weapons state (securely multiplexed with Linux GUI) as well as safety-critical munitions programming
Advanced debugging and visualization for virtualized systems
A virtualized embedded system increases the number of software layers running simultaneously. Debugging that code and its interactions is far more complex than in a traditional embedded system. Without straightforward visibility into the layers of executing code, the developer’s productivity plummets and new product schedules suffer.
In the early 1990s, the MULTI debugger was the first commercial graphical debugger capable of debugging multiple embedded operating systems, languages and processors running on various desktop operating systems. In this age of embedded virtualization, the MULTI debugger achieved another “first” by extending its deep visibility and control to this complex target environment.
Competing virtualization architectures require a hodgepodge of several different and disconnected debugging setups from different vendors. In contrast, the MULTI debugger simultaneously provides visibility and control for all execution levels:
- Applications on Linux and other guest operating systems
- Real-time applications
- Linux kernel and Linux device drivers
- Virtual Machine Monitor
- Real-time operating system kernel