Safetronic'08: Hypervisor (joint talk, Wind River - TÜV SÜD)

Hypervisor - Virtualisation platform for separation of safety functions with different Safety Integrity Levels



  1. Hypervisor: virtualisation platform for the separation of safety functions with different Safety Integrity Levels (SIL). Andreas Buchwieser (Wind River GmbH), Andreas Bärwald (TÜV SÜD Automotive GmbH). safetronic.'08, München, 04.11.2008
  2. Agenda
     • Motivation
     • Relevant Safety Standards
     • Use Cases
     • Definitions
     • Hypervisor Technology
     • Spatial Separation
     • Temporal Separation
     • Typical Steps
     • Outlook
     Wind River GmbH (www.windriver.com), TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  3. Motivation: example body controller (1)
  4. Motivation: example body controller (2)
  5. Relevant Safety Standards: IEC 61508
     • Adequate independence: "Adequate independence between the safety functions of the different safety integrity levels can be shown in the design. The justification for independence shall be documented." [source: IEC 61508 part 3: 1998]
     • "It shall be demonstrated either (1) that independence is achieved both in the spatial and temporal domain, or (2) that any violation of independence is controlled." [source: IEC 61508-3, ED.2. Version 4:2007, Dated: 2007]
  6. Relevant Safety Standards: EN 50128
     • "...If different software components have different software safety requirement levels, these shall be described in the software architecture specification."
     • "The software architecture shall minimise the safety-relevant part of the application."
     • "...software parts shall be treated as if they belonged to the highest software requirement level, unless the independence ... is clearly evident" [source: EN 50128, Dated: 2001]
  7. Relevant Safety Standards: ISO 26262
     ISO/CD 26262-6 Annex D "Freedom from interference by software partitioning"
     Goal: to prevent propagation of a failure in one software partition to any other software partition
     [diagram: a microcontroller running Partition A (Tasks A.1 ... A.n) and Partition B (Tasks B.1 ... B.n) on a shared operating system and hardware]
  8. Impact on shared resources (1): CPU time
     • Blocking of partitions, due to communication deadlocks
     • Wrong allocation of processor execution time, e.g. by using
       – Time-triggered scheduling
       – Cyclic execution scheduling policy
       – Fixed-priority-based scheduling
       – Monitoring of processor execution time of software partitions according to the allocation
       – Program sequence
       – Arrival rate monitoring
  9. Impact on shared resources (2): Memory
     • Memory protection mechanisms
     • Verification of safety-related data
     • Offline analysis of code and data of other partitions
     • Restricted access to memory
     • Static analysis
     • Static allocation
  10. Impact on shared resources (3): I/O and communication
     • Failure of communication peer: communication peer is not available
     • Blocking access to the data bus
     • Continuous transmission of messages (babbling idiot)
  11. Hypervisor Separation Concept
  12. Motivation for Separation
     • Standardised approach for separation
     • Limit software development costs
       – Certification of safety-critical parts only
     • Flexibility
       – Third-party deliveries can be easily integrated by the OEM
     • Maintenance
       – Less safety-relevant areas can be influenced through maintenance
     • Reusability
       – Legacy code, architectural approach
  13. Use Case: Separation
     [diagram: left, a single target platform running a Safe OS with safety-related application functions; right, the same functions on Virtual Board 1 (Safe OS) next to a COTS OS on Virtual Board 2, both on the WR Hypervisor virtualization mechanism on one target platform]
  14. Use Case: Integration
     [diagram: left, safety-related application functions on a Safe OS on target platform 1 and a COTS application on target platform 2; right, both integrated as Virtual Board 1 (Safe OS) and Virtual Board 2 (COTS OS) on the WR Hypervisor on a single target platform]
  15. Definitions
     • Virtualization: abstraction of computer resources, hiding the physical characteristics
     • Hypervisor: configurable supervisor program with both separation and scheduling that provides virtualization through software
     • Virtual Board (software partition in ISO/CD 26262-6): environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor
  16. Hypervisor Technology
     [diagram: Virtual Board 1 (CPU, memory, Ethernet1), Virtual Board 2 (CPU, memory, serial) and Virtual Board 3 (CPU, memory, Ethernet2) on the Hypervisor, which runs on a physical board with CPU, memory, Ethernet and serial]
  17. Non-interference on a single computer
     • Independence of execution: software elements will not adversely interfere with each other's execution behaviour such that a dangerous failure would occur
       – Spatial domain: data used by one element must not be changed by another element, in particular a non-safety-related element
       – Spatial separation
         • MMU & I/O MMU to separate memory domains and I/O domains
         • VMMU to set up a system of virtual boards
         • Safe Inter Process Communication (SIPC)
  18. Spatial Separation
     [diagram: Virtual Boards 1 to 3, each with an application on Linux or VxWorks (user mode / privileged mode) and its own CPU, memory and device (Ethernet, ATA, serial); the Wind River Hypervisor in system mode provides the VMMU, interrupt and exception handling, virtual-board communication, I/O resources and configuration, on a physical board with core, memory, Ethernet, ATA and serial]
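The spatial-separation configuration of slides 16 to 18, as an added example (Python, not from the slides or from Wind River): each virtual board is given fixed memory windows and exclusively assigned devices, the configuration is rejected if two boards could touch the same memory or device, and a VMMU-style check denies any access outside the board's own windows. Addresses and device names are constructed.

```python
# Added example (not from the slides): a model of the spatial-separation
# configuration a hypervisor enforces. Each virtual board (VB) gets fixed
# memory windows and exclusively assigned devices; the VMMU check denies
# any access that falls outside the board's own windows.
from dataclasses import dataclass, field


@dataclass
class VirtualBoard:
    name: str
    # (start, end) physical address ranges, end exclusive (constructed values)
    memory: list = field(default_factory=list)
    devices: list = field(default_factory=list)


def validate_config(boards):
    """Reject configurations in which boards could interfere spatially."""
    owner = {}
    for b in boards:
        for dev in b.devices:
            if dev in owner:
                raise ValueError(f"{dev} assigned to both {owner[dev]} and {b.name}")
            owner[dev] = b.name
    ranges = sorted((s, e, b.name) for b in boards for (s, e) in b.memory)
    for (s1, e1, n1), (s2, e2, n2) in zip(ranges, ranges[1:]):
        if s2 < e1:  # sorted by start, so windows overlap iff the next one starts early
            raise ValueError(f"memory overlap between {n1} and {n2}")
    return True


def vmmu_check(board, addr, size=1):
    """Model of the VMMU: an access is allowed only inside the board's own windows."""
    return any(s <= addr and addr + size <= e for s, e in board.memory)


# Constructed layout mirroring slide 16: three boards on one physical board.
BOARDS = [
    VirtualBoard("VB1", [(0x1000_0000, 0x1800_0000)], ["Ethernet1"]),
    VirtualBoard("VB2", [(0x1800_0000, 0x1C00_0000)], ["Serial"]),
    VirtualBoard("VB3", [(0x1C00_0000, 0x2000_0000)], ["Ethernet2"]),
]

if __name__ == "__main__":
    validate_config(BOARDS)
    print(vmmu_check(BOARDS[0], 0x1000_0100))  # True: VB1's own memory
    print(vmmu_check(BOARDS[0], 0x1800_0000))  # False: VB2's memory, trapped by the hypervisor
```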
  19. Non-interference on a single computer
     • Independence of execution: software elements will not adversely interfere with each other's execution behaviour such that a dangerous failure would occur
       – Temporal domain: one element must not cause another element to function incorrectly by taking too high a share of the available processor execution time, or by blocking execution of the other element by locking a shared resource of some kind
       – Temporal separation
         • Deterministic scheduling
           – Scheduling policy (time slice, priority)
         • Exception handling
         • Cache and DMA management
  20. Temporal Separation
     [timeline diagram: a major frame divided at system ticks into minor frames, with slots assigned to VB 1 (four slots), VB 2 (three slots), VB 3 (one slot) and spare time]
  21. Typical Steps
     • Hardware certification
       – Diagnostic measures -> Software Safety Requirements (SSR)
     • Allocation of SSRs
       – Hypervisor BSP
       – SafeOS BSP
       – Safety application
     • Implementation of the Hypervisor BSP (virtualization of the hardware)
     • Partitioning claim
       – Hypervisor and Hypervisor BSP
     • Implementation of the SafeOS BSP for Virtual Board 1
       – Consideration of the Safety Manual for Hypervisor and Hypervisor BSP
     • Implementation of the safety application
       – Consideration of the Safety Manual for SafeOS and SafeOS BSP
     • System Safety Manual
  22. Outlook
     • Next version of IEC 61508, Part 3 specifies techniques for separation (Annex G)
     • Virtualisation techniques are deployed in aerospace (e.g. 787, A380, A400, C130-AMP ...) (ARINC 653, DO-178B, DO-297 / ED-124)
     • Multi-core CPUs
       – Shared resources (cache, bus, RAM, I/O devices)
       – Parallel computing (SMP, AMP)
     • Device virtualization
       – Directed I/O
  23. Contact
     Andreas Buchwieser, Wind River GmbH, Osterfeldstr. 84, 85737 Ismaning, Germany, Tel.: +49 89 962445 432, andreas.buchwieser@windriver.com
     Andreas Bärwald, TÜV SÜD Automotive GmbH, Ridlerstr. 57, 80339 München, Germany, Tel.: +49 89 5791 4441, andreas.baerwald@tuev-sued.de
