ACRN vMeet-Up EU 2021 - functional safety design and certification plan

Slide 1. ACRN Functional Safety Design and Certification Plan
    MAO, Junjie <junjie.mao@intel.com>
    ACRN vMeet-Up Europe 2021

Slide 2. Outline
    ▹ Safety Concept
    ▹ Development Model and Techniques
    ▹ Inter-VM Interference and Mitigations
    ▹ Certification Plan
    5/28/2021 ACRN Functional Safety Design and Certification Plan 2

Slide 3. Safety Concept
    [Figure: partition-mode stack. A Safety VM (BIOS, Safety OS, Safety App; certified by Intel and/or customers) and a Non-safety VM (Linux kernel, apps; not certified) run side by side on the ACRN Hypervisor. Each VM owns its own CPU cores with their LAPICs; the hypervisor uses VMX, EPT, VT-d and a virtual PCI / host bridge over the physical platform.]
    IEC 61508 Certification Scope for ACRN
    • The "partition mode":
      • 2 partitions with mixed-criticality
      • Static core & memory partitioning
    • Targeted SC 3

Slide 4. Development Model
    Development phases: ACRN Market Requirements → ACRN Software Safety Requirements → ACRN Software Architecture Design → ACRN Module Design → Coding → ACRN Module Test → ACRN Integration Test → ACRN Validation Test
    Supporting Process: Change Management; Configuration Management; Document Management; Tool Classification and Qualification; Requirement Management; Verification Output Verification

Slide 5. Development Techniques
    • Semi-formal notations
    • Bi-directional traceability
    • Modular design
    • Event-driven architecture
    • Failure mode and effect analysis
    • Coding guidelines and static analysis
    • Fault injection test
    • Structural coverage

Slide 6. Requirement Categorization
    Functional Requirements
    • Virtual CPU capabilities
    • VM boot sequence
    • VM initial states
    Safety & Security Requirements
    • Interference mitigations
    • Side-channel vulnerability mitigations
    Assumptions of Use
    • Hardware capabilities
    • System-level mitigations to failures

Slide 7. Architecture Design Aspects
    Initialization
    • Hardware resources
    • Software data
    • Hardware virtualization extension
    Runtime
    • Handling of VM exits
    Error Mitigation
    • Error detection
    • Error handling
    Module decomposition and interface definitions

Slide 8. Inter-VM Interference
    Spatial
    • Memory: the non-safety VM reads/writes memory directly.
    • DMA: the non-safety VM (1) programs a DMA device, which (2) reads/writes memory.
    Temporal
    • Shared cache: the non-safety VM (1) loads lines and (2) evicts the safety VM's data.
    • Local caches: coherency traffic between the safety VM's and the non-safety VM's local caches.
    • Shared cache / memory controller / peripheral bus: contention between the non-safety VM and the safety VM.
    • Device interrupts: the non-safety VM (1) programs a device interrupt, and the device (2) delivers the interrupt to the safety VM.
    Reference: [1] O. Kotaba, J. Nowotsch, M. Paulitsch, S. Petters, H. Theiling. Multicore In Real-Time Systems – Temporal Isolation Challenges Due To Shared Resources. WICERT workshop as part of DATE 2013.

Slide 9. Mitigating Spatial Interference
    • Memory read/write by the non-safety VM: mitigated by EPT.
    • DMA by a device programmed by the non-safety VM: mitigated by the IOMMU.

Slide 10. Mitigating Temporal Interference
    • Shared cache load/evict by the non-safety VM: mitigated by Cache Partitioning.
    • Interrupt delivery from a device programmed by the non-safety VM to the safety VM: mitigated by the IOMMU.

Slide 11. Residual Temporal Interference
    • Local caches (coherency traffic between the VMs' local caches)
      • No invalidation due to coherency
      • But the coherency traffic remains.
    • Shared cache / memory controller / peripheral bus
      • No way to prevent the non-safety VM from locking cache/memory temporarily
      • Lack of hardware support for bandwidth allocation
    The residual temporal interference is assumed to be mitigated by external watchdogs.

Slide 12. ACRN Certification Plan
    • May 2020: Submit concept-phase work products to TÜV SÜD.
    • June 2020: Received the technical report on the concept stating that the ACRN Hypervisor Software Component from Intel Corporation is able to fulfil the requirements in accordance to SIL 3 of IEC 61508:2010.
    • May 2021 (in the plan): Complete the submission of detailed-test phase work products to TÜV SÜD.
    • June 2021 (in the plan): Final audit.

Slide 13. Concluding Remarks
    ▹ ACRN partition mode allows consolidation of mixed-critical workloads in safety-critical uses.
    ▹ ACRN leverages hardware mechanisms for interference mitigation. Residual temporal interference exists and requires system-level mitigations.
    ▹ ACRN is on the way to complete the certification [1].
    [1] The package of certified ACRN will be available under NDA (Non-Disclosure Agreement). Contact your sales representative for access.

Slide 14. THANK YOU
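Slides 3, 9 and 10 rest on one property: the two partitions must not share cores, host memory, or cache ways. The checker below is an added example, not ACRN's configuration format or any ACRN tool; it models a static partition spec with a constructed `VMPartition` type (hypothetical names) and reports every overlap between partitions, plus the contiguous-mask rule that Intel CAT imposes on cache-way bitmasks. A safety engineer would run something like this over the static configuration before it is baked into the hypervisor image, since any shared resource the check finds is a spatial or temporal interference path the slides aim to close.

```python
"""Static partition spec checker (constructed example, not ACRN code).

Each VMPartition lists the physical cores, host memory regions and
cache-way mask assigned to one VM. Disjoint cores and memory give the
spatial isolation of slide 9; disjoint cache ways give the cache
partitioning of slide 10.
"""
from dataclasses import dataclass
from typing import List, Tuple

# (start, size) in bytes of a host-physical memory region
Region = Tuple[int, int]


@dataclass
class VMPartition:
    name: str
    cores: List[int]          # physical core ids owned by this VM
    memory: List[Region]      # host memory regions mapped to this VM
    cache_ways: int           # bitmask of cache ways (hypothetical field)


def regions_overlap(a: Region, b: Region) -> bool:
    """True if two half-open byte ranges share at least one byte."""
    a_start, a_size = a
    b_start, b_size = b
    return a_start < b_start + b_size and b_start < a_start + a_size


def is_contiguous_mask(mask: int) -> bool:
    """Intel CAT requires a non-zero, contiguous run of set bits."""
    if mask <= 0:
        return False
    shifted = mask // (mask & -mask)       # drop trailing zero bits
    return (shifted & (shifted + 1)) == 0  # all-ones after the shift


def check_partitions(vms: List[VMPartition]) -> List[str]:
    """Return human-readable conflicts; an empty list means isolated."""
    conflicts = []
    for vm in vms:
        if not is_contiguous_mask(vm.cache_ways):
            conflicts.append(f"{vm.name}: cache mask {vm.cache_ways:#x} is empty or non-contiguous")
    for i, x in enumerate(vms):
        for y in vms[i + 1:]:
            shared_cores = sorted(set(x.cores) & set(y.cores))
            if shared_cores:
                conflicts.append(f"core sharing between {x.name} and {y.name}: {shared_cores}")
            for ra in x.memory:
                for rb in y.memory:
                    if regions_overlap(ra, rb):
                        conflicts.append(f"memory overlap between {x.name} {ra} and {y.name} {rb}")
            shared_ways = x.cache_ways & y.cache_ways
            if shared_ways:
                conflicts.append(f"cache way overlap between {x.name} and {y.name}: {shared_ways:#x}")
    return conflicts


# Constructed specs: one cleanly partitioned, one with every kind of overlap.
SAFE_SPEC = [
    VMPartition("safety", [0, 1], [(0x1_0000_0000, 0x4000_0000)], 0x00F),
    VMPartition("non-safety", [2, 3], [(0x1_4000_0000, 0x8000_0000)], 0xFF0),
]
CONFLICTING_SPEC = [
    VMPartition("safety", [0, 1], [(0x1_0000_0000, 0x4000_0000)], 0x0F),
    VMPartition("non-safety", [1, 2, 3], [(0x1_2000_0000, 0x8000_0000)], 0x1F),
]

if __name__ == "__main__":
    for label, spec in (("safe", SAFE_SPEC), ("conflicting", CONFLICTING_SPEC)):
        print(f"{label}: {check_partitions(spec) or ['no conflicts']}")
```

The overlap test uses half-open ranges, so two regions that merely touch are not flagged; adjacent regions are the normal way to carve a contiguous host address space between partitions.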
