ACRN Functional Safety Design and
Certification Plan
MAO, Junjie <junjie.mao@intel.com>
ACRN vMeet-Up Europe 2021
Outline
▹Safety Concept
▹Development Model and Techniques
▹Inter-VM Interference and Mitigations
▹Certification Plan
5/28/2021 ACRN Functional Safety Design and Certification Plan 2
Safety Concept
[Figure: safety concept stack. A Safety VM (BIOS, Safety OS, Safety App) and a Non-safety VM (Linux kernel with several apps) run on the ACRN Hypervisor (VT-d, EPT, VMX, virtual PCI / host bridge) on top of the physical platform (CPU cores, each with a LAPIC). Labels in the figure: "Certified by Intel and/or customers" and "Not certified".]
IEC 61508 Certification Scope for ACRN
• The “partition mode”:
  • 2 partitions with mixed-criticality
  • Static core & memory partitioning
  • Targeted SC 3
Development Model
[Figure: development process flow, with supporting processes alongside.]
Development phases:
• ACRN Market Requirements
• ACRN Software Safety Requirements
• ACRN Software Architecture Design
• ACRN Module Design
• Coding
• ACRN Module Test
• ACRN Integration Test
• ACRN Validation Test
Supporting Process (as labelled in the figure):
• Change Management
• Configuration Management
• Document Management
• Tool Classification and Qualification
• Requirement Management
• Verification
• Output Verification
Development Techniques
• Semi-formal notations
• Bi-directional traceability
• Modular design
• Event-driven architecture
• Failure mode and effect analysis
• Coding guidelines and static analysis
• Fault injection test
• Structural coverage
Requirement Categorization
Functional Requirements
• Virtual CPU capabilities
• VM boot sequence
• VM initial states
Safety & Security Requirements
• Interference mitigations
• Side-channel vulnerability mitigations
Assumptions of Use
• Hardware capabilities
• System-level mitigations to failures
Architecture Design Aspects
Initialization
• Hardware resources
• Software data
• Hardware virtualization extension
Runtime
• Handling of VM exits
Error Mitigation
• Error detection
• Error handling
Module decomposition and interface definitions
Inter-VM Interference
[Figure: interference channels from the Non-safety VM to the Safety VM, grouped as spatial and temporal.]
Spatial:
• Memory: the Non-safety VM reads/writes memory.
• Device DMA: the Non-safety VM (1) programs DMA on a device, which then (2) reads/writes memory.
Temporal:
• Shared cache: (1) loads by the Non-safety VM (2) evict lines used by the Safety VM.
• Coherency traffic between the local caches of the two VMs' cores and the shared cache / memory controller.
• Contention on the shared cache / memory controller / peripheral bus.
• Device interrupts: the Non-safety VM (1) programs an interrupt on a device, which (2) delivers the interrupt to the Safety VM.
Reference:
[1] O. Kotaba, J. Nowotsch, M. Paulitsch, S. Petters, H. Theiling. Multicore In Real-Time Systems – Temporal Isolation Challenges Due To Shared Resources. WICERT workshop as part of DATE 2013.
Mitigating Spatial Interference
[Figure: before and after mitigation. Memory reads/writes by the Non-safety VM are confined by EPT; DMA that the Non-safety VM programs on a device is confined by the IOMMU.]
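As an added example (not ACRN's own code), the following C model shows what the EPT and IOMMU checks in the figure enforce: a VM's CPU accesses and a device's DMA are both confined to the memory of one partition, so neither path lets the Non-safety VM reach the Safety VM's memory. The two-partition layout, device names and function names are constructed for the illustration.

```c
/* Added example, not ACRN code: a simplified model of the spatial-isolation
 * checks partition mode relies on. EPT confines a VM's CPU accesses to its own
 * memory; the IOMMU confines a device's DMA to the memory of the VM owning the
 * device. The two-partition layout and the device table are constructed. */
#include <stdbool.h>
#include <stdint.h>
enum vm_id { SAFETY_VM = 0, NON_SAFETY_VM = 1, NUM_VMS = 2 };
enum device { DEV_NIC = 0, DEV_CAN = 1, NUM_DEVICES = 2 };
struct region { uint64_t base; uint64_t size; };
/* Static memory partitioning: each VM owns one contiguous host range. */
static const struct region vm_mem[NUM_VMS] = {
    [SAFETY_VM]     = { 0x100000000ULL, 0x40000000ULL }, /* 4 GiB .. 5 GiB */
    [NON_SAFETY_VM] = { 0x040000000ULL, 0x80000000ULL }, /* 1 GiB .. 3 GiB */
};
/* Static device assignment, as programmed into the IOMMU. */
static const enum vm_id dev_owner[NUM_DEVICES] = {
    [DEV_NIC] = NON_SAFETY_VM, [DEV_CAN] = SAFETY_VM,
};

/* True if [addr, addr+len) lies inside r; avoids addr+len wraparound. */
static bool in_region(const struct region *r, uint64_t addr, uint64_t len)
{
    return len > 0 && addr >= r->base && len <= r->size
        && addr - r->base <= r->size - len;
}
/* EPT-style check: may the CPUs of vm access [addr, addr+len)? */
bool ept_allows(enum vm_id vm, uint64_t addr, uint64_t len)
{
    return vm < NUM_VMS && in_region(&vm_mem[vm], addr, len);
}

/* IOMMU-style check: may DMA issued by dev touch [addr, addr+len)? Only the
 * owning VM's memory is reachable through the device. */
bool iommu_allows(enum device dev, uint64_t addr, uint64_t len)
{
    return dev < NUM_DEVICES && in_region(&vm_mem[dev_owner[dev]], addr, len);
}

/* Configuration check done once, before boot: no two VMs' ranges overlap. */
bool partitions_disjoint(void)
{
    for (int i = 0; i < NUM_VMS; i++)
        for (int j = i + 1; j < NUM_VMS; j++)
            if (vm_mem[i].base < vm_mem[j].base + vm_mem[j].size &&
                vm_mem[j].base < vm_mem[i].base + vm_mem[i].size)
                return false;
    return true;
}
```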
Mitigating Temporal Interference
[Figure: before and after mitigation. Shared cache load/evict interference between the Non-safety VM and the Safety VM is mitigated by cache partitioning; interrupts that the Non-safety VM programs a device to deliver to the Safety VM are mitigated by the IOMMU.]
Residual Temporal Interference
[Figure: the remaining temporal channels: coherency traffic between the local caches of the two VMs' cores and the shared cache / memory controller, contention on the shared cache / memory controller / peripheral bus, and device traffic.]
• No invalidation due to coherency
• But the coherency traffic remains.
• No way to prevent the non-safety VM from locking cache/memory temporarily
• Lack of hardware support for bandwidth allocation
The residual temporal interference is assumed to be mitigated by external watchdogs.
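As an added example (not ACRN's or any customer's code), a C model of the external watchdog the slide assumes: the Safety VM kicks it once per control cycle, and a cycle stretched past the timeout by residual interference trips the watchdog and latches the fault for the system-level reaction. The timeout, the kick trace and the function names are constructed.

```c
/* Added example, not ACRN code: a model of the external watchdog assumed for
 * residual temporal interference. The safety VM kicks the watchdog once per
 * control cycle; if contention stretches a cycle past the timeout, the
 * watchdog trips and stays tripped. Timestamps are constructed, in us. */
#include <stddef.h>
#include <stdint.h>

struct watchdog {
    uint64_t timeout_us;   /* longest gap between kicks that is tolerated */
    uint64_t last_kick_us;
    uint64_t worst_gap_us; /* observed worst case, useful for timing analysis */
    int      tripped;      /* latched: stays set after the first late kick */
};

void wdt_init(struct watchdog *w, uint64_t timeout_us, uint64_t now_us)
{
    w->timeout_us = timeout_us; w->last_kick_us = now_us;
    w->worst_gap_us = 0;        w->tripped = 0;
}

/* Called by the safety VM at the end of each cycle; returns 1 once tripped. */
int wdt_kick(struct watchdog *w, uint64_t now_us)
{
    uint64_t gap = now_us - w->last_kick_us;
    if (gap > w->worst_gap_us) w->worst_gap_us = gap;
    if (gap > w->timeout_us) w->tripped = 1;
    w->last_kick_us = now_us;
    return w->tripped;
}

/* Watchdog's own timer tick, independent of the VM: has the deadline passed
 * with no kick? This is what catches a VM that stalls completely. */
int wdt_expired(const struct watchdog *w, uint64_t now_us)
{
    return w->tripped || now_us - w->last_kick_us > w->timeout_us;
}

/* Replays a trace of kick times; returns the index of the first late kick
 * or -1 if every cycle met the deadline. */
int wdt_first_violation(uint64_t timeout_us, const uint64_t *kicks, size_t n)
{
    struct watchdog w;
    if (n == 0) return -1;
    wdt_init(&w, timeout_us, kicks[0]);
    for (size_t i = 1; i < n; i++)
        if (wdt_kick(&w, kicks[i])) return (int)i;
    return -1;
}

/* Constructed trace: 1 ms cycle; the kick at index 4 comes 1.6 ms after the
 * previous one, as contention on a shared resource would cause. */
static const uint64_t sample_kicks_us[] = { 0, 1000, 2010, 3000, 4600, 5600 };
int sample_violation(void) { return wdt_first_violation(1500, sample_kicks_us, 6); }
```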
ACRN Certification Plan
• May 2020: Submit concept-phase work products to TÜV SÜD.
• June 2020: Received the technical report on the concept stating that the ACRN Hypervisor Software Component from Intel Corporation is able to fulfil the requirements in accordance with SIL 3 of IEC 61508:2010.
• May 2021 (in the plan): Complete the submission of detailed-test phase work products to TÜV SÜD.
• June 2021 (in the plan): Final audit.
Concluding Remarks
▹ ACRN partition mode allows consolidation of mixed-critical workloads in safety-critical uses.
▹ ACRN leverages hardware mechanisms for interference mitigation. Residual temporal interference exists and requires system-level mitigations.
▹ ACRN is on the way to complete the certification¹.
¹ The package of certified ACRN will be available under NDA (Non-Disclosure Agreement). Contact your sales representative for access.
THANK YOU
