The document discusses integrating the Erika real-time operating system (RTOS) with Linux through the Xen hypervisor, focusing on its application in safety-critical systems like automotive and avionics. It outlines the motivations, ongoing work, and various steps needed to enable efficient inter-domain communication and memory access while ensuring task execution guarantees. The proposed Xen-based approach is examined for its benefits and challenges, including the guarantees of isolation and concerns regarding boot time and certification of the Xen hypervisor.

1. Integrating Linux and the real-time ERIKA OS
through the Xen hypervisor
Arianna Avanzini
Evidence Srl | University of Modena and Reggio Emilia
October 15, 2014

2. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
This presentation
1 Motivations: use cases, Evidence Srl's previous solution
2 ERIKA Enterprise RTOS as a Xen-on-ARM domU
Status of the port
Communication between the ERIKA domU and a Linux dom0
3 Ongoing and future work
Arianna Avanzini Integrating Linux and ERIKA through Xen

3. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Use cases
Systems where infotainment services are provided as much as
safety-critical ones
Trend: complement general-purpose operating systems with
real-time ones
Interacting with each other
Automotive, avionics
Arianna Avanzini Integrating Linux and ERIKA through Xen

4. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Requirements
Guarantees on execution time for safety-critical tasks
Guarantees on boot time of the operating system
Protection of the integrity of the real-time OS
due to the general-purpose OS malfuncioning
High performance: multi-core platforms
Communication between the two operating systems
Arianna Avanzini Integrating Linux and ERIKA through Xen

5. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Evidence Srl's existing solution: outline
Dual-OS design implemented on a dual-core 1.2 GHz
Freescale i.mx6 board
Each operating system is assigned exclusively a core
Operating systems share memory
http://www.evidence.eu.com/embedded-linux-osekvdx-erika-
enterprise-dual-core-automotive-cpu-without-hypervisor.html
Arianna Avanzini Integrating Linux and ERIKA through Xen

6. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Existing solution: real-time OS
http://erika.tuxfamily.org
Small-footprint OS (1-4 Kb)
With hard real-time support
Supports multi-core platforms and stack sharing between tasks
-certi

7. ed
(GPLv2 + linking exception)
Arianna Avanzini Integrating Linux and ERIKA through Xen

8. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Existing solution: general-purpose OS
Fully-featured Linux operating system
Extended with a driver implementing interaction with ERIKA
Not certi

9. ed, but responsible only for non-safety-critical tasks
Arianna Avanzini Integrating Linux and ERIKA through Xen

10. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Existing solution: pros
Each OS runs on a dedicated core
No temporal interference, allowing for guarantees on response
time in safety-critical tasks
Able to provide guarantees on boot time of the real-time OS
Shared memory allows for very ecient communication
Arianna Avanzini Integrating Linux and ERIKA through Xen

11. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Existing solution: cons
Limited support to isolation
Access to shared memory is implemented with mutual
exclusion mechanisms...
... but a malfunctioning general-purpose OS could overwrite
the memory area assigned to the safety-critical OS
Conversely, a failure in the real-time OS could pollute the
memory area assigned to the non-safety-critical OS
Arianna Avanzini Integrating Linux and ERIKA through Xen

12. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Introducing Xen
Main idea: use the Xen hypervisor to guarantee isolation
The hypervisor guarantees protected access to memory
Further ideas:
avoid temporal interference even if OSes run on virtual CPUs
exploit mechanisms provided by Xen to implement
communication
Arianna Avanzini Integrating Linux and ERIKA through Xen

13. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Roadmap
Goal: proof-of-concept dual-OS system running on top of Xen
! Selected platform: SUNXI Allwinner A20 (cubieboard2)
1 Have Linux as a dom0, ERIKA as a domU
Port ERIKA as a Xen-on-ARM domU
2 Allow ERIKA to access I/O memory of devices
3 Have the hypervisor assign statically a core to each domain
Can be achieved with system con

14. guration
4 Implement communication between dom0 and domU
Exploit grant table references, event channels
Arianna Avanzini Integrating Linux and ERIKA through Xen

15. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 1/4: working domU (a)
Sub-goal: have ERIKA actually running as Xen-on-ARM domU
Starting point: pilot MiniOS ARM port, Linux ARM
Perform changes on ERIKA core and build system
zImage preamble, image start address, work around
instructions not allowed for domUs, ...
Add basic debugging framework
Add Generic Interrupt Controller driver
Arianna Avanzini Integrating Linux and ERIKA through Xen

16. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 1/4: working domU (b)
Arianna Avanzini Integrating Linux and ERIKA through Xen

17. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 2/4: I/O-memory access (a)
Sub-goal: enable ERIKA to use I/O memory of peripherals
Chosen peripheral for the proof of concept: GPIO controller
Starting point: SUNXI GPIO driver, ported to ERIKA
Use of the memory mapping Xen DOMCTL to allow to the
ERIKA domU access to the needed I/O-memory ranges
Arianna Avanzini Integrating Linux and ERIKA through Xen

18. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 2/4: I/O-memory access (b)
Arianna Avanzini Integrating Linux and ERIKA through Xen

19. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 3/4: static assignment of CPU cores (a)
Sub-goal: provide ERIKA with exclusive use of a CPU core
Easily achievable via dom0 and domU con

20. guration, by
assigning statically one physical CPU to dom0 and mapping
the domU's vCPU to the remaining core
Arianna Avanzini Integrating Linux and ERIKA through Xen

21. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 3/4: static assignment of CPU cores (b)
Arianna Avanzini Integrating Linux and ERIKA through Xen

22. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: implement inter-domain communication (a)
Sub-goal: enable Linux to trigger the execution of an ERIKA task
Communication must be:
synchronous for the Linux dom0
asyncronous and non-preemptive for the ERIKA domU
Exploit the event channel inter-domain noti

23. cation
mechanism provided by Xen
event channels can be masked, ensuring that high-priority
tasks are not preempted
Arianna Avanzini Integrating Linux and ERIKA through Xen

24. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: implement inter-domain communication (b)
Sub-goal: enable Linux to trigger the execution of an ERIKA task
Communication must be as ecient as possible
share memory
A dedicated set of memory pages is explicitly shared by the
ERIKA domU
exploiting the memory granting mechanism provided by Xen
access permissions are granted only to dom0
Arianna Avanzini Integrating Linux and ERIKA through Xen

25. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: inter-domain communication setup (a)
Arianna Avanzini Integrating Linux and ERIKA through Xen

26. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: inter-domain communication setup (b)
Arianna Avanzini Integrating Linux and ERIKA through Xen

27. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: inter-domain communication setup (c)
Arianna Avanzini Integrating Linux and ERIKA through Xen

28. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: implement inter-domain communication (a)
Basic driver implemented in Linux
Allows Linux to trigger the execution of an ERIKA task
Exposes two tunables in the dom0's sysfs
pin number and pin value
Triggers the assignment of a value to a certain GPIO pin
through ERIKA
Arianna Avanzini Integrating Linux and ERIKA through Xen

29. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: implement inter-domain communication (b)
Arianna Avanzini Integrating Linux and ERIKA through Xen

30. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: implement inter-domain communication (c)
Arianna Avanzini Integrating Linux and ERIKA through Xen

31. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: inter-domain communication protocol (a)
The shared memory area is used as a container for a message
The dom0 writes a command to be executed by the domU
The command is a set of values: (pin number, pin value)
The domU writes a return value for the operation as soon as
it's completed
Arianna Avanzini Integrating Linux and ERIKA through Xen

32. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: inter-domain communication protocol (b)
Arianna Avanzini Integrating Linux and ERIKA through Xen

33. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Step 4/4: inter-domain communication protocol (c)
Arianna Avanzini Integrating Linux and ERIKA through Xen

34. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Xen-based design
The proposed solution matches Evidence Srl's dual-OS design
adding the Xen hypervisor as an extra layer
Pros and cons ahead
Arianna Avanzini Integrating Linux and ERIKA through Xen

35. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Xen-based design: pros
The Xen-based design guarantees the isolation of the
operating systems
Communication is still possible
with safe use of shared memory, mediated by Xen
and Xen's synchronous, maskable inter-domain interrupts
(events)
Arianna Avanzini Integrating Linux and ERIKA through Xen

36. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Xen-based design: cons
ERIKA runs as an unprivileged domain
must wait for the Linux dom0 to boot
No guarantees about its boot times!
Actually, no guarantees that it boots at all...
Xen is not certi

37. ed
(and apparently not easily certi

38. able above DAL-E/D)
Arianna Avanzini Integrating Linux and ERIKA through Xen

39. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Further steps
Port ERIKA Enterprise as a Xen-on-ARM dom0
Consequently, port Xen's toolstack (or part of it) to ERIKA
Investigate the possibility of an ASIL or DAL-B/A certi

40. cation
for Xen
There is in-progress work to certify the core subset of the Xen
codebase
Arianna Avanzini Integrating Linux and ERIKA through Xen

41. Preamble
Motivations
ERIKA as Xen-on-ARM domU
Ongoing and future work
Thank you
Questions are welcome
Also oine:
ask Paolo Valente conceptual questions here,
mail me at avanzini.arianna@gmail.com for low level details.
Arianna Avanzini Integrating Linux and ERIKA through Xen