SlideShare a Scribd company logo

Xen for Embedded, IoT and Edge Runtime

S
Stefano Stabellini

This document discusses Xen for embedded and IoT applications. It proposes ViryaOS, a new Xen Project sub-project that would provide a secure Xen-based container runtime and build system for embedded and IoT use cases. ViryaOS would allow building and deploying multiple VMs and secure containers on embedded targets more easily than current methods. It aims to support real-time requirements, hardware access from containers, and dynamic deployment of workloads.

Software
1 of 42
Download to read offline
© Copyright 2018 Xilinx Stefano Stabellini Xen Maintainer, Principal System Software Engineer 2018/09 Xen for Embedded, IoT, Edge
© Copyright 2018 Xilinx Lightning Xen Update
© Copyright 2018 Xilinx Very Embedded Requirements ˃Real Time Low Deterministic IRQ Latency Static Partitioning Real Time Schedulers ˃Short Boot Times ˃Device Virtualization Device Assignment Device Sharing Driver Domains VM to VM communications ˃Certifications Small Code Base Type-1 >> 3
© Copyright 2018 Xilinx Static Partitioning >> 4 sched=null vwfi=native
© Copyright 2018 Xilinx Static Partitioning >> 5 sched=null vwfi=native 2.5 us
© Copyright 2018 Xilinx VM to VM communication mechanisms ˃Libvchan Linux LIbrary Direct VM to VM channel based on a ring on shared memory libxenvchan_send and libxenvchan_recv ˃PVCalls Socket API virtualization VM to VM communications mediated by the backend domain (dom0) “lo” as an inter-VMs communication namespace ˃V4V Linux library and hypercall VM to VM communication mediated by Xen Trivial to implement in your kernel Not fully upstream >> 6
© Copyright 2018 Xilinx Shared Memory ˃Completely Configurable Support any memory attributes including cacheable memory ˃No need for Xen support to use it ˃Can export the memory to Linux userspace and use OpenAMP >> 7 static_shm = ["id=ID1, begin=0x40000000, size=0x1000, role=master"] static_shm = ["id=ID1, offset=0, begin=0x48000000, size=0x1000, role=slave"] DomU DomU Xen OpenAMP
© Copyright 2018 Xilinx Reducing Code Size >> 8
© Copyright 2018 Xilinx Certifications >> 9 Make xen.git certifiable: • Reduce code size • Fix compliance violations reported by PRQA Ideas on how to do certifications in a Xen Project (Linux Foundation) context
© Copyright 2018 Xilinx Dom0-less >> 10>> 10 U-Boot Xen Dom0 / DomU DomU 1 DomU 2 CPU0 CPU1 CPU2 loads into memoryloads into memory
© Copyright 2018 Xilinx Dom0-less >> 11>> 11 U-Boot Xen Dom0 / DomU DomU 1 DomU 2 CPU0 CPU1 CPU2 boots boots
© Copyright 2018 Xilinx Secure Containers at the Edge
© Copyright 2018 Xilinx The Problem >> 13 Package applications for the target Contain all dependencies Easy to update Independent lifecycle Run applications on the target Run in isolation No interference between applications
© Copyright 2018 Xilinx The Problem >> 14 Package applications for the target Contain all dependencies Easy to update Independent lifecycle Run applications on the target Run in isolation No interference between applications
© Copyright 2018 Xilinx The Problem >> 15 Package applications for the target Contain all dependencies Easy to update Independent lifecycle Run applications on the target Run in isolation No interference between applications
© Copyright 2018 Xilinx Packaging vs. Runtime OCI Image Spec vs. OCI Runtime Spec
© Copyright 2018 Xilinx The problem with Linux namespaces
© Copyright 2018 Xilinx Cloud- native App Malicious App Linux kernel POSIX Cloud- native App Large surface of attack On average, 3 privilege escalation vulnerabilities per Linux release!
© Copyright 2018 Xilinx Cloud- native App Malicious App Linux kernel POSIX Cloud- native App Large surface of attack On average, 3 privilege escalation vulnerabilities per Linux release!
© Copyright 2018 Xilinx Cloud- native App Malicious App Linux kernel POSIX Cloud- native App Large surface of attack On average, 3 privilege escalation vulnerabilities per Linux release!
© Copyright 2018 Xilinx From “Understanding and Hardening Linux Containers”by NCC Group: • Run unprivileged containers (user namespaces, root capability, dropping) • Apply a Mandatory Access Control system, such as SELinux • Build a custom kernel binary with as few modules as possible • Apply sysctl hardening • Apply disk and storage limits • Control device access and limit resource usage with cgroups • Drop any capabilities which are not required for the application within the container [...] Security hardening techniques
© Copyright 2018 Xilinx [...] • Use custom mount options to increase defense in depth • Apply GRSecurity and PAX patches to Linux • Reduce Linux attack surface with Seccomp-bpf • Isolate containers based on trust and exposure • Logging, auditing and monitoring is important for container deployment • Use hardware virtualization along application trust zones Security hardening techniques
© Copyright 2018 Xilinx Security hardening techniques >> 23 Securing Linux Namespaces is possible but very difficult It requires specific knowledge of the cloud native app Auditing and monitoring should performed everywhere Using virtualization for isolation is still recommended
© Copyright 2018 Xilinx Linux Namespaces: very embedded problems ˃Mixed-criticality is not supported ˃Limits on resource utilization are hard to enforce ˃Real-Time support is difficult ˃Certifications are very difficult >> 24
© Copyright 2018 Xilinx The Solution: Xen as Container Runtime ˃Security, Isolation and Partitioning Multi-Tenancy Mixed-Criticality Workloads ˃HardwareAccess to Applications ˃Real-Time Support ˃ ViryaOS: a ready-to-use runtime environment for VMs and Secure Containers >> 25
© Copyright 2018 Xilinx The Problem #2 ˃Cross-building multipleVMs is difficult ˃Assembling the output in a single runnable image is a manual process >> 26
© Copyright 2018 Xilinx Embedded and IoT use pattern ˃Typically users know all the VMs they need beforehand ˃They still need to: Build them all, plus Xen and Dom0 Install all images on target Partition the hardware using device assignment - Edit the Dom0 device tree - Generate appropriate device trees for DomUs with device nodes Plan for images upgrades and security fixes >> 27
© Copyright 2018 Xilinx It’s a lot of work!
© Copyright 2018 Xilinx You think this is bad enough... ...then you try disaggregation
© Copyright 2018 Xilinx Current Status ˃Everybodyhas their own scripts and handcrafted solutions They are limited Only target one use-case Limited support for driver domains and service domains Only support one hardware platform ˃ We would all benefit from a unifying effort >> 30
© Copyright 2018 Xilinx ViryaOS A proposal for a new Xen Project sub-project
© Copyright 2018 Xilinx ViryaOS ˃a Secure Xen based runtime ˃Containers supported natively ˃a turnkey solution ˃a Flexible build system ˃support aarch64 and x86_64 ˃Targeted at embedded and IoT >> 32
© Copyright 2018 Xilinx BUILD RUNTIME User AppUser App ViryaOS Build App ViryaOS
© Copyright 2018 Xilinx ViryaOS: Runtime ˃Dynamicallydeploy VMs and Secure Containers ˃Containers are run securely, transparently as Xen VMs 1 Kubernetes Pod per VM See KataContainers and stage1-xen ˃Measure Boot ˃System Software updates and Containers updates ˃Uses Disaggregation, Service Domains, and Driver Domains >> 34
© Copyright 2018 Xilinx VIRYA OS Xen Dom0 Containers/ DomUs Hardware Secure Containers Runtime ViryaOS: Runtime
© Copyright 2018 Xilinx Xen Dom0 Domain Manager DomUs Hardware Secure Containers Runtime Internal API
© Copyright 2018 Xilinx Xen Dom0 Domain Manager DomUs Hardware TPM Network Manager NIC TPM Manager Secure Containers Runtime Internal API
© Copyright 2018 Xilinx ViryaOS: Build ˃a multi-domain build system builds multiple domains in one go ˃Create a runnable SD Card image from multiple domain builds ˃Each domain build is independentand run in a Container ˃Pre-configures device assignments to VMs ˃Made for disaggregated architectures >> 38
© Copyright 2018 Xilinx Image Builder SD Card Image apks Image. gz Dom0 - Alpine Linux Dom0 kernel - Yocto Dom1 DriverD - Yocto Rootfs Dom2 DriverD - Alpine Linux apks ViryaOS: Build
© Copyright 2018 Xilinx ViryaOS: Build ˃Everything builds in a Container ˃Support cross-builds (aarch64 on x86) with qemu-user ˃Support any build systems for domain builds Enable mixed Alpine Linux / Yocto environments Rootfs and kernel can be built independently ˃Support multiple DomU build output formats ˃The DomU build output is stored in a container Intermediate artifacts can be pulled from the Docker Hub to speed up the build >> 40
© Copyright 2018 Xilinx Status ˃Very early stage, experimental ˃Interest, but no company backers yet, community driver ˃Subscribe to the mailing list to learn more and participate! ˃Initial implementation available for: SDK Containers-driven build Yocto kernel build Imagebuilder >> 41
Adaptable. Intelligent. © Copyright 2018 Xilinx sstabellini@kernel.org stefanos@xilinx.com

Recommended

Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Stefano Stabellini
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
Xen in Safety-Critical Systems - Critical Summit 2022
Xen in Safety-Critical Systems - Critical Summit 2022Xen in Safety-Critical Systems - Critical Summit 2022
Xen in Safety-Critical Systems - Critical Summit 2022Stefano Stabellini
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)The Linux Foundation
 
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...The Linux Foundation
 

Recommended

Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...
Static Partitioning with Xen, LinuxRT, and Zephyr: A Concrete End-to-end Exam...Stefano Stabellini
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedStefano Stabellini
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
Xen in Safety-Critical Systems - Critical Summit 2022
Xen in Safety-Critical Systems - Critical Summit 2022Xen in Safety-Critical Systems - Critical Summit 2022
Xen in Safety-Critical Systems - Critical Summit 2022Stefano Stabellini
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)The Linux Foundation
 
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...The Linux Foundation
 
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorSafety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorStefano Stabellini
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMThe Linux Foundation
 
Xen Memory Management
Xen Memory ManagementXen Memory Management
Xen Memory ManagementThe Linux Foundation
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeStefano Stabellini
 
OSSNA18: Xen Beginners Training
OSSNA18: Xen Beginners Training OSSNA18: Xen Beginners Training
OSSNA18: Xen Beginners Training The Linux Foundation
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
Reconnaissance of Virtio: What’s new and how it’s all connected?
Reconnaissance of Virtio: What’s new and how it’s all connected?Reconnaissance of Virtio: What’s new and how it’s all connected?
Reconnaissance of Virtio: What’s new and how it’s all connected?Samsung Open Source Group
 
LFCollab14: Xen vs Xen Automotive
LFCollab14: Xen vs Xen AutomotiveLFCollab14: Xen vs Xen Automotive
LFCollab14: Xen vs Xen AutomotiveThe Linux Foundation
 
Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Stefano Stabellini
 
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...The Linux Foundation
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesNational Cheng Kung University
 
Xen Debugging
Xen DebuggingXen Debugging
Xen DebuggingThe Linux Foundation
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationThe Linux Foundation
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov UpdateThe Linux Foundation
 
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...The Linux Foundation
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 

More Related Content

What's hot

Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorSafety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorStefano Stabellini
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMThe Linux Foundation
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeStefano Stabellini
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
Reconnaissance of Virtio: What’s new and how it’s all connected?
Reconnaissance of Virtio: What’s new and how it’s all connected?Reconnaissance of Virtio: What’s new and how it’s all connected?
Reconnaissance of Virtio: What’s new and how it’s all connected?Samsung Open Source Group
 
Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Stefano Stabellini
 
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...The Linux Foundation
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationThe Linux Foundation
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov UpdateThe Linux Foundation
 

What's hot (20)

Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen HypervisorSafety-Certifying Open Source Software: The Case of the Xen Hypervisor
Safety-Certifying Open Source Software: The Case of the Xen Hypervisor
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARMXPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
XPDS16: Porting Xen on ARM to a new SOC - Julien Grall, ARM
 
Xen Memory Management
Xen Memory ManagementXen Memory Management
Xen Memory Management
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edge
 
OSSNA18: Xen Beginners Training
OSSNA18: Xen Beginners Training OSSNA18: Xen Beginners Training
OSSNA18: Xen Beginners Training
 
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
Reconnaissance of Virtio: What’s new and how it’s all connected?
Reconnaissance of Virtio: What’s new and how it’s all connected?Reconnaissance of Virtio: What’s new and how it’s all connected?
Reconnaissance of Virtio: What’s new and how it’s all connected?
 
LFCollab14: Xen vs Xen Automotive
LFCollab14: Xen vs Xen AutomotiveLFCollab14: Xen vs Xen Automotive
LFCollab14: Xen vs Xen Automotive
 
Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020
 
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
ALSF13: Xen on ARM - Virtualization for the Automotive Industry - Stefano Sta...
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile Devices
 
Xen Debugging
Xen DebuggingXen Debugging
Xen Debugging
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using Virtualization
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update
 

Similar to Xen for Embedded, IoT and Edge Runtime

XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...The Linux Foundation
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Steve Wilson
 
Governance for your Modern Application Platform - November 4, 2020
Governance for your Modern Application Platform - November 4, 2020Governance for your Modern Application Platform - November 4, 2020
Governance for your Modern Application Platform - November 4, 2020VMware Tanzu
 
VMware Tanzu Introduction
VMware Tanzu IntroductionVMware Tanzu Introduction
VMware Tanzu IntroductionVMware Tanzu
 
Deploying A Proof Of Stake App On IBM Cloud Using Tendermint
Deploying A Proof Of Stake App On IBM Cloud Using TendermintDeploying A Proof Of Stake App On IBM Cloud Using Tendermint
Deploying A Proof Of Stake App On IBM Cloud Using TendermintKunal Malhotra
 
"Current and Planned Standards for Computer Vision and Machine Learning," a P...
"Current and Planned Standards for Computer Vision and Machine Learning," a P..."Current and Planned Standards for Computer Vision and Machine Learning," a P...
"Current and Planned Standards for Computer Vision and Machine Learning," a P...Edge AI and Vision Alliance
 
Kubernetes for the VI Admin
Kubernetes for the VI AdminKubernetes for the VI Admin
Kubernetes for the VI AdminKendrick Coleman
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys
 
Executive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersExecutive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersNVISIA
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Black Duck by Synopsys
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Containerized Cloud Computing - Redhat
Containerized Cloud Computing - RedhatContainerized Cloud Computing - Redhat
Containerized Cloud Computing - RedhatAmazon Web Services
 
Arm tech con 2014 slides - sallam-public
Arm tech con 2014 slides - sallam-publicArm tech con 2014 slides - sallam-public
Arm tech con 2014 slides - sallam-publicAhmed Sallam
 
wisecloud based open cloud implementation guide
wisecloud based open cloud implementation guidewisecloud based open cloud implementation guide
wisecloud based open cloud implementation guidebizmerce
 
Transformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareTransformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareMarketingArrowECS_CZ
 
Protecting Pipeline DevOps and IaC
Protecting Pipeline DevOps and IaCProtecting Pipeline DevOps and IaC
Protecting Pipeline DevOps and IaCFernando Cardoso
 
What’s new in XenClient
What’s new in XenClientWhat’s new in XenClient
What’s new in XenClientCitrix
 

Similar to Xen for Embedded, IoT and Edge Runtime (20)

XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
XDF18: Heterogeneous Real-Time SoC Software Architecture - Stefano Stabellini...
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!
 
Governance for your Modern Application Platform - November 4, 2020
Governance for your Modern Application Platform - November 4, 2020Governance for your Modern Application Platform - November 4, 2020
Governance for your Modern Application Platform - November 4, 2020
 
VMware Tanzu Introduction
VMware Tanzu IntroductionVMware Tanzu Introduction
VMware Tanzu Introduction
 
Deploying A Proof Of Stake App On IBM Cloud Using Tendermint
Deploying A Proof Of Stake App On IBM Cloud Using TendermintDeploying A Proof Of Stake App On IBM Cloud Using Tendermint
Deploying A Proof Of Stake App On IBM Cloud Using Tendermint
 
"Current and Planned Standards for Computer Vision and Machine Learning," a P...
"Current and Planned Standards for Computer Vision and Machine Learning," a P..."Current and Planned Standards for Computer Vision and Machine Learning," a P...
"Current and Planned Standards for Computer Vision and Machine Learning," a P...
 
Kubernetes for the VI Admin
Kubernetes for the VI AdminKubernetes for the VI Admin
Kubernetes for the VI Admin
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Executive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of ContainersExecutive Briefing: The Why, What, and Where of Containers
Executive Briefing: The Why, What, and Where of Containers
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Containerized Cloud Computing - Redhat
Containerized Cloud Computing - RedhatContainerized Cloud Computing - Redhat
Containerized Cloud Computing - Redhat
 
Arm tech con 2014 slides - sallam-public
Arm tech con 2014 slides - sallam-publicArm tech con 2014 slides - sallam-public
Arm tech con 2014 slides - sallam-public
 
wisecloud based open cloud implementation guide
wisecloud based open cloud implementation guidewisecloud based open cloud implementation guide
wisecloud based open cloud implementation guide
 
Transformace IT s technologiemi VMware
Transformace IT s technologiemi VMwareTransformace IT s technologiemi VMware
Transformace IT s technologiemi VMware
 
Protecting Pipeline DevOps and IaC
Protecting Pipeline DevOps and IaCProtecting Pipeline DevOps and IaC
Protecting Pipeline DevOps and IaC
 
What’s new in XenClient
What’s new in XenClientWhat’s new in XenClient
What’s new in XenClient
 

More from Stefano Stabellini

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
System Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and LopperSystem Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and LopperStefano Stabellini
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemStefano Stabellini
 
Dom0less - Xen Developer Summit 2019
Dom0less - Xen Developer Summit 2019Dom0less - Xen Developer Summit 2019
Dom0less - Xen Developer Summit 2019Stefano Stabellini
 

More from Stefano Stabellini (9)

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
RunX ELCE 2020
RunX ELCE 2020RunX ELCE 2020
RunX ELCE 2020
 
System Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and LopperSystem Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and Lopper
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time System
 
Dom0less - Xen Developer Summit 2019
Dom0less - Xen Developer Summit 2019Dom0less - Xen Developer Summit 2019
Dom0less - Xen Developer Summit 2019
 
Xen Project for ARM Servers
Xen Project for ARM ServersXen Project for ARM Servers
Xen Project for ARM Servers
 
Xen and OpenStack
Xen and OpenStackXen and OpenStack
Xen and OpenStack
 
XDS15: Project Raisin
XDS15: Project RaisinXDS15: Project Raisin
XDS15: Project Raisin
 
OpenStack and Xen
OpenStack and XenOpenStack and Xen
OpenStack and Xen
 

Recently uploaded

XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 

Recently uploaded (20)

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 

Xen for Embedded, IoT and Edge Runtime

  • 1. © Copyright 2018 Xilinx Stefano Stabellini Xen Maintainer, Principal System Software Engineer 2018/09 Xen for Embedded, IoT, Edge
  • 2. © Copyright 2018 Xilinx Lightning Xen Update
  • 3. © Copyright 2018 Xilinx Very Embedded Requirements ˃Real Time Low Deterministic IRQ Latency Static Partitioning Real Time Schedulers ˃Short Boot Times ˃Device Virtualization Device Assignment Device Sharing Driver Domains VM to VM communications ˃Certifications Small Code Base Type-1 >> 3
  • 4. © Copyright 2018 Xilinx Static Partitioning >> 4 sched=null vwfi=native
  • 5. © Copyright 2018 Xilinx Static Partitioning >> 5 sched=null vwfi=native 2.5 us
  • 6. © Copyright 2018 Xilinx VM to VM communication mechanisms ˃Libvchan Linux LIbrary Direct VM to VM channel based on a ring on shared memory libxenvchan_send and libxenvchan_recv ˃PVCalls Socket API virtualization VM to VM communications mediated by the backend domain (dom0) “lo” as an inter-VMs communication namespace ˃V4V Linux library and hypercall VM to VM communication mediated by Xen Trivial to implement in your kernel Not fully upstream >> 6
  • 7. © Copyright 2018 Xilinx Shared Memory ˃Completely Configurable Support any memory attributes including cacheable memory ˃No need for Xen support to use it ˃Can export the memory to Linux userspace and use OpenAMP >> 7 static_shm = ["id=ID1, begin=0x40000000, size=0x1000, role=master"] static_shm = ["id=ID1, offset=0, begin=0x48000000, size=0x1000, role=slave"] DomU DomU Xen OpenAMP
  • 8. © Copyright 2018 Xilinx Reducing Code Size >> 8
  • 9. © Copyright 2018 Xilinx Certifications >> 9 Make xen.git certifiable: • Reduce code size • Fix compliance violations reported by PRQA Ideas on how to do certifications in a Xen Project (Linux Foundation) context
  • 10. © Copyright 2018 Xilinx Dom0-less >> 10>> 10 U-Boot Xen Dom0 / DomU DomU 1 DomU 2 CPU0 CPU1 CPU2 loads into memoryloads into memory
  • 11. © Copyright 2018 Xilinx Dom0-less >> 11>> 11 U-Boot Xen Dom0 / DomU DomU 1 DomU 2 CPU0 CPU1 CPU2 boots boots
  • 12. © Copyright 2018 Xilinx Secure Containers at the Edge
  • 13. © Copyright 2018 Xilinx The Problem >> 13 Package applications for the target Contain all dependencies Easy to update Independent lifecycle Run applications on the target Run in isolation No interference between applications
  • 14. © Copyright 2018 Xilinx The Problem >> 14 Package applications for the target Contain all dependencies Easy to update Independent lifecycle Run applications on the target Run in isolation No interference between applications
  • 15. © Copyright 2018 Xilinx The Problem >> 15 Package applications for the target Contain all dependencies Easy to update Independent lifecycle Run applications on the target Run in isolation No interference between applications
  • 16. © Copyright 2018 Xilinx Packaging vs. Runtime OCI Image Spec vs. OCI Runtime Spec
  • 17. © Copyright 2018 Xilinx The problem with Linux namespaces
  • 18. © Copyright 2018 Xilinx Cloud- native App Malicious App Linux kernel POSIX Cloud- native App Large surface of attack On average, 3 privilege escalation vulnerabilities per Linux release!
  • 19. © Copyright 2018 Xilinx Cloud- native App Malicious App Linux kernel POSIX Cloud- native App Large surface of attack On average, 3 privilege escalation vulnerabilities per Linux release!
  • 20. © Copyright 2018 Xilinx Cloud- native App Malicious App Linux kernel POSIX Cloud- native App Large surface of attack On average, 3 privilege escalation vulnerabilities per Linux release!
  • 21. © Copyright 2018 Xilinx From “Understanding and Hardening Linux Containers”by NCC Group: • Run unprivileged containers (user namespaces, root capability, dropping) • Apply a Mandatory Access Control system, such as SELinux • Build a custom kernel binary with as few modules as possible • Apply sysctl hardening • Apply disk and storage limits • Control device access and limit resource usage with cgroups • Drop any capabilities which are not required for the application within the container [...] Security hardening techniques
  • 22. © Copyright 2018 Xilinx [...] • Use custom mount options to increase defense in depth • Apply GRSecurity and PAX patches to Linux • Reduce Linux attack surface with Seccomp-bpf • Isolate containers based on trust and exposure • Logging, auditing and monitoring is important for container deployment • Use hardware virtualization along application trust zones Security hardening techniques
  • 23. © Copyright 2018 Xilinx Security hardening techniques >> 23 Securing Linux Namespaces is possible but very difficult It requires specific knowledge of the cloud native app Auditing and monitoring should performed everywhere Using virtualization for isolation is still recommended
  • 24. © Copyright 2018 Xilinx Linux Namespaces: very embedded problems ˃Mixed-criticality is not supported ˃Limits on resource utilization are hard to enforce ˃Real-Time support is difficult ˃Certifications are very difficult >> 24
  • 25. © Copyright 2018 Xilinx The Solution: Xen as Container Runtime ˃Security, Isolation and Partitioning Multi-Tenancy Mixed-Criticality Workloads ˃HardwareAccess to Applications ˃Real-Time Support ˃ ViryaOS: a ready-to-use runtime environment for VMs and Secure Containers >> 25
  • 26. © Copyright 2018 Xilinx The Problem #2 ˃Cross-building multipleVMs is difficult ˃Assembling the output in a single runnable image is a manual process >> 26
  • 27. © Copyright 2018 Xilinx Embedded and IoT use pattern ˃Typically users know all the VMs they need beforehand ˃They still need to: Build them all, plus Xen and Dom0 Install all images on target Partition the hardware using device assignment - Edit the Dom0 device tree - Generate appropriate device trees for DomUs with device nodes Plan for images upgrades and security fixes >> 27
  • 28. © Copyright 2018 Xilinx It’s a lot of work!
  • 29. © Copyright 2018 Xilinx You think this is bad enough... ...then you try disaggregation
  • 30. © Copyright 2018 Xilinx Current Status ˃Everybodyhas their own scripts and handcrafted solutions They are limited Only target one use-case Limited support for driver domains and service domains Only support one hardware platform ˃ We would all benefit from a unifying effort >> 30
  • 31. © Copyright 2018 Xilinx ViryaOS A proposal for a new Xen Project sub-project
  • 32. © Copyright 2018 Xilinx ViryaOS ˃a Secure Xen based runtime ˃Containers supported natively ˃a turnkey solution ˃a Flexible build system ˃support aarch64 and x86_64 ˃Targeted at embedded and IoT >> 32
  • 33. © Copyright 2018 Xilinx BUILD RUNTIME User AppUser App ViryaOS Build App ViryaOS
  • 34. © Copyright 2018 Xilinx ViryaOS: Runtime ˃Dynamicallydeploy VMs and Secure Containers ˃Containers are run securely, transparently as Xen VMs 1 Kubernetes Pod per VM See KataContainers and stage1-xen ˃Measure Boot ˃System Software updates and Containers updates ˃Uses Disaggregation, Service Domains, and Driver Domains >> 34
  • 35. © Copyright 2018 Xilinx VIRYA OS Xen Dom0 Containers/ DomUs Hardware Secure Containers Runtime ViryaOS: Runtime
  • 36. © Copyright 2018 Xilinx Xen Dom0 Domain Manager DomUs Hardware Secure Containers Runtime Internal API
  • 37. © Copyright 2018 Xilinx Xen Dom0 Domain Manager DomUs Hardware TPM Network Manager NIC TPM Manager Secure Containers Runtime Internal API
  • 38. © Copyright 2018 Xilinx ViryaOS: Build ˃a multi-domain build system builds multiple domains in one go ˃Create a runnable SD Card image from multiple domain builds ˃Each domain build is independentand run in a Container ˃Pre-configures device assignments to VMs ˃Made for disaggregated architectures >> 38
  • 39. © Copyright 2018 Xilinx Image Builder SD Card Image apks Image. gz Dom0 - Alpine Linux Dom0 kernel - Yocto Dom1 DriverD - Yocto Rootfs Dom2 DriverD - Alpine Linux apks ViryaOS: Build
  • 40. © Copyright 2018 Xilinx ViryaOS: Build ˃Everything builds in a Container ˃Support cross-builds (aarch64 on x86) with qemu-user ˃Support any build systems for domain builds Enable mixed Alpine Linux / Yocto environments Rootfs and kernel can be built independently ˃Support multiple DomU build output formats ˃The DomU build output is stored in a container Intermediate artifacts can be pulled from the Docker Hub to speed up the build >> 40
  • 41. © Copyright 2018 Xilinx Status ˃Very early stage, experimental ˃Interest, but no company backers yet, community driver ˃Subscribe to the mailing list to learn more and participate! ˃Initial implementation available for: SDK Containers-driven build Yocto kernel build Imagebuilder >> 41
  • 42. Adaptable. Intelligent. © Copyright 2018 Xilinx sstabellini@kernel.org stefanos@xilinx.com