The advances made in multi-core technology and associated middleware allow developers to combine the best principles of multi-processing, virtualisation, real-time and hard partitioning to create a highly optimised execution environment for embedded applications. Here we look at the technology impact of multi-core processors on operating system and application software design.
Of late, innovation in processor architecture has been focused on
creating multi-core processors. These multi-core processors introduce
two or more processing cores in a single chip, thereby giving operating
systems and applications access to increased computing power.
One of the significant advantages of these multi-core processors is
the additional computing resources without any significant increase in
size and weight; previous generations of multi-processing
configurations involved two or more physical chips that required
additional real estate on processor boards.
The immediate benefits are obvious: a system designed around a uni-processor configuration can replace the single-core part with a dual- or quad-core processor. The computing power of the configuration increases dramatically with no appreciable change to its physical form.
The software impact of multi-core processors is fairly immediate on
operating systems design. The OS has to adapt to support symmetric
multi-processing (SMP) or asymmetric multi-processing (AMP), two major
approaches for support of multi-core processors.
The operating system design has to adapt in the areas of scheduling,
interrupt handling, synchronisation and load balancing. Application
programs can also be affected by multi-core processors based on the
ability of the OS to provide fine-grained control of process scheduling
to applications.
For example, an application can request to be scheduled on one specific processor core only (processor affinity). However, the increase in compute power that multi-core processors bring can be better harnessed through another recent trend in OS design, namely virtualisation.
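Pinning a thread to one core is the concrete form of the request described above. The following is an added example for Linux, not code from the original article; it uses the raw sched_getaffinity, sched_setaffinity and getcpu system calls (the libc wrappers and the CPU_SET() macros behave the same but need _GNU_SOURCE), and the function names are my own. It first reads the mask the thread inherited, because in a container or cpuset CPU 0 may not be permitted, then pins to the first allowed CPU and asks the kernel which CPU it is on.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Declared explicitly so the block builds even under a strict -std=c11, where
 * unistd.h hides syscall(); the prototype matches glibc's. */
extern long syscall(long number, ...);

/* 1024-bit CPU mask in the layout sched_{get,set}affinity expect. The raw
 * system calls are used instead of the libc wrappers and CPU_SET() macros so
 * that no _GNU_SOURCE feature macro is needed; the semantics are identical. */
#define BITS_PER_WORD (8 * sizeof(unsigned long))
#define MASK_WORDS    (1024 / BITS_PER_WORD)

static int mask_get(unsigned long *mask) {
    memset(mask, 0, MASK_WORDS * sizeof *mask);
    return syscall(SYS_sched_getaffinity, 0, MASK_WORDS * sizeof *mask, mask) < 0 ? -errno : 0;
}

/* First CPU the calling thread may run on, or -1. Starting from the inherited
 * mask matters: inside a container or cpuset, CPU 0 may not be available. */
int first_allowed_cpu(void) {
    unsigned long mask[MASK_WORDS];
    if (mask_get(mask) < 0) return -1;
    for (size_t w = 0; w < MASK_WORDS; w++)
        for (size_t b = 0; b < BITS_PER_WORD; b++)
            if (mask[w] & (1UL << b)) return (int)(w * BITS_PER_WORD + b);
    return -1;
}

/* Pin the calling thread to exactly one CPU. Returns 0 or -errno. */
int pin_to_cpu(int cpu) {
    unsigned long mask[MASK_WORDS] = { 0 };
    if (cpu < 0 || (size_t)cpu >= MASK_WORDS * BITS_PER_WORD) return -EINVAL;
    mask[cpu / BITS_PER_WORD] |= 1UL << (cpu % BITS_PER_WORD);
    return syscall(SYS_sched_setaffinity, 0, sizeof mask, mask) < 0 ? -errno : 0;
}

/* CPU the calling thread is executing on right now, or -1. */
int current_cpu(void) {
    unsigned cpu = 0;
    return syscall(SYS_getcpu, &cpu, NULL, NULL) < 0 ? -1 : (int)cpu;
}

/* Pin to the first permitted CPU and confirm the kernel agrees. The kernel
 * migrates the thread before sched_setaffinity returns, so the check is
 * immediate. Returns the CPU number or -errno. */
int pin_and_verify(void) {
    int cpu = first_allowed_cpu();
    if (cpu < 0) return -ENOENT;
    int r = pin_to_cpu(cpu);
    if (r < 0) return r;
    return current_cpu() == cpu ? cpu : -EAGAIN;
}

int main(void) {
    int cpu = pin_and_verify();
    if (cpu < 0) { fprintf(stderr, "pin failed: %s\n", strerror(-cpu)); return 1; }
    printf("pinned to CPU %d; first allowed CPU is now %d\n", cpu, first_allowed_cpu());
    return 0;
}
```

Affinity is a request to the scheduler, not a guarantee of isolation: a pinned thread still shares caches, memory bandwidth and interrupts with whatever else the OS places on that core, which is the gap that time-space partitioning closes.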
Virtualize with binary compatibility layers
Operating system virtualisation is done using binary compatibility layers that run on a foreign operating system while presenting an interface similar to the original OS environment. This is most often done to migrate and execute applications across multiple heterogeneous operating systems. For example, running Windows applications on Linux uses a compatibility layer that reproduces the behaviour of the Windows system interfaces on Linux.
Hardware virtualisation involves emulating the underlying hardware so that operating systems themselves can run in a hardware environment different from the one they were written for. The software that emulates the hardware is called a virtual machine monitor (VMM) or hypervisor; the emulated machine it presents to a guest is a virtual machine (VM), although the two terms are commonly used interchangeably, as they are in this article.
A VM abstracts the capabilities of the hardware and makes them available in environments different from the original hardware. Well-known examples are VMware, which presents a standard Intel x86 PC to its guest operating systems (for instance on a Macintosh host), and the Java Virtual Machine (JVM), which executes a byte-code instruction set for a pseudo-processor. Note that the JVM is a process-level VM that hosts a single program rather than a whole operating system, so it is not a hardware VMM in the sense used below.
Hardware virtualisation can also be extended to allow multiple heterogeneous operating systems to execute on a single physical machine; the ample computing resources of modern multi-core processors make this practical. However, because these operating system instances share the computing resources, each needs to execute in a resource-isolated environment with no functional impact on the other instances.
Hardware virtualisation for an OS
Enabling multiple instances of heterogeneous operating systems on a
single machine involves solving technical challenges in virtualisation
and resource isolation while retaining complete binary compatibility
and an acceptable level of performance.
Virtualising multiple instances of an operating system can be done using either full virtualisation or partial virtualisation. The virtual machine in either case virtualises the hardware to provide the illusion of real hardware for the operating systems executing on this virtual machine. However, both full and partial virtualisations have some key differences in their overall architecture, leading to a different set of trade-offs.
Full virtualisation of the underlying hardware requires virtualising
all the capabilities of the processor and board. This involves complex
manipulation of memory management and privilege levels (every privileged
instruction the guest executes has to be trapped and emulated), which is
computationally intensive on commodity processors that lack hardware
virtualisation extensions. The result is a performance overhead that is
much higher than that of the non-virtualised OS. The biggest benefit of
full virtualisation is that operating systems run unmodified, although
at the cost of that overhead.
Figure 1: Virtualized OS architecture on a multi-core processor
Partial or para-virtualisation is a technique in which the underlying hardware is not completely simulated in software: the guest kernel is modified to call the virtual machine explicitly for privileged operations (page-table updates, for instance) instead of executing privileged instructions that would have to be trapped. This allows commodity operating systems to be virtualised on commodity processors, with the requirement that the guest operating system's source code be modified to adhere to the para-virtualised architecture. In return, the performance of para-virtualised systems is much better than that of fully virtualised machines, usually within a few percent of the non-virtualised version.
The other key requirement for running multiple operating systems in
the context of a virtual machine is the ability to isolate the physical
resources of a computer. This is achieved by time-space partitioning, a
concept used extensively in safety-critical and secure systems. In a
time-space partitioned system, the virtual machine sub-divides two key
computing resources: CPU time and physical memory.
The physical memory is divided into unique, non-overlapping ranges, each assigned to one virtualised operating system. The time scheduler allocates periods of CPU time to each virtualised OS, usually on a fixed, cyclic schedule. Together these give each virtualised OS the illusion of exclusive access to the computing resources. The ability of the virtual machine to support time-space partitioning is a basic prerequisite for executing multiple virtualised operating systems on a single machine.
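The two halves of time-space partitioning reduce to checks on a boot-time configuration table, and the added example below models them in C. It is not code from the article or from any product: the table layout, partition names and function names are constructed for illustration. It validates that memory ranges do not overlap, bounds-checks every guest-physical access (the rule the kernel otherwise encodes in the MMU/IOMMU tables), derives the owner of any instant from a fixed cyclic major frame, and shows that a runaway partition cannot consume more than its slice. The same fixed-cyclic major frame is what the ARINC 653-style scheduler mentioned under the example architecture provides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One partition as the separation kernel's boot-time configuration sees it:
 * a private host-physical memory range and a fixed slice of the major frame.
 * The table format and names are constructed for this example. */
typedef struct {
    const char *name;
    uint64_t    mem_base;   /* host-physical base of the partition's memory */
    uint64_t    mem_size;   /* bytes */
    uint32_t    slice_us;   /* CPU time per major frame, microseconds */
} partition_t;

static const partition_t kTable[] = {
    { "linux",   0x10000000, 0x08000000, 5000 },   /* 128 MiB, 5 ms */
    { "rtos",    0x18000000, 0x01000000, 1000 },   /*  16 MiB, 1 ms */
    { "windows", 0x19000000, 0x10000000, 4000 },   /* 256 MiB, 4 ms */
};
#define NPART (sizeof kTable / sizeof kTable[0])

/* A deliberately broken table: "c" lies inside "b"'s range. */
static const partition_t kBadTable[3] = {
    { "a", 0x10000000, 0x08000000, 1 },
    { "b", 0x18000000, 0x01000000, 1 },
    { "c", 0x18800000, 0x00100000, 1 },
};

/* Space partitioning: ranges must be unique and non-overlapping. Returns -1 if
 * the table is consistent, else the index of the first partition overlapping an
 * earlier one. This runs once at boot, so O(n^2) is fine. */
int find_overlap(const partition_t *p, size_t n) {
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++) {
            uint64_t ai = p[i].mem_base, ei = ai + p[i].mem_size;
            uint64_t aj = p[j].mem_base, ej = aj + p[j].mem_size;
            if (ai < ej && aj < ei) return (int)i;
        }
    return -1;
}

/* Translate a guest-physical access to host-physical. On real hardware the
 * kernel encodes this in the MMU/IOMMU tables; the rule is the same: anything
 * outside the partition's own range is a trapped fault, never a neighbour's memory. */
bool guest_to_host(const partition_t *p, uint64_t gpa, uint64_t len, uint64_t *hpa) {
    if (len == 0 || gpa > UINT64_MAX - len) return false;  /* overflow guard */
    if (gpa + len > p->mem_size) return false;              /* outside partition */
    *hpa = p->mem_base + gpa;
    return true;
}

/* Time partitioning: the major frame is the sum of the slices, and the owner
 * of any instant follows from the configuration alone, not from guest behaviour. */
uint64_t major_frame_us(const partition_t *p, size_t n) {
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += p[i].slice_us;
    return sum;
}

int partition_at(const partition_t *p, size_t n, uint64_t t_us) {
    uint64_t off = t_us % major_frame_us(p, n);
    for (size_t i = 0; i < n; i++) {
        if (off < p[i].slice_us) return (int)i;
        off -= p[i].slice_us;
    }
    return -1;  /* unreachable: off is always below the major frame */
}

/* Budget enforcement over `frames` major frames. demand_us[i] is the total CPU
 * time partition i tries to consume (UINT64_MAX models a runaway loop). The
 * kernel's timer preempts at the end of each slice, so got_us[i] never exceeds
 * frames * slice_us and a greedy partition cannot starve the others. */
void run_frames(const partition_t *p, size_t n, const uint64_t *demand_us,
                uint64_t frames, uint64_t *got_us) {
    for (size_t i = 0; i < n; i++) got_us[i] = 0;
    for (uint64_t f = 0; f < frames; f++)
        for (size_t i = 0; i < n; i++) {
            uint64_t left = demand_us[i] - got_us[i];  /* got_us never exceeds demand_us */
            got_us[i] += left < p[i].slice_us ? left : p[i].slice_us;
        }
}

int main(void) {
    printf("overlap in kTable: %d, in kBadTable: %d\n",
           find_overlap(kTable, NPART), find_overlap(kBadTable, 3));
    uint64_t demand[NPART] = { UINT64_MAX, 500, 40000 }, got[NPART];
    run_frames(kTable, NPART, demand, 10, got);
    for (size_t i = 0; i < NPART; i++)
        printf("%-8s got %6llu us of %6llu us budget over 10 frames\n", kTable[i].name,
               (unsigned long long)got[i], (unsigned long long)kTable[i].slice_us * 10);
    return 0;
}
```

Two points worth noting from the model: the overlap check is what makes the memory side a partition rather than a suggestion, and the schedule is computed from the table and the clock only, so a guest has no input that could change who runs next. Neither property depends on the guests being well behaved.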
Both full and partial virtualisation support 100% application binary
compatibility with the stand-alone version of the operating system
(with para-virtualisation it is the guest kernel, not the applications,
that is modified). Both also retain the benefits of multiple address
spaces within a single operating system instance.
One significant difference between a stand-alone operating system
and a virtualised version is that the virtualised OS runs in a less
privileged mode (user mode). This is necessary since the virtual
machine that provides the virtualised architecture is the sole entity
that is running at highest privileged level (supervisor mode). Figure 1 above shows the generic
architecture supporting multiple heterogeneous operating systems
running on a virtual machine.
One of the key benefits of creating a virtualised OS architecture is
the addition of security capabilities to embedded design. The
time-space partitioning provided by this architecture forms a natural
foundation for building secure embedded applications, and the MILS
architecture is the approach that evolves directly from it.
The MILS (Multiple Independent Levels of Security/Safety) architecture adopts the best principles of security and safety-critical design to define a hard real-time, secure embedded OS that can be evaluated to the highest levels of security (Common Criteria EAL7) and safety assurance (DO-178B Level A), while preserving the flexibility to support diverse security policies. The architecture identifies four key security policies: Information Flow, Data Isolation, Residual Information Protection and Damage Limitation.
The Information Flow policy states that only authorised subjects can exchange information, and only over pre-configured communication channels. The Data Isolation policy states that objects are isolated into separate partitions such that subjects can only access objects they are authorised to access. The Residual Information Protection policy states that no covert channel can arise from the unintended transfer of residual state (for example, data left in memory, caches or registers when a resource is reassigned from one partition to another). The Damage Limitation policy states that faults are isolated: a fault in one partition does not propagate to other partitions.
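The four policies are easiest to see as the checks a partitioning kernel makes on every inter-partition message. The added example below is a constructed model, not the API of LynxSecure or any other separation kernel: the three partition names, the static policy matrix and the ipc_* function names are my own. Information flow is a boot-time matrix with no runtime override; data isolation is the kernel-owned channel store that guests never map; residual information protection is the scrub of a slot after delivery (through a volatile pointer, so the compiler cannot drop it as a dead store); damage limitation is a halted flag that stops only the faulting partition.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the four MILS policies on a three-partition system. */
#define NPART 3
enum { P_SECRET = 0, P_GUARD = 1, P_PUBLIC = 2 };

/* Information flow: kAllow[src][dst] is fixed before boot. SECRET may talk only
 * to GUARD, which is the sole path to PUBLIC; there is no SECRET->PUBLIC channel. */
static const bool kAllow[NPART][NPART] = {
    /*             SECRET  GUARD  PUBLIC */
    /* SECRET */ { false,  true,  false },
    /* GUARD  */ { true,   false, true  },
    /* PUBLIC */ { false,  true,  false },
};

enum { IPC_OK = 0, IPC_EBADPART = -1, IPC_EHALTED = -2, IPC_EPOLICY = -3,
       IPC_ETOOBIG = -4, IPC_EFULL = -5, IPC_EEMPTY = -6 };

#define MSG_MAX 32
typedef struct { uint8_t buf[MSG_MAX]; size_t len; bool full; } channel_t;

static channel_t chan[NPART][NPART];   /* kernel-owned; guests never map this */
static bool      halted[NPART];        /* damage-limitation state */

static bool valid(int p) { return p >= 0 && p < NPART; }

/* Residual information protection: clear through a volatile pointer so the
 * compiler cannot eliminate the store as dead. */
static void scrub(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }

void ipc_reset(void) {
    memset(chan, 0, sizeof chan);
    memset(halted, 0, sizeof halted);
}

int ipc_send(int src, int dst, const uint8_t *data, size_t len) {
    if (!valid(src) || !valid(dst)) return IPC_EBADPART;
    if (halted[src])                return IPC_EHALTED;   /* a halted partition cannot act */
    if (!kAllow[src][dst])          return IPC_EPOLICY;   /* information-flow policy */
    if (len > MSG_MAX)              return IPC_ETOOBIG;
    channel_t *c = &chan[src][dst];
    if (c->full)                    return IPC_EFULL;     /* back-pressure, never overwrite */
    memcpy(c->buf, data, len);
    c->len = len;
    c->full = true;
    return IPC_OK;
}

/* Returns the message length, or a negative IPC_* code. The slot is scrubbed
 * after delivery so nothing survives for a later receiver. */
int ipc_recv(int src, int dst, uint8_t *out, size_t cap) {
    if (!valid(src) || !valid(dst)) return IPC_EBADPART;
    if (halted[dst])                return IPC_EHALTED;
    if (!kAllow[src][dst])          return IPC_EPOLICY;
    channel_t *c = &chan[src][dst];
    if (!c->full)                   return IPC_EEMPTY;
    if (c->len > cap)               return IPC_ETOOBIG;
    size_t n = c->len;
    memcpy(out, c->buf, n);
    scrub(c->buf, sizeof c->buf);
    c->len = 0;
    c->full = false;
    return (int)n;
}

/* Audit helper: true if no byte of the slot is non-zero and it is marked empty. */
bool ipc_channel_clean(int src, int dst) {
    if (!valid(src) || !valid(dst)) return false;
    const channel_t *c = &chan[src][dst];
    for (size_t i = 0; i < sizeof c->buf; i++) if (c->buf[i]) return false;
    return c->len == 0 && !c->full;
}

/* Damage limitation: a trapped fault (illegal access, budget overrun, ...)
 * halts only the faulting partition; the others and their channels continue. */
void partition_fault(int p)   { if (valid(p)) halted[p] = true; }
bool partition_running(int p) { return valid(p) && !halted[p]; }

/* Constructed sample message. */
static const uint8_t kSample[5] = { 'h', 'e', 'l', 'l', 'o' };

int main(void) {
    uint8_t out[MSG_MAX];
    ipc_reset();
    printf("SECRET->PUBLIC direct: %d (policy denies)\n", ipc_send(P_SECRET, P_PUBLIC, kSample, 5));
    int s = ipc_send(P_SECRET, P_GUARD, kSample, 5);
    int r = ipc_recv(P_SECRET, P_GUARD, out, sizeof out);
    printf("SECRET->GUARD: send %d, received %d bytes, slot clean: %d\n",
           s, r, ipc_channel_clean(P_SECRET, P_GUARD));
    return 0;
}
```

The matrix is declared const and is the only source of truth; there is deliberately no ipc_allow() call, because a runtime grant would let a compromised partition widen its own flows. The guard partition is where a real system would place a downgrader or filter, which is what lets SECRET data reach PUBLIC only after inspection.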
The MILS architecture uses a small partitioning kernel (RTOS) that
runs in supervisor mode and provides brick-wall partitioning of memory,
time and I/O resources. The partitioning kernel only provides the basic
functionality needed to support the underlying hardware. Within each
partition, the traditional OS functionality executes in user mode,
completely isolated from other partitions.
The middleware and applications make up the rest of the components
that may execute in a single partition. The MILS architecture is an
example of component layering (kernel, middleware and application), and
provides a platform for virtualisation of commodity OSes. This
architecture provides flexible security capabilities and can be the
basis of several secure embedded designs on multi-core processors.
Figure 2: LynxSecure RTOS on a multi-core processor
Example architecture
An example architecture that exemplifies the principles of
virtualisation, real-time and security on multi-core processors is the
LynxSecure architecture from LynuxWorks (Figure 2, above).
The LynxSecure RTOS combines time-space partitioning and virtualisation
to allow multiple heterogeneous operating systems to execute in a
robust, highly secure environment on 64-bit multi-core processors. It
allows safety-critical and secure operating systems to function
alongside non-secure operating systems without compromising the
security, reliability and data integrity of the system as a whole.
This separation kernel is also a virtual machine monitor that is
certifiable to Common Criteria EAL7 (Evaluation Assurance Level 7), a
level of certification not attained by any known operating system at the
time of writing. It is also certifiable to DO-178B Level A, the highest
level of FAA certification for mission-critical avionics applications.
It is designed to provide a virtualised hardware interface that allows
multiple guest operating systems to run on a single physical machine.
To achieve this the separation kernel creates a virtualisation layer
that maps physical system resources to each guest operating system, so
that operating systems such as Linux, Windows and LynxOS-SE run within
separate, isolated partitions.
This virtualisation technique provides high performance for the virtualised operating systems and their applications, while preserving 100% application binary compatibility with the non-virtualised instance.
In addition, it guarantees resource availability, such as memory-
and processor-execution resources, to each partition, so that no
software can fully exhaust or consume the scheduled memory or time
resources of other partitions. There is support for simultaneous use of
system interfaces, including multiple instances of the same or
different operating systems in different partitions.
A fixed-cyclic, ARINC 653-based scheduler ensures that every partition is allocated adequate CPU time, so that no partition can be starved, while the scheduling policy retains enough dynamism to allow maximum flexibility.
This example separation kernel provides the essential components for a scalable, multithreaded and secure architecture through its support for symmetric multi-processing (SMP), giving optimal resource utilisation and load balancing on multi-core processors. It also provides high-end scalability and memory support through 64-bit execution mode and addressing.
As the complexity of embedded applications continue to grow, the
need for greater computing power continues to drive advances in
processor architecture. The emergence of multi-core processors marks a
strategic inflection point in the embedded industry.
The confluence of innovation in operating system design in the areas of virtualisation, real-time and security on these newer processors is enabling new paradigms in embedded application design, the effects of which will propel further advances in application design in the embedded marketplace.
The design of embedded applications is becoming a complex endeavour.
The need for advanced operating systems and tools to enable application
designers to take advantage of these hardware innovations has never
been greater. The technology issues outlined in this article should
help embedded designers make appropriate choices for their embedded
software needs, as the embedded industry moves into the 21st century.