The system virtual machine can be used to make Linux-based applications faster and more responsive and secure. Here's a primer to get you started.
Linux is rapidly becoming the operating system of choice in a wide array of embedded applications, ranging from mobile handsets and network/telecom infrastructure apps to media-rich consumer electronics devices such as portable media players and digital video systems.
Many embedded systems developers are already using Linux in their designs or are considering doing so. The perception among developers is that it's easier to develop applications for Linux than it is to develop for proprietary operating systems and that using Linux reduces costs because it's open source.
However, Linux still presents a number of problems in the embedded space.
First, the nature of the programming environment is often bifurcated. For example, in many media-rich consumer applications, Linux is used to run high-level application code that is similar--and often identical--to application code used on personal computers. Such code is typically developed by application programmers who normally are not experts in programming low-level embedded systems.
But such applications have much real-time functionality that requires low and predictable interrupt latency. In the case of the mobile phone terminal, the cellular communication subsystem has real-time requirements. And while embedded Linux has certainly improved, these requirements are best met by a small and highly efficient real-time operating system (RTOS).
Second is the problem of security. In a mobile-phone handset, for example, the communication stack is of critical importance--if it is subverted by an attacker, the phone could be turned into a jammer that disables communication in the whole cell. Similarly, an encryption subsystem needs to be strongly protected from being compromised.
It's no insignificant challenge to create a secure system that runs millions of lines of code; inevitably, the code contains tens of thousands of bugs, many of which can compromise the system's security. Increasingly prone to attacks, embedded Linux implementations are large enough (hundreds of thousands of lines of code) to contain as many as a thousand bugs. Because the Linux operating system normally runs in privileged mode, once it is compromised, attacks on any part of the system are possible.
Third is the issue of license separation. Linux is a frequently deployed high-level operating system. Among its advantages are the royalty-free status, independence from specific vendors, widespread deployment, and a strong and vibrant developer community.
A frequent concern about Linux is that it's distributed under the GPL license, which requires that all derived code is subject to the same license and thus becomes open source. Some legal arguments claim that the license applies even to device drivers that are loaded into the kernel as binaries at run time.
This restriction creates a potential problem for chipmakers who consider device interfaces valuable proprietary IP. An open-source device driver will effectively publish those device interfaces, a strong disincentive for using Linux in many embedded systems scenarios.
Virtualization to the rescue?
As is the trend with desktop applications developers, many embedded systems developers are looking to the use of system virtualization environments, also called system virtual machines, to resolve, or at least minimize, such problems.
Unlike process virtual machine environments specific to particular programming languages, such as the Java VM, system virtual machines correspond to actual hardware and can execute complete operating systems in isolation from other similar instantiations in the same computing environment.
This article explains embedded-system virtual machine models and explores where and how they can be used to make Linux-based applications faster, more responsive, and more secure.
The basics of virtualization
Virtualization refers to providing a software environment in which programs (including operating systems) can run as if on bare hardware, as Figure 1 shows. Such an environment is called a virtual machine. A virtual machine is an efficient, isolated duplicate of the real machine.
The software layer that provides the virtual machine environment is called the virtual machine monitor (VMM), or hypervisor. The VMM has three essential characteristics:
1. It provides an environment for programs that is essentially identical to the original machine;
2. Programs that run in this environment show, at worst, minor decreases in speed; and
3. The VMM is in complete control of system resources.
All three characteristics are important and contribute to making virtualization highly useful. The first (similarity) ensures that software that runs on the real machine will run on the virtual machine. The second (efficiency) ensures that virtualization is practical from the performance point of view.
The efficiency feature requires that the vast majority of instructions be directly executed by the hardware: any form of emulation or interpretation replaces a single virtual-machine instruction by several instructions of the underlying hardware.
This requires that the virtual hardware be almost identical to the physical hardware on which the VMM is hosted. Small differences are possible: the physical hardware may lack some instructions of the virtual hardware (as long as they aren't heavily used), the memory-management unit may be different, or devices may differ.
However, not all instructions can be directly executed. The resource-control feature requires that all instructions that deal with resources must access the virtual rather than the physical resources. This means such instructions must be interpreted by the VMM, as otherwise virtualization is violated.
Specifically, two classes of instructions must be interpreted: (1) control-sensitive instructions, which modify the privileged machine state and therefore interfere with the hypervisor's control over resources; and (2) behavior-sensitive instructions, which access (read) the privileged machine state. While the latter can't change resource allocations, they reveal the state of real resources, specifically when it differs from that of the virtual resources, and therefore break the illusion provided by virtualization.
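The handling of sensitive instructions described above, as an added example that is not from the original article: a toy VMM loop in C that runs innocuous instructions directly and interprets the two sensitive classes against virtual state. The three-instruction ISA, the IRQ-mask register, and the `guest_lines` ownership policy are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy ISA constructed for this example; not a real instruction set. */
enum op  { OP_ADD, OP_WRITE_IRQMASK, OP_READ_IRQMASK };
enum cls { INNOCUOUS, CONTROL_SENSITIVE, BEHAVIOR_SENSITIVE };
struct insn { enum op op; uint32_t arg; };
struct vmm  { uint32_t phys_irq_mask;   /* real privileged state */
              uint32_t guest_lines; };  /* IRQ lines assigned to the guest */
struct vcpu { uint32_t acc;             /* unprivileged guest register */
              uint32_t virt_irq_mask;   /* privileged state as the guest sees it */
              unsigned direct, trapped; };

enum cls classify(enum op op) {
    switch (op) {
    case OP_WRITE_IRQMASK: return CONTROL_SENSITIVE;   /* modifies privileged state */
    case OP_READ_IRQMASK:  return BEHAVIOR_SENSITIVE;  /* reads privileged state */
    default:               return INNOCUOUS;
    }
}

void vmm_run(struct vmm *m, struct vcpu *v, const struct insn *code, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t a = code[i].arg;
        switch (classify(code[i].op)) {
        case INNOCUOUS:            /* stands in for direct execution on hardware */
            v->acc += a; v->direct++; break;
        case CONTROL_SENSITIVE:    /* record virtually; change only guest-owned lines */
            v->virt_irq_mask = a;
            m->phys_irq_mask = (m->phys_irq_mask & ~m->guest_lines) | (a & m->guest_lines);
            v->trapped++; break;
        case BEHAVIOR_SENSITIVE:   /* answer from virtual state, never the real register */
            v->acc = v->virt_irq_mask; v->trapped++; break;
        }
    }
}

static const struct insn GUEST[] = {   /* constructed guest program */
    { OP_ADD, 5 }, { OP_WRITE_IRQMASK, 0xFF }, { OP_READ_IRQMASK, 0 }, { OP_ADD, 1 } };

uint32_t demo_phys_mask(struct vcpu *v) {
    struct vmm m = { 0x0F, 0x30 };     /* host mask 0x0F; guest owns lines 0x30 */
    vmm_run(&m, v, GUEST, sizeof GUEST / sizeof GUEST[0]);
    return m.phys_irq_mask;
}

int main(void) {
    struct vcpu v = {0};
    uint32_t p = demo_phys_mask(&v);
    printf("phys=0x%X virt=0x%X acc=0x%X\n", (unsigned)p, (unsigned)v.virt_irq_mask, (unsigned)v.acc);
    return 0;
}
```

The guest writes `0xFF` and reads `0xFF` back, so its view stays consistent, while the real mask changes only on the lines the VMM assigned to it.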
Benefits of virtualization
The key attraction of virtualization for embedded systems developers is that it supports the concurrent existence and operation of multiple operating systems on the same hardware platform.
Virtualization helps overcome the challenges caused by the bifurcated programming environments by running appropriate operating systems concurrently on the same processor core, as shown in Figure 2. The same effect could be achieved by using separate cores for the real-time and application software stacks, combined with hardware mechanisms for partitioning memory.