a virtualized separation kernel for mixed criticality
play

A Virtualized Separation Kernel for Mixed Criticality Systems Ye - PowerPoint PPT Presentation

Feb 13, 2023 •221 likes •449 views

Introduction Architecture Performance Conclusions Ongoing and Future Work A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric Missimer Boston University March 2nd, 2014 Introduction Architecture

  1. Introduction Architecture Performance Conclusions Ongoing and Future Work A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric Missimer Boston University March 2nd, 2014

  2. Introduction Architecture Performance Conclusions Ongoing and Future Work Motivation ◮ Mixed criticality systems requires component isolation for safety and security ◮ Integrated Modular Avionics (IMA), Automobiles ◮ Multi-/many-core processors are increasingly popular in embedded systems ◮ Multi-core processors can be used to consolidate services of different criticality onto a single platform

  3. Introduction Architecture Performance Conclusions Ongoing and Future Work Motivation ◮ Many processors now feature hardware virtualization ◮ ARM Cortex A15, Intel VT-x, AMD-V ◮ Hardware virtualization provides opportunity to efficiently partition resources amongst guest VMs H/W Virtualization + Resource Partitioning = Platform for Mixed Criticality Systems

  4. Introduction Architecture Performance Conclusions Ongoing and Future Work Related Work Existing virtualized solutions for resource partitioning ◮ Wind River Hypervisor, XtratuM, PikeOS ◮ Xen, PDOM, LPAR Traditional Virtual Machine approaches too expensive ◮ Require traps to VMM (a.k.a. hypervisor) to multiplex and manage machine resources for multiple guests ◮ e.g., 1500 clock cycles VM-Enter/Exit on Xeon E5506 We want to eliminates hypervisor intervention during normal virtual machine operations

  5. Introduction Architecture Performance Conclusions Ongoing and Future Work Contribution Quest-V Separation Kernel ◮ Uses H/W virtualization to partition resources amongst services of different criticalities ◮ Each partition, or sandbox , manages its own CPU, memory, and I/O resources without hypervisor intervention ◮ Hypervisor only needed for bootstrapping system + managing communication channels between sandboxes

  6. Introduction Architecture Performance Conclusions Ongoing and Future Work Overview

  7. Introduction Architecture Performance Conclusions Ongoing and Future Work Memory Partitioning ◮ Guest kernel page tables for GVA-to-GPA translation ◮ EPTs (a.k.a. shadow page tables) for GPA-to-HPA translation ◮ EPTs modifiable only by monitors ◮ Intel VT-x: 1GB address spaces require 12KB EPTs with 2MB superpaging

  8. Introduction Architecture Performance Conclusions Ongoing and Future Work Memory Partitioning

  9. Introduction Architecture Performance Conclusions Ongoing and Future Work Quest-V Linux Memory Layout

  10. Introduction Architecture Performance Conclusions Ongoing and Future Work I/O Partitioning ◮ I/O devices statically partitioned ◮ Device interrupts directed to each sandbox ◮ Eliminates monitor from control path ◮ I/O APIC redirection tables protected by EPT ◮ EPTs prevent illegal access to memory mapped I/O registers ◮ Port-addressed I/O registers protected by bitmap in VMCS ◮ Monitor maintains PCI device ”blacklist” for each sandbox ◮ (Bus No., Device No., Function No.) of restricted PCI devices

  11. Introduction Architecture Performance Conclusions Ongoing and Future Work I/O Partitioning PCI devices in blacklist hidden from guest during enumeration ◮ Data Port: 0 xCFC Address Port: 0 xCF 8

  12. Introduction Architecture Performance Conclusions Ongoing and Future Work CPU Partitioning ◮ Scheduling local to each sandbox ◮ Avoids monitor intervention ◮ Partitioned rather than global ◮ Native Quest kernel uses VCPU real-time scheduling framework (RTAS ’11)

  13. Introduction Architecture Performance Conclusions Ongoing and Future Work Linux Front End ◮ Most likely serving low criticality legacy services ◮ Based on Puppy Linux 3.8.0 ◮ Runs entirely out of RAM including root filesystem ◮ Low-cost paravirtualization ◮ Less than 100 lines ◮ Restrict observable memory ◮ Adjust DMA offsets ◮ Grant access to VGA framebuffer + GPU ◮ Quest native SBs tunnel terminal I/O to Linux via shared memory using special drivers

  14. Introduction Architecture Performance Conclusions Ongoing and Future Work Quest-V Linux Screenshot

  15. Introduction Architecture Performance Conclusions Ongoing and Future Work Quest-V Linux Screenshot

  16. Introduction Architecture Performance Conclusions Ongoing and Future Work Monitor Intervention During normal operation, we observed only one monitor trap every 3 to 5 minutes caused by c puid. No I/O Partitioning I/O Partitioning (Block COM and NIC) Exception 0 9785 CPUID 502 497 VMCALL 2 2 I/O Inst 0 11412 EPT Violation 0 388 XSETBV 1 1 Table : Monitor Trap Count During Linux Sandbox Initialization

  17. Introduction Architecture Performance Conclusions Ongoing and Future Work Quest-V Performance Overhead ◮ Measured time to play back 1080P MPEG2 video from the x264 HD video benchmark ◮ Intel Core i5-2500K HD3000 Graphics VC (VO=NULL) VO 35 VC 30 Time (second) 25 20 15 10 5 0 Linux Quest Linux Quest Linux 4SB

  18. Introduction Architecture Performance Conclusions Ongoing and Future Work Memory Virtualization Cost ◮ Example Data TLB overheads ◮ Intel Core i5-2500K 4-core, shared 2nd-level TLB (4KB pages, 512 entries) 300000 Quest-V VM Exit Quest-V TLB Flush 250000 Quest TLB Flush Quest-V Base Time (CPU Cycles) Quest Base 200000 150000 100000 50000 0 0 100 200 300 400 500 600 700 800 Number of Pages

  19. Introduction Architecture Performance Conclusions Ongoing and Future Work Conclusions ◮ Quest-V separation kernel built from scratch ◮ Distributed system on a chip ◮ Uses (optional) hardware virtualization to partition resources into sandboxes ◮ Protected communication channels between sandboxes ◮ Sandboxes can have different criticalities ◮ Native Quest sandbox for critical services ◮ Linux front-end for less critical legacy services ◮ Sandboxes responsible for local resource management ◮ Avoids monitor involvement

  20. Introduction Architecture Performance Conclusions Ongoing and Future Work Ongoing and Future Work ◮ Online fault detection and recovery ◮ Technologies for secure monitors ◮ e.g., Intel TXT, Intel VT-d ◮ Micro-architectural Resource Partitioning ◮ e.g., shared caches, memory bus

  21. Introduction Architecture Performance Conclusions Ongoing and Future Work Thank You! For more details, preliminary results, Quest-V source code and forum discussions. Please visit: www.questos.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mixed Criticality A Personal View Alan Burns Contents Some discussion on the notion of mixed

Mixed Criticality A Personal View Alan Burns Contents Some discussion on the notion of mixed

Mixed Criticality A Personal View Alan Burns Contents Some discussion on the notion of mixed criticality A brief overview of the literature An augmented system model Open issues (as I see it) What is Criticality A

568 views • 25 slides
Programming with Time for Mixed Criticality Systems Dagstuhl Seminar, March 16-20, 2015 Mixed

Programming with Time for Mixed Criticality Systems Dagstuhl Seminar, March 16-20, 2015 Mixed

Programming with Time for Mixed Criticality Systems Dagstuhl Seminar, March 16-20, 2015 Mixed Criticality on Multicore/Manycore Platforms David Broman Associate Professor, KTH Royal Institute of Technology Assistant Research Engineer,

202 views • 6 slides
Bounding and Shaping the Demand of Mixed-Criticality Sporadic Tasks Pontus Ekberg & Wang Yi

Bounding and Shaping the Demand of Mixed-Criticality Sporadic Tasks Pontus Ekberg & Wang Yi

Bounding and Shaping the Demand of Mixed-Criticality Sporadic Tasks Pontus Ekberg & Wang Yi Uppsala University, Sweden ECRTS 2012 Mixed-criticality sporadic tasks D i : Relative deadline T i : Period L i : Criticality (lo or hi) Pontus

801 views • 39 slides
AdaptMC A Control-Theoretic Approach for Achieving Resilience in Mixed-Criticality Systems

AdaptMC A Control-Theoretic Approach for Achieving Resilience in Mixed-Criticality Systems

AdaptMC A Control-Theoretic Approach for Achieving Resilience in Mixed-Criticality Systems Alessandro V. Papadopoulos, Enrico Bini, Sanjoy Baruah, Alan Burns Embedded system ! 2 Mixed-criticality system C Each task has its Monitoring

456 views • 27 slides
Mixed Criticality Systems: Beyond Transient Faults Abhilash Thekkilakattil, Alan Burns, Radu

Mixed Criticality Systems: Beyond Transient Faults Abhilash Thekkilakattil, Alan Burns, Radu

Mixed Criticality Systems: Beyond Transient Faults Abhilash Thekkilakattil, Alan Burns, Radu Dobrin and Sasikumar Punnekkat Motivation and Contribution State of the art of mixed criticality scheduling mainly focuses on WCET overruns WCET

258 views • 23 slides
The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals Develop system for high-confidence (embedded) systems Mixed criticalities (timeliness and safety) Predictable real-time support

547 views • 41 slides
State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin

State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin

State-Based Mode Switching with Applications to Mixed-Criticality Systems Pontus Ekberg , Martin Stigge, Nan Guan & Wang Yi Uppsala University, Sweden WMC 2013 Mixed Criticality as Mode Switching At a switch between modes (e.g., lo to hi),

627 views • 48 slides
Regarding the Optimality of Speedup Bounds of Mixed-Criticality Schedulability Tests Zhishan Guo

Regarding the Optimality of Speedup Bounds of Mixed-Criticality Schedulability Tests Zhishan Guo

Regarding the Optimality of Speedup Bounds of Mixed-Criticality Schedulability Tests Zhishan Guo Department of Computer Science, Missouri S&T Presented at Dagstuhl Seminar 17131 Mar. 29, 2017 MC & Vestals Interpretation Mixed

513 views • 23 slides
Mixed Criticality Systems view from the industry side MAXI M Cristia n Airb us Ope ra tio

Mixed Criticality Systems view from the industry side MAXI M Cristia n Airb us Ope ra tio

Mixed Criticality Systems view from the industry side MAXI M Cristia n Airb us Ope ra tio ns S.A.S Da g stuhl Se mina r - 27/ 03/ 2017 Criticality (notions) itic ality is a de sig na tio n o f the le ve l o f a ssura nc e Cr a g

287 views • 24 slides
A Practical Degradation Model for Mixed Criticality Systems Vijaya Kumar Sundar, Arvind Easwaran

A Practical Degradation Model for Mixed Criticality Systems Vijaya Kumar Sundar, Arvind Easwaran

A Practical Degradation Model for Mixed Criticality Systems Vijaya Kumar Sundar, Arvind Easwaran Nanyang Technological University (NTU), Singapore May 8, 2019 Research Outline Research Objective: A new degradation model for Mixed Criticality

1.02k views • 87 slides
mixed criticality systems (Experience from MultiPARTES, DREAMS and PROXIMA FP7) Dr. Jon Perez

mixed criticality systems (Experience from MultiPARTES, DREAMS and PROXIMA FP7) Dr. Jon Perez

Road to certification in multicore partitioned mixed criticality systems (Experience from MultiPARTES, DREAMS and PROXIMA FP7) Dr. Jon Perez Dr. Alfons Crespo November 04 th , 2014. Berlin. AUTOSAR Working Group Agenda Introduction

595 views • 31 slides
for Real-Time and Mixed Criticality Applications Author: Vittoriano Muttillo

for Real-Time and Mixed Criticality Applications Author: Vittoriano Muttillo

CPS Summer School 2017 Designing Cyber-Physical Systems From concepts to implementation System-Level HW/SW Co-Design Methodology for Real-Time and Mixed Criticality Applications Author: Vittoriano Muttillo

486 views • 7 slides
The Feasibility Analysis of Mixed-Criticality Systems Saravanan Ramanathan, Xiaozhe Gu, Arvind

The Feasibility Analysis of Mixed-Criticality Systems Saravanan Ramanathan, Xiaozhe Gu, Arvind

Motivation Open Problem Possible Solution Design Methodology The Feasibility Analysis of Mixed-Criticality Systems Saravanan Ramanathan, Xiaozhe Gu, Arvind Easwaran Nanyang Technological University, Singapore July 5, 2016 NTU RTSOPS2016 1

1.67k views • 18 slides
Mixed-Criticality Systems with Permitted Failure Probability Zhishan Guo , Luca Santinelli * , and

Mixed-Criticality Systems with Permitted Failure Probability Zhishan Guo , Luca Santinelli * , and

EDF Schedulability Analysis on Mixed-Criticality Systems with Permitted Failure Probability Zhishan Guo , Luca Santinelli * , and Kecheng Yang Department of Computer Science, UNC Chapel Hill *ONERA The French Aerospace Lab at Toulouse The

432 views • 42 slides
Guaranteeing some service upon mode switch in mixed-criticality systems Zhishan Guo Department

Guaranteeing some service upon mode switch in mixed-criticality systems Zhishan Guo Department

Guaranteeing some service upon mode switch in mixed-criticality systems Zhishan Guo Department of Computer Science, Missouri S&T Presented at Dagstuhl Seminar 17131 Mar. 28, 2017 MC & Vestals Interpretation MC: functionalities

570 views • 15 slides
Mixed Criticality Systems and Multicore Roman Obermaisser Agenda 09:00 09:30 Welcome and

Mixed Criticality Systems and Multicore Roman Obermaisser Agenda 09:00 09:30 Welcome and

Mixed Criticality Systems and Multicore Roman Obermaisser Agenda 09:00 09:30 Welcome and Introductions Prof Dr Roman Obermaisser, University of Siegen Short keynote address Prof Dr Heinrich Daembkes, ARTEMIS IA President The

671 views • 12 slides
Long term test of LED Long term test of LED pulsing pulsing Long time LED system stability

Long term test of LED Long term test of LED pulsing pulsing Long time LED system stability

Long term test of LED Long term test of LED pulsing pulsing Long time LED system stability measurement Aging of part of optical system Future plans Jaroslav Zalesak, Jan Smolik Institute of Physics ASCR, Prague Sep 13, 2007 CALICE

298 views • 11 slides
CAN/CANopen Tools, Interfaces and I/O Modules Pierre Baehler CERN/IT-Division December 9, 1998

CAN/CANopen Tools, Interfaces and I/O Modules Pierre Baehler CERN/IT-Division December 9, 1998

CAN/CANopen Tools, Interfaces and I/O Modules Pierre Baehler CERN/IT-Division December 9, 1998 CAN/CANopen Tools CAN/CANopen analyzer CANalyzer CANopen from Vector (Softing), (stzp) CANopen Electronic Data Sheet editor

239 views • 7 slides
topology detection Screenshot (und Demo?) hwloc /proc/cpuinfo processor : 0 vendor_id

topology detection Screenshot (und Demo?) hwloc /proc/cpuinfo processor : 0 vendor_id

topology detection Screenshot (und Demo?) hwloc /proc/cpuinfo processor : 0 vendor_id : GenuineIntel model name : Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz cache size : 15360 KB physical id : 0 siblings :

323 views • 29 slides
Cap6 Snoop-based Multiprocessor Design Design Goals Adaptado dos slides da editora por Mario

Cap6 Snoop-based Multiprocessor Design Design Goals Adaptado dos slides da editora por Mario

Cap6 Snoop-based Multiprocessor Design Design Goals Adaptado dos slides da editora por Mario Crtes IC/Unicamp 2009s2 Performance and cost depend on design and implementation too Goals Correctness High Performance Minimal

733 views • 58 slides
The Development Of DAQ System For J-PARC K O TO Experiment Yasuyuki Sugiyama D1@Yamanaka Taku

The Development Of DAQ System For J-PARC K O TO Experiment Yasuyuki Sugiyama D1@Yamanaka Taku

The Development Of DAQ System For J-PARC K O TO Experiment Yasuyuki Sugiyama D1@Yamanaka Taku Lab. Year End report meeting 2010/12/19(Mon) 1 2011 12 19 1 Contents KOTO Experiment Trigger/Data Acquisition(DAQ)

735 views • 32 slides
You dont hear me but your phones voice interface does Jos L OPES E STEVES & Chaouki K

You dont hear me but your phones voice interface does Jos L OPES E STEVES & Chaouki K

You dont hear me but your phones voice interface does Jos L OPES E STEVES & Chaouki K ASMI Hack In Paris - 18/06/2015 WHO WE ARE Jos Lopes Esteves and Chaouki Kasmi ANSSI-FNISA / Wireless Security Lab Electromagnetic

838 views • 40 slides
Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 9: Brief

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 9: Brief

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 9: Brief Introduction to Neural Networks Instructor: Preethi Jyothi Feb 2, 2017 Final Project Landscape Tabla bol transcription Voice-based music Sanskrit

409 views • 17 slides
EN. 601.467/667 Introduc3on to Human Language Technology Deep Learning I Shinji Watanabe 1

EN. 601.467/667 Introduc3on to Human Language Technology Deep Learning I Shinji Watanabe 1

EN. 601.467/667 Introduc3on to Human Language Technology Deep Learning I Shinji Watanabe 1 Todays agenda Introduction of deep neural network Basics of neural network 2 Short bio Research interests Automatic speech

1.71k views • 62 slides

More recommend