Leveraging Intel VT
The benefits of a secure hypervisor are significantly enhanced with Intel Virtualization Technology (Intel VT). Intel VT provides hardware assist mechanisms that improve the performance and security of a virtualized system. Key elements of Intel VT include:
- Processor virtualization enhancements. Intel® Virtualization Technology for IA-32, Intel® 64, and Intel® Architecture (Intel® VT-x) speeds up the transfer of control between the hypervisor and the guest OSs. It uses hardware assist to trap and execute certain instructions for the guest OS. In addition to accelerating performance, Intel VT-x also enables implementation of certain hypervisor security features.
- Memory and I/O virtualization. Intel® Virtualization Technology for Directed I/O (Intel® VT-d) enables the hypervisor to assign specific I/O devices to each guest OS. Each device is given a specific area in memory that is only accessible by the device and the designated guest OS. Once again, hardware assist accelerates performance, as the hypervisor no longer has to be involved in every I/O transaction.
Wind River Hypervisor is an example of a secure hypervisor that supports both Intel VT-x and Intel VT-d. By using Wind River Hypervisor in combination with an Intel VT-enabled processor, developers can create partitioned systems that achieve high levels of security and performance.
Partitioning is No Silver Bullet
Partitioning using hypervisor technology can enable the development of secure smart grid devices that are cost-effective to manufacture and validate. However, security is much more than just partitioning. Many other practices such as secure software design are needed to ensure security of the device as a whole.
Vulnerabilities in the non-critical portions may reduce the usability of the product even if these vulnerabilities do not pose a threat to the grid. For example, corrupting the user interface of a smart grid device may render it useless or may require bothersome resets to clear the problem. To avoid such problems, proper security practices should be used in all parts of the system, both trusted and not trusted. Partitioning is a key tool, but just one part of an overall secure architecture.
Smart grid devices are susceptible to cyber attacks, especially if they are placed on public networks such as the Internet. To deal with these vulnerabilities, developers can turn to embedded virtualization using secure hypervisors and Intel VT. There are several compelling reasons to consider virtualization for smart grid devices:
- Virtualization enables developers to consolidate several systems into one, which can save bill of material costs, reduce size, weight, and power, and reduce supply chain costs and complexity.
- Separating secure portions of the system from non-critical parts greatly reduces the costs of verification and validation of the security of the system.
- Partitioning allows smart grid devices to grow in complexity and functionality (for example, by adding GUIs and new applications) while keeping the trusted partition simpler and easier to maintain.
- Secure virtualization can improve network security and reduce vulnerability to attack.
Although it does not solve every design problem, secure virtualization gives developers a critical set of tools to meet the evolving needs of this new market segment. With these tools in hand, developers have the opportunity to produce innovative designs that give them a competitive advantage.
System Virtualization methods and applications using Intel VT
Robust design principles for home smart grid metering
Getting basic utility meter designs ready for the Smart Grid
Hypervisors present new design challenges for embedded developers