Type-1 hypervisors also provide functional completeness and concurrent execution of the multiple personas. However, because the hypervisor runs on the bare metal, persona isolation cannot be violated by weaknesses in the persona operating systems. Thus, a Type-1 hypervisor represents a promising approach from both a functionality and safety perspective. However, the hypervisor vulnerability threat still exists, and not all Type-1 hypervisors are designed to meet high levels of safety and security.
One particular variant, the microkernel-based Type-1 hypervisor, is specifically designed to meet the demanding real-time, fast-boot, safety requirements of modern infotainment environments. Microkernels provide a superior architecture for safety and security than large, general-purpose operating systems such as Linux, MeeGo, Android, and Windows.
A microkernel runs only a minimal set of critical system services, such as process management, exception handling, and inter-process communication, in supervisor mode and provides an architecture that enables complex systems software to run in user mode where they are permitted access only to the resources deemed appropriate by the system designer. A vulnerability or fault in one component cannot cause damage to a critical component because the infected subsystem simply does not have access to that resource. Because the microkernel is relatively simple, it can be formally verified and certified by independent regulators to the highest levels of safety and security.
In a microkernel Type-1 hypervisor, system virtualisation is built as a service on the microkernel. Thus, in addition to isolated virtual machines, the microkernel provides an open standard interface for lightweight critical applications, such as driver information clusters, cryptographic subsystems, and CAN bus drivers, which cannot be entrusted to a general-purpose guest. The microkernel Type-1 architecture is shown in Figure 5.
Figure 5 - Microkernel Type-1 hypervisor architecture
One example of microkernel Type-1 hypervisor is Green Hills Software's INTEGRITY Multivisor, built upon the INTEGRITY microkernel, used extensively in automotive infotainment and other real-time, safety-critical applications.
Applying the microkernel Type-1 hypervisor architecture to the aforementioned mixed criticality infotainment system, consisting of the main infotainment OS and safety-critical applications for rear-view camera and driver information cluster, results in the architecture shown in Figure 6.
Figure 6 –Microkernel Type-1 architecture for next-generation infotainment systems
Secure Network Transactions
Figure 6 also shows a manageability application. Another useful application of the microkernel Type-1 architecture is to host secure remote communication subsystems natively on the microkernel. Examples of next-generation secure network transactions in infotainment systems include protected multimedia content and digital rights conveyance and remote system management (e.g. firmware upgrades and remote diagnostic commands) by technicians and OEMs.
A key idea here is that this solution creates a protected connection, logically out-of-band from the main system. Because encryption keys, server certificates, and protocol software are managed within native lightweight processes, these critical data cannot be stolen or corrupted by the guest operating system, regardless of malware infiltration.
Furthermore, the native security subsystem is able to take advantage of TPM (or equivalent) capabilities, if present, for hardware-based storage of keys and for platform attestation. The secure connection defeats man-in-the-middle attacks as well as malware attacks that would attempt to commandeer the cryptographic keys used for secure communications.
Genivi is an industry alliance promulgating in-vehicle infotainment reference platforms, with the goal of reducing time-to-market and development cost. These reference platforms include the pre-competitive features that every system is deemed to need, allowing individual organisations to concentrate on innovative features that drive competitive advantage.
A core principle towards meeting these goals is a focus on open standards and associated compliance certification. With the traditional infotainment system role fulfilled by powerful general-purpose operating systems, it should come as no surprise that Genivi’s initial reference platforms are focused on Linux distributions that meet the requirements of the Genivi compliance statement.
Looking forward, automotive infotainment stakeholders, including OEMs and their suppliers, government regulators, and passengers, must look beyond the multimedia system to a new world of mixed criticality requirements. Next-generation systems software architectures are required in order to ensure that future complex, feature-rich infotainment systems are delivered with the reliability, security, real-time performance, and controlled footprint that the automotive industry and consumers alike demand.
Future in-car systems will see a convergence of safety-critical functionality with traditional telematics and digital entertainment applications. Bringing these capabilities onto a single compute platform is critical in order to minimise size, weight, power, production cost, and electronics complexity. However, doing this safely requires a new systems architectural approach.
One promising sandboxing approach is Type-1 system virtualisation that can isolate and manage real-time, safety, and security-critical applications alongside powerful open source multimedia operating systems. In addition, the availability of virtualisation technology across a wide range of computing platforms provides developers and technologists with the ultimate open platform: the ability to run any flavour of operating system in any combination, creating an unprecedented flexibility for deployment and usage. This flexibility is as welcome in the automobile as it is in desktops and servers.
This article originally appeared on EE Times Europe.
For more articles like this and others related to designing for the embedded Internet, visit Embedded Internet Designline and/or subscribe to the biweekly Embedded Internet newsletter (free registration).