COQOS Hypervisor SDK

What is Hypervisor technology about?
COQOS Hypervisor SDK enables the convergence of several functionalities on a single System-on-Chip (SoC) while providing freedom from interference between systems of different criticality (assigned to different ASIL levels such as QM, A, B,). The core technology of COQOS Hypervisor SDK is the hypervisor. The hypervisor makes it possible to run several guest Operating Systems (including Linux, Android, AUTOSAR or other operating systems) in separated virtual machines. A typical use case is the safe cockpit controller that runs an instrument cluster and an in-vehicle infotainment system simultaneously, on a single processor.

First hypervisor complying to the new version of ISO 26262
OpenSynergy has developed a hypervisor – the COQOS Hypervisor. This typ-1 hypervisor has been designed as a low-complexity embedded hypervisor especially fitting to automotive applications. It allows customers to build highly compartmentalized systems that can be tailored to the specific requirements. It follows the multi-kernel architecture of the ARMv8 architecture and takes advantage of the hardware virtualization of the SOC using this architecture.The safety properties strongly rely on a systems supervisor component. TÜV SÜD has confirmed that the hypervisor complies to ISO 26262:2018 ASIL-B.

The hypervisor runs directly on the SoC application cores (at the highest privilege level) and creates several virtual machines (VMs). Each VM is isolated from the others and this separation (ISO 26262 calls it “freedom from interference”) supports some of the key integration requirements. The hypervisor supports the controlled interaction between the VMs and devices on the SoC and communication between the VMs.

The COQOS Hypervisor targets the specific needs of automotive devices such as a cockpit controller. COQOS Hypervisor is highly configurable so that customers can for example

  • change the number of VMs
  • assign to physical cores and temporal behavior
  • connect via inter-VM communication channels
  • grant access rights of VMs to devices
  • use it as security features of the hardware

It is minimalistic in its design and therefore is small, fast and certifiable.

 

Shared Display Feature
OpenSynergy’s Shared Display Feature gives full flexibility and control how information is rendered on multiple displays in the vehicle.To satisfy the Cockpit Controller requirements, the reference architecture introduces two key technologies:
Shared GPU: It enables several VMs to use the GPU of the SoC concurrently. This sharing mechanism must support the required quality-of-service.
Shared display: It decouples virtual from physical displays. Applications in VMs can be rendered in virtual displays. A central compositor controls how these virtual displays are rendered on the physical displays available to the cockpit controller.
As information flows within one SoC (and not over networks), efficient communication mechanisms, such as “zero-copy” shared memory, can be used.

Developed as an SEooC and ISO 26262 compliant
To address the safety requirements, OpenSynergy has developed the COQOS Hypervisor as a Safety Element out of Context (SEooC) according to ISO 26262. The SEooC approach means that we have assumed certain safety requirements that our product fulfills. These safety requirements have been derived from our reference architecture for the cockpit controller. Based on these assumed safety requirements, we have designed, implemented and tested the COQOS Hypervisor following the practices required by ISO 26262 up to the level ASIL-B.

Providing scalability and flexibility

COQOS Hypervisor SDK can scale across various applications. It can run on compact micro-processors as well as high-performance multi-core processors. It can be used for small, simple systems with just a few virtual machines (VMs).

At the same time, it is also perfect for complex infotainment systems with several guest operating systems, each running in its own virtual machine.

Using hardware more efficiently

The assignment of VMs to cores in a multi-core processor is highly flexible. Several VMs can access one core, or, vice versa, one VM can tap into the computing power of several cores. Due to the minimalistic Type-1 Hypervisor, it takes maximal advantage of hardware virtualization extensions.

Improving safety

Having separate VMs for isolated functions, COQOS Hypervisor SDK provides the benefit that functional disruptions cannot affect systems in other VMs. This architecture simplifies the challenge of high functional safety. The hypervisor is designed from the ground up for supporting applications with high requirements in terms of safety and security.

A configurable system supervisor (watchdog) in a separate VM can monitor the behavior of specific applications and intervene if the system does not respond properly. It has been developed developed according to A-SPICE level 3.

Providing security

Guest operating systems run independently of each other on the software VM in COQOS Hypervisor SDK. In this way, the partitioning functions as a firewall, offering protection from outside attacks.

Integrating AUTOSAR seamlessly

COQOS Hypervisor SDK contains a CAN Gateway which is integrated in a VM, that

• Enables seamless integration of the ECU running COQOS Hypervisor SDK into the in-vehicle network
• Offers the fastest option for installing standard AUTOSAR-compliant automotive services such as diagnostics
• Makes it possible to use AUTOSAR software components that implement real-time applications

Saving time and money

Using open source software makes it possible to reuse software systems from the field of consumer electronics. This reduces R&D costs and shortens the time required for development.

Efficient hypervisor

The COQOS hypervisor

  • has a lean and innovative design providing high performance, safety and security without legacy burdens. It supports full virtualization of the CPU for the guest OS.
  • has been developed according to Automotive SPICE and ISO26262 ASIL-B practices, building upon years of experience in research and automotive mass production
  • has no open source components
  • Supports full automotive use-cases and automotive multi-core SoCs.

Adaptive AUTOSAR on COQOS HV SDK

Hardware Support

Target processor architectures

  • ARMv7VE-A
  • ARMv8-A
  • Intel® x86-64

 

SoCs

  • NXP i.MX 8
  • Texas Instruments Jacinto 6
  • Qualcomm Snapdragon™ 820A
  • Renesas R-Car H3
  • Intel® Atom™ E3826
  • For target support packages please contact OpenSynergy

 

Hypervisor

The hypervisor creates virtual machines (VMs):

  • Type-1 hypervisor which runs directly on the host’s hardware to control the hardware and to manage guest operating systems
  • Hardware virtualization enables: ◦ shorter development time ◦ guest OS can run unmodified ◦ better performance
  • Partitioning of processor resources (execution time and memory)
  • Periphery only visible from the VM it is assigned to
  • Scheduling enables several virtual cores to run on a single physical core


Android and Linux

COQOS SDK supports the following guest
operating systems:

  • Latest Linux versions (following roadmap of chipset vendors)
  • Latest Androirsd veions (following roadmap of chipset vendors)

CAN Gateway

The CAN Gateway is a minimalistic AUTOSAR stack, that contains:

  • a full AUTOSAR OS implementation
  • a full CAN Driver
  • partial AUTOSAR CAN stack (Com, PduR, CanIf)
  • minimalistic RTE implementation
  • OpenSynergy’s AUTOSAR Configurator automatically configures the CAN Gateway stack based on a CAN-CFG file (DSL describing the CAN DB)
  • ACF “Automotive Communication Framework” which is a CDD responsible on communication between AUTOSAR and non-AUTOSAR partitions.

Features

Fast-boot
COQOS SDK includes a fast-boot loader and a modular-boot mechanism, which allows VMs to load and start sequentially.


Shared Graphics and GPU
Several VMs with graphic-intensive applications fulfilling different requirements on safety and real-time Performance, can share one display surface (Shared Graphics) and use the same Graphics Processing Unit (GPU) and display hardware concurrently (Shared GPU).


Shared Hardware
Many important use cases require that a single hardware resource is shared among multiple VMs. OpenSynergy’s approach enables graphical output of VMs that run on top of a hypervisor with different requirements in terms of safety and real time performance on one or multiple displays.

ISO 26262
TÜV-Süd has confirmed that the COQOS Hypervisor as part of the COQOS Hypervisor SDK meets the requirements of ISO 26262 up to ASIL-B and has issued an associated Technical Report.

Inter-X Communication Framework (IXCF)
IXCF transfers data between VMs running multi-purpose or real time operating systems. IXCF consist of:

  • Automotive Communication Framework (ACF)
  • Virtual Network (VNET)
  • Virtual Character Driver (VCHAR)


System Supervisor
A configurable watchdog (contained in a separate VM) can observe the behavior of specific applications and take action when the system does not perform correctly.

Datasheet

COQOS Hypervisor
COQOS Hypervisor SDK Release v9.3.0

Product Flyer

COQOS Hypervisor SDK

x
[contact-form-7 404 "Not Found"]
close