COQOS Micro SDK

Virtualization on Microcontrollers

Embedded virtualization, already in production on application processors, in vehicle domains such as connectivity and infotainment, is now coming to microcontrollers and real-time processors. The reason is that domain controllers running on a microcontroller or real-time processor need to integrate an ever-increasing amount of software.  This software is often developed according to different functional safety levels or sourced from different suppliers so that freedom from interference must be insured.

Virtualization technology will enable the integration of more complex software functions on domain controllers that cannot only use application processors.  It provides freedom from interference between these functions although they require different safety levels (QM, ASIL-, -B, -C, -D). Some upcoming generations of microcontrollers, such as the ones based on the ARMv8-R architecture, have built-in hardware extensions to make virtualization easier and more effective.  The software technology will be available as these new processors hit the market. They will typically be used to run classic AUTOSAR-based systems or specialized real-time operating systems.

COQOS Micro SDK

OpenSynergy has developed a variant of its hypervisor to be used for automotive virtualization on microcontroller. This product, called COQOS Micro SDK, is the first hypervisor to take advantage of the virtualization extensions in the ARMv8-R architecture and will support the next generation of microcontrollers built on that architecture.

The Hypervisor

The central component of the COQOS Micro SDK is the hypervisor. It runs directly on the microcontroller and creates several virtual machines (VMs). It provides spatial separation between virtual machines by using a dedicated memory protection unit (MPU). Each VM is isolated from the others as the key goal of the hypervisor is to ensure freedom from interference (as specified by ISO 26262) up to the highest level ASIL-D between virtual machines.

Freedom form Interference

This isolation of VMs means that software systems with different safety levels (ASIL) or functions and environments of different vendors with different security standards, run concurrently on a single processor. Also, new innovative functions with a high potential for change can be integrated together with relatively stable functions.

The hypervisor is highly configurable so that customers can for example change the number of VMs, the assignment to physical cores and temporal behavior, the inter-VM communication channels, the access rights of VMs to devices and to security features of the microcontroller. It is minimalistic in its design and therefore is small, fast and certifiable.

Virtualization is also a step towards more modular software updates. Unlike AUTOSAR OS-Applications, virtual machines can be built independently, and the respective binary code can be updated independently on the target.

Developped as an SEooC and ISO  26262 compliant

OpenSynergy has developed the COQOS Micro SDK as a Safety Element out of Context (SEooC) according to ISO 26262. The SEooC approach means that OpenSynergy assumes certain safety requirements that its product fulfills.

Typical Use Cases

Typical application domains for COQOS Micro SDK are powertrain, chassis, body, gateway and ADAS control units, which implies the separation kernel must achieve a high safety level of ASIL-D. This requires temporal and spatial separation of virtual machines.

One concrete example can be found in the body domain.  Such a domain controller will run, on a single microcontroller, functions that are safety-critical (such as power-management of the entire body domain), security-critical (such as unlocking the car) and functions that are neither (such as interior lighting).  Ideally these functions can be developed independently and integrated easily.  It should be possible to do a software update of uncritical functions (such as the interior lighting) without affecting safety relevant functions (such as managing power).

Find more information about Multi-functional Body Controller here.


  • Provides Virtual Machines (VMs) for functional blocks, which:
    • have different requirements on real-time behavior
    • have different safety risk levels (ASIL)
    • are supplied by different vendors
  • Eases and accelerates the AUTOSAR integration and configuration challenge
  • Enables the integration of several functions on a single device (virtual ECU concept)
  • Supports independent modular software update.

Main Features

  • Hardware assisted virtualization
  • Memory separation/protection
  • Multi-core support
  • Inter-VM communication
  • VM restart and update
  • Error reporting and recovery
  • AUTOSAR integrated configuration tool (at HV level)
  • ASIL-D based development (SEooC)

Target ECU/Application

  • Safety application:
    • Breaking System
    • ADAS (as a companion)
    • Power Train
    • Motor and Chassis Control
  • Real time:
    • Gateway
    • Body Control
    • Energy Management
    • Domain Control

Datasheet

Whitepaper

COQOS Micro SDK
x

Your Request Whitepaper COQOS Micro SDK

Thank you for your interest in our subsequent technical documents. We offer you the possibility to download the document and would be pleased to send you further information regarding the whitepaper at the e-mail address provided. By providing your email address, you confirm that we may contact you regarding this matter.





You can revoke this consent at any time with effect for the future. Please send us an e-mail to datenschutz[at]opensynergy.com. Further information on data protection can be found in our data protection declaration.

close