Virtualization on Microcontrollers
Embedded virtualization, already in production on application processors in vehicle domains such as connectivity and infotainment, is now coming to microcontrollers and real-time processors. The reason is that domain controllers running on a microcontroller or real-time processor need to integrate an ever-increasing amount of software. This software is often developed to different functional safety levels or sourced from different suppliers, so freedom from interference must be ensured.
Virtualization technology will enable the integration of more complex software functions on domain controllers that cannot rely solely on application processors. It provides freedom from interference between these functions even though they require different safety levels (QM, ASIL-A, -B, -C, -D). Some upcoming generations of microcontrollers, such as those based on the ARMv8-R architecture, have built-in hardware extensions that make virtualization easier and more effective. The software technology will be available as these new processors hit the market. They will typically be used to run classic AUTOSAR-based systems or specialized real-time operating systems.
COQOS Micro SDK
OpenSynergy has developed a variant of its hypervisor for automotive virtualization on microcontrollers. This product, called COQOS Micro SDK, is the first hypervisor to take advantage of the virtualization extensions in the ARMv8-R architecture and will support the next generation of microcontrollers built on that architecture.
The central component of the COQOS Micro SDK is the hypervisor. It runs directly on the microcontroller and creates several virtual machines (VMs). It provides spatial separation between virtual machines by using a dedicated memory protection unit (MPU). Each VM is isolated from the others, since the key goal of the hypervisor is to ensure freedom from interference (as specified by ISO 26262) between virtual machines up to the highest level, ASIL-D.
Freedom from Interference
This isolation of VMs means that software systems with different safety levels (ASIL), or functions and environments from different vendors with different security standards, can run concurrently on a single processor. New, innovative functions with a high potential for change can also be integrated alongside relatively stable functions.
The hypervisor is highly configurable: customers can, for example, change the number of VMs, their assignment to physical cores and their temporal behavior, the inter-VM communication channels, and the access rights of VMs to devices and to the security features of the microcontroller. It is minimalistic in its design and is therefore small, fast and certifiable.
Virtualization is also a step towards more modular software updates. Unlike AUTOSAR OS-Applications, virtual machines can be built independently, and the respective binary code can be updated independently on the target.
Developed as an SEooC and ISO 26262 compliant
OpenSynergy has developed the COQOS Micro SDK as a Safety Element out of Context (SEooC) according to ISO 26262. The SEooC approach means that OpenSynergy assumes certain safety requirements, which its product then fulfills.
Typical Use Cases
Typical application domains for COQOS Micro SDK are powertrain, chassis, body, gateway and ADAS control units, which implies the separation kernel must achieve a high safety level of ASIL-D. This requires temporal and spatial separation of virtual machines.
One concrete example can be found in the body domain. Such a domain controller will run, on a single microcontroller, functions that are safety-critical (such as power management of the entire body domain), security-critical (such as unlocking the car) and functions that are neither (such as interior lighting). Ideally, these functions can be developed independently and integrated easily. It should be possible to perform a software update of non-critical functions (such as the interior lighting) without affecting safety-relevant functions (such as power management).