Aerospace & Defense Technology - April 2022 - 21

Mission-Critical Systems
minimally configured, the BSC suite of
microbenchmarks are used to stress the
use-case application. Various combinations
of benchmarks are run bare-metal
on processor cores inside hypervisor partitions.
In this setup, robust space partitioning
is provided by the separation
kernel hypervisor and time partitioning
can be precisely tested in isolation.
Leveraging Modern Hardware
Modern multicore processors contain
a rich set of resources. As well as multiple
cores, they include peripherals,
memory, and advanced virtualization
features that enable them to be treated
like a LEGO set of components for building
configurations of virtual machines
(VMs). Although heavily used in cloud
data centers, these modern hardware
technologies are often poorly supported
by RTOSes and embedded hypervisors.
Separation kernels can be used to partition
processor hardware resources into
high assurance VMs that are both tamper-proof
and non-bypassable, and to set
up strictly controlled information flows
between VMs and peripherals so that
VMs are isolated except where explicitly
allowed. Effectively, a separation kernel
is a " processor partitioning system " that
allows builders of embedded systems to
unlock the benefits of modern full-featured
multi-core processors.
The advantage of a separation kernel
hypervisor lies in the simplicity of its derivation
from a static partitioning system
that leverages a configured hardware
platform to create independent, isolated
hardware instances (or subsystems) for
VMs. Systems become partitioned in a
way where the amount of code that
needs to be certified is minimized as it's
isolated from other applications.
The VM platform model is regarded
as the superior architecture for safety
due to this simplicity. It makes development,
timing adjustments and analysis
a straightforward exercise with minimal
surprises and fewer engineering challenges.
Also of note, major improvements
to hardware virtualization in
both the processors and peripherals
have significantly reduced negative
attributes of the VM model, reinforcing
the RTOS and separation kernel hypervisor
yin and yang relationship.
Aerospace & Defense Technology, April 2022
Z-Functions
zFn1 returns early,
Z-Scheduler goes idle
until time to run zFn2
zFn2
zFn1
zFn0
zFn0
zFn2 exeeds time budget,
HW timer event pulls
control back to Z-Scheduler
Execution of zFn0
unaffected by
zFn2's overrun
Z-Scheduler
Time (x)
Figure 4. Z-scheduler implementation of a periodic scheduler with HW timer-enforced budgets.
Z-scheduler
Core Owner Guest
/ Some code /
rv = remoteGuest_remoteFunction(&argStruct, sizeof(argStruct_t));
Z-function
/ Do something with rv /
Return Value
in shared
memory
Arguments
in shared
memory
Guest in Remote Room
Figure 5. Time donation functionality is available to each Z-function.
Proven to operate in the intended
deterministic, real-time way, a separation
kernel hypervisor remains the only
way to keep operational costs and hours
down while ensuring security and safety
are airtight.
Another consideration being made
by many is securing the ability to
deploy safety-critical control algorithms
as independent bare metal
applications - that is, an application
that uses no operating system at all.
This enables developers and evaluators
to measure the interference between
software components and means that
critical applications will meet their
timing deadlines. With a separation
kernel hypervisor, each VM is able to
run just enough RTOS to get its job
done. At one extreme, a VM might
host an entire open source RTOS such
as FreeRTOS or Micrium µC/OS.
Another, separate VM might host a
bare metal application. Any combination
of these VMs can be combined
into a system.
www.aerodefensetech.com
ADT Feature 4 - Mission-Critical Systems 0422_1.indd 21 Intro
Cov
ToC
+
-
A
µ
Therefore, it can be concluded that
separating the OS makes sense now and
it'll continue to make sense into the
future, regardless of industry certification
rules.
Enter the Z-Application
A " Z-app " (short for Z-application) is
a collection of separation kernel virtual
machines. The Z-app concept addresses
the needs of application developers
looking to achieve sophisticated, hard
real-time behavior complete with function
protection and domain separation,
while avoiding the overheads inherent
in RTOS use.
Z-app was originally conceived by
Lynx Software Technologies to address
an issue in the automotive sector. The
classic AUTOSAR stack implementation
used in that industry runs all functions
in a flat address space and uses a microcontroller
RTOS (typified by the ETAS
RTA-OS) to schedule them. Such an
approach offers no domain separation
or function protection.
21
3/15/22 9:39 AM
È

http://www.aerodefensetech.com http://info.hotims.com/82320-869

Aerospace & Defense Technology - April 2022

Table of Contents for the Digital Edition of Aerospace & Defense Technology - April 2022