Embedded Hypervisor
Encyclopedia
Software virtualization has been a major topic in the enterprise space for quite some time, but has become an important technology for embedded systems only in the last few years. The application of the technology to the enterprise space has been well described elsewhere by companies such as Citrix Systems
, IBM
& VMware
. The situation is less well defined for developers of embedded systems. Most importantly, the use of virtualization and its implementation in the form of a hypervisor in embedded systems are very different from enterprise applications.
An effective implementation of an embedded hypervisor must deal with a number of issues specific to such applications. These issues include the highly integrated nature of embedded systems, the requirement for isolated functional blocks within the system to communicate rapidly, the need for real-time/deterministic performance, the resource-constrained target environment and the wide range of security and reliability requirements.
provides a software virtualization environment in which other software, including operating system
s, can run with the appearance of full access to the underlying system hardware, but in fact such access is under the complete control of the hypervisor. The software running in such a hypervisor managed environment is said to be executing within a virtual machine
(VM). Multiple VMs may be managed simultaneously by a hypervisor. Hypervisors are generally classed as type 1 or type 2, depending on whether the hypervisor is running in supervisor mode or privileged mode on “bare metal” (type 1) or is itself hosted by an operating system (type 2).
s development and is designed into the embedded device from the outset, rather than loaded subsequent to device deployment. The requirements for a hypervisor architecture suitable for embedded applications is quite distinct from hypervisors aimed at enterprise applications, which have a fundamentally different set of requirements. See references & for a more detailed discussion. These requirements are summarized below.
Implementations for embedded systems applications have been most commonly based on the use of a microkernel
or small separation kernel
, with virtualization built-in as an integral capability. This was introduced with PikeOS
in 2005. Examples of these approaches have been produced by companies such as Open Kernel Labs
(microkernel) and LynuxWorks
(small separation kernel). VirtualLogix
appears to take the position that an approach based on a dedicated Virtual Machine
Monitor (VMM) would be even smaller and more efficient. This issue is the subject of some ongoing debate; see references , & . However, the main point at issue is the same on all sides of the discussion – the speed and size of the implementation (for a given level of functionality) are of major importance. For example: " . . . hypervisors for embedded use must be real-time capable, as well as resource-miserly."
The small code size generated by these approaches is of such great importance since system resources such as memory are typically highly constrained in embedded applications, compared to enterprise systems. Thus embedded hypervisors usually have a memory footprint
from several tens to several hundred kilobytes, depending on the efficiency of the implementation and the level of functionality provided. An implementation requiring several megabytes of memory (or more) is generally not acceptable.
The small size of the hypervisor also provides the basis for a minimal trusted computing base
(TCB). This TCB is the only part of the entire system code which is allowed to run in privileged mode, thus enhancing the inherent security of the system. The amount of trusted user-mode code can be kept to an absolute minimum with this approach. This is in contrast to type 2 hypervisors, which are commonly designed to be used with a guest OS underneath any other software.
This approach also means that the TCB can be made highly secure & reliable . Standard software-engineering techniques, such as code inspections and systematic testing, can be used to reduce the number of bugs in such a small code base to a tiny fraction of the defects that must be expected for a hypervisor and guest OS combination that may be 100,000–300,000 lines in total.
One of the most important functions required in an embedded hypervisor is a secure message-passing mechanism, which is needed to support real-time communication between processes. In the embedded environment, a system will typically have a number of closely coupled tasks, some of which may require secure isolation from each other. In a virtualized environment, the embedded hypervisor will support and enforce this isolation between multiple VMs. These VMs will therefore require access to a mechanism that provides low-latency communication between the tasks.
An inter-process communication
(IPC) mechanism can be used to provide these functions, as well as invoking all system services, and implemented in a manner which ensures that the desired level of VM isolation is maintained. Also, due to its significant impact on system performance, such an IPC mechanism should be highly optimised for minimal latency.
Lastly, an embedded hypervisor needs to be in complete control of system resources, including memory accesses, to ensure that software cannot break out of the VM. So an embedded hypervisor requires the target CPU
to provide memory management
support (typically using an MMU
). However, unlike the enterprise space, a number of processors aimed at embedded applications do not provide such support, so selection of a suitable target architecture able to support a Type 1 hypervisor may be an issue.
1. OS independence
Designers of embedded systems may have many hardware drivers and system services which are specific to a target platform. If support for more than one OS is required on the platform, either concurrently or consecutively using a common hardware design, an embedded hypervisor can greatly simplify the task. Such drivers and system services can be implemented just once for the virtualized environment; these services are then available to any hosted OS. This level of abstraction also allows the embedded developer to implement or change a driver or service in either hardware or software at any point, without this being apparent to the hosted OS.
2. Support for multiple operating systems on a single processor
Typically this is used to run a real-time operating system
(RTOS) for low-level real-time functionality (such as the communication stack) while at the same time running a high-level OS, (HLOS) like Linux
or Windows
, to support user applications, such as a web browser or calendar. The objective might be to upgrade an existing design without the added complexity of a second processor, or simply to minimize the bill of materials
(BoM).
3. System security
An embedded hypervisor is able to provide secure encapsulation for any subsystem defined by the developer, so that a compromised subsystem cannot interfere with other subsystems. For example, an encryption subsystem needs to be strongly shielded from attack to prevent leaking the information the encryption is supposed to protect. As the embedded hypervisor can encapsulate a subsystem in a VM, it can then enforce the required security policies for communication to and from that subsystem.
4. System reliability
The encapsulation of a subsystem components into a VM ensures that failure of any subsystem cannot impact other subsystems. This encapsulation keeps faults from propagating from a subsystem in one VM to a subsystem in another VM, improving reliability. This may also allow a subsystem to be automatically shut down and restarted on fault detection. This can be particularly important for embedded device drivers, as this is where the highest density of fault conditions is seen to occur, and is thus the most common cause of OS failure and system instability. It also allows the encapsulation of operating systems that were not necessarily built to the reliability standards demanded of the new system design.
5. Dynamic update of system software
Subsystem software or applications can be securely updated and tested for integrity, by downloading to a secure VM before “going live” in an executing system. Even if this process then fails, the system can revert to its former state by restarting the original software subsystem/application, without halting system operation.
6. Legacy code re-use
Virtualization allows legacy embedded code to be used with the OS environment it has been developed and validated with, while freeing the developer to use a different OS environment in a separate VM for new services and applications. Legacy embedded code, written for a particular system configuration may assume exclusive control of all system resources of memory, I/O and processor. This code base can be re-used unchanged on alternative system configurations of I/O and memory through the use of a VM to present a resource map and functionality that is consistent with the original system configuration, effectively de-coupling the legacy code from the specifics of a new or modified hardware design.
Where access to the operating system source code is available, paravirtualization
is commonly used to virtualize the OS’s on processors without hardware virtualization support, and thus the applications supported by the OS can also run unmodified and without re-compilation in new hardware platform designs.
Even without source access, legacy binary code can be executed in systems running on processors with hardware virtualization support such as the AMD-V, Intel VT technologies and the latest ARM
processors with virtualization support. The legacy binary code could run completely unmodified in a VM with all resource mapping handled by the embedded hypervisor, assuming the system hardware provides equivalent functionality.
7. IP protection
Valuable proprietary IP
may need protection from theft or misuse when an embedded platform is being shipped for further development work by (for example) an OEM
customer. An embedded hypervisor makes it possible to restrict access by other system software components to a specific part of the system containing IP that needs to be protected.
8. Software license segregation
Software IP operating under one licensing scheme can be separated from other software IP operating under a different scheme. For example, the embedded hypervisor can provide an isolated execution environment for proprietary software sharing the processor with open source software subject to the GPL .
9. Migration of applications from uni-core to multi-core systems
As new processors utilise multi-core architectures to increase performance, the embedded hypervisor can manage the underlying architecture and present a uni-processor environment to legacy applications and operating systems while efficiently using the new multiprocessor system design. In this way a change in hardware environment does not require a change to the existing software.
Citrix Systems
Citrix Systems, Inc. is a multinational corporation founded in 1989, that provides server and desktop virtualization, networking, software-as-a-service , and cloud computing technologies, including Xen open source products....
, IBM
IBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
& VMware
VMware
VMware, Inc. is a company providing virtualization software founded in 1998 and based in Palo Alto, California, USA. The company was acquired by EMC Corporation in 2004, and operates as a separate software subsidiary ....
. The situation is less well defined for developers of embedded systems. Most importantly, the use of virtualization and its implementation in the form of a hypervisor in embedded systems are very different from enterprise applications.
An effective implementation of an embedded hypervisor must deal with a number of issues specific to such applications. These issues include the highly integrated nature of embedded systems, the requirement for isolated functional blocks within the system to communicate rapidly, the need for real-time/deterministic performance, the resource-constrained target environment and the wide range of security and reliability requirements.
Hypervisor
A hypervisorHypervisor
In computing, a hypervisor, also called virtual machine manager , is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program...
provides a software virtualization environment in which other software, including operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, can run with the appearance of full access to the underlying system hardware, but in fact such access is under the complete control of the hypervisor. The software running in such a hypervisor managed environment is said to be executing within a virtual machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
(VM). Multiple VMs may be managed simultaneously by a hypervisor. Hypervisors are generally classed as type 1 or type 2, depending on whether the hypervisor is running in supervisor mode or privileged mode on “bare metal” (type 1) or is itself hosted by an operating system (type 2).
Embedded hypervisor
An embedded hypervisor is a type 1 hypervisor that supports the requirements of embedded systemEmbedded system
An embedded system is a computer system designed for specific control functions within a larger system. often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts. By contrast, a general-purpose computer, such as a personal...
s development and is designed into the embedded device from the outset, rather than loaded subsequent to device deployment. The requirements for a hypervisor architecture suitable for embedded applications is quite distinct from hypervisors aimed at enterprise applications, which have a fundamentally different set of requirements. See references & for a more detailed discussion. These requirements are summarized below.
- A small, fast type 1 hypervisor with support for multiple VMs;
- Support for lightweight but secure encapsulation of medium-grain subsystem components that interact strongly;
- High-bandwidth, low-latency communication between system components, subject to a configurable, system-wide security policy;
- Minimal impact on system resources & real-time performance;
- Ability to implement a scheduling policy between VMs and provide support for real-time system components;
Implementation
To meet the requirements typical of most embedded applications, an embedded hypervisor must provide multiple VMs, each of which is essentially indistinguishable from the underlying hardware to which the virtualised software needs access. This ensures that the embedded code that runs on the real machine will run on the virtual machine and vice versa. The size and efficiency of the implementation is also an issue for an embedded hypervisor, as it needs to maintain as closely as possible the native speed, real-time response and determinism and power efficiency of the underlying hardware platform.Implementations for embedded systems applications have been most commonly based on the use of a microkernel
Microkernel
In computer science, a microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system . These mechanisms include low-level address space management, thread management, and inter-process communication...
or small separation kernel
Separation kernel
A separation kernel is a type of security kernel used to simulate a distributed environment. The concept was introduced by John Rushby in a 1981 paper...
, with virtualization built-in as an integral capability. This was introduced with PikeOS
PikeOS
PikeOS is a microkernel-based real-time operating system made by SYSGO AG. It is targeted at safety and security critical embedded systems. It provides a partitioned environment for multiple operating systems with different design goals, safety requirements, or security requirements to coexist in a...
in 2005. Examples of these approaches have been produced by companies such as Open Kernel Labs
Open Kernel Labs
Open Kernel Labs is a privately owned company that develops microkernel-based hypervisors and operating systems for embedded systems. The company was founded in 2006 by Steve Subar and Gernot Heiser as a spinout from NICTA...
(microkernel) and LynuxWorks
LynuxWorks
LynuxWorks, Inc. is a San Jose, California software company founded in 1988. LynuxWorks produces embedded operating systems and tools for using full virtualization and paravirtualization in embedded systems...
(small separation kernel). VirtualLogix
VirtualLogix
VirtualLogix, Inc. provides real-time virtualization software and related development tools for embedded systems. The company was founded in 2002.In September 2010, VirtualLogix was acquired by Red Bend Software.-Real-time hypervisors:...
appears to take the position that an approach based on a dedicated Virtual Machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
Monitor (VMM) would be even smaller and more efficient. This issue is the subject of some ongoing debate; see references , & . However, the main point at issue is the same on all sides of the discussion – the speed and size of the implementation (for a given level of functionality) are of major importance. For example: " . . . hypervisors for embedded use must be real-time capable, as well as resource-miserly."
The small code size generated by these approaches is of such great importance since system resources such as memory are typically highly constrained in embedded applications, compared to enterprise systems. Thus embedded hypervisors usually have a memory footprint
Memory footprint
Memory footprint refers to the amount of main memory that a program uses or references while running.This includes all sorts of active memory regions like code, static data sections , heap, as well as all the stacks, plus memory required to hold any additional data structures, such as symbol...
from several tens to several hundred kilobytes, depending on the efficiency of the implementation and the level of functionality provided. An implementation requiring several megabytes of memory (or more) is generally not acceptable.
The small size of the hypervisor also provides the basis for a minimal trusted computing base
Trusted computing base
The trusted computing base of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system...
(TCB). This TCB is the only part of the entire system code which is allowed to run in privileged mode, thus enhancing the inherent security of the system. The amount of trusted user-mode code can be kept to an absolute minimum with this approach. This is in contrast to type 2 hypervisors, which are commonly designed to be used with a guest OS underneath any other software.
This approach also means that the TCB can be made highly secure & reliable . Standard software-engineering techniques, such as code inspections and systematic testing, can be used to reduce the number of bugs in such a small code base to a tiny fraction of the defects that must be expected for a hypervisor and guest OS combination that may be 100,000–300,000 lines in total.
One of the most important functions required in an embedded hypervisor is a secure message-passing mechanism, which is needed to support real-time communication between processes. In the embedded environment, a system will typically have a number of closely coupled tasks, some of which may require secure isolation from each other. In a virtualized environment, the embedded hypervisor will support and enforce this isolation between multiple VMs. These VMs will therefore require access to a mechanism that provides low-latency communication between the tasks.
An inter-process communication
Inter-process communication
In computing, Inter-process communication is a set of methods for the exchange of data among multiple threads in one or more processes. Processes may be running on one or more computers connected by a network. IPC methods are divided into methods for message passing, synchronization, shared...
(IPC) mechanism can be used to provide these functions, as well as invoking all system services, and implemented in a manner which ensures that the desired level of VM isolation is maintained. Also, due to its significant impact on system performance, such an IPC mechanism should be highly optimised for minimal latency.
Lastly, an embedded hypervisor needs to be in complete control of system resources, including memory accesses, to ensure that software cannot break out of the VM. So an embedded hypervisor requires the target CPU
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...
to provide memory management
Memory management
Memory management is the act of managing computer memory. The essential requirement of memory management is to provide ways to dynamically allocate portions of memory to programs at their request, and freeing it for reuse when no longer needed. This is critical to the computer system.Several...
support (typically using an MMU
Memory management unit
A memory management unit , sometimes called paged memory management unit , is a computer hardware component responsible for handling accesses to memory requested by the CPU...
). However, unlike the enterprise space, a number of processors aimed at embedded applications do not provide such support, so selection of a suitable target architecture able to support a Type 1 hypervisor may be an issue.
Use cases
Some of the most common use cases for an embedded hypervisor are:1. OS independence
Designers of embedded systems may have many hardware drivers and system services which are specific to a target platform. If support for more than one OS is required on the platform, either concurrently or consecutively using a common hardware design, an embedded hypervisor can greatly simplify the task. Such drivers and system services can be implemented just once for the virtualized environment; these services are then available to any hosted OS. This level of abstraction also allows the embedded developer to implement or change a driver or service in either hardware or software at any point, without this being apparent to the hosted OS.
2. Support for multiple operating systems on a single processor
Typically this is used to run a real-time operating system
Real-time operating system
A real-time operating system is an operating system intended to serve real-time application requests.A key characteristic of a RTOS is the level of its consistency concerning the amount of time it takes to accept and complete an application's task; the variability is jitter...
(RTOS) for low-level real-time functionality (such as the communication stack) while at the same time running a high-level OS, (HLOS) like Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
or Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
, to support user applications, such as a web browser or calendar. The objective might be to upgrade an existing design without the added complexity of a second processor, or simply to minimize the bill of materials
Bill of materials
A bill of materials is a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, components, parts and the quantities of each needed to manufacture an end product...
(BoM).
3. System security
An embedded hypervisor is able to provide secure encapsulation for any subsystem defined by the developer, so that a compromised subsystem cannot interfere with other subsystems. For example, an encryption subsystem needs to be strongly shielded from attack to prevent leaking the information the encryption is supposed to protect. As the embedded hypervisor can encapsulate a subsystem in a VM, it can then enforce the required security policies for communication to and from that subsystem.
4. System reliability
The encapsulation of a subsystem components into a VM ensures that failure of any subsystem cannot impact other subsystems. This encapsulation keeps faults from propagating from a subsystem in one VM to a subsystem in another VM, improving reliability. This may also allow a subsystem to be automatically shut down and restarted on fault detection. This can be particularly important for embedded device drivers, as this is where the highest density of fault conditions is seen to occur, and is thus the most common cause of OS failure and system instability. It also allows the encapsulation of operating systems that were not necessarily built to the reliability standards demanded of the new system design.
5. Dynamic update of system software
Subsystem software or applications can be securely updated and tested for integrity, by downloading to a secure VM before “going live” in an executing system. Even if this process then fails, the system can revert to its former state by restarting the original software subsystem/application, without halting system operation.
6. Legacy code re-use
Virtualization allows legacy embedded code to be used with the OS environment it has been developed and validated with, while freeing the developer to use a different OS environment in a separate VM for new services and applications. Legacy embedded code, written for a particular system configuration may assume exclusive control of all system resources of memory, I/O and processor. This code base can be re-used unchanged on alternative system configurations of I/O and memory through the use of a VM to present a resource map and functionality that is consistent with the original system configuration, effectively de-coupling the legacy code from the specifics of a new or modified hardware design.
Where access to the operating system source code is available, paravirtualization
Paravirtualization
In computing, paravirtualization is a virtualization technique that presents a software interface to virtual machines that is similar but not identical to that of the underlying hardware....
is commonly used to virtualize the OS’s on processors without hardware virtualization support, and thus the applications supported by the OS can also run unmodified and without re-compilation in new hardware platform designs.
Even without source access, legacy binary code can be executed in systems running on processors with hardware virtualization support such as the AMD-V, Intel VT technologies and the latest ARM
ARM architecture
ARM is a 32-bit reduced instruction set computer instruction set architecture developed by ARM Holdings. It was named the Advanced RISC Machine, and before that, the Acorn RISC Machine. The ARM architecture is the most widely used 32-bit ISA in numbers produced...
processors with virtualization support. The legacy binary code could run completely unmodified in a VM with all resource mapping handled by the embedded hypervisor, assuming the system hardware provides equivalent functionality.
7. IP protection
Valuable proprietary IP
Intellectual property
Intellectual property is a term referring to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized—and the corresponding fields of law...
may need protection from theft or misuse when an embedded platform is being shipped for further development work by (for example) an OEM
Original Equipment Manufacturer
An original equipment manufacturer, or OEM, manufactures products or components that are purchased by a company and retailed under that purchasing company's brand name. OEM refers to the company that originally manufactured the product. When referring to automotive parts, OEM designates a...
customer. An embedded hypervisor makes it possible to restrict access by other system software components to a specific part of the system containing IP that needs to be protected.
8. Software license segregation
Software IP operating under one licensing scheme can be separated from other software IP operating under a different scheme. For example, the embedded hypervisor can provide an isolated execution environment for proprietary software sharing the processor with open source software subject to the GPL .
9. Migration of applications from uni-core to multi-core systems
As new processors utilise multi-core architectures to increase performance, the embedded hypervisor can manage the underlying architecture and present a uni-processor environment to legacy applications and operating systems while efficiently using the new multiprocessor system design. In this way a change in hardware environment does not require a change to the existing software.