#### AUTOMOTIVE · RAILWAY · AVIONICS MULTICORE SYSTEMS

# ARAMiS

Two Architecture Approaches for MILS Systems in Mobility Domains

HiPEAC Conference, January 20, 2015

Daniel Adam (BMW R&T, Speaker), Sergey Tverdyshev (SYSGO), Timo Sandmann (KIT), Carsten Rolfes (Fraunhofer AISEC)

Funded by the German Federal Ministry of Education and Research (Bundesministerium für Bildung und Forschung)

## **ARAMIS - MAIN OBJECTIVES**

- **Objective 1: Common solution across the domains.** The ARAMiS partners have a common interest in defining the logical view on the safety-critical embedded multicore computer architecture in a common form as far as possible.
- **Objective 2: Use of a standards-based modeling language.** A modeling language shall be used or defined that makes the constructed architecture easy to understand and allows the definition of design methods which can be followed easily in order to define the architecture at system scope and to refine it in the software and hardware disciplines.
- **Objective 3: Consequences of the constraints due to the safety requirements.** A fault tree analysis must be performed on the defined system architecture, which results in safety requirements. These will impact the use of the multicore computer; for example, they will result in failure detection and management (redundancy management) functions and in the allocation of safety levels to the defined system functions.
- **Objective 4: Consequences of the constraints due to the security requirements.** A threat analysis must be performed on the defined system architecture, which results in security requirements. These will impact the use of the multicore computer; for example, they will result in functions that detect the compromise of system security and in the allocation of security levels to the defined system functions.
- **Objective 5: Segregation of safety-critical functions grouped on a multicore platform.** The segregation of functions grouped on a multicore platform must be addressed in particular. Many new aspects arise and influence the design of the logical architecture, e.g. safety requirements such as the decision to group system functions on the cores, the avoidance of error propagation across cores and thus applications, the realization of redundancy and redundancy management of system functions, and the need for independence of specific functions or monitoring mechanisms.
- **Objective 6: Efficient parallelization.** The technique and design for parallelization of applications must be addressed to effectively gain significant performance from multicore platforms. This directly influences the decomposition and deployment strategies.
- **Objective 7: Concurrent access to common resources.** Solutions for the problem of concurrent access to common resources and its consequences for determinism must be provided. In particular, it must be analyzed for race conditions and for its influence on the current communication strategies and patterns.



# **AUTOMOTIVE INDUSTRY TOPICS**

- Environmental protection and energy efficiency
  - Increasing importance of emission reduction, especially for congested areas, results in complex engine and power management strategies (e.g. coordination of the engine system in hybrid vehicles, partial networking)
  - Legislative process: cost penalties when exceeding fleet consumption limits
  - Intermodal traffic management using networked vehicle information and infrastructure components which serve as data collectors. In the future, intermodal transport scenarios are possible by proposing alternative cross-domain transport solutions to reach the target destination in time.
- Active safety and reduction of traffic accidents
  - Further reduction of traffic accidents results in an increasing number of assistance systems to control the vehicle and support the driver
  - In the future, use of ad-hoc Car2Car, Car2Infrastructure or Car2Backend networks for exchanging safety-critical information
- Information and communication ("Infotainment")
  - Networking the vehicle with backend systems ("Cloud") to improve the driving experience and enable the availability of personalized data and services for a seamless living environment "atHome", "atWork", "atVacation"
  - Integration of mobile devices





Active Cruise control with stop and go, lane departure and lane change warning, approach control warning with brake activation, Night Vision with dynamic spot light, Headup-Display, Surround-View, Park-Assistant,...



# **AUTOMOTIVE DOMAIN CHARACTERISTICS**

| Domain       | Data and communication                                                                                  |
|--------------|---------------------------------------------------------------------------------------------------------|
| Chassis      | Data and communication for the operation of the chassis (stability, agility and dynamics of the car)    |
| Powertrain   | Data and communication for the operation of the power                                                   |
| Infotainment | Car- and driving-unrelated data; audio and video for entertainment                                      |
| Comfort      | Non-driving-related data and communication concerning well-being and access for driver and passenger   |

#### **Challenges:**

- Mixed ASIL QM and ASIL B
- Resource sharing of GPU, I/O etc.
- Performance / early audio, video, graphics
- Security: isolation of third-party software
- Fail-safe for ASIL I-Cluster (instrument cluster) functionality

| Characteristic       | Chassis, Powertrain           | Infotainment, Comfort                      |
|----------------------|-------------------------------|--------------------------------------------|
| Runtime environment  | AUTOSAR 4.x                   | Different GPOS, RTOS                       |
| Configuration        | Static configuration          | Dynamic configuration                      |
| Safety               | ISO 26262 ASIL QM to ASIL D   | ISO 26262 ASIL QM to ASIL B                |
| Further requirements | Hard real-time requirements   | Security requirements; early audio, video  |
| Suppliers            | Different suppliers           | Different suppliers                        |

#### **VIRTUALIZED CAR TELEMATICS (VCT) DEMONSTRATOR - GOALS**







- Segregation: isolation of applications of different safety or security levels (MILS)
- Virtualization as key technology to use multicore platforms in embedded systems
- Centralization / consolidation of functions into the infotainment domain unit
- Re-use of existing software




# VIRTUALIZED CAR TELEMATICS (VCT) DEMONSTRATOR






#### A DEEP FOCUS ON THE DEMONSTRATOR





#### **BOTH PLATFORMS AT A GLANCE**

|            | Platform A                                                                                  | Platform B                                                                                                                                      |
|------------|---------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
| Main goal  | Isolation and resource sharing for applications of different safety or security levels      | To implement a hardware-based, low-cost multi-context TPM that is capable of serving virtualized machines running on a multicore CPU architecture |
| Focus      | CoProcessor                                                                                 | Security on multicore without special hardware                                                                                                  |
| Hypervisor | Wind River                                                                                  | SYSGO                                                                                                                                           |
| Hardware   | Intel i7 + Xilinx FPGA                                                                      | i.MX 6 + Xilinx FPGA                                                                                                                            |




#### **PLATFORM A**




## **GOALS OF PLATFORM A**

- Isolation and resource sharing for applications of different safety or security levels
- Dynamic mapping of user-oriented 3D graphics on combi-display / headunit
- **Dynamic relocation** of content depending on vehicle status
- Usage of Android apps by providing a segregated partition for "insecure" applications

## SHARED COPROCESSORS IN MULTICORE SYSTEMS

- Resource sharing mechanisms
  - a) time-based
  - b) request-based / cooperative
  - c) proxy partition / hypervisor
  - d) hardware scheduling, transparent for partitions
- Requirements in safety-critical systems
  - efficient usage of multicore architecture
  - different priorities of partitions
  - predictability of behavior at concurrent accesses
  - quality-of-service assertions
  - portability to different multicore architectures
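As an added illustration (not from the slides or from any ARAMiS project code), the following Python simulation contrasts two of the sharing mechanisms listed above on a constructed workload: request-based / cooperative sharing (mechanism b), where the coprocessor serves requests in arrival order, and time-based sharing (mechanism a), where each partition owns a fixed slot of every frame. A greedy infotainment partition floods the coprocessor while a safety partition submits one short job per frame. The partition names, slot layout and job lengths are assumptions, and the time-based variant assumes the coprocessor can be suspended at a slot boundary.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed scenario: two partitions share one coprocessor.
FRAME_US = 1000                                              # major frame length (microseconds)
SLOTS = {"safety": (0, 200), "infotainment": (200, 800)}     # partition -> (offset, length) in the frame


@dataclass
class Job:
    partition: str
    release: int                   # time the partition submits the request (us)
    length: int                    # coprocessor busy time needed (us)
    start: Optional[int] = None
    done: Optional[int] = None


def make_jobs():
    """Constructed workload: 10 long infotainment jobs at t=0, one 100 us safety job per frame."""
    jobs = [Job("infotainment", 0, 900) for _ in range(10)]
    jobs += [Job("safety", t, 100) for t in (0, 1000, 2000)]
    return jobs


def fifo_schedule(jobs):
    """Request-based / cooperative sharing: requests are served in arrival order and a
    running job is never preempted, so one greedy partition delays everyone else."""
    t = 0
    for job in sorted(jobs, key=lambda j: j.release):       # stable sort keeps submission order
        job.start = max(t, job.release)
        job.done = job.start + job.length
        t = job.done
    return jobs


def tdma_schedule(jobs, slots, frame):
    """Time-based sharing: each partition owns a fixed window of every frame. Work runs only
    inside the owner's window and is suspended at the window end (assumes a coprocessor
    that can be preempted or checkpointed at slot boundaries)."""
    unknown = {j.partition for j in jobs} - set(slots)
    if unknown:
        raise ValueError(f"no slot configured for partitions {unknown}")
    queues = {p: deque(sorted((j for j in jobs if j.partition == p), key=lambda j: j.release))
              for p in slots}
    remaining = {id(j): j.length for j in jobs}
    pending = len(jobs)
    f = 0
    while pending:
        for p, (offset, length) in slots.items():
            t = f * frame + offset
            end = t + length
            q = queues[p]
            while q and t < end:
                job = q[0]
                if job.release >= end:
                    break                                   # nothing of this partition is runnable yet
                t = max(t, job.release)
                if job.start is None:
                    job.start = t
                run = min(remaining[id(job)], end - t)
                remaining[id(job)] -= run
                t += run
                if remaining[id(job)] == 0:
                    job.done = t
                    q.popleft()
                    pending -= 1
        f += 1
    return jobs


def worst_case_response(jobs):
    """Largest (completion - release) per partition: the figure a safety case needs."""
    out = {}
    for j in jobs:
        out[j.partition] = max(out.get(j.partition, 0), j.done - j.release)
    return out


if __name__ == "__main__":
    print("FIFO:", worst_case_response(fifo_schedule(make_jobs())))
    print("TDMA:", worst_case_response(tdma_schedule(make_jobs(), SLOTS, FRAME_US)))
```

The worst-case response time of the safety partition is what the predictability and quality-of-service requirements above ask for. The time-based policy bounds it to one slot regardless of what the other partition does, at the cost of throughput for the greedy partition; a proxy partition or hardware scheduler has to make exactly this trade-off explicit.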





#### VCT COMPUTER ARCHITECTURE





#### **PLATFORM B**



## **GOALS OF PLATFORM B**

- To implement a **hardware-based**, **low-cost** multi-context TPM that is capable of serving virtualized machines running on a multicore CPU architecture
- Virtual Machine Manager (VMM) as the interface between the TPM and the application processors
- Tasks of the VMM
  - Secure context switching
  - Scheduling the TPM
  - Part of the trusted software stack, which is verified using trusted boot
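The VMM's "secure context switching" task means that when the TPM is handed from one VM to the next, the outgoing VM's TPM state has to be parked outside the TPM and later restored without any VM receiving modified, foreign or outdated state. The following added Python model (not code from the slides or from the Platform B demonstrator) shows the checks a VMM can apply: each stored record is bound to its VM id and a version number under a master key, and the VMM keeps the current version per VM in its own trusted memory. The key constant, context contents and VM ids are constructed; encryption of the context is omitted here and would be added in a real design. The `flash_writes` counter corresponds to the flash-wear monitoring item listed under Future Work below.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the master key. On the slides the key lives in a shielded region of
# on-chip ROM inside the HSM and never leaves it; it is a constant here only so the example runs.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TAG_LEN = 32   # HMAC-SHA256 output


class ContextError(Exception):
    """Raised when a stored TPM context must not be restored."""


class TpmContextStore:
    """VMM-side handling of per-VM TPM contexts kept in (simulated) external flash."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._flash = {}        # vm_id -> record bytes   (untrusted storage)
        self._version = {}      # vm_id -> latest version (VMM-private, trusted)
        self.flash_writes = 0   # feeds the "number of writes in flash" monitoring

    def _tag(self, vm_id: int, version: int, blob: bytes) -> bytes:
        header = vm_id.to_bytes(2, "big") + version.to_bytes(4, "big")
        return hmac.new(self._key, header + blob, hashlib.sha256).digest()

    def save(self, vm_id: int, context: dict) -> None:
        """Context switch out: serialise, bind to (vm_id, version) and write to flash."""
        blob = json.dumps(context, sort_keys=True).encode()
        version = self._version.get(vm_id, 0) + 1
        header = vm_id.to_bytes(2, "big") + version.to_bytes(4, "big")
        self._flash[vm_id] = header + self._tag(vm_id, version, blob) + blob
        self._version[vm_id] = version
        self.flash_writes += 1

    def load(self, vm_id: int) -> dict:
        """Context switch in: only hand back a record that is intact, ours and current."""
        record = self._flash.get(vm_id)
        if record is None:
            raise ContextError("no stored context")
        rec_vm = int.from_bytes(record[0:2], "big")
        version = int.from_bytes(record[2:6], "big")
        tag, blob = record[6:6 + TAG_LEN], record[6 + TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(rec_vm, version, blob)):
            raise ContextError("integrity check failed")
        if rec_vm != vm_id:
            raise ContextError("record belongs to another VM")
        if version != self._version.get(vm_id):
            raise ContextError("stale context (rollback)")
        return json.loads(blob)


def _rejected(store: TpmContextStore, vm_id: int) -> bool:
    try:
        store.load(vm_id)
        return False
    except ContextError:
        return True


def run_checks() -> dict:
    """Exercise the three rejection cases with constructed contexts."""
    store = TpmContextStore(MASTER_KEY)
    store.save(1, {"pcr0": "aa" * 20, "owner": "oem"})
    store.save(2, {"pcr0": "bb" * 20, "owner": "customer"})
    results = {"restore_ok": store.load(1)["owner"] == "oem"}

    # A record copied from VM 1's slot into VM 2's slot must not be accepted as VM 2's state.
    store._flash[2] = store._flash[1]
    results["swap_detected"] = _rejected(store, 2)
    store.save(2, {"pcr0": "bb" * 20, "owner": "customer"})   # restore VM 2's slot

    # An older but genuine copy of VM 1's record must not replace the current version.
    old = store._flash[1]
    store.save(1, {"pcr0": "cc" * 20, "owner": "oem"})
    store._flash[1] = old
    results["rollback_detected"] = _rejected(store, 1)

    # A single flipped byte in the payload must fail the integrity check.
    store.save(1, {"pcr0": "cc" * 20, "owner": "oem"})
    rec = bytearray(store._flash[1])
    rec[-1] ^= 0x01
    store._flash[1] = bytes(rec)
    results["tamper_detected"] = _rejected(store, 1)

    results["flash_writes"] = store.flash_writes
    return results


if __name__ == "__main__":
    print(run_checks())
```

The version table is the part that must stay inside the trusted software stack: if it were kept in the same flash as the records, an old record and an old table could be restored together and the rollback check would pass.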



#### **DEMONSTRATOR SETUP**

Hypervisor / VMs:

- i.MX6 quad-core
- Virtualized system: PikeOS partitions running an OS

HSM:

- Xilinx Virtex-5 FPGA
- LEON softcore with VMM + TPM 1.2
- H/W accelerators (TRNG)



#### SYSTEM MILS ARCHITECTURE WITH PROXY



# SYSTEM ARCHITECTURE (MILS): FOCUS TPM





#### CONCLUSION

#### Successful integration of the multi-context TPM with PikeOS

- No PikeOS changes
- Only modification of the TrouSerS library to support multi-context TPMs

#### Future Work

- Monitoring the number of writes in flash
- Fast flash memory for storing context data
- Implement cryptographic modules of the TPM 1.2 emulator in hardware
- Master key to be stored in a shielded region of the on-chip ROM




#### **GENERAL SUMMARY**

#### MILS systems will be part of future automotive ECUs

- Increased computing power with better energy efficiency
- Support for centralization and more degrees of freedom for new E/E-architectural approaches
- Automated driving will increase the number of high-performance functions
- Increased reliability by separating functions on cores
- Increased safety by supporting ASIL decomposition
- Enables virtualization scenarios to support scalability

ARAMiS will focus on the challenges looking for comprehensive solutions for Automotive, Avionics and Railway.



# BACKUP



# **POTENTIAL USE-CASES**

#### Software activation/Electronic Payment

- Establish a secure connection (SSL or TLS)
- Secure data exchange between user and merchant (vehicle <-> OEM)
- Manage user credentials related to the payment account
- Certificate for the software license has to be issued

#### Network Attestation

- Only platforms owned by the enterprise are allowed to access the network
- Platform configuration of the client is verified (vehicle is in a trusted state)
- Access granted to use the network
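To make the attestation flow above concrete, here is an added Python sketch of the verifier side; it is not part of the slides or of the demonstrator. It uses the TPM 1.2 PCR extend rule, but the TPM quote signature is replaced by an HMAC under a per-platform key that the enterprise holds from enrolment (a real TPM signs with an attestation identity key), and the component names, keys and vehicle ids are constructed.

```python
import hashlib
import hmac
import os

PCR_LEN = 20   # TPM 1.2 PCRs are SHA-1 sized


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend rule: PCR_new = SHA-1(PCR_old || SHA-1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold an ordered list of boot-time components (bootloader, hypervisor, ...) into one PCR."""
    pcr = bytes(PCR_LEN)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def make_quote(platform_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Platform side. Stand-in for a TPM quote: a real TPM signs (nonce, PCR values) with an
    attestation identity key; an HMAC under a key enrolled per platform plays that role here."""
    return hmac.new(platform_key, nonce + pcr, hashlib.sha256).digest()


class AttestationVerifier:
    """Network side: admit only enrolled platforms that prove a known-good configuration."""

    def __init__(self, enrolled: dict, golden_pcr: bytes):
        self._enrolled = enrolled   # platform id -> enrolled key (vehicles owned by the enterprise)
        self._golden = golden_pcr   # expected PCR value for the trusted software state
        self._issued = set()        # outstanding challenge nonces

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, platform_id: str, nonce: bytes, pcr: bytes, quote: bytes) -> str:
        key = self._enrolled.get(platform_id)
        if key is None:
            return "denied: platform not enrolled"
        if nonce not in self._issued:
            return "denied: nonce not issued or already used"
        self._issued.discard(nonce)   # one use per challenge, whatever the outcome
        if not hmac.compare_digest(quote, make_quote(key, nonce, pcr)):
            return "denied: quote does not verify"
        if not hmac.compare_digest(pcr, self._golden):
            return "denied: untrusted platform configuration"
        return "granted"


# Constructed golden software stack and enrolment data.
TRUSTED_STACK = [b"bootloader v1", b"hypervisor image", b"OEM partition image"]
ENROLLED = {"vehicle-0001": b"k" * 32, "vehicle-0002": b"m" * 32}


def run_scenarios() -> dict:
    verifier = AttestationVerifier(ENROLLED, measure_boot(TRUSTED_STACK))
    out = {}
    good_pcr = measure_boot(TRUSTED_STACK)
    n = verifier.challenge()
    q = make_quote(ENROLLED["vehicle-0001"], n, good_pcr)
    out["trusted_vehicle"] = verifier.verify("vehicle-0001", n, good_pcr, q)
    out["replayed_nonce"] = verifier.verify("vehicle-0001", n, good_pcr, q)   # same quote again
    n = verifier.challenge()
    bad_pcr = measure_boot(TRUSTED_STACK[:2] + [b"modified partition image"])
    q = make_quote(ENROLLED["vehicle-0002"], n, bad_pcr)
    out["modified_vehicle"] = verifier.verify("vehicle-0002", n, bad_pcr, q)
    n = verifier.challenge()
    q = make_quote(b"x" * 32, n, good_pcr)
    out["foreign_vehicle"] = verifier.verify("vehicle-9999", n, good_pcr, q)
    return out


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

The order of the checks matters: ownership (enrolment) and freshness are decided before any cryptographic work, and the PCR comparison happens only on a quote that verified, so a platform can never be admitted on configuration data it did not prove.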

#### VIRTUALIZED COPROCESSOR INTERFACE

- Generic interface architecture for shared coprocessors
  - PCIe connection for Virtex-7 FPGAs, PCIe SR-IOV compatible
  - Support for slave and DMA accesses
  - Interrupt handling
  - Porting to further platforms (Zynq) currently in progress
- Virtual interfaces to realize spatial segregation
- Scheduling modules enforce temporal segregation
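The spatial-segregation rule behind the virtual interfaces is that a partition can only reach its own register window and can only direct the coprocessor's DMA at its own memory. The following added Python model (not the KIT interface design or any project code) enforces those rules for constructed partitions, register windows and memory ranges; the address layout and interrupt numbers are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    base: int
    size: int

    def covers(self, addr: int, length: int) -> bool:
        return self.base <= addr and addr + length <= self.base + self.size

    def overlaps(self, other: "Region") -> bool:
        return self.base < other.base + other.size and other.base < self.base + self.size


@dataclass(frozen=True)
class VirtualInterface:
    """One virtual function of the shared coprocessor, owned by exactly one partition."""
    partition: str
    reg_window: Region     # MMIO register/doorbell window mapped only into this partition
    dma_windows: tuple     # partition memory the coprocessor may touch on this VF's behalf
    irq: int               # interrupt line that delivers completions to this partition


class SharedCoprocessor:
    """Enforces the spatial-segregation rules a virtualized coprocessor interface must provide."""

    def __init__(self):
        self._vfs = {}
        self.denied = []   # (partition, kind, addr) records for a monitoring partition

    def attach(self, vf: VirtualInterface) -> None:
        for other in self._vfs.values():
            if vf.reg_window.overlaps(other.reg_window):
                raise ValueError(f"register windows of {vf.partition} and {other.partition} overlap")
        self._vfs[vf.partition] = vf

    def mmio_write(self, partition: str, addr: int, value: int) -> bool:
        """A partition may only ring its own doorbell; other windows are not mapped for it."""
        vf = self._vfs[partition]
        if not vf.reg_window.covers(addr, 4):
            self.denied.append((partition, "mmio", addr))
            return False
        return True

    def dma_request(self, partition: str, addr: int, length: int) -> bool:
        """Every DMA descriptor is checked against the requesting VF's windows (IOMMU-like)."""
        vf = self._vfs[partition]
        if not any(w.covers(addr, length) for w in vf.dma_windows):
            self.denied.append((partition, "dma", addr))
            return False
        return True

    def completion_irq(self, partition: str) -> int:
        return self._vfs[partition].irq


def build_demo() -> SharedCoprocessor:
    """Constructed layout: two partitions, each with its own register window and memory range."""
    cp = SharedCoprocessor()
    cp.attach(VirtualInterface("cluster", Region(0xF000_0000, 0x1000), (Region(0x1000_0000, 0x100000),), 40))
    cp.attach(VirtualInterface("android", Region(0xF000_1000, 0x1000), (Region(0x2000_0000, 0x100000),), 41))
    return cp


def run_checks() -> dict:
    cp = build_demo()
    return {
        "own_dma": cp.dma_request("android", 0x2000_8000, 4096),            # inside own window
        "cross_partition_dma": cp.dma_request("android", 0x1000_8000, 4096), # cluster memory: denied
        "straddling_dma": cp.dma_request("android", 0x200F_F000, 8192),      # runs past window end
        "own_doorbell": cp.mmio_write("android", 0xF000_1010, 1),
        "foreign_doorbell": cp.mmio_write("android", 0xF000_0010, 1),        # cluster's doorbell
        "irq_separate": cp.completion_irq("cluster") != cp.completion_irq("android"),
        "denials_logged": len(cp.denied),
    }


if __name__ == "__main__":
    print(run_checks())
```

The denial log is the hook for the self-monitoring system mentioned in the virtualization challenges: a partition that repeatedly issues out-of-window DMA descriptors is either faulty or compromised, and either way the event should reach a monitoring partition rather than be silently dropped.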





#### AUTOMOTIVE E/E-ARCHITECTURE TODAY






#### Typical logical bus-topology without LIN-Subsystems




#### **ISO 26262 – FUNCTIONAL SAFETY IN AUTOMOTIVE**



#### **NON-INFOTAINMENT SOFTWARE PLATFORM: AUTOSAR**



- Safety features in AUTOSAR
  - Memory protection: separate SW applications in "OS applications" (trusted, untrusted), with support from the MMU/MPU
  - Timing determinism features: execution time monitoring, synchronized time base, means for synchronized execution
  - End-to-end protection library: data protection
  - Program flow monitoring: controls the temporal and logical behavior of applications
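The end-to-end protection library is the AUTOSAR answer to data being corrupted, repeated, lost or delivered to the wrong receiver somewhere between a sending and a receiving software component. As an added example (not AUTOSAR's own implementation and not a conformant E2E profile), the Python below frames each message with a CRC-8 over Data ID, alive counter and payload, and classifies received frames the way an E2E check does. The CRC is the SAE J1850 variant (polynomial 0x1D, initial value 0xFF, final XOR 0xFF); the Data IDs and payloads are constructed.

```python
def crc8_sae_j1850(data: bytes) -> int:
    """CRC-8 with polynomial 0x1D, init 0xFF, final XOR 0xFF (SAE J1850 parameters)."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


class E2eSender:
    def __init__(self, data_id: int):
        self.data_id = data_id
        self.counter = 0

    def protect(self, payload: bytes) -> bytes:
        """Frame = CRC | counter | payload. The Data ID is covered by the CRC but not sent,
        so a frame protected for another Data ID fails the check at this receiver."""
        cnt = self.counter
        self.counter = (self.counter + 1) & 0x0F          # 4-bit alive counter
        body = bytes([cnt]) + payload
        crc = crc8_sae_j1850(self.data_id.to_bytes(2, "big") + body)
        return bytes([crc]) + body


class E2eReceiver:
    def __init__(self, data_id: int):
        self.data_id = data_id
        self.last_counter = None

    def check(self, frame: bytes) -> str:
        crc, cnt = frame[0], frame[1] & 0x0F
        if crc != crc8_sae_j1850(self.data_id.to_bytes(2, "big") + frame[1:]):
            return "WRONG_CRC"                              # corrupted or wrong Data ID
        if self.last_counter is None:
            self.last_counter = cnt
            return "INITIAL"
        delta = (cnt - self.last_counter) & 0x0F
        self.last_counter = cnt
        if delta == 0:
            return "REPEATED"                               # same frame delivered again
        if delta == 1:
            return "OK"
        return "WRONG_SEQUENCE"                             # frames lost in between


def run_scenario() -> list:
    """Constructed exchange: a speed signal under Data ID 0x1234 with typical fault cases."""
    tx, rx = E2eSender(0x1234), E2eReceiver(0x1234)
    frames = [tx.protect(bytes([speed])) for speed in (10, 11, 12, 13, 14)]
    statuses = [rx.check(f) for f in frames[:3]]                       # INITIAL, OK, OK
    statuses.append(rx.check(frames[2]))                                # replayed frame -> REPEATED
    statuses.append(rx.check(frames[4]))                                # frame 3 lost -> WRONG_SEQUENCE
    corrupted = bytearray(frames[4])
    corrupted[-1] ^= 0x80                                               # single bit error -> WRONG_CRC
    statuses.append(rx.check(bytes(corrupted)))
    statuses.append(rx.check(E2eSender(0x9999).protect(b"\x0a")))       # other Data ID: rejected
    return statuses


if __name__ == "__main__":
    print(run_scenario())
```

A single-bit error is always caught by the CRC, while a frame from a different Data ID is caught either by the CRC or, in the rare case of an 8-bit CRC collision, by the counter check; the two mechanisms back each other up, which is why the library combines them.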

#### **INFOTAINMENT HEADUNIT SOFTWARE PLATFORM**



Example of infotainment headunit characteristics

- Partitioning of Headunit regarding criticality of functions:
  - OEM-VM: Qualified OEM Apps.
  - Customer-VM: Standard OS with 3<sup>rd</sup>-party Software without validation
  - Safety-VM: Apps with safety or timing requirements.



Different multicore architectures are of interest for different automotive domains...

A particular software platform or multicore hardware-design has great influence on the whole system characteristics.

Based on the objectives ARAMiS will focus on the mapping process of logical architecture suggestions to technical solutions (SW, HW) under the conditions of existing designs and domain (Avionic, Automotive) requirements.



#### **MULTICORE AUTOSAR USAGE SCENARIOS**



| Usage scenario | Centralization |
|----------------|----------------|
| Goal achieved  | Reduce number of ECUs<br>Decrease number of networks and bus systems<br>Reduce complexity of networked functionality through domain-specific functional centralization<br>Increase safety via core separation |



#### **MULTICORE AUTOSAR USAGE SCENARIOS**



| Usage scenario | ASIL decomposition |
|----------------|--------------------|
| Goal achieved  | Lower development costs<br>Better options for ASIL decomposition using intelligent application distribution and "parallel redundancy"<br>Increase safety via core separation |

- Inheritance rules for integrity levels lead to a spread of the high integrity levels over the whole physical network
- ASIL decomposition and safety criticality analysis become absolutely necessary

#### **MULTICORE AUTOSAR USAGE SCENARIOS**



| Usage scenario | Dedicated use of cores (e.g. as I/O controller and "number cruncher") |
|----------------|------------------------------------------------------------------------|
| Goal achieved  | High performance                                                       |

[Figure: AUTOSAR layered architecture per core (application, actuator and sensor software components over AUTOSAR interfaces; services, communication, ECU abstraction and microcontroller abstraction in the basic software; complex drivers), with two such stacks running on a hypervisor above the hardware]

| Usage scenario | Safe virtualization, scalability |
|----------------|----------------------------------|
| Goal achieved  | Reduce configuration effort for scalability scenarios<br>Supplier-specific isolation<br>ASIL-specific isolation |

#### SOME CHALLENGES WHEN CHANGING FROM SINGLE-CORE TO MULTI-CORE

- Very often, requests to shared resources on AUTOSAR single-core systems are realized by surrounding the critical section with interrupt blocking; this will not work with multicore
  - A performant synchronization mechanism with hardware support is necessary (spin lock with shared memory, message passing (IOC in AUTOSAR), HW support for an atomic "test-and-set" function)
- Support for cache coherency in hardware or software
- MPU/MMU should support I/O protection
- Optimized and safe inter-core communication
- Peripheral access should not be the bottleneck; the number of usable cores is limited by I/Os
- Tooling: support for SWC mapping to optimize core load, minimize inter-core communication and allow energy management to power down cores
- Energy-management mechanisms on SW and HW level
- Reuse of existing code: need for automated migration options



## SOME CHALLENGES FOR VIRTUALIZATION

- MPU/MMU support for spatial separation in the IO-space
- The MPU should contain sufficient registers to contain the architectural state (register sets) of the hypervisor and the guest.
- Hardware-support for shared IO-Devices (e.g. CAN-Bus)
- GPU should support scheduling and memory protection (IO-MMU)
- Hardware support that allows each interrupt or trap to be directed either to a guest or to the hypervisor with no time penalty
- Small trusted code base
- Hypervisor should allow qualification based on ISO 26262
- Self-Monitoring system to capture status of partitions and trigger fail-safe mechanism.

#### SUMMARY

- Multicore will be part of future automotive ECUs
  - Increased computing power with better energy efficiency
  - Support for centralization and more degrees of freedom for new E/E-architectural approaches
  - Automated driving will increase the number of high-performance functions
  - Increased reliability by separating functions on cores
  - Increased safety by supporting ASIL decomposition
  - Enables virtualization scenarios to support scalability

There is still some homework to do for overall use in series production

ARAMiS will focus on the challenges looking for comprehensive solutions for Automotive, Avionics and Railway.










# SECURE CONTEXT SWITCHING ON-CHIP MASTER KEY APPROACH

