ST Developers Conference: How to Efficiently Separate … · Dynamic hypervisor • Virtualization...
Transcript of ST Developers Conference: How to Efficiently Separate … · Dynamic hypervisor • Virtualization...
ST Developers Conference:How to Efficiently Separate Automotive Functions Within a Multi-Core System with EB tresos AutoCore Hypervisor
Christoph Dietachmayr, Solution ManagerSeptember 12th, 2019
2© Elektrobit (EB) 2019 | Confidential information
• Motivation
• Challenge
• General solution
• Specific Implementation
– EB tresos AutoCore Hypervisor
– EB corbos Virtual Ethernet Switch
• Hypervisor Comparison
• Summary
Agenda
How to Efficiently Separate Automotive Functions within a Multi-Core System
3© Elektrobit (EB) 2019 | Confidential information
Motivation
How to Efficiently Separate Automotive Functions within a Multi-Core System
• New vehicle architectureMarket
• Software as a productBusiness model
• Shorter development cycleEfficiency
• New E/E architectureLegacy migration
• Distributed developmentDevelopment
4© Elektrobit (EB) 2019 | Confidential information
• Homologation of functional application sets (OBD/Non-OBD)
• Consolidation of functional application sets on one ECU
• Separation of safety criticality levels on one ECU (different ASIL levels)
The Challenge
How to Efficiently Separate Automotive Functions within a Multi-Core System
ApplicationSWC
Middleware stack
ApplicationSWC
ApplicationSWC
ApplicationSWC
Middleware stack
ApplicationSWC
ApplicationSWC
5© Elektrobit (EB) 2019 | Confidential information
Execute separate builds on selected cores
Assign available hardware resources to the specific partitions
Enable cross partition communication
Solution Concept with a Multi-Core Processor - Overview
How to Efficiently Separate Automotive Functions within a Multi-Core System
ApplicationSWC
Middleware stack
Application SWC
Application SWC
Application SWC
Middleware stack
Application SWC
Application SWC
Application SWC
Middleware stack
Application SWC
Application SWC
Virtual ECU
ApplicationBinary
Micro Controller
μC Core
6© Elektrobit (EB) 2019 | Confidential information
Static Separation Mechanism (w/o MMU)
How to Efficiently Separate Automotive Functions within a Multi-Core System
…
Application SWC Application SWC Application SWC
Runtime environment
Op
era
tin
g sy
ste
m
AUTOSAR BSW
MCAL
Hardware-independentHardware-dependent
Runtime environment
EHV EHV
Core-1 Core-2 Core-3 Core-4 Core-xμC
Core-5
EB tresos AutoCoreHypervisor
Application SWC Application SWC Application SWC
Op
era
tin
g sy
ste
m
AUTOSAR BSW
MCAL
Virtual ECU1 Virtual ECU2 Virtual ECU
7© Elektrobit (EB) 2019 | Confidential information
Core-1
Virtual ECU Communication with Virtual Ethernet Switch
How to Efficiently Separate Automotive Functions within a Multi-Core System
Virtual ECU1 Virtual ECU2
Virtual Eth. switch
Eth. driver
Virtual Ethernet
Ethernet
Virtual Ethernet
Application
AUTOSAR BSWAUTOSAR BSW
Op
erat
ing
Syst
em
Application
AUTOSAR Communication
stack
AUTOSAR Communication
stack
Op
erat
ing
Syst
em
AUTOSAR MCAL AUTOSAR MCAL
Core-2 Core-3 Core-4 Core-5
Hardware-independentHardware-dependentVirtual Ethernet
8© Elektrobit (EB) 2019 | Confidential information
General
• Transmission/reception from cores or from outside
• Support of QoS (Tx/Rx) and TimeSync
Performance
• Performance optimized data path for Tx/Rx (e.g. zero-copy/minimize copy operations, lock time)
• Deterministic Tx/Rx forwarding delay
Safety
• Freedom from interference (timing and execution, memory, communication)
• Support of coexistence with safety related components
Virtual Ethernet Switch
How to Efficiently Separate Automotive Functions within a Multi-Core System
9© Elektrobit (EB) 2019 | Confidential information
Allows to schedule multiple virtual cores on one physical core
Spatial freedom from interference of virtual cores
Cross partition communication
EB tresos AutoCore HypervisorFull support for Cortex-R52 like architectures
How to Efficiently Separate Automotive Functions within a Multi-Core System
Middleware stack
Virtual ECU
ApplicationBinary
physicalCore
Runtime Hypervisor
Middleware stack
App. SWCApp. SWC
Middleware stack
App. SWCApp. SWC
virtual Core
App. SWC App. SWC App. SWC
Middleware stack
App. SWCApp. SWC
…...…
10© Elektrobit (EB) 2019 | Confidential information
Allows to schedule multiple virtual cores on one physical core
Spatial freedom from interference of virtual cores
Cross partition communication
EB tresos AutoCore Hypervisor in ActionPotential Configuration on Stellar
How to Efficiently Separate Automotive Functions within a Multi-Core System
Application SWC
Middleware stack
Application SWC
Application SWC
Application SWC
Middleware stack
Application SWC
Application SWC
Virtual ECU
ApplicationBinary
physicalCore
Runtime Hypervisor
Middleware stack
App. SWCApp. SWC
Middleware stack
App. SWCApp. SWC
virtual Core
11© Elektrobit (EB) 2019 | Confidential information
• Freedom from interference between separation domains using hardware separation features such as registers, memory, peripherals, and code
• Support of coexistence with safety-related components
Further OS support• EB tresos Safety OS supports multiple
instantiations
• Support for containment domains with configurable number of CPU cores
• Library with static communication channels
• Communication via shared memory
• OS-independent inter-core locks
• Cross-core interrupt trigger
• Call-out functions
• Virtual ECU separation
• Containing individual code
• OBD/non OBD on separate cores
• Safety OS (ASIL-D) and AutoCore OS (QM) on same ECU but different cores
• Static configuration of memory regions
• Booting of separate OS instances
• Setup of virtual ECU containment
• Configuration of interrupts
SafetyInter-VECU communicationCore separation
Features – EB tresos AutoCore Hypervisor
How to Efficiently Separate Automotive Functions within a Multi-Core System
12© Elektrobit (EB) 2019 | Confidential information
The following features of μ controller are utilized:• Hypervisor EL2 MPU
• NOC-Firewall
• Interrupt controller
• Core-specific timer
• Shared and private memory
• Fast inter-core communication
• Inter-core locking
Integration of ST SR6x7 Centauri
How to Efficiently Separate Automotive Functions within a Multi-Core System
13© Elektrobit (EB) 2019 | Confidential information
• Hard real-time capable
• Usage of MPU
• Minimal virtualization
• Less processor overhead
Dynamic hypervisor • Virtualization of hardware resources
• Usage of MMU
• Overhead due to dynamic allocation
• Usage of dynamic OS (Linux/QNX)
Hypervisor comparison
How to Efficiently Separate Automotive Functions within a Multi-Core System
EB tresos AutoCore Hypervisor
14© Elektrobit (EB) 2019 | Confidential information
EB tresos AutoCore Hypervisor contributes towards:
• Reduction of ECUs in the vehicle
• Legal separation of software components
• Flexibility for peripherals (e.g. CAN, FR, …)
EB tresos AutoCore Hypervisor allows:
• Smooth inter-core communication also for inter-VECU communication
• Hard real-time behavior
• High hardware utilization
• Low power consumption
• Exchange of software on a single-core (VECU vs RECU)
Summary
How to Efficiently Separate Automotive Functions within a Multi-Core System
Get in touch!
Virtualization Approach on the ST
STELLAR MCUs
Khaldoun Albarazi
Market Development Engineer
Automotive Product Division
STMicroelectronics
Forewords – Embedded Virtualization Concept Introduction
17
State of the art SW Technology for Integration and Isolation of Multiple Applications onto one single
Processor (MCU/MPU),
allowing multiple SW with different ASIL levels to run on same MCU
There are other ways to isolate applications but virtualization offers additional key benefits:
• Reduce Interaction between different SW suppliers, easier integration of multiple independant SW
• Correspondingly easier SW updatability (each supplier / application SW independantly from each other)
Hypervisor
VM0(example Classic Autosar)
Virtual machine (VM)
SWC SWC...
RTE
OS BSW
AR MCAL
VM1..n
Virtual machine (VM)
...
MCU
Virtual Machines
Hypervisor
SW Layer
Supplier2Supplier1Drivers for embedded Virtualization in Automotive
SW complexity reduction taking advantage of the introduction of more performing
MCUs (STELLAR) and moderate to no cost advantage of technology beyond 40nm
• re-combine distributed functionality in a single ECU
• Domain Controller architecture to tackle multiple challenges
• SW modularity & update-ability
Implications
• Integrated software functions have different functional safety level missions and
are developed by different suppliers
• Freedom from interference must be insured in a simple manner
• Possibility to update one software function independently from the others (no risk
on the others and no need to fully requalify)
Requirement for real-time (boot & runtime) is maintained for embedded systems
Virtual ECU 0 Virtual ECU n
STELLAR Unique Hardware/Real-Time Virtualization
18
Hypervisor
VM0(example Classic Autosar)
Virtual machine (VM)
SWC SWC...
RTE
OS BSW
AR MCAL
VM1..n
Virtual machine (VM)
...
STELLAR MCUw. HW Virtualization
Virtual Machines
Hypervisor
SW Layer
Hypervisor
VM0(example Classic Autosar)
Virtual machine (VM)
SWC SWC...
RTE
OS BSW
AR MCAL
VM1..n
Virtual machine (VM)
...
Other MCUswo. HW Virtualization
(or w. only HW Virtualization Assistance)
High Performance Virtualization Big Overhead for Virtualization Support
Real-time Virtualization No Real-Time capability
Deterministic Virtualization Not Deterministic for none real-time CPU
Examples
Access
Protection
Applic. / Hypervisor
Interrupts
by STELLARBy SW
(Hypervisor)
LS
STELLAR Real-time Deterministic Virtualization Architecture19
Lock-Step
Cortex-R52
RAMPCM
Cortex
M4
RAMPCM
Cry
pto
Co
reA
ES
/ P
KA
/ S
HA
/ T
RN
G
data PCM
DMAs
RAM
RAMPCM
none CPU Masters
Lock-Step
Cortex
M4
Cortex
M4
R52 Core Clusters
arm CORTEX-R52 Clusters
only real-time CPU w. HW=real-time virtualization (new Hypervisor Exception Levels EL2)
EL1 MPU
&
EL2 MPU
RAMPCM
Peripherals, InterfacesVMID: Virtual Machine ID
NOC: Network on Chip
FW: NOC Firewall
Periph.
Bridge
MPU
SAFE NETWORK ON CHIP
FW FW FW
VMIDMgr
Periph.
Bridge
MPU
FW
... Assigns VMID for all
none CPU masters
FW FW
AES Light
HSM2
MPU for peripheral accesses
initiators
targets
LS AES Light
TC
M &
C
ache
Interrupt and Access Protection Infrastructure based on VMID / Master ID (VMID / Task ID for R52)
EL2 MPU
EL1 MPU
CPU
Lock-Step
Cortex-R52
TC
M &
C
ache
EL2 MPU
EL1 MPU
CPU
Lock-Step
Cortex-R52
TC
M &
C
ache
EL2 MPU
EL1 MPU
CPU
Lock-Step
Cortex-R52
TC
M &
C
ache
EL2 MPU
EL1 MPU
CPU
Split-Lock
Cortex-R52
TC
M &
C
ache
EL2 MPU
EL1 MPU
CPU
Cortex-R52
TC
M &
C
ache
EL2 MPU
EL1 MPU
CPUFR, ETH
GTM
Zipwires
...
FW FW
Virtual Machine ID + Master ID
FW
EL1 & EL2
InterruptsINTC INTC INTC INTC INTC INTC
...
...
Virtual
ECU 0
(supplier0)
STELLAR MCUs Integration Platform 20
Hypervisor
VM0(ex: Classic Autosar)
Virtual machine
SWC SWC...
RTE
OS BSW
AR MCAL ...
STELLAR MCUHigh Perf. Virtualization
1st Automotive MCU w. real-time Virtualization
Platform for ECU Integration & Domain Controllers
Unprecedented
Real time & Safe
PerformanceSTELLAR enabled
High Performance
Virtualization / Hypervisor
Turn-key Safety Isolation
Platform for mixed ASIL level Applications
(„modular „Safety“)
Multi SW vendor Platform
Modular Software
Development & Updates
Virtual
ECU 1
(supplier1)VM1
Virtual machine
Virtual
ECU n
(suppliern)VM1
Virtual machine
Secure Platform
ASIL D ASIL BQM
Thank You!
21
Contact
Khaldoun Albarazi
Market Development Engineer
Automotive Product Division
STMicroelectronics