AGL-µBinder: Binding/Binder for small ECU and the non-AGL world

Tokyo ALS July/2019
Fulup Ar Foll, Lead Architect, [email protected]

Who are we?

● 25 engineers dedicated to AGL
● Location: Lorient/Brittany/France/Europe
● https://iot.bzh/en/
● http://github.com/iotbzh

AGL µBinder Tokyo July 19 2/22 UBS/IoT.bzh Collaboration

● Technical Team
  – Internship: Aymeric Aillet
  – University tutor: Johann LAURENT
  – IoT.bzh tutors: Thierry BULTEL & Jose Bollo
● Technical Explorations
  – Zephyr/AGL architecture for commercial boat signal acquisition
  – Potential transport for µController2AGL IPC
  – Integration of µController within AGL microservices architecture
  – Downsizing of AGL AppFw
  – Integration of NMEA2000 inside AGL distributed security model, …
● Duration
  – 6 months (January→June 2019)

What’s an AGL Binder (3/22)

● A standard component used to expose an API from a binding
● An abstraction of the transport layer
● A security model
● A container

Binding/Binder is somehow similar to WebServer/Applet in the Java world

Micro Service Architecture (4/22)

Security Mechanism (5/22)

[Figure: security mechanism. A legitimate application and a BlackHat application request access; each request is GRANTED or DENIED at two levels.]
● KERNEL: the Smack Linux security module helps to protect resources and data
● Protected service: the permission database Cynara helps to protect services

Binder is a Container for Bindings (6/22)

● Connect services/applications together (UDS, WS/UDS, WS/TCP, HTTP, linked)

● High level flexible RPC mechanism (hide connections)

● Framework for event signalling

● Security and permissions facilities (Smack + Cynara)

● Builtin HTTP server supporting REST, WebSockets and TLS

● Management of client sessions and contexts

● Automatic Recovery from unexpected disconnections

● Handle dependencies and startup order

● Debugging, monitoring and supervision

Binding/Binder Connection (7/22)

● HTTP+WS: common connection (Dbus legacy)
  – Acts as HTTP server & accepts upgrade to websocket
  – It exports API
  – It manages sessions
  – It checks security tokens
● API/WS: specific to API
  – Only one API
  – It manages sessions
  – It doesn’t check tokens

Binder Remote Access (8/22)

[Figure: remote access. A remote client browser reaches, over the internet, the AGL domain (CAR): the “HOME” AppFw, a reverse proxy and the binder of APP 23. Steps ①–④ are as follows.]
① Ask to launch APP 23
② Returns the URL of the BINDER for APP 23 and its token (in the URI?)
③ Connect to the binder with its token
④ Check token validity with OpenIDconnect

Programming Model (9/22)

Sample: call to get the verbosity level of API monitor
  Request: monitor/get({"verbosity": "monitor"})
  Reply:   {"verbosity": {"monitor": "info"}}
  The api (or service) is "monitor", the verb (or method) of the api is "get", the request arguments are any JSON value, and the reply is a JSON value.

Curl invocation
  $ curl -H 'x-afb-token: HELLO' \
      localhost:1056/api/monitor/get?verbosity=monitor

Javascript invocation
  afb.call('monitor/get', {'verbosity': 'monitor'}).then(gotapis);

C binding invocation

  /* build the JSON argument object {"verbosity": "monitor"} */
  wrap_json_pack(&req, "{ss}", "verbosity", "monitor");
  /* call verb "get" of api "monitor"; gotapis receives the reply */
  afb_api_call(myapi, "monitor", "get", req, gotapis, NULL);

Binder/Binding AGL vocabulary (10/22)

● Binder: the process afb-daemon (it changes its name as seen in ps -ef)

● Binding: shared object that implements one or multiple APIs

● Api: exportable set of verbs belonging to the same namespace and implemented within one and only one binding

● Verb: a callable endpoint; accepts arguments, returns a result, can be protected by ACL (Cynara)

● Shadow api: an imported remote api accessed like a local api

AGL MicroService Architecture (11/22)

[Figure: AGL micro-service architecture spanning three domains, Cluster, Entertainment and Cloud, joined by “Transport & ACL” layers. Recovered labels: Head Unit (Navigation, Direction Indication, Map handling, Localisation, POI), My Car Portal (Known Bugs, Subscriptions, Preference, Service Packs), Maintenance Portal (Maintenances management, Payment Service); Cluster (CAN-BUS, Geopositioning, Preferences, Log & Analytics, Virtual Signal, Customisation); sources and backends (Engine CAN-BUS, Gyro/Accelerometer, GPS, ABS, LIN-BUS, MongoDB No-SQL engine, Payment Service, Statistics & Analytics). Banner: Hard RealTime / Soft RealTime / Multi ECU & Cloud Aware Architecture.]

Why Zephyr as µController RTOS (12/22)

● Opensource & hosted by the Linux Foundation
● Ongoing safety certification
● Modern RTOS
● TCP/IP, WIFI, Bluetooth
● CANbus (even if not working out of the box)
● Very clean and straightforward API
● Runs on multiple boards: STM32F411RE, NXP FRDM-K64F, STM32L432KC

NMEA-2000 relies on CAN (13/22)

● Based on CAN 2.0B

● Integrated into the AGL LowCAN binding (PGNs ported from the CanBoatJS project to the OpenXC JSON model)
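As an added example (not code from the slides or from the AGL LowCAN binding), the two steps the bullet above refers to, in C: splitting a CAN 2.0B identifier into its NMEA 2000 PGN, then mapping one PGN (127250, Vessel Heading) to an OpenXC-style name/value record. The 29-bit layout and the PGN 127250 fields follow the public NMEA 2000/J1939 conventions; the record shape and the name vessel.heading are assumptions.

```c
/* Added example (not from the slides or the AGL low-can binding): split an
 * NMEA 2000 CAN 2.0B identifier into its PGN and map PGN 127250 (Vessel
 * Heading, field layout per the public canboat definitions) to an
 * OpenXC-style name/value record. The record shape is an assumption. */
#include <stdint.h>
#include <stdio.h>

#define N2K_PI 3.14159265358979323846

struct n2k_hdr { uint8_t priority, source, dest; uint32_t pgn; };

/* 29-bit ID: bits 26-28 priority, bit 24 data page, bits 16-23 PDU format
 * (PF), bits 8-15 PDU specific (PS), bits 0-7 source. PF < 240 means an
 * addressed frame (PS = destination); otherwise PS is the low PGN byte
 * and the frame is a broadcast (dest 0xFF). */
void n2k_decode_id(uint32_t can_id, struct n2k_hdr *h)
{
    uint8_t pf = (can_id >> 16) & 0xFF, ps = (can_id >> 8) & 0xFF;
    uint32_t dp = (can_id >> 24) & 0x01;

    h->priority = (can_id >> 26) & 0x07;
    h->source = can_id & 0xFF;
    h->pgn = (dp << 16) | ((uint32_t)pf << 8) | (pf < 240 ? 0 : ps);
    h->dest = pf < 240 ? ps : 0xFF;
}

/* PGN 127250: byte 0 SID, bytes 1-2 heading as little-endian uint16 in
 * 0.0001 rad (0xFFFF = not available). Returns 1 with degrees, else 0. */
int n2k_heading_deg(const uint8_t data[8], double *deg)
{
    uint16_t raw = (uint16_t)(data[1] | (data[2] << 8));
    if (raw == 0xFFFF)
        return 0;
    *deg = raw * 0.0001 * 180.0 / N2K_PI;
    return 1;
}

/* Emit the OpenXC-style record; 0 if the frame is not a usable heading. */
int n2k_heading_json(uint32_t can_id, const uint8_t data[8], char *out, size_t len)
{
    struct n2k_hdr h;
    double deg;
    n2k_decode_id(can_id, &h);
    if (h.pgn != 127250 || !n2k_heading_deg(data, &deg))
        return 0;
    snprintf(out, len, "{\"name\":\"vessel.heading\",\"value\":%.2f,\"src\":%u}",
             deg, h.source);
    return 1;
}
```

A frame whose heading field reads 0xFFFF is rejected rather than reported as a bogus 6.5535 rad, which is the edge case a signal binding has to handle before publishing a value.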

NMEA2000 POC (14/22)

Porting Binder/Binding beyond AGL (15/22)

● Goal
  – Make bindings portable to expand the AGL micro-services architecture to the non-AGL world
  – Hide OS specificities within the binder
  – Support multiple RTOS (imposes an OS abstraction layer: µBinder)
  – Expand to Windows, MacOS, Android, QNX, TrustZone, Hypervisor, …
  – Keep binder code generic enough to limit LTS maintenance cost
● Difficulties
  – Partial or total loss of the POSIX API (especially epoll)
  – Should work even without access to a filesystem
  – Limited resources (RAM + CPU)
  – Should support a non-TCP/IP connectivity model for remote access
  – Lack of native operating system security mechanisms
  – Very different scheduling behaviour (threading, exceptions, events, …)

µbinding POC (16/22)

● µbinding for Zephyr
  – Change AGL Binder architecture to select transport/options at compilation time
  – Enable Transport as a plugin (today static config only)
  – Enable Config as a plugin (eg: config from file, config from network, static config at compilation, ...)
  – Clean OS abstraction layer
● A lot of work still TBD
  – Implement a generic security model supporting multiple OS
  – Add a realtime concept to Binding/API (today a Binding supports ACL per API but no time/priority constraints)
  – Merge µBinding code with mainstream AGL code (today it’s a hack to prove it is possible)
  – Expand beyond Zephyr (Android, Windows, QNX, Autosar, VxWorks, TrustZone, Hypervisor, ...)

µbinder Memory Usage? (17/22)

                  Helloworld          TCP/IP              Binder + IPV4       Binder + IPV6
  FLASH (256 KB)  14544 B    5.55%    31005 B   11.83%    94181 B   35.93%    108077 B  41.23%
  SRAM (64 KB)     4152 B    6.34%    17028 B   25.98%    18560 B   28.32%     20460 B  31.22%
  IDT_LIST (2 KB)   120 B    5.86%      120 B    5.86%      120 B    5.86%       120 B   5.86%

µBinder with one transport (TCP webSocket) ~64KB

µBinder IPC Transport (18/22)

● Added a console/serial transport abstraction
  – Based on previous work done for the L4RE hypervisor (IPC between AGL domains)
  – Explored transports on Zephyr: TCP, UDP, I2C & MBUF
  – Note: currently transports are statically selected at compilation time only
● Difficulties
  – Zephyr’s poll()/pollfd is not as smart as the one from Linux
  – No on the board we used
  – The AGL security model heavily relies on SMACK, which is not available outside Linux
  – Multiple things that anyone would expect to exist by default are optional or not present
  – No systemd to start services on demand or in the right order
● To be solved in order to move beyond POC
  – No AGL support for remote authorities (security/authentication)
  – No discovery service (today micro-service locations are statically defined)
  – No realtime support at API level (critical when resources are limited)

Supporting Multiple OS/RTOS (19/22)

● OS abstraction: LibUV looks promising
  – Supports Linux, Windows, MacOS, Zephyr, Android, …
  – Ported to a couple of embedded projects (eg: JerryScript)
  – WARNING: LibUV might not be a good choice for older generations of RTOS (VxWorks, QNX, ...)
● Distributed security model for a smaller footprint
  – Create an abstraction for SMACK (eg: SELinux for Android)
  – Enable remote access to Cynara
  – Implement a security/authority delegation model (OpenIDconnect)
  – Support tiny/certified OS such as AutoSAR
  – Provide a mechanism for 100% alien systems to play a role within the AGL micro-services architecture (eg: UART or buffer client model)
  – Provide support to enforce realtime constraints at API/binding level

Conclusions (20/22)

● µBinder POC shows that the AGL Binder may:
  – Slim down below 64KB and run on an RTOS with 128/256KB
  – Support non-TCP/IP IPC transports (memory, UART, ...)
  – Share a unique code base from µController to the cloud
  – Allow customization without touching the core
  – Support both static and dynamic models (config, transport, ...)
● Challenges before going to production
  – Current code needs to be significantly restructured in a modular way (plugins)
  – Linux dependencies (Posix, systemd, SMACK, …) should be abstracted
  – Remote internal capabilities should be added (API discovery, ACL, Token, ...)
  – Mapping to the non-AGL world (Android, TrustZone, QNX, …) would need sponsors

Visiting us in Lorient (21/22)
