Xen Automotive

©2014 GlobalLogic Inc. CONFIDENTIAL Next Big Thing is coming …

Vehicles are Changing

• Cars still bring us from point A to point B, but look different inside
• Ford Sync software today contains 10,000,000+ lines of code
• Evolving industry
• Short time to market
• “Cloud” car
• 3rd party applications
• Cost reduction

Next Steps

• Combine different functions on a single computer
• Modern SoCs are powerful enough to perform different functions
• Cluster Display
• Central Console Display
• GPU
• HW MM accelerators
• Security – ARM TrustZone

Requirements

• Look and Feel customization
• Connected Car Services
• Quick development cycle
• 3rd Party Applications

Open Source for Automotive – Gaps

• Stability & Reliability
• Boot Time
• Security

Why ?

• Type 1
• Flexible Mode
• Driver disaggregation
• ARM support
• Open Source
• ~ 9k lines of code
• Mature since 2003 in general computing

Xen in Embedded

− With ARM support Xen is perfectly fit for embedded applications
− Experimental PV ARM support on Nvidia made by Samsung
− Full ARM HVM support starting Xen 4.3
− Added:
  − Interrupts mapping to DomU (for driver domains)
  − IOMEM mapping to DomU (for driver domains)
  − MMU SPT protection
  − PV drivers: HID, Audio, Framebuffer
  − Better DT support
− TODO:
  − RT scheduler
  − More PV drivers
  − Debug, fix, stabilize…

Boot Time

− Xen boot time on J6 is 300ms
− u-boot loads Xen device tree configuration and Dom0 kernel
− all printouts are disabled
− RAM wipeout is disabled
− cold start to Xen start is less than 100ms
− domain configuration, memory map, IRQ map passed to Xen through device tree
− Dom0 kernel boots in 800ms

Nautilus on TI J6 – Sample Layout

Diagram: two domains, Dom0 and DomU, running on the Xen Hypervisor. Labels in the diagram: Control Application (Boot Animation, RVC), GLSDK, PV Backends, HW Drivers, Nautilus Qt Launcher, Automotive Grade Android (Fast Boot), SoC Android Components, Xen Android Components, Mirror Link, Miracast, ALSA, HWC, MediaFW, gralloc, PVR, PV Frontends. Hardware below the hypervisor: USB, HID, Disk, Network, CAN, MMUs, WiFi P2P/WFD, Audio, FrameBuffer, Camera, IPU, GPU.

PV Drivers

Sharing of peripherals is implemented using PVHVM model (Paravirtualized devices on the host, running in HVM mode)

− Filesystem partitions
  − Standard Xen PV driver
− Network
  − Standard Xen PV driver
− USB
  − Based on old Xen 3.4 PV USB driver with major fixes
− HID (touchscreen)
  − NEW: kernelspace frontend and userspace backend, can be used for any type of events
− Audio
  − NEW: kernelspace frontend and userspace backend, based on tinyALSA
− Framebuffer
  − NEW: kernelspace frontend and userspace backend, deliver 30 FPS on J6, WIP on 60 FPS
− TO DO:
  − GPS
  − GPU

GL MMU SPT Approach

Xen (PV)
− Paravirtualization is an efficient and lightweight virtualization technique introduced by Xen, later adopted also by other virtualization solutions. Paravirtualization doesn't require virtualization extensions from the host CPU. However, paravirtualized guests require a special kernel that is ported to run natively on Xen, so the guests are aware of the hypervisor and can run efficiently without emulation or virtual emulated hardware.

Xen Full virtualization (HVM)
− Fully virtualized aka HVM (Hardware Virtual Machine) guests require CPU virtualization extensions from the host CPU. CPU virtualization extensions are used to boost performance of the emulation. Fully virtualized guests don't require a special kernel, so for example Windows operating systems can be used as a Xen HVM guest. Xen can emulate HW or provide access using PV drivers to improve performance.

GL MMU SPT Approach
− For the peripherals that do not have full SMMU protection but have their own MMU, it is still possible to implement memory access protection and translation with an SPT-like approach. A generic implementation is provided to Xen by GL and is ready for some coprocessors like GPU, IPU, BB2D, etc.

Diagram labels: Xen intercepts PT access for intermediate pages creation/removal; Kernel-maintained MMU PT; allocated kernel pages; Xen intercepts MMU PTBR access for PT creation/removal; Xen-maintained MMU SPT; physical PTBR.
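
The SPT-like scheme on the GL MMU SPT slide, sketched as a toy model (an added example, not GlobalLogic's or Xen's code): guest writes to a coprocessor page table are intercepted, validated against the guest's memory map and mirrored into a hypervisor-owned shadow table, and the PTBR is redirected to that shadow. The single-level table layout, the constructed `p2m` map and all function names are assumptions made for illustration.

```c
/* Added illustration only: toy SPT-style protection for a coprocessor MMU.
 * Table layout, sizes and all names are assumptions, not GL's or Xen's code. */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_MASK  ((1u << PAGE_SHIFT) - 1)
#define PT_ENTRIES 8              /* toy single-level page table */
#define PTE_VALID  1u
#define NO_PAGE    UINT32_MAX

/* Constructed guest memory map: guest (intermediate) frame -> machine frame. */
static const uint32_t p2m[] = { 0x800, 0x801, 0x9f0, 0x9f1 };

struct copro_mmu {
    uint32_t guest_pt[PT_ENTRIES];   /* kernel-maintained PT, holds guest addresses */
    uint32_t shadow_pt[PT_ENTRIES];  /* hypervisor-maintained SPT, holds machine addresses */
    const uint32_t *hw_ptbr;         /* table the device really walks */
};

static uint32_t guest_to_machine_frame(uint32_t gfn) {
    return gfn < sizeof p2m / sizeof p2m[0] ? p2m[gfn] : NO_PAGE;
}

/* Intercepted guest write to a PT entry: 0 if accepted, -1 if rejected. */
int spt_pte_write(struct copro_mmu *m, size_t idx, uint32_t pte) {
    uint32_t mfn = 0;
    if (idx >= PT_ENTRIES) return -1;
    if (pte & PTE_VALID) {
        mfn = guest_to_machine_frame(pte >> PAGE_SHIFT);
        if (mfn == NO_PAGE) return -1;   /* frame not owned by this guest */
    }
    m->guest_pt[idx] = pte;
    m->shadow_pt[idx] = (pte & PTE_VALID) ? (mfn << PAGE_SHIFT) | (pte & PAGE_MASK) : 0;
    return 0;
}

/* Intercepted guest write to PTBR: the device is pointed at the shadow table,
 * never at guest-controlled memory (this toy has a single table per device). */
void spt_ptbr_write(struct copro_mmu *m, uint32_t guest_ptbr) {
    (void)guest_ptbr;
    m->hw_ptbr = m->shadow_pt;
}

/* Device-side walk: machine address, or NO_PAGE on a translation fault. */
uint32_t copro_translate(const struct copro_mmu *m, uint32_t dev_va) {
    size_t idx = dev_va >> PAGE_SHIFT;
    if (!m->hw_ptbr || idx >= PT_ENTRIES || !(m->hw_ptbr[idx] & PTE_VALID))
        return NO_PAGE;
    return (m->hw_ptbr[idx] & ~PAGE_MASK) | (dev_va & PAGE_MASK);
}
```

A guest that writes a raw machine frame number into its table gets the write rejected, so the device can only reach frames present in that guest's map.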

Hypervisor vs. Monitor

Virtualization and TrustZone

• TrustZone is also a kind of virtualization
  – Coexists with VMM but of higher privilege
  – Separated into 2 worlds only – Secure and non-Secure
• Typical tasks for TrustZone SW:
  – System boot protection
  – Application signature validation
  – Firmware integrity check
  – External peripherals whitelist
  – Secured peripherals drivers
  – Closed crypto algorithms implementation (DRM)
• Hypervisor integration notes
  – Boots before non-secure SW, i.e. before Xen
  – Xen shall allow domains to perform SMC calls
  – System control partitioning can be simplified with monitor mode (Power Management, etc.)

Diagram: Non-secure execution environment (Apps, Operating Systems, Hypervisor) beside Secure execution environment (Apps, Operating System), both above the TrustZone Monitor.

Future & Features

Xen branch for Automotive
− “Micro-kernel” approach – DOM0
− PV Drivers packages SoC’s specific reference
  • TI J6, Renesas R-Car M2, Freescale i.MX 8, A15/A50 SoCs
− Guest OSs
  • Android, QNX, Autosar, Genivi Linux, Tizen, Yocto

Automotive VMs Layout

Diagram: four domains running on the Xen Hypervisor: Dom0 – System Control, DomU – Driver Domain, DomU – Automotive Instrumental Cluster, DomU – Android HMI. Labels in the diagram: Watchdog service, Xen tools, Linux kernel, Control Application (Boot Animation, RVC), GLSDK, PV Backends, HW Drivers, QNX/AUTOSAR, OpenGL, PV Frontends, Nautilus Qt Launcher, Automotive Grade Android (Fast Boot), SoC Android Components, Xen Android Components, Mirror Link, Miracast, ALSA, HWC, MediaFW. Hardware below the hypervisor: USB, HID, Disk, Network, GPU, CAN, MMU, WiFi P2P/WFD, Audio, FrameBuffer, Camera, IPU.

OSS/Private

Diagram: DomU – Driver Domain (HW drv, PV Backends in user space and kernel space) and DomU – Guest OS (Android/QNX/Ubuntu/Tizen/Autosar with Apps, HW AL and PV Frontends in user space and kernel space) running on Xen, on top of TI J6, R-Car M2, i.MX8, Tegra K1 and A15/A50 SoCs. Legend: Open Source, Private Source. Other labels: SoC’s reference design, Provided by SoC’s vendor, OSes.

− Xen Automotive – open source license
− SoC’s vendors PV Drivers – private source license
− IVI’s OEMs SW/HW adaptation – private source license

About GlobalLogic

− Technology services company
− Headquartered in Silicon Valley
− Design studios in the US and UK
− Engineering centers in the US, Ukraine, India, Argentina, China
− 1,000+ product releases
− 250+ active clients
− 7,000+ people

Alex Agizim
CTO of Embedded Systems in GlobalLogic Inc.
E-mail: [email protected]
Skype: alexa1968

Artem Mygaiev
Program Director in GlobalLogic-Ukraine
E-mail: [email protected]
Skype: rosenkrantzguildenstern

Q&A

Thank you

Alex Agizim VP Operations, CTO [email protected]
