EB corbos and the L4Re microhypervisor: Open-source automotive safety

Alexander Much, Michael Hohmuth, Adam Lackorzynski
2018-09-19, Vancouver, Linaro Connect 2018

2018-09-19 | Linaro Connect 2018 | Public | © Elektrobit Automotive GmbH 2018 | All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights. EB corbos and the L4Re microhypervisor: Open-source automotive safety

About EB

Technical competencies: EB's technical core competencies are development of automotive-grade (software) products and engineering services.

Global presence: Development and business offices in Austria, China, Finland, France, Germany, India, Israel, Japan, Romania and USA.

Employees: More than 2200 employees worldwide. Spans three continents and ten countries.

Continental AG: Wholly owned, independent subsidiary of Continental AG.

Consistent growth: Average growth (CAGR) > 10 %.

100+ million: Over 90 million vehicles on the road and 1 billion embedded devices.


What we do

Automated driving
• Hardware and software products for development, test, visualization, and validation.
• Key software components to bring automated driving functions and systems to serial production.

Vehicle infrastructure
• AUTOSAR standard
• Single- & multi-core OS
• Functional Safety OS
• Embedded Security
• Automotive networks, e.g. Ethernet

Connected car
• Intelligent big data analytics & online diagnostics
• Scalable backend infrastructures
• Cyber security solutions plus modular add-ons by Argus
• Software updates over-the-air

User experience
• Navigation client for connected use cases
• Electronic horizon provider enabling map-based ADAS functions
• Model-based development of multimodal user interfaces
• Augmented reality solutions

Consulting
• Consulting services for Functional Safety and Software Architectures
• Lean Software Development
• Established agile processes

Verification and validation
• End-to-end testing of complex embedded software systems
• Test concept development services
• Independent verification and validation of software systems


Interesting times...

• Machine learning
• Crowd-sourced data
• System of systems
• Third party access
• Personalization
• Shortened development cycles
• Evolution after SOP
• New topics, new business models
• ?


Mobile on wheels or wheels on mobile?

What comes first? We need to completely re-think the E/E architecture:

• Domain or zonal architectures

• Centralized computing units

• High-speed, reliable and dependable networking

• Connected vehicle within infrastructure eco-systems

Cloud and mobile first!

Source: https://pxhere.com/en/photo/1064249, CC0 Public Domain


Phone and cloud vs. vehicle

What needs to be "more" secure?

Most prominent answer: "Of course, my car!"

People don't realize:
• How many security solutions are in today's phones
• Cloud and phones set the "state-of-the-art"
• ... not cars!

Source: https://www.kompulsa.com/wordpress/wp-content/uploads/2018/06/bigstock-Cyber-security-information-pr-205808125.jpg, CC0 Creative Commons

Evolution of E/E architectures

Domain Architecture (Today)
• Signal-based communication
• System of ECUs
• Predictable communication
• Function orientated topology

Centralized Architecture (Tomorrow)
• Central computing nodes
• Mix of signal based and service orientated communication
• Computing power for AD and AI
• Partly centralized functions
• Software upgradeability

Zonal Architecture (Future)
• IP/Ethernet communication
• Centralized applications / functions
• Anything anywhere (sensors/actors)
• Architecture follows software / system demands


Building blocks of the next architecture

Diagram: three high-performance controllers (HPC-1, HPC-2, HPC-3). Each one runs "logic"-SW in the computing layer on top of RT-SW in the real-time and sensor/actuator layer; a vehicle API / basic services / information layer connects them to each other and to the back-end, so functions can be deployed horizontally across the HPCs.

Every piece of information is available anywhere. This enables horizontal deployment of services and updating of services, but it needs to be controlled for safety and security reasons.

HPC = High performance controller

EB corbos: Safety, security and performance


EB corbos – The architecture

Function classes placed on the platform:
• New CPU-intensive (safety-relevant) functions, e.g. sensor fusion
• Novel user functions, e.g. App Store
• Reuse of existing vehicle functions from Classic AUTOSAR (SWCs)
• Secure startup, authentication
• Safety-relevant vehicle functions, monitoring of performance partitions

Software stack on one high-performance computer:
• Performance partitions (performance cores), each in its own virtual machine:
  – Apps on Adaptive AUTOSAR on a POSIX OS (two such partitions)
  – Classic AUTOSAR on AUTOSAR OS
• Security partition: Trusted Execution Environment on a Trusted OS, with Secure Boot
• Safety partition (safety cores): Classic AUTOSAR on AUTOSAR Safety OS


EB corbos – The architecture (II)

Tools (EB tresos Studio, EB corbos Studio):
• Configuration
• Code generation
• Application development
• Integration and deployment
• Logging and debugging

Software:
• Performance partitions:
  – Apps on EB corbos AdaptiveCore on EB corbos POSIX
  – Apps on EB corbos AdaptiveCore on an RTOS
  – EB tresos AutoCore on EB tresos AutoCore OS
• Security partition: Trusted Execution Environment on a Trusted OS
• Safety partition: EB tresos AutoCore on EB tresos Safety OS
• EB corbos Hypervisor
• Secure Boot

Hardware: performance cores and safety cores of the high-performance computer (SoC)

Legend (EB product line): EB tresos, EB corbos, Services, 3rd party


EB corbos AdaptiveCore

Diagram: EB corbos Studio next to a stack of adaptive applications running on EB corbos AdaptiveCore, the runtime for adaptive applications.

Foundation function clusters: Execution management, Communication management (ara::com/rest/dds*), Time management, Time synchronization, Diagnostic management, Network management, Log & Trace

Platform / services function clusters: Persistency, Cryptography*, Update & configuration management, Platform health management, Hardware acceleration*, Signal-2-service mapping*, Identity & Access management*, Build environment

Operating systems: EB corbos Linux, POSIX RTOS, …

EB corbos Hypervisor

Legend: EB corbos; Tools; Generic; HW-depend.; Future content*; 3rd Party Alternatives


Distributed safety management

Diagram, reconstructed from the slide:
• Vehicle functions partition: Adaptive AUTOSAR on Linux; containers holding vehicle functions on virtual resources; execution manager, health manager, diagnostic manager, persistency manager.
• Two Classic AUTOSAR components partitions: Classic AUTOSAR on virtual resources, each with its own health manager.
• Privileged partition: Adaptive AUTOSAR on Linux with health control, physical resources and watchdogs (WDG).
• Hypervisor and bootloader over the cores of the performance cluster.
• Lockstep safety cores running a Safety OS with health control.

Legend: Monitor, Control
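Added example (not from the slides, not AUTOSAR Platform Health Management or EB code): a toy alive-supervision loop in C for the health manager / watchdog relationship in the diagram. Each supervised entity reports checkpoints; the health manager evaluates them once per supervision cycle, escalates after a tolerance of failed cycles, and health control withholds the watchdog service once an entity has expired. Entity names, checkpoint windows and the reporting pattern are constructed for this illustration.

```c
/* Toy alive supervision as a health manager might run it: each supervised
 * entity must report between min and max checkpoints per supervision cycle;
 * out-of-window cycles count against a tolerance, after which the entity is
 * latched as expired and the watchdog must no longer be serviced.
 * Constructed example, not AUTOSAR Platform Health Management or EB code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum health { HEALTH_OK, HEALTH_FAILED, HEALTH_EXPIRED };

struct supervised {
    const char *name;
    unsigned min_per_cycle, max_per_cycle;  /* expected checkpoint window per cycle */
    unsigned tolerance;                     /* failed cycles allowed before expiry */
    unsigned seen;                          /* checkpoints reported in the current cycle */
    unsigned failed_cycles;
    enum health state;
};

/* Called by the supervised entity from its main loop. */
void checkpoint(struct supervised *s) { s->seen++; }

/* Called by the health manager at the end of each supervision cycle. Too few
 * checkpoints (stalled) and too many (runaway loop) both count as a failure. */
enum health supervision_cycle(struct supervised *s)
{
    bool in_window = s->seen >= s->min_per_cycle && s->seen <= s->max_per_cycle;
    s->seen = 0;
    if (s->state == HEALTH_EXPIRED) return s->state;   /* latched until explicit recovery */
    if (in_window) {
        s->failed_cycles = 0;
        s->state = HEALTH_OK;
    } else {
        s->failed_cycles++;
        s->state = s->failed_cycles > s->tolerance ? HEALTH_EXPIRED : HEALTH_FAILED;
    }
    return s->state;
}

/* Health control in the privileged partition: the hardware watchdog is kicked
 * only while no entity has expired, so an unrecoverable failure ends in a
 * reset instead of a silently dead function. */
bool watchdog_service_allowed(const struct supervised *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].state == HEALTH_EXPIRED) return false;
    return true;
}

static const char *health_name(enum health h)
{
    return h == HEALTH_OK ? "ok" : h == HEALTH_FAILED ? "failed" : "expired";
}

int main(void)
{
    /* Constructed scenario: a sensor-fusion task that stops reporting after
     * two cycles, next to a diagnostics task that stays healthy throughout. */
    struct supervised ent[2] = {
        { "sensor-fusion", 1, 3, 1, 0, 0, HEALTH_OK },
        { "diagnostics",   1, 3, 1, 0, 0, HEALTH_OK },
    };
    unsigned fusion_reports[] = { 2, 2, 0, 0, 5 };

    for (size_t cycle = 0; cycle < 5; cycle++) {
        for (unsigned k = 0; k < fusion_reports[cycle]; k++) checkpoint(&ent[0]);
        checkpoint(&ent[1]);
        enum health f = supervision_cycle(&ent[0]);
        enum health d = supervision_cycle(&ent[1]);
        bool wd = watchdog_service_allowed(ent, 2);
        printf("cycle %zu: %s=%s %s=%s watchdog=%s\n", cycle,
               ent[0].name, health_name(f), ent[1].name, health_name(d),
               wd ? "serviced" : "withheld");
    }
    return 0;
}
```

The expiry state is deliberately latched: a burst of late checkpoints must not clear a failure that health control has already acted on, otherwise a flapping entity could keep the watchdog serviced while never delivering its function.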

Platform security layers

• Processes: Control flow integrity; ASLR, sanitizers, etc.; Virtual address space domains
• Containers: Resource constraints; Resource access control
• Operating systems: Control flow integrity; Separation; Intermediate address space (1st-stage MMU)
• Hypervisor: Hardware resource separation; Physical address space separation (2nd-stage MMU)
• Hardware:
  – Classic µC HSM: Crypto accelerators; HSM (EVITA medium); HIS SHE support; Dedicated RAM/ROM (key material); eFuses
  – Performance cores
  – Performance µP secure engine: Crypto accelerators; 3 core logic (Secure, Public & PKA); Life cycle management; Hardware access protection
  – Switch: DoS prevention; VLAN tagging; Static ARP tables; Monitoring ports
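Added example, not part of the slides and not EB or L4Re code: a toy C model of the two address-translation stages listed above (1st-stage MMU owned by the guest OS, 2nd-stage MMU owned by the hypervisor). It uses single-level 16-page tables and constructed addresses to show why a guest cannot reach memory the hypervisor never granted, whatever it writes into its own page table. All function names (map_page, translate, hypervisor_setup, guest_setup), frame numbers and addresses are assumptions of this example.

```c
/* Toy model of two-stage address translation. Stage 1 (guest OS) maps
 * virtual addresses to intermediate physical addresses (IPAs); stage 2
 * (hypervisor) maps IPAs to physical addresses. Constructed example, not
 * L4Re or ARM page-table code; single-level tables with 16 pages of 4 KiB. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16u

enum perm  { PERM_R = 1, PERM_W = 2 };
enum fault { XLATE_OK = 0, STAGE1_FAULT, STAGE2_FAULT, PERM_FAULT };

struct pte   { bool valid; unsigned perm; uint32_t frame; };
struct table { struct pte e[NPAGES]; };

/* Map the page containing `in` to the frame containing `out`. */
void map_page(struct table *t, uint32_t in, uint32_t out, unsigned perm)
{
    uint32_t pg = in >> PAGE_SHIFT;
    if (pg >= NPAGES) return;
    t->e[pg].valid = true;
    t->e[pg].perm  = perm;
    t->e[pg].frame = out >> PAGE_SHIFT;
}

/* One stage of the walk: unmapped -> `miss`, insufficient rights -> PERM_FAULT. */
static enum fault walk(const struct table *t, uint32_t in, unsigned want,
                       enum fault miss, uint32_t *out)
{
    uint32_t pg = in >> PAGE_SHIFT;
    if (pg >= NPAGES || !t->e[pg].valid) return miss;
    if ((t->e[pg].perm & want) != want)  return PERM_FAULT;
    *out = (t->e[pg].frame << PAGE_SHIFT) | (in & (PAGE_SIZE - 1));
    return XLATE_OK;
}

/* A guest access succeeds only if both stages permit it: whatever the guest
 * writes into its own stage-1 table, it cannot reach memory the hypervisor
 * never granted in stage 2, nor gain rights that stage 2 does not give. */
enum fault translate(const struct table *s1, const struct table *s2,
                     uint32_t va, unsigned want, uint32_t *pa)
{
    uint32_t ipa;
    enum fault f = walk(s1, va, want, STAGE1_FAULT, &ipa);
    return f != XLATE_OK ? f : walk(s2, ipa, want, STAGE2_FAULT, pa);
}

/* Hypervisor side: IPA pages 0-3 become guest RAM (read/write, frames
 * 0x10-0x13); IPA page 4 is a read-only window onto shared frame 0x20. */
void hypervisor_setup(struct table *s2)
{
    for (uint32_t i = 0; i < 4; i++)
        map_page(s2, i * PAGE_SIZE, (0x10 + i) * PAGE_SIZE, PERM_R | PERM_W);
    map_page(s2, 4 * PAGE_SIZE, 0x20 * PAGE_SIZE, PERM_R);
}

/* Guest side: a legitimate mapping, a mapping into an IPA it was never
 * granted, and one that claims write rights on the read-only window. */
void guest_setup(struct table *s1)
{
    map_page(s1, 1 * PAGE_SIZE, 2 * PAGE_SIZE, PERM_R | PERM_W);
    map_page(s1, 5 * PAGE_SIZE, 9 * PAGE_SIZE, PERM_R | PERM_W);
    map_page(s1, 6 * PAGE_SIZE, 4 * PAGE_SIZE, PERM_R | PERM_W);
}

static const char *fault_name(enum fault f)
{
    static const char *names[] = { "ok", "stage-1 fault", "stage-2 fault", "permission fault" };
    return names[f];
}

int main(void)
{
    struct table s1 = {0}, s2 = {0};
    struct { uint32_t va; unsigned want; } probes[] = {
        { 0x1234, PERM_R }, { 0x5000, PERM_R }, { 0x6010, PERM_W },
        { 0x6010, PERM_R }, { 0x7000, PERM_R } };

    hypervisor_setup(&s2);
    guest_setup(&s1);
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t pa = 0;
        enum fault f = translate(&s1, &s2, probes[i].va, probes[i].want, &pa);
        printf("VA 0x%05x %s -> %s", (unsigned)probes[i].va,
               (probes[i].want & PERM_W) ? "write" : "read", fault_name(f));
        if (f == XLATE_OK) printf(" (PA 0x%05x)", (unsigned)pa);
        printf("\n");
    }
    return 0;
}
```

The point to take from it: stage-2 faults and permission faults are raised by the hypervisor's table regardless of the guest's stage-1 entries, which is the physical address space separation the Hypervisor row relies on; the guest kernel's own page tables only ever narrow what it can reach.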


Hypervisor use-cases

Diagram: three times the same stack (VMs on a hypervisor on hardware), one per use-case.

ECU Consolidation: Increasing capabilities of nowadays performance controllers enable suppliers to consolidate multiple in-car applications to one single device.

Network Separation: Growing Car-2-X connectivity requires secure separation of out-bounded connections to the in-vehicle network.

Mixed Criticality Systems: Brings in the key technology to build fail operational software systems with mixed safety integrity levels.

Your benefit

EB corbos Hypervisor: Based on the L4Re microhypervisor


Noteworthy L4Re features

Isolation
• Capabilities as references to kernel (and user-land) objects
  – Provides information hiding (local naming) and access control
  – Enables reasoning about isolation and freedom from interference
  – No capability to shared object → no way to communicate or interfere
• Designed to even allow preventing sharing 2nd-class kernel objects (allocators …) and invisible architectural state (not 100 % there yet…)

Real-time
• Real-time per-CPU scheduler: Fixed priority round robin
  – Support for thread-group budget scheduling planned
  – WFQ (non-RT) also available
  – Cross-CPU thread / VCPU migration supported
• Short critical sections w/ IRQs off, preemption points
• Fine-granular wait-free locking
  → Excellent interrupt-response times
• No cross-CPU shared state in critical paths, no big kernel lock
  → Excellent scalability
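Added example (not from the slides and not the L4Re kernel API): a toy C model of the capability scheme in the Isolation column, with a private capability table per task, local naming by slot index, and delegation that requires a map right and can only diminish rights. Object and task names, the rights bits and the function names are constructed for this illustration.

```c
/* Toy capability model illustrating local naming and access control.
 * Constructed example, not the L4Re/Fiasco.OC kernel API: each task has a
 * private capability table, a capability is (object, rights), and a task
 * names an object only by a slot index in its own table. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CAP_SLOTS 8
enum rights { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_MAP = 4 };

struct object { const char *name; int value; };  /* stands in for a kernel object */
struct cap    { struct object *obj; unsigned rights; };
struct task   { const char *name; struct cap slots[CAP_SLOTS]; };

/* Put a capability into the first free slot; returns the slot or -1. */
int cap_install(struct task *t, struct object *o, unsigned rights)
{
    for (int i = 0; i < CAP_SLOTS; i++)
        if (!t->slots[i].obj) { t->slots[i].obj = o; t->slots[i].rights = rights; return i; }
    return -1;
}

static const struct cap *lookup(const struct task *t, int slot)
{
    if (slot < 0 || slot >= CAP_SLOTS || !t->slots[slot].obj) return NULL;
    return &t->slots[slot];
}

/* Invocations resolve the caller's *local* name; without a capability there
 * is no object reference at all, hence no way to communicate or interfere. */
bool invoke_read(const struct task *t, int slot, int *out)
{
    const struct cap *c = lookup(t, slot);
    if (!c || !(c->rights & RIGHT_READ)) return false;
    *out = c->obj->value;
    return true;
}

bool invoke_write(struct task *t, int slot, int value)
{
    const struct cap *c = lookup(t, slot);
    if (!c || !(c->rights & RIGHT_WRITE)) return false;
    c->obj->value = value;
    return true;
}

/* Delegation needs the MAP right and can only diminish rights, never amplify. */
int cap_delegate(const struct task *from, int slot, struct task *to, unsigned rights)
{
    const struct cap *c = lookup(from, slot);
    if (!c || !(c->rights & RIGHT_MAP)) return -1;
    return cap_install(to, c->obj, rights & c->rights);
}

int main(void)
{
    struct object shared = { "shared-buffer", 0 }, blog = { "b-private-log", 7 };
    struct task a = { .name = "A" }, b = { .name = "B" };
    int v = -1;

    int a_buf = cap_install(&a, &shared, RIGHT_READ | RIGHT_WRITE | RIGHT_MAP); /* A: slot 0 */
    int b_log = cap_install(&b, &blog, RIGHT_READ | RIGHT_WRITE);             /* B: slot 0 */

    /* Local naming: slot 0 denotes a different object in each task. */
    invoke_write(&b, b_log, 42);
    printf("B wrote its slot 0: shared=%d, B-log=%d\n", shared.value, blog.value);

    /* B holds no capability to the shared buffer, so every access is denied. */
    printf("B writes slot 1 (no cap): %s\n", invoke_write(&b, 1, 5) ? "ok" : "denied");

    /* A delegates a read-only view; B can now read but still not write. */
    int b_view = cap_delegate(&a, a_buf, &b, RIGHT_READ);
    printf("B reads via delegated cap: %s (value %d)\n",
           invoke_read(&b, b_view, &v) ? "ok" : "denied", v);
    printf("B writes via delegated cap: %s\n", invoke_write(&b, b_view, 5) ? "ok" : "denied");

    /* B lacks MAP on the view, so it cannot pass it on. */
    printf("B re-delegates: %s\n", cap_delegate(&b, b_view, &a, RIGHT_READ) < 0 ? "denied" : "ok");
    return 0;
}
```

This is the property the slide's reasoning about freedom from interference rests on: the set of objects a task can influence is exactly the set it holds capabilities to, so an isolation argument is a statement about the capability tables rather than about the behaviour of untrusted code.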
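Added example (not from the slides and not the Fiasco.OC/L4Re scheduler): a toy per-CPU fixed-priority round-robin scheduler in C illustrating the Real-time column: the highest-priority runnable thread always runs, equal priorities alternate per quantum, and a newly runnable higher-priority thread preempts immediately. Thread names, priorities, arrival ticks and the quantum are constructed values.

```c
/* Toy per-CPU fixed-priority round-robin scheduler. Constructed example of
 * the policy the slide names, not the L4Re/Fiasco.OC scheduler: each tick the
 * highest-priority runnable thread runs; equal priorities share the CPU in
 * round-robin fashion with a fixed quantum; a newly runnable higher-priority
 * thread preempts the current one immediately. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_THREADS 8

struct thread {
    const char *name;
    unsigned prio;          /* higher number = higher priority */
    unsigned arrival;       /* tick at which the thread becomes runnable */
    unsigned remaining;     /* ticks of work left */
    unsigned quantum_left;  /* ticks left in the current round-robin slice */
    unsigned seq;           /* position within its priority level (lower runs first) */
};

struct cpu_rq {
    struct thread t[MAX_THREADS];
    unsigned n;
    unsigned quantum;
    unsigned next_seq;
};

void rq_add(struct cpu_rq *q, const char *name, unsigned prio, unsigned arrival, unsigned work)
{
    if (q->n >= MAX_THREADS) return;
    struct thread *th = &q->t[q->n++];
    th->name = name; th->prio = prio; th->arrival = arrival;
    th->remaining = work; th->quantum_left = q->quantum; th->seq = q->next_seq++;
}

/* Highest priority first; ties broken by queue position (seq). */
static int pick(const struct cpu_rq *q, unsigned now)
{
    int best = -1;
    for (unsigned i = 0; i < q->n; i++) {
        const struct thread *th = &q->t[i];
        if (th->arrival > now || th->remaining == 0) continue;
        if (best < 0 || th->prio > q->t[best].prio ||
            (th->prio == q->t[best].prio && th->seq < q->t[best].seq))
            best = (int)i;
    }
    return best;
}

/* Run until all work is done; records the first letter of the running thread
 * per tick ('.' for an idle tick). Returns the number of ticks simulated. */
size_t run_schedule(struct cpu_rq *q, char *trace, size_t cap)
{
    size_t len = 0;
    for (unsigned now = 0; len + 1 < cap; now++) {
        int i = pick(q, now);
        if (i < 0) {
            bool pending = false;
            for (unsigned k = 0; k < q->n; k++) if (q->t[k].remaining) pending = true;
            if (!pending) break;
            trace[len++] = '.';
            continue;
        }
        struct thread *th = &q->t[i];
        trace[len++] = th->name[0];
        th->remaining--;
        if (--th->quantum_left == 0) {      /* slice used up: back of its priority level */
            th->quantum_left = q->quantum;
            th->seq = q->next_seq++;
        }
    }
    trace[len] = '\0';
    return len;
}

int main(void)
{
    struct cpu_rq q = { .quantum = 2 };
    char trace[64];
    rq_add(&q, "A", 2, 0, 3);   /* two equal-priority workers ... */
    rq_add(&q, "B", 2, 0, 3);
    rq_add(&q, "C", 1, 0, 2);   /* ... a low-priority background thread ... */
    rq_add(&q, "D", 5, 3, 1);   /* ... and an urgent thread arriving at tick 3 */
    run_schedule(&q, trace, sizeof trace);
    printf("%s\n", trace);      /* A and B alternate per quantum, D preempts, C runs last */
    return 0;
}
```

With these inputs the trace is AABDBABCC: D is scheduled in the very tick it becomes runnable, which is the property behind the slide's interrupt-response claim, while C only runs once every higher-priority thread has finished. Budgets (the planned thread-group budget scheduling on the slide) would add a per-group cap on top of this priority rule; they are not modelled here.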


Noteworthy L4Re features (II)

Virtualization
• Hardware-assisted virtualization
  – Untrusted (user-level) virtual-machine monitors (VMMs) for platform emulation
• uvmm: Tiny VMM for Linux guests. Upstream ARM Linux "just works"
• l4-kvm: Uses Qemu/KVM in a Linux guest to provide platform for Windows guests (x86 only)
• Also available: Paravirtualization with …
  – A user-mode … running on L4Re

Microapps
• Microapps: Native L4Re applications
  – Small TCB: no dependency on any rich OS, no Dom0
  – No dependency on VMM
  – No virtualization overhead
• POSIX subset for microapps: L4Re Runtime Environment
  – Supports libc, C++ library, pthreads, etc.
  – Natural extension of kernel API with useful OS abstractions, e. g. for address-space management


Noteworthy L4Re features (III)

I/O virtualization
• Device pass-through to VMs or driver microapps
  – DMA security via IOMMU (ARM: WIP)
• Native drivers and multiplexing for various buses and devices
  – PCI, serial console, AHCI, framebuffer
• Virtual networking among VMs supported
  – Virtual Ethernet switch or p2p connection
  – Virtual socket connections
• Virtio supported

Where to get it?
• Go to www.kernkonzept.com/download.html
• Or www.l4re.org
• Early access at github.com/kernkonzept

Licensing?
• (Mostly) GPL version 2
• Commercial licenses: Dual licensing capability
  – Require CLA for contributions, essential for attracting investments needed for certification
  – Also, a customer requirement in Automotive
• Kernkonzept serves as maintainer & gatekeeper for contributions


Solutions for interesting times

Challenges: Crowd-sourced data, System of systems, Machine learning, Third party access, Personalization, New topics / new business models, Shortened development cycles, Evolution after SOP, ?

What EB corbos brings:
• Automotive safety up to ASIL-D
• High-assurance security
• Long-term maintenance and operations
• Real-time capable
• Based on open-source and established, well-proven implementations

Get in touch!

[email protected] [email protected] [email protected] www.elektrobit.com
