
Isolation of Cores

Isolation of Cores. Claus Stellwag (Elektrobit), Thorsten Rosenthal (Delphi), Swapnil Gandhi (Delphi), March 2013 – WICERT. Goal: reduce the costs of mixed-critical systems (dedicated MCU? hypervisor? certified OS? isolation). Hardware: Meridian board.


Presentation Transcript


  1. Isolation of Cores Claus Stellwag (Elektrobit), Thorsten Rosenthal (Delphi), Swapnil Gandhi (Delphi) March 2013 – WICERT

  2. Goal: Reduce costs of mixed-critical systems
  Alternatives considered: Dedicated MCU? Hypervisor? Certified OS? Isolation

  3. Hardware: Meridian Board
  • Development board for the Trusted Computing Platform
  • Supports all relevant bus systems (CAN, FlexRay, SPI, Ethernet)
  • Many I/O pins
  • Contains a multicore AURIX controller implemented in an FPGA
  • External SRAM as flash emulation
  • Debugging via JTAG or USB
  Source: http://www.recomp.eu/meridian/downloads/Meridian_Datasheet.pdf

  4. MCU Architecture: AURIX TC27x
  Note: the FPGA-based board used has only 2 instead of 3 cores
  Source: http://www.infineon.com/dgdl/TriCore_Family-br-2013.pdf?folderId=db3a304412b407950112b409ae660342&fileId=db3a30431f848401011fc664882a7648

  5. AUTOSAR Overview
  AUTOSAR = Basic Software + Methodology + Application Interfaces
  AUTOSAR R4.0 building blocks:
  • Applications (SoftWareComponents - SWC)
  • OS
  • Run-Time Environment (RTE)
  • Basic SoftWare (BSW):
    • System Services (e.g. Ecu Manager, Watchdog Manager)
    • (Non-volatile-)Memory stack
    • Communication stack
    • Diagnostic modules
    • Microcontroller abstraction layer (MCAL)
    • Complex Device Drivers (CDD)

  6. AUTOSAR R4.0 + Multicore + Safety
  (Diagram: one MCU with Core0 and Core1; ASIL SW and QM SW components (SWC) spread over both cores, all on top of a single shared RTE, CDD, BSW and OS.)

  7. RECOMP: Automotive Cluster

  8. Delphi ASIL D Application: ESCL (Electrical Steering Column Lock)

  9. ESCL: Safety Goals

  10. Building Blocks of ESCL
  • ESCL Module 1: Power supply for ESCL if locking conditions are fulfilled
  • ESCL Module 2: Locking command to ESCL if locking conditions are fulfilled
  • Power Mode Manager (PMM): Takes care of power-off, sleep and other power-related topics
  • Driver Info: Provides information to the driver of the vehicle
  • Other QM components

  11. Approach 1: Cross Monitoring
  (Diagram: ASIL SW (ESCL1, ESCL2) and QM SW (PMM, Driver Info) distributed over Core0 and Core1; each core has its own RTE, BSW and OS; the cores are coupled through C2C.)

  12. Approach 2: AUTOSAR MultiCore
  (Diagram: ASIL SW (ESCL1, ESCL2) and QM SW (PMM, Driver Info) distributed over Core0 and Core1 on one shared RTE, BSW and OS.)

  13. Approach 3: Isolated ESCL
  (Diagram: one core runs only the ASIL SW (ESCL1, ESCL2), the other core runs the QM SW (SWC, Driver Info, PMM); each core has its own RTE, BSW and OS; the cores are coupled through C2C.)

  14. Details of Implementation
  Each core runs its own application, built as a separate ELF image. There are no hard references between the two software images:
  • This allows software updates on the core running the legacy / QM parts without impact on the ASIL core(s)
  The hardware supports the approach by
  • dedicated core-local memory
  • decentralized access control to shared peripherals
  Core2Core Communication (C2C) allows the exchange of data between cores. Special care has been taken that the C2C does not impact the safety part (e.g. a lock-free mechanism for the communication buffers)
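The slide only names the requirement: the C2C channel must not let the QM core stall or corrupt the ASIL core. The following is an added illustration of one way to meet it, not code from the presentation or from Elektrobit/Delphi: a single-producer/single-consumer lock-free ring buffer in shared memory, with the ASIL-side consumer never waiting on the producer and re-validating every index and length it reads from shared memory, because that memory is writable by the other core. The names (c2c_ring_t, c2c_push, c2c_pop), the slot count and the payload size are assumptions made for the example.

```c
/* Added example, not from the slides: lock-free SPSC ring for a C2C channel.
 * Assumed layout: the QM core is the only writer of `head` and of the slots,
 * the ASIL core is the only writer of `tail`. The ASIL side treats everything
 * it reads from this struct as untrusted input. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define C2C_SLOTS   8u     /* power of two, assumed for the mask below */
#define C2C_PAYLOAD 16u    /* bytes per message, assumed */

typedef struct {
    uint32_t len;
    uint8_t  data[C2C_PAYLOAD];
} c2c_msg_t;

typedef struct {
    _Atomic uint32_t head;          /* monotonically increasing, producer only */
    _Atomic uint32_t tail;          /* monotonically increasing, consumer only */
    c2c_msg_t        slot[C2C_SLOTS];
} c2c_ring_t;

void c2c_init(c2c_ring_t *r) { memset(r, 0, sizeof *r); }

/* Producer (QM core). Never blocks: a full ring drops the message. */
bool c2c_push(c2c_ring_t *r, const uint8_t *data, uint32_t len) {
    if (len > C2C_PAYLOAD) return false;
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail >= C2C_SLOTS) return false;            /* full */
    c2c_msg_t *m = &r->slot[head & (C2C_SLOTS - 1)];
    m->len = len;
    memcpy(m->data, data, len);
    /* Publish the slot only after its contents are written. */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return true;
}

/* Consumer (ASIL core). Returns the payload length, -1 if empty, or -2 if the
 * shared state is inconsistent (the producer misbehaved). It never spins. */
int c2c_pop(c2c_ring_t *r, uint8_t *out, uint32_t out_cap) {
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail) return -1;                          /* empty */
    if (head - tail > C2C_SLOTS) {
        /* `head` ran ahead of what the ring can hold: the other core wrote an
         * impossible index. Resynchronise by discarding its backlog rather
         * than indexing slots it never filled. */
        atomic_store_explicit(&r->tail, head, memory_order_release);
        return -2;
    }
    const c2c_msg_t *m = &r->slot[tail & (C2C_SLOTS - 1)];
    uint32_t len = m->len;                 /* read once, then validate the copy */
    if (len > C2C_PAYLOAD || len > out_cap) {
        atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
        return -2;                         /* drop the malformed slot */
    }
    memcpy(out, m->data, len);             /* bounded by the validated length */
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return (int)len;
}

int main(void) {
    c2c_ring_t ring;
    uint8_t out[C2C_PAYLOAD];
    const uint8_t msg[4] = {0xDE, 0xAD, 0xBE, 0xEF};  /* constructed sample */
    c2c_init(&ring);
    c2c_push(&ring, msg, sizeof msg);
    printf("pop -> %d bytes\n", c2c_pop(&ring, out, sizeof out));
    atomic_store(&ring.head, 1000u);       /* simulate a misbehaving QM core */
    printf("pop after bad head -> %d\n", c2c_pop(&ring, out, sizeof out));
    return 0;
}
```

On the real hardware the slot array would live in memory the QM core may write and the ASIL core may only read, which is what makes the length and index checks on the consumer side necessary: the slide's "lock-free" requirement covers timing interference, while these checks cover data interference from the same channel.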

  15. Summary: Pros & Cons
  • Pro
    • Clear isolation simplifies the design: safety is concentrated on dedicated core(s), so freedom from interference is easier to show
    • Divide-and-conquer principle eases handling of growing complexity
    • Legacy code needs less adaptation (the constraints of the single-core design are preserved)
    • Less interaction between cores; no additional SW layers needed, so the existing multicore performance is better utilized
  • Contra
    • Requires more memory
    • Requires specific hardware features of the microcontroller

  16. Questions ?
