System Protection for Multi-core Systems

Overview

Systems have become more complicated with the advancement in multifunctional and high-performance embedded systems, and more developers are looking into multi-core systems as a vital solution. However, going with multi-core does not automatically and necessarily mean you can attain the same level of reliability and security as in your current systems. A system-level protection mechanism is an ideal way to prevent illegal access to shared memory without compromising the seamless operation of each software program that makes up the whole system in the multi-core systems.

eT-Kernel Multi-Core Edition Memory Partitioning provides the highest level of reliability and security for multi-core systems. The Memory Partitioning option is best suited for automotive applications, aerospace instruments, high-end consumer electronics, and office automation products with memory management units (MMUs) to attain high reliability and high quality within the system.


Architecture

Though using a process-model OS such as eT-Kernel/Extended and eT-Kernel/POSIX can prevent kernel and other process memory corruptions caused by processes, there has been no effective means to protect the kernel and process memory from kernel applications such as device drivers, interrupt handlers, and middleware that operates in the CPU kernel-mode (privileged mode). eT-Kernel Multi-Core Edition Memory Partitioning solves this problem with two technologies, "Kernel Protection" and "Core Partitioning".




Kernel Protection

Kernel Protection is a technology that protects the kernel itself from kernel applications. In addition to the kernel mode (privileged mode) and user mode (non-privileged mode) that are offered by today's CPUs, the Kernel Protection adds a new "system mode". Although a program that operates in system mode can access process memory, it doesn't have the authority to access the kernel memory. The kernel application is operated in this system mode. If the kernel memory is accessed, the exception manager catches the error and executes the user-defined error processing. At this time, integrated error processing is possible by using the various types of exception information offered by the exception manager function. Because there is no need to change kernel applications, existing device drivers and middleware can be reused as-is.
As a result, because the software (except the kernel) that can destroy kernel memory doesn't exist, the kernel can achieve a completely protected state.




Core Partitioning

Core Partitioning is a technology to separate software into "Partitions", and to prevent memory access between partitions. As a result, memory corruption of other partitions can be prevented by the kernel applications executing in system mode. In the eT-Kernel Multi-Core Edition's Blended Scheduling Technology, which offers four scheduling modes, a task set that is scheduled in the same scheduling mode and operating on the same CPU core (or group of CPU cores) is defined as a "scheduling unit". In Core Partitioning, the area specified by the software for the partition and scheduling unit becomes the same, since a partition is created for each scheduling unit.



Similarly, tasks and processes can only be created in the same partition, since neither can access another partition's memory. You can only load programs in the partition where the load-processing task belongs. In addition, kernel applications from other partitions cannot be started here. A method of sharing kernel applications between partitions is provided separately.


Advantages

Securely integrates subsystems with different reliabilities

"Kernel Protection" and "Core Partitioning" enable secure integration of subsystems with different reliabilities


Promotes reuse of software assets

In eT-Kernel Multi-Core Edition Memory Partitioning, existing kernel applications can be reused without any change, and software programs designed for single processors and/or AMP-based programs can be easily reused. Since the exception manager catches the error if an unexpected behavior occurs, memory corruption in kernel and other partitions can be detected. This brings more system reliability and security at your finger-tips, and helps improve the overall system with easy detection of defects.


Provides seamless communication between partitions

eT-Kernel Multi-Core Edition Memory Partitioning provides two types of communication APIs between partitions.


APIs for communication API between tasks/processes

Inter-task synchronous communication and exclusion APIs similar to the ones intended for single cores can be used within tasks/processes. For instance, POSIX named services (such as named pipes and named semaphores) can be used, or you can mount several additional physical file system plug-ins into a logical file system (LFS), resulting in more transparent file access. You can use a POSIX API's memory-based objects (such as mutex, condvar) and message boxes using shared memory between partitions. From this, it is easy to reuse single-core software, or even multi-core software. Moreover, another advantage is the smooth migration of software components between partitions.

API for sharing memory between partitions

This is the shared memory that can be used between several partitions. A memory acquisition system call has been added in addition to the malloc library. You can make the best use of the cache-coherency feature of MPCore, etc.


Sharing of device drivers and middleware

As a general rule, kernel applications cannot be shared beyond partitions, as explained above. However, there are unique cases where you need to share the kernel applications, possibly because the system design requires it, or because it consumes more resources to have several copies of kernel applications in each partition. To meet such needs, the eT-Kernel Multi-Core Edition Memory Partitioning provides the "Kernel Link Area". Kernel applications are deployed in this area and can be used by applications from all partitions. Although this common program cannot access kernel memory, it can access the local memory of all partitions. Note that applications other than the kernel have no access to local memory. However, this approach requires detailed and very thought-out software design since the programs deployed in this area imposes a risk of destroying the memory in the partition.

Integrated debugging of all partitions by using the "eBinder" development environment

A single instance of the OS and a single debugging environment with eBinder makes multi-core based development very easy.



Advantages over Hypervisor

Although hypervisor, designed initially for the server environment, can be used to achieve system protection in operating systems, eT-Kernel Multi-Core Edition Memory Partitioning has the following features that hypervisor lacks:

  • Partitioning allows smoother collaboration between partitions
  • Easier software relocation/reuse between partitions
  • Reuse of kernel applications such as device drivers and middleware
  • System configuration by one eT-Kernel Multi-Core Edition OS

Contact Us