...

Title: What HV technology can do for future automotive systems.

Motivation: Why use HV:


Opinions on the high level purpose of the paper.


...We need to explain why virtualization is actually needed. (It is still not fully accepted as necessary by all.)
 → Certain concrete security/safety issues that can be shown clearly and that HV can solve
 → System flexibility is another very important point.

→ Idea:  There could of course be multiple Whitepapers, if we want to concentrate on a certain area, and avoid others.

Interaction between general-purpose and dedicated cores is poorly understood.


...

SUMMARY: Optimize for (average) performance, not automotive requirements

Feedback: There is more diversity than this chapter suggests. Some may choose more consumer-like processors, but there are also modern multi-core processors that are automotive grade. Some vendors create massive compute power but with high power needs (heat), others may be better at keeping low power.

(same, worded differently) Some cars choose more consumer-oriented hardware, but others are strict on using automotive-grade hardware. Some vendors provide very high performance but with high power consumption, others can create fairly good performance with still low power… Conclusion: We may need to describe this as more varied, but then to propose we need to solve as many as possible of these variations (i.e. also solve for the “worst-case”)


Moreover, deterministic timing for guaranteeing low service latencies even in worst-case scenarios is traded for service strategies which optimize the average and not the worst case. An example of this is as follows: in a manycore system with private L1 and a shared L2 cache, SW executing on different cores will mutually evict each other's cache entries.

...

This in turn significantly adds to their execution times, because data and instructions must be re-fetched from main memory, whereas modern on-core prefetchers are intended to lower the waiting time from the core's perspective. Cache eviction is, however, not the only source of trouble. Each time an item is fetched from main memory, execution on the core is suspended until the memory fetch has actually been served. The resulting waiting time depends on the number of pending memory access requests from all the other cores and on the complex memory access pattern implemented by modern DRAM controllers. A common pattern prioritizes hits into the open row buffer instead of serving memory read requests in a plain first-in-first-out manner. With a strategy for increasing the open row buffer hit rate, memory read requests are allowed to overtake each other inside the DRAM controller. While this lowers the average service time, as reads from an open memory bank row can be served faster, it may add to the waiting time of some other read.
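The average-versus-worst-case trade-off described above, modelled as an added example (not text or code from the whitepaper draft): a toy single-bank DRAM controller serving a constructed workload under plain FIFO and under open-row-first (FR-FCFS) scheduling. The hit/miss costs, core names and rows are assumed for illustration only.

```python
# Toy single-bank DRAM model; costs and workload are constructed for illustration.
from collections import namedtuple

Request = namedtuple("Request", "arrival core row")
ROW_HIT_COST = 1   # column access into the already-open row (assumed time units)
ROW_MISS_COST = 3  # precharge + activate another row, then the column access

# Constructed workload: core0 streams row A; core1 makes one access to row B at t=1.
WORKLOAD = [Request(0, "core0", "A"), Request(1, "core0", "A"),
            Request(1, "core1", "B")] + [Request(t, "core0", "A") for t in range(2, 8)]

def pick_fifo(pending, open_row):
    """Plain first-in-first-out: the oldest pending request is served next."""
    return pending[0]

def pick_open_row_first(pending, open_row):
    """FR-FCFS: the oldest request that hits the open row overtakes older misses."""
    hits = [r for r in pending if r.row == open_row]
    return hits[0] if hits else pending[0]

def simulate(workload, picker):
    """Run the bank model; return {core: [latency of each request, arrival order]}."""
    todo = sorted(workload, key=lambda r: r.arrival)  # stable sort keeps tie order
    pending, now, open_row, latencies = [], 0, None, {}
    while todo or pending:
        while todo and todo[0].arrival <= now:        # admit everything that has arrived
            pending.append(todo.pop(0))
        if not pending:                               # bank idle: jump to next arrival
            now = todo[0].arrival
            continue
        req = picker(pending, open_row)
        pending.remove(req)
        now += ROW_HIT_COST if req.row == open_row else ROW_MISS_COST
        open_row = req.row
        latencies.setdefault(req.core, []).append(now - req.arrival)
    return latencies

def compare(workload=WORKLOAD):
    """Average and worst-case latency under both policies, plus per-core worst case."""
    out = {}
    for name, picker in (("fifo", pick_fifo), ("open_row_first", pick_open_row_first)):
        lat = simulate(workload, picker)
        flat = [x for per_core in lat.values() for x in per_core]
        out[name] = {"avg": sum(flat) / len(flat), "max": max(flat),
                     "per_core_max": {core: max(v) for core, v in lat.items()}}
    return out

if __name__ == "__main__":               # open-row-first wins on average, loses worst case
    for name, s in compare().items():
        print(f"{name:15s} avg={s['avg']:.2f} max={s['max']} per_core_max={s['per_core_max']}")
```

On this workload open-row-first cuts the average latency from about 6.7 to 4.0 units, but the lone request from core1 waits 12 units instead of 6: the streaming core's row hits keep overtaking it, which is exactly the kind of worst-case degradation an automotive timing analysis has to account for.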


SUMMARY: Details on the cache contention problem.

Feedback: This info is very good but too many details come too early.  This is better moved to a later chapter



Obviously, there is no free lunch: the increase in compute bandwidth comes along with a significant increase in the complexity of the behavior of SW executing on such modern multi-core SoCs, together with higher energy consumption and higher thermal dissipation, as these SoCs run at much higher frequencies. This clearly raises the question of what we can do with these processors, as they are not only more powerful but also much more costly.

...

SUMMARY: The challenges with these new systems include shared use of single-use features, bus contention, etc.

"as it would require a porting" section: we could expand this a bit more. There is a list of different reasons for virtualization:
– the ability to reuse existing software with minimal changes (instead of porting, as mentioned here)
– reusing popular OS/environments that would be a very large job to recreate from scratch, e.g. Android


Still, there is a difference between standard operating systems and such a supervisory SW layer. The supervisory SW layer, commonly denoted as the hypervisor, requires execution rights at a higher privilege level than the operating systems running on top of it. This mirrors any operating system, which itself executes at a higher privilege level than its userspace applications. The higher privilege level is needed to execute privileged instructions, i.e., instructions which change the state of the processor, or to restore the context of a shared resource whenever it is handed over to a different user or application.

...


SUMMARY: Hardware support for virtualization is included in modern processors

Kai, Adam & Bernhard

This is directed towards the HV vendor to avoid the problems we have seen in the past.

Feedback: Is the above a comment, or part of the whitepaper text? If it is the rationale for why the chapter exists, then let's rewrite and expand it.

Content: All modern processors, including Arm Cortex-A and Intel x86, support the virtualization of operating systems by providing the functionality needed to present a virtual view of the system and to give system software, the hypervisor, full control over guest operating systems. A microkernel can offer support for this functionality. As already described, the microkernel only offers the necessary functionality, and all other support for running VMs shall be implemented at user level. To support the virtualization extensions of the CPU, the microkernel provides the functionality to create VM containers and to context-switch between them, other VMs and normal programs on the microkernel. The virtual platform required to run a guest operating system is provided by a user-level virtual machine monitor (VMM). A common design pattern is to use one VMM per VM, using the isolation features of the microkernel to protect VMs from each other.

...

Dmitry mentions i.MX 8 has special features that simplify device sharing/assignment to VMs, e.g. USB, that could be interesting case-study information.
Details pending (make sure to check what is public information first).

Feedback: "in user-level functionality": is this emulation code in the HV, or what is meant by user level? Can we clarify?


  1. Surveillance, Isolation (Timing and Spatial) and all that

To establish well-defined behavior of SW at platform level, several design paradigms can be followed, each prioritizing different aspects, e.g., fault detection versus information hiding, or high performance versus good worst-case timing behavior. The bottom line appears to be that one of the fundamental principles of establishing safe and secure execution environments is isolation and surveillance.

...

Open Asymmetric Multiprocessing - OpenAMP - messaging standards built on top of this...  Often the implementation uses the hardware capabilities for mailboxes/links etc.

Cache locking?

...

New ARM designs/solutions need to be considered - ARM engineers can help.


Sharing Devices (and VIRTIO)

Methods and implications

Artem wants to cover performance issues on device sharing. General, not VIRTIO specific.

Maybe the first chapter is rather named "paravirtualization techniques"?

And then VIRTIO is a sub-chapter. Or its own chapter.


Kai & Gunnar

Content:

As already outlined, the VMM component in the system needs to provide a virtual platform to the guest operating system. This includes a set of common devices that a VM typically needs, including console, network and block devices. When an OS runs bare-metal on the hardware, a regular driver is used to drive, for example, the network interface controller (NIC). The interface between the NIC and the OS is based on memory-mapped I/O (MMIO), which is the optimal way of communicating with a physical device. When providing a VM with a virtual device, however, the memory-mapped approach is not the most efficient one: first, because it requires the so-called trap-and-emulate technique, where each access to the MMIO region is trapped into the VMM, and second, because the NIC then needs to be emulated by the VMM, which is more complicated than this use case requires. Using a device that is specifically designed for use in VMs requires much less software and offers better performance.

...

Hypervisor-rooted device sharing also allows the provision of dedicated mechanisms; e.g., when copying a network packet from the receive queue to the receive buffer inside a VM, the hypervisor may ensure end-to-end protection. When using VirtIO-based device sharing, such mechanisms can be implemented close to the driver, rather than using a variety of methods inside the subsystems and re-implementing the VirtIO drivers for the hosted guest OS. Therefore, it is reasonable to believe that VirtIO does not only ease system integration, but also improves security, timing predictability and safety within the resulting systems of systems.

SUMMARY: More unique features possible with an HV




Security implications

Artem has some objections to VIRTIO from a security point of view. It could be included inside this text or as a sub-chapter of this chapter.



...

ALL SUMMARIES TOGETHER (AS OUTLINE)

...

SUMMARY: A HV must execute in higher privilege mode

What does the HW (vendor) do to support platform virtualization

= PURPOSE 1 of the paper.

Introduction of concepts

...

= PURPOSE 2 of the paper.

SUMMARY: Hardware support for virtualization is included in modern processors

Surveillance, Isolation (Timing and Spatial) and all that

= PURPOSE 2 of the paper.


SUMMARY: Explain isolation, timing, spatial

Inter-core communication

Matti, Dimitri to write (Dmitry suggested that Matti does it better)

= PURPOSE 2 / 3 of the paper.

What does the HW (vendor) do to support platform virtualization

(NOTE: Reordered chapters)

SUMMARY: Hardware support for virtualization is included in modern processors

= PURPOSE 3 of the paper.


Sharing Devices -- Virtio

SUMMARY: The need for virtual platform. Shortly compare full hardware virtualization/emulation with… not doing that.

SUMMARY: The current contents of VIRTIO spec

...

SUMMARY: More unique features possible with an HV

Microkernel, Monolithic

= PURPOSE 2 / 3 of the paper.


Additional work

(How to improve the future of virtualization usage)


Conclusions and wrapup

https://docs.google.com/document/d/18mTJw1DRqKmjIGoWcxFHZ8eodkWGGIEo/edit