RECOMP is made possible by funding from

the ARTEMIS Joint Undertaking.

Isolation of CoresClaus Stellwag (Elektrobit), Thorsten

Rosenthal (Delphi), Swapnil Gandhi (Delphi)March 2013 – WICERT

Goal: Reduce costs of mixed-critical systems

?Dedicated MCU

ISOLATIONCertified OS

Hypervisor

3/22/2013 2

Source: http://www.recomp.eu/meridian/downloads/Meridian_Datasheet.pdf

Hardware: Meridian Board

Development board for the Trusted Computing Platform

Supports all relevant bus systems (CAN, FlexRay, SPI, Ethernet)

Lot of I/O pins Contains Multicore

AURIX controller in FPGA

External SRAM as flash emulation

Debugging via JTEG or USB

3/22/2013 3

Source: http://www.infineon.com/dgdl/TriCore_Family-br-2013.pdf?folderId=db3a304412b407950112b409ae660342&fileId=db3a30431f848401011fc664882a7648

MCU Architecture: AURIX TC27x

Note: Used FPGA based board has only 2 instead of 3 cores

3/22/2013 4

AUTOSAR Overview

AUTOSAR = Basic Software + Methodology + Application Interfaces

AUTOSAR R4.0 building blocks:Applications (SoftWare Components - SWC)OS Run-Time Environment (RTE)Basic SoftWare (BSW):

System Services (e.g. Ecu Manager, Watchdog Manager) (Non-volatile-)Memory stack Communication stack Diagnostic modules Microcontroller abstraction layer (MCAL)

Complex Device Drivers (CDD)

3/22/2013 5

MCU

Core0 Core1

OS

BSW

RTE

SWC SWCSWC

AUTOSAR R4.0 + Multicore +Safety

SWC SWC SWC

CDD

ASIL SW

QM SW

3/22/2013 6

RECOMP: Automotive Cluster

3/22/2013 7

Delphi ASIL D Application: ESCL (Electrical Steering Column Lock)

M

3/22/2013 8

ESCL: Safety Goals

ESCL Risks

• Risk 1: Unintended locking while vehicle is in motion ASIL D

• Risk 2: Moving from rest with locked ESCL ASIL B

ESCL safety goals

• Risk 1 Goal 1: Unintended locking while vehicle is in motion shall be prevented

• Risk 2 Goal 2: Starting and rolling of vehicle with locked ESCL shall be prevented

ESCL Safe states

• Safe State 1 (for safety goal 1) • ESCL is

unlocked, not power supplied and locking functions is deactivated

• Safe State 2 (for safety goal 2) • No engine start

in case the SCL was not successfully unlocked

• Abort of start sequence / shut off of engine if ESCL power supply was not switched off after engine was started

3/22/2013 9

Building Blocks of ESCL

ESCL Module 1: Power supply for ESCL if locking conditions fulfilled

ESCL Module 2: Locking command to ESCL if locking conditions fulfilled

Power Mode Manager (PMM): Takes care about power-off, sleep and other power related topics

Driver Info: Supports info to driver of vehicle Other QM components

3/22/2013 10

MCU

RTE

Core0

OS

Core1ASIL SW

QM SW

BSW

RTE

ESCL2PMMESCL1DriverInfo

OS

Approach 1 : Cross Monitoring

C2CBSW

3/22/2013 11

MCU

Core0 Core1ASIL SW

QM SWESCL2 PMMESCL1

DriverInfo

Approach 2: AUTOSAR MultiCore

BSW OS

RTE

3/22/2013 12

MCU

RTE

Core0

OS

Core1ASIL SW

QM SW

BSW

RTE

OS

Approach 3 : Isolated ESCL

ESCL2 PMMESCL1DriverInfo

SWC

BSW C2C

3/22/2013 13

Details of ImplementationEach core run its own application (with a separate

ELF image). There is no hard reference between the SWThis allows SW updates on the core running the legacy /

QM parts without impact on the ASIL coresThe hardware supports the approach by

dedicated core local memoryde-central access control to shared peripherals

Core2Core Communication (C2C) allows exchange of data between cores. Special care has been taken that the C2C does not impact safety part (e.g. lock-free mechanism for communication buffers)

3/22/2013 14

Summary: Pros & Cons

ProClear isolation simplifies design (safety is concentrated

on dedicated core(s) – freedom from interference can be easier shown)

Divide and conquer principle eases handling of growing complexity

Legacy code needs less adoption (constraints from single core are preserved)

Less interaction between cores; No additional SW layers needed better utilization of existing multicore performance

ContraRequires more memoryRequires specific hardware features of the

microcontroller3/22/2013 15

Questions ?

3/22/2013 16