ST Developers Conference:How to Efficiently Separate Automotive Functions Within a Multi-Core System with EB tresos AutoCore Hypervisor

Christoph Dietachmayr, Solution ManagerSeptember 12th, 2019

2© Elektrobit (EB) 2019 | Confidential information

• Motivation

• Challenge

• General solution

• Specific Implementation

– EB tresos AutoCore Hypervisor

– EB corbos Virtual Ethernet Switch

• Hypervisor Comparison

• Summary

Agenda

How to Efficiently Separate Automotive Functions within a Multi-Core System

3© Elektrobit (EB) 2019 | Confidential information

Motivation

How to Efficiently Separate Automotive Functions within a Multi-Core System

• New vehicle architectureMarket

• Software as a productBusiness model

• Shorter development cycleEfficiency

• New E/E architectureLegacy migration

• Distributed developmentDevelopment

4© Elektrobit (EB) 2019 | Confidential information

• Homologation of functional application sets (OBD/Non-OBD)

• Consolidation of functional application sets on one ECU

• Separation of safety criticality levels on one ECU (different ASIL levels)

The Challenge

How to Efficiently Separate Automotive Functions within a Multi-Core System

ApplicationSWC

Middleware stack

ApplicationSWC

ApplicationSWC

ApplicationSWC

Middleware stack

ApplicationSWC

ApplicationSWC

5© Elektrobit (EB) 2019 | Confidential information

Execute separate builds on selected cores

Assign available hardware resources to the specific partitions

Enable cross partition communication

Solution Concept with a Multi-Core Processor - Overview

How to Efficiently Separate Automotive Functions within a Multi-Core System

ApplicationSWC

Middleware stack

Application SWC

Application SWC

Application SWC

Middleware stack

Application SWC

Application SWC

Application SWC

Middleware stack

Application SWC

Application SWC

Virtual ECU

ApplicationBinary

Micro Controller

μC Core

6© Elektrobit (EB) 2019 | Confidential information

Static Separation Mechanism (w/o MMU)

How to Efficiently Separate Automotive Functions within a Multi-Core System

…

Application SWC Application SWC Application SWC

Runtime environment

Op

era

tin

g sy

ste

m

AUTOSAR BSW

MCAL

Hardware-independentHardware-dependent

Runtime environment

EHV EHV

Core-1 Core-2 Core-3 Core-4 Core-xμC

Core-5

EB tresos AutoCoreHypervisor

Application SWC Application SWC Application SWC

Op

era

tin

g sy

ste

m

AUTOSAR BSW

MCAL

Virtual ECU1 Virtual ECU2 Virtual ECU

7© Elektrobit (EB) 2019 | Confidential information

Core-1

Virtual ECU Communication with Virtual Ethernet Switch

How to Efficiently Separate Automotive Functions within a Multi-Core System

Virtual ECU1 Virtual ECU2

Virtual Eth. switch

Eth. driver

Virtual Ethernet

Ethernet

Virtual Ethernet

Application

AUTOSAR BSWAUTOSAR BSW

Op

erat

ing

Syst

em

Application

AUTOSAR Communication

stack

AUTOSAR Communication

stack

Op

erat

ing

Syst

em

AUTOSAR MCAL AUTOSAR MCAL

Core-2 Core-3 Core-4 Core-5

Hardware-independentHardware-dependentVirtual Ethernet

8© Elektrobit (EB) 2019 | Confidential information

General

• Transmission/reception from cores or from outside

• Support of QoS (Tx/Rx) and TimeSync

Performance

• Performance optimized data path for Tx/Rx (e.g. zero-copy/minimize copy operations, lock time)

• Deterministic Tx/Rx forwarding delay

Safety

• Freedom from interference (timing and execution, memory, communication)

• Support of coexistence with safety related components

Virtual Ethernet Switch

How to Efficiently Separate Automotive Functions within a Multi-Core System

9© Elektrobit (EB) 2019 | Confidential information

Allows to schedule multiple virtual cores on one physical core

Spatial freedom from interference of virtual cores

Cross partition communication

EB tresos AutoCore HypervisorFull support for Cortex-R52 like architectures

How to Efficiently Separate Automotive Functions within a Multi-Core System

Middleware stack

Virtual ECU

ApplicationBinary

physicalCore

Runtime Hypervisor

Middleware stack

App. SWCApp. SWC

Middleware stack

App. SWCApp. SWC

virtual Core

App. SWC App. SWC App. SWC

Middleware stack

App. SWCApp. SWC

…...…

10© Elektrobit (EB) 2019 | Confidential information

Allows to schedule multiple virtual cores on one physical core

Spatial freedom from interference of virtual cores

Cross partition communication

EB tresos AutoCore Hypervisor in ActionPotential Configuration on Stellar

How to Efficiently Separate Automotive Functions within a Multi-Core System

Application SWC

Middleware stack

Application SWC

Application SWC

Application SWC

Middleware stack

Application SWC

Application SWC

Virtual ECU

ApplicationBinary

physicalCore

Runtime Hypervisor

Middleware stack

App. SWCApp. SWC

Middleware stack

App. SWCApp. SWC

virtual Core

11© Elektrobit (EB) 2019 | Confidential information

• Freedom from interference between separation domains using hardware separation features such as registers, memory, peripherals, and code

• Support of coexistence with safety-related components

Further OS support• EB tresos Safety OS supports multiple

instantiations

• Support for containment domains with configurable number of CPU cores

• Library with static communication channels

• Communication via shared memory

• OS-independent inter-core locks

• Cross-core interrupt trigger

• Call-out functions

• Virtual ECU separation

• Containing individual code

• OBD/non OBD on separate cores

• Safety OS (ASIL-D) and AutoCore OS (QM) on same ECU but different cores

• Static configuration of memory regions

• Booting of separate OS instances

• Setup of virtual ECU containment

• Configuration of interrupts

SafetyInter-VECU communicationCore separation

Features – EB tresos AutoCore Hypervisor

How to Efficiently Separate Automotive Functions within a Multi-Core System

12© Elektrobit (EB) 2019 | Confidential information

The following features of μ controller are utilized:• Hypervisor EL2 MPU

• NOC-Firewall

• Interrupt controller

• Core-specific timer

• Shared and private memory

• Fast inter-core communication

• Inter-core locking

Integration of ST SR6x7 Centauri

How to Efficiently Separate Automotive Functions within a Multi-Core System

13© Elektrobit (EB) 2019 | Confidential information

• Hard real-time capable

• Usage of MPU

• Minimal virtualization

• Less processor overhead

Dynamic hypervisor • Virtualization of hardware resources

• Usage of MMU

• Overhead due to dynamic allocation

• Usage of dynamic OS (Linux/QNX)

Hypervisor comparison

How to Efficiently Separate Automotive Functions within a Multi-Core System

EB tresos AutoCore Hypervisor

14© Elektrobit (EB) 2019 | Confidential information

EB tresos AutoCore Hypervisor contributes towards:

• Reduction of ECUs in the vehicle

• Legal separation of software components

• Flexibility for peripherals (e.g. CAN, FR, …)

EB tresos AutoCore Hypervisor allows:

• Smooth inter-core communication also for inter-VECU communication

• Hard real-time behavior

• High hardware utilization

• Low power consumption

• Exchange of software on a single-core (VECU vs RECU)

Summary

How to Efficiently Separate Automotive Functions within a Multi-Core System

www.elektrobit.comchristoph.dietachmayr@elektrobit.com

Get in touch!

Virtualization Approach on the ST

STELLAR MCUs

Khaldoun Albarazi

Market Development Engineer

Automotive Product Division

STMicroelectronics

Forewords – Embedded Virtualization Concept Introduction

17

State of the art SW Technology for Integration and Isolation of Multiple Applications onto one single

Processor (MCU/MPU),

allowing multiple SW with different ASIL levels to run on same MCU

There are other ways to isolate applications but virtualization offers additional key benefits:

• Reduce Interaction between different SW suppliers, easier integration of multiple independant SW

• Correspondingly easier SW updatability (each supplier / application SW independantly from each other)

Hypervisor

VM0(example Classic Autosar)

Virtual machine (VM)

SWC SWC...

RTE

OS BSW

AR MCAL

VM1..n

Virtual machine (VM)

...

MCU

Virtual Machines

Hypervisor

SW Layer

Supplier2Supplier1Drivers for embedded Virtualization in Automotive

SW complexity reduction taking advantage of the introduction of more performing

MCUs (STELLAR) and moderate to no cost advantage of technology beyond 40nm

• re-combine distributed functionality in a single ECU

• Domain Controller architecture to tackle multiple challenges

• SW modularity & update-ability

Implications

• Integrated software functions have different functional safety level missions and

are developed by different suppliers

• Freedom from interference must be insured in a simple manner

• Possibility to update one software function independently from the others (no risk

on the others and no need to fully requalify)

Requirement for real-time (boot & runtime) is maintained for embedded systems

Virtual ECU 0 Virtual ECU n

STELLAR Unique Hardware/Real-Time Virtualization

18

Hypervisor

VM0(example Classic Autosar)

Virtual machine (VM)

SWC SWC...

RTE

OS BSW

AR MCAL

VM1..n

Virtual machine (VM)

...

STELLAR MCUw. HW Virtualization

Virtual Machines

Hypervisor

SW Layer

Hypervisor

VM0(example Classic Autosar)

Virtual machine (VM)

SWC SWC...

RTE

OS BSW

AR MCAL

VM1..n

Virtual machine (VM)

...

Other MCUswo. HW Virtualization

(or w. only HW Virtualization Assistance)

High Performance Virtualization Big Overhead for Virtualization Support

Real-time Virtualization No Real-Time capability

Deterministic Virtualization Not Deterministic for none real-time CPU

Examples

Access

Protection

Applic. / Hypervisor

Interrupts

by STELLARBy SW

(Hypervisor)

LS

STELLAR Real-time Deterministic Virtualization Architecture19

Lock-Step

Cortex-R52

RAMPCM

Cortex

M4

RAMPCM

Cry

pto

Co

reA

ES

/ P

KA

/ S

HA

/ T

RN

G

data PCM

DMAs

RAM

RAMPCM

none CPU Masters

Lock-Step

Cortex

M4

Cortex

M4

R52 Core Clusters

arm CORTEX-R52 Clusters

only real-time CPU w. HW=real-time virtualization (new Hypervisor Exception Levels EL2)

EL1 MPU

&

EL2 MPU

RAMPCM

Peripherals, InterfacesVMID: Virtual Machine ID

NOC: Network on Chip

FW: NOC Firewall

Periph.

Bridge

MPU

SAFE NETWORK ON CHIP

FW FW FW

VMIDMgr

Periph.

Bridge

MPU

FW

... Assigns VMID for all

none CPU masters

FW FW

AES Light

HSM2

MPU for peripheral accesses

initiators

targets

LS AES Light

TC

M &

C

ache

Interrupt and Access Protection Infrastructure based on VMID / Master ID (VMID / Task ID for R52)

EL2 MPU

EL1 MPU

CPU

Lock-Step

Cortex-R52

TC

M &

C

ache

EL2 MPU

EL1 MPU

CPU

Lock-Step

Cortex-R52

TC

M &

C

ache

EL2 MPU

EL1 MPU

CPU

Lock-Step

Cortex-R52

TC

M &

C

ache

EL2 MPU

EL1 MPU

CPU

Split-Lock

Cortex-R52

TC

M &

C

ache

EL2 MPU

EL1 MPU

CPU

Cortex-R52

TC

M &

C

ache

EL2 MPU

EL1 MPU

CPUFR, ETH

GTM

Zipwires

...

FW FW

Virtual Machine ID + Master ID

FW

EL1 & EL2

InterruptsINTC INTC INTC INTC INTC INTC

...

...

Virtual

ECU 0

(supplier0)

STELLAR MCUs Integration Platform 20

Hypervisor

VM0(ex: Classic Autosar)

Virtual machine

SWC SWC...

RTE

OS BSW

AR MCAL ...

STELLAR MCUHigh Perf. Virtualization

1st Automotive MCU w. real-time Virtualization

Platform for ECU Integration & Domain Controllers

Unprecedented

Real time & Safe

PerformanceSTELLAR enabled

High Performance

Virtualization / Hypervisor

Turn-key Safety Isolation

Platform for mixed ASIL level Applications

(„modular „Safety“)

Multi SW vendor Platform

Modular Software

Development & Updates

Virtual

ECU 1

(supplier1)VM1

Virtual machine

Virtual

ECU n

(suppliern)VM1

Virtual machine

Secure Platform

ASIL D ASIL BQM

Thank You!

21

Contact

Khaldoun Albarazi

Market Development Engineer

Automotive Product Division

STMicroelectronics

Khaldoun.Albarazi@st.com