
Paper summary

ARINC 653 HYPERVISOR

덕쑤 2014. 1. 7. 10:37


Steven H. VanderLeest, DornerWorks, Ltd. 


Abstract

In this paper we share lessons learned from adding to our prototype both an ARINC 653 CPU scheduler and a simple ARINC 653 serial I/O driver.


The paper covers three topics. First, we start with an overview of the ARINC 653 standard, which is important because it reduces development costs, reduces system weight, and lowers certification costs. The standard focuses on resource partitioning of time and space on an avionics computer, managing the three primary subsystems of the computer: Central Processing Unit (CPU), Memory, and Input/Output (I/O). Second, we will review virtualization technology, an established method of sharing a computing resource, considering it for adaptation to ARINC 653. Third, as a case study, we will examine our prototype implementation of the ARINC 653 standard using the Xen open source hypervisor.


Introduction


Overview of ARINC 653 

History and Current Implementations 

Ideally, the partitions provide mutually-exclusive access to all necessary system resources so that (a) the presence of a partition does not affect the performance of an unrelated partition and (b) faults within a partition are isolated from other partitions. Partitioning of shared resources is performed spatially and/or temporally.


An example of temporal partitioning would be a single core CPU that must be shared between partitions by giving each partition a deterministic time-slice of the overall CPU schedule. An example of spatial partitioning would be main memory that must be divided amongst the partitions (with hardware restrictions to prevent unauthorized access to a partition’s allocated memory by unrelated partitions). // The premise here is that hardware support (an MMU or MPU) is required for spatial separation.


This also benefits new projects that reuse an existing ARINC 653 system by inheriting its certification and verification artifacts. // Two advantages of IMA, both related to application verification.

ideally, as tightly as in an equivalent federated system with dedicated resources // reference 5 in the paper

The glossary of the ARINC 653 standard defines the objective of robust partitioning: “to provide the same level of functional isolation as a federated implementation (i.e., applications individually residing on separate computing elements).”


Each partition is assigned a DO-178B criticality level (level A is the highest, down to level E, the lowest). // The standard also defines the criticality level scheme for partitions (refer to this when running experiments).

This implies that the underlying ARINC 653 partitioning environment of an IMA system must be certified to at least the highest level of criticality of any of the supported partitions. // Partitioning must be carried out on the basis of the highest security level present.


ARINC 653 is made up of three layers, as shown in the figure below.




hardware (processor, memory, I/O devices, etc.), the hardware interface system (sometimes called the board support package), and operating system. The partitions access the services of the partitioned environment via a well-defined interface called the Application/Executive (APEX) interface. 


ARINC 653 services are divided into the following categories of functionality:


Partition Management: services to get and set the partition mode.

Process Management: services to get process ID and status.

Time Management: services for timed-wait and periodic processes.

Interpartition Communication: services for creating and using interface ports for fixed-sized messages (sampling ports) and variable-sized messages (queuing ports).

Intrapartition Communication: services for creating and using interprocess communication mechanisms such as unqueued messages (blackboards) and queued messages (buffers), as well as interprocess synchronization mechanisms such as signaling (events) and control of resources (semaphores).

Health Monitor: defines errors and response mechanisms at the process, partition, and module (system) level.


Research Literature on ARINC 653

Goiffon and Gaufillet performed a research study implementing ARINC 653 using Linux. // http://link.springer.com/chapter/10.1007/978-1-4020-8157-6_72#page-1 (paywalled)


Approaches to Resource Sharing 

A central point of the ARINC 653 standard is to maintain safety and fault isolation while allowing deterministic, managed sharing of resources.

All resources on an avionics computer system are either exclusive to one partition or shared by two or more partitions.
If a resource is exclusive, then only the owning partition may use the resource and all other partitions must be prevented from access.
If the resource is shared, the sharing arrangement must be enforced so that no partition can use more than its configured portion.
ARINC 653 requires partitioning of any shared resources in time and/or space.
Time partitioning provides periodic, exclusive access to a resource. Space partitioning provides exclusive access to a portion of a resource.
Partitioning occurs across the three basic subsystems of any computing platform, each of which must be considered a potentially shared resource: the Central Processing Unit (CPU), memory, and Input/Output (I/O).

CPU Sharing
The partitioning environment must provide a means to configure the schedule of partition windows (minor frames) within the major time frame. It must also provide the mechanism to switch between partitions at the configured times.

Memory Sharing
The memory system is shared amongst partitions, with the partitioning environment providing a deterministic and bounded amount of memory for each.

Cache memory is particularly thorny because it is essential for high performance, yet processors do not provide partitioned cache where portions would be exclusively dedicated to partitions. Since CPU hardware does not provide the option of space-multiplexing, with each partition simultaneously getting a slice of the CPU, time multiplexing must be used to share the processor.

In a non-partitioned OS, the state of the cache memory need not be saved out because new entries from the new partition simply replace old entries from the old partition as needed. However, in a partitioned system, a partition that had no “competitors” in the schedule would begin a partition window with a pre-loaded cache that quickly provided the needed data, while the same partition would see lower performance when other partitions were present that had replaced some cache lines with their own data. // The problem of the previous partition's data remaining in the cache when partitions are switched.
would be ideal, in practice, the cache contents must be flushed at the end of each partition window so that each partition always begins with the same empty cache. // It is better to flush the cache on every partition switch.

Paging from main memory to a backing store would cause similar non-determinism for partitions, except embedded avionics RTOS implementations typically do not use a page swapping system. // Paging is a non-deterministic element and is generally not used in an RTOS. Even though the main memory is likely paged (managed by an MMU), the pages remain permanently in memory once loaded. // The whole program is loaded into memory and page-out is prevented. Thus each partition is guaranteed that its configured amount of memory is always present with the same expected performance. // Find the sentence in the official ARINC document stating that MMU support is mandatory and add a reference to it; the paragraph above describes the configuration of a native RTOS.

I/O Sharing
I/O Partition
Scheduled I/O
I/O Processor
I/O Interrupts 

Virtualization
Virtualized access to the hardware resources of a computer is provided via a hypervisor, also called a Virtual Machine Monitor (VMM), which has “three essential characteristics. First, the VMM provides an environment for programs which is essentially identical with the original machine; second, programs run in this environment show at worst only minor decreases in speed; and last, the VMM is in complete control of system resources.” // The third characteristic can be provided by the ARINC 653 policy.


Typically the focus of a VMM design is on the CPU, particularly the method of handling various types of instructions within the defined Instruction Set Architecture (ISA) of the processor, and also on the memory system. Less attention has been spent on isolating I/O access. // The hypervisor implementation must depend on the CPU hardware, i.e. on hardware virtualization support.


Application to ARINC 653

Time-partitioning and isolation of system resources in ARINC 653 looks very much like virtualization. So it is natural to consider whether the two could be combined.

We could start with the current technology in virtualization and adapt it for use in safety-critical markets to meet the ARINC 653 standard. Alternatively, we could start with current technology in the safety-critical market, adding in virtualization concepts to meet the ARINC 653 standard.

Nearly all ARINC 653 vendors today have used the second approach, // The common method is to apply virtualization to an environment that is ARINC 653 first.


However, in ARINC 653, in order to provide high assurance of safety, strict isolation and determinism are emphasized, goals which often require relinquishing some performance. // ARINC 653 has a different goal from virtualization: its policy focuses on safety even at the cost of performance.


Second, starting from the hypervisor is difficult because virtualization approaches typically do not provide much support for communication between partitions, but in ARINC 653 this communication is a must. // The problem with the second route is that virtualization usually does not support communication between partitions, whereas ARINC 653 requires it.


Prototype ARINC 653 Hypervisor

As a case study, we are building a prototype implementation of the ARINC 653 standard using the Xen open source hypervisor. In this section we will explain the overall design of Xen and then delve into the details of our CPU scheduler and I/O driver models. // This paper concentrates on CPU and I/O because Xen already supports memory separation through paging: "Xen provides memory partitioning natively by utilizing paging functionality of the host processor."


Why Xen?

Open Source

PC Development 

Embedded Platform

Play Before You Pay

Xen Architecture 


Xen ARINC 653 Partitioning 

CPU Partitioning

We added a new arinc653 scheduler module to this set of schedulers to implement the ARINC 653 time partitioning. 

The ARINC 653 scheduler we added to Xen provides deterministic scheduling of Xen domains, which host the ARINC 653 partitions. Within a major frame, every domain in the current schedule is guaranteed a certain amount of CPU time. The order that domains are scheduled within a major frame is fixed.
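As an added illustration of the schedule of partition windows within a major frame described above (and in the CPU Sharing section), here is a minimal schedule table with the two operations such a scheduler needs: validating that the configured windows are non-empty, ordered, non-overlapping and fit inside the major frame, and selecting the domain that owns the CPU at a given time. This is example code, not the paper's or Xen's arinc653 scheduler; the type and function names are hypothetical and the sample schedules are constructed.

```c
/* Added example, not from the paper or Xen: an ARINC 653-style major-frame
 * schedule table. Names (sched_entry, schedule, validate_schedule,
 * pick_partition) are hypothetical; the demo schedules are constructed. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    int      domain;      /* Xen domain id hosting the partition */
    uint64_t offset_us;   /* window start, relative to major-frame start */
    uint64_t runtime_us;  /* guaranteed CPU time in this window */
} sched_entry;

typedef struct {
    uint64_t major_frame_us;
    const sched_entry *entries;  /* sorted by offset_us */
    size_t n;
} schedule;

/* 1 if every window is non-empty, windows do not overlap, and all fit in the
 * major frame; 0 otherwise. Reject a failing table at configuration time:
 * an overlap would let one partition consume another's guaranteed time. */
int validate_schedule(const schedule *s) {
    uint64_t end = 0;  /* end of the previous window */
    for (size_t i = 0; i < s->n; i++) {
        const sched_entry *e = &s->entries[i];
        if (e->runtime_us == 0 || e->offset_us < end) return 0;
        if (e->offset_us + e->runtime_us > s->major_frame_us) return 0;
        end = e->offset_us + e->runtime_us;
    }
    return 1;
}

/* Domain that owns the CPU at absolute time t_us, or -1 for an idle gap.
 * The order within the frame is fixed; the major frame simply repeats. */
int pick_partition(const schedule *s, uint64_t t_us) {
    uint64_t pos = t_us % s->major_frame_us;  /* position inside the frame */
    for (size_t i = 0; i < s->n; i++) {
        const sched_entry *e = &s->entries[i];
        if (pos >= e->offset_us && pos < e->offset_us + e->runtime_us)
            return e->domain;
    }
    return -1;
}

/* Constructed sample: 10 ms major frame, three windows, 1 ms idle gap. */
static const sched_entry demo_entries[] = {{1, 0, 4000}, {2, 4000, 3000}, {3, 8000, 2000}};
const schedule demo_schedule = {10000, demo_entries, 3};
/* Constructed bad table: domain 2's window overlaps domain 1's. */
static const sched_entry bad_entries[] = {{1, 0, 6000}, {2, 5000, 3000}};
const schedule bad_schedule = {10000, bad_entries, 2};
```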


Memory Partitioning

Modern CPUs have a memory management unit (MMU) that allows the OS to restrict access by a certain set of processes to a specified set of memory pages. Xen utilizes this technology to restrict access by domains to a configured set of memory pages. Thus, unmodified Xen satisfies the basic ARINC 653 requirement for spatial partitioning. // Since Xen already enforces access control through the MMU, there is no need to implement it.


I/O Partitioning

Testing the Prototype 

Future Plans

Multicore and Security


