The complexity of today’s automobiles is increasing with every new model on the market. A modern car can contain up to 100 electronic control units, and with connectivity and autonomy becoming growing trends, this number is set to increase dramatically in the coming years. Until a few years ago, many of these systems ran safely on microcontrollers on an unsecured vehicle network, and this was fine: the networks were ‘air-gapped’ from the rest of the world, and the risk of a malicious attacker endangering a car’s occupants by directly plugging in a new device was about as likely as someone cutting the brake lines. The automotive industry on the whole was happy with this risk.
Today, however, we are seeing a shift from mechanical cars that use computing for assistance to computerised cars that use mechanics for movement. As the Internet of Things, artificial intelligence and autonomy find their way into automotive designs, we are expecting more and more of our cars. Functions such as object recognition, machine learning, and even rendering graphics for HMI systems are too calculation-heavy for microcontrollers to handle. Instead, CPUs and GPUs are becoming more common in designs.
This trend poses several issues: hardware costs increase with every device added to the vehicle, as does its weight, because new CPUs and GPUs are being integrated to run alongside the existing microcontroller-based systems. Additionally, from a cyber security perspective, the attack surface increases as previously air-gapped networks become exposed to the Internet.
One solution is to use virtualisation to run multiple software environments on one processor. This provides the cost and weight savings that are vastly important to the automotive industry, as well as the ability to apply strict controls on the communications between sub-systems.
At Lynx, we originally designed our LynxSecure Separation Kernel (LSK) to separate DoD networks and applications of different security classifications that needed to run on the same hardware, and so the underlying foundational technology has very strict isolation properties. Memory, CPU cores, and devices can all be isolated, and then only the ones allocated to a particular domain will be presented to the applications running in that domain on top of the separation kernel.
Clearly, this approach is highly applicable to those functions that are designed to run on CPUs, but what about those written for microcontrollers? Designers in the automotive industry may become nervous when we talk about running safety-critical software in virtualised environments, and this is understandable. ‘Traditional’ hypervisors have usually been developed by taking an existing operating system and running hypervisor services that share its resources with the hosted guests. This means that it is very difficult to run software designed as ‘bare metal’ applications without inheriting the processing overheads associated with accessing hardware through an OS and its drivers. Arguments have been made that modern processors are so fast that this doesn’t matter, but “as fast as possible” is not good enough for safety-critical applications: real-time guarantees need to be made.
LynxSecure is different. It has been developed from the ground up without an underlying operating system. It contains no hardware drivers and instead controls the assignment of resources and CPU time to guests (called ‘subjects’ in the LSK world), leaving the driver implementation up to the guest. This beautifully simple model means a designer can treat a subject as an independent processor and write applications to run on ‘bare metal’, gaining direct access to any resource that is assigned to it. These LynxSecure Applications (LSAs) could be anything from a single-function application that the designer wants to keep in its own container (e.g. a cryptography routine) to a task scheduler or real-time operating system (RTOS) designed for safety-critical applications.
At the recent Embedded World 2017 trade fair in Nuremberg, Germany, we announced a collaboration with the automotive systems company ETAS, and demonstrated the power of using LynxSecure to host real-time automotive systems alongside feature-rich operating systems. A single quad-core processor was used to host three virtual machines. One was a Linux subject running an open-source infotainment system; another was ETAS’s RTA-OS, an AUTOSAR-compatible real-time operating system. The third subject was a Virtual Device Server (VDS), which ‘owned’ the HMI-specific devices and shared them with the relevant subjects (see below). There were directly-assigned serial ports that only RTA-OS could access, simulating a simplified vehicle network. If anyone did gain access to the infotainment system via the Internet, they wouldn’t even know these serial ports existed.
With this platform, we were able to show that a catastrophic failure of the infotainment system (which could be caused by a software bug, or a malicious actor) has no effect on the behaviour of the RTA-OS subject. Further, because RTA-OS was running on its own CPU core, the scheduled tasks could still meet their real-time requirements.
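To make the partitioning concrete, here is an added example (not LynxSecure’s own configuration format or code; the subject names, cores, address ranges and device names are constructed to mirror the demo) that checks a static partition description for the isolation invariants described above and answers whether a given subject can reach a given device:

```python
# Added example (not LynxSecure's own config format): checks a static partition
# description for separation-kernel isolation invariants, then answers reachability.
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    cores: set
    memory: list                 # (start, end) pairs, end exclusive
    devices: set                 # devices directly assigned to this subject
    device_server: bool = False  # may re-export owned devices (the VDS role)
    shares: dict = field(default_factory=dict)  # device -> set of subject names

def check_isolation(subjects):
    """Return a list of violations; an empty list means the invariants hold."""
    errs, owner_core, owner_dev = [], {}, {}
    for s in subjects:
        for c in s.cores:
            if c in owner_core:
                errs.append(f"core {c}: {owner_core[c]} and {s.name}")
            owner_core[c] = s.name
        for d in s.devices:
            if d in owner_dev:
                errs.append(f"device {d}: {owner_dev[d]} and {s.name}")
            owner_dev[d] = s.name
        if s.shares and not s.device_server:
            errs.append(f"{s.name} shares devices but is not a device server")
        errs += [f"{s.name} shares unowned {d}" for d in s.shares if d not in s.devices]
    end, holder = 0, None  # sweep memory ranges in address order
    for a, b, n in sorted((a, b, s.name) for s in subjects for a, b in s.memory):
        if a < end:
            errs.append(f"memory overlap: {holder} and {n}")
        if b > end:
            end, holder = b, n
    return errs

def can_access(subjects, who, device):
    """True if `who` owns `device` or a device server explicitly shares it."""
    return any((s.name == who and device in s.devices) or
               (s.device_server and who in s.shares.get(device, set()))
               for s in subjects)

# Constructed configuration mirroring the demo: infotainment Linux, RTA-OS
# on its own core with the serial ports, and a VDS owning the HMI devices.
DEMO = [
    Subject("linux_ivi", {0, 1}, [(0x00000000, 0x40000000)], {"eth0"}),
    Subject("rta_os", {2}, [(0x40000000, 0x50000000)], {"uart0", "uart1"}),
    Subject("vds", {3}, [(0x50000000, 0x58000000)], {"display", "touch"},
            device_server=True, shares={"display": {"linux_ivi"}, "touch": {"linux_ivi"}}),
]
```

A compromised Linux subject can reach the display only through the VDS share and never the serial ports, which is the property the demo relied on.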
Robert Day, Vice President of Marketing at Lynx Software Technologies, demonstrated how safety-critical automotive systems at Embedded World 2017.
At the same event, we also announced our first port to ARM architectures, using a Xilinx® Zynq® UltraScale+™ MPSoC. This exciting development will allow designers to make use of the military-grade security benefits of LynxSecure described above, running bare metal and safety-critical software alongside general purpose operating systems on a multicore Cortex-A53, while benefiting from the on-chip FPGA fabric. This provides a true heterogeneous computing platform; developers will have the option to decide whether functions reside in software, using OS services or LSAs, or in hardware through Xilinx FPGA fabric.
With the realisation within the automotive industry that cyber security and functional safety go hand-in-hand, we believe the architectures possible with LynxSecure’s separation kernel and our new ties with companies like ETAS and Xilinx can provide an unrivalled marriage of safety and security in our increasingly connected cars.