Background reading on the problem space: Linaro White paper on Software Defined Vehicles
Key Features for Automotive
- A hypervisor is critical for Automotive
- Independently updateable, don't have to retest and recertify safety on none hypervisor kernel updates
- Many Type 1 hypervisors with no clear winner
- Therefore standardizing on virtio interfaces is paramount to enable multiple SOCs and multiple OSes on each hypervisor
- Strong Isolation and documented Freedom from Interference (FFI)
- For Safety, Security, and Real-time isolation
- Proving Safety Isolation is much harder on Type 2 hypervisors
- Current type 2 hypervisors are less set up provide strong real-time guarantees (OS drivers in the path)
- VirtIO based communication with CPUs not under a common hypervisor
- Cortex-R/M CPUs can offer stronger real-time guarantees
- Lockstep CPUs offer stronger Safety guarantees, these are commonly Cortex-R/M
- A virtio backend that needs to be highly available will be implemented on a Cortex-R/M
- A Cortex-R/M CPU may choose to have a frontend driver using a backend in a guest under the hypervisors
- Safe Supervisor for the hypervisors and guests
- The safe supervisor needs to decide which guests need to be restarted or if the hypervisor itself should be restarted
- The supervisor will often need to be a higher safety standard than the hypervisor
- To restart a guest, the supervisor can talk directly to the hypervisor or via a guest at the same safety level as the hypervisor
- Ex: Safe Supervisor on lock step R/M core controls hypervisor via Virtio IPC like rpmsg
- VirtIO interfaces for IVI
- The In-vehicle Infotainment function has a lot in common with mobile device
- Rich UI, Multimedia playback, perhaps installable apps
- Key differences to mobile market
- Multiscreen independent playback of media
- AM/FM/Satelite Radio Tuner
- DRM protected playback is a key feature here as it is in mobile
- The In-vehicle Infotainment function has a lot in common with mobile device
- VirtIO for cluster
- Guaranteed low latency rear-view camera display (<5 seconds from start)
- Guaranteed visible and audio alarms
- GPU acceleration for dial animation, eg: Speedometer
- VirtIO interfaces for misc control
- SPI/I2C/GPIO controllers are very common on SOCs
- It is often difficult to ensure one I2C/SPI/GPIO bus is wholly owned by one guest
- Virtual interfaces allow the real control driver to be on a trusted domain and that domain can coordinate and police transactions
- Even when a given controller is owned wholly by one domain, a virtio interface gives SOC independence and avoids messiness in device assignment for platform devices.
- (Virtio may not be the best choice for critical real-time interactions)
- VirtIO for Automotive control interfaces: CAN etc
- CAN seems like an obvious extension for Automotive to the plan for SPI/I2/GPIO
- However, CAN is so tied into the critical operations that some designs will not expose it to guests at all
- The real priority of CAN is TBD
AGL Relationship
- Linaro Project Stratos & AGL Virtualization timeline.pdf
- https://wiki.automotivelinux.org/eg-virt-meetings
- https://confluence.automotivelinux.org/display/VE/Virtualization+EG?src=sidebar
- https://confluence.automotivelinux.org/display/VE/Support+VirtIO+in+AGL
Reference & Demo Platform is being leveraged to provide a demo in December 2020 to show the first steps in supporting AGL virtualization needs.