PikeOS: Multi-Core RTOS for IMA. Dr. Sergey Tverdyshev SYSGO AG 29.10.2012, Moscow

PikeOS: Multi-Core RTOS for IMA Dr. Sergey Tverdyshev SYSGO AG 29.10.2012, Moscow

Contents Multi Core Overview Hardware Considerations Multi Core Software Design Certification Consideratins PikeOS Multi-Core Support Use Cases SYSGO AG 2

Multi Core Overview Multi-Core Operating System Models Asymmetric Multi Processing Each Core runs a different uni-processor OS Loosely coupled through IPI and shared memory Both operating systems need to be fully trusted UP OS A Core A UP OS B Core B Semi Symmetric Multi Processing Each Core runs an instance of the same uni processor OS Loosely coupled through IPI and shared memory Operating system needs to be fully trusted UP OS Core A UP OS Core B Symmetric Multi Processing All cores are controlled by a single SMP operating system Closely coupled through resource locks and IPI synchronization Multi-processor support on application level Operating systems need to be fully trusted Core A SMP OS Core B SYSGO AG 3

Multi Core Overview Comparing AMP and SMP AMP Pro Simple system software design Concurrent execution of different uniprocessor operating systems Contra All operating systems need to be fully trusted External synchronization required to access shared resources No support for multi-processing within a single application Difficult to manage with more than 2 cores Distributed configuration SMP Pro Only one trusted system software layer Better control of CPU activities Support for multi-processing on application level Simpler synchronization between partitions Homogenous configuration Contra Increased complexity in SMP OS Performance decrease compared to AMP for loosely coupled applications Cache coherency required SYSGO AG 4

Hardware Considerations CPU and Platform Considerations Minimum CPU Features (AMP and SMP) Separate CPU, FPU and MMU Separate L1 (ideally also L2) Data and Instruction Cache Inter Processor Interrupt (IPI) Extended Features required for SMP Cache and TLB Coherency Protocol Coherency Sub-Domains (for mixed SMP / AMP configurations) Global Interrupt Disable Support Global Time Base (to avoid clock synchronization) Typical Problems Performance degradation due to cache / TLB coherency protocol Implicit device sharing due to missing separation of I/O addresses Shared Processor, Memory and PCI Bus Shared Interrupts (typical problem on x86 platforms Shared IO Devices (AFDX, A429, CAN, DIO, Frame Buffer,...) SYSGO AG 5

Hardware Considerations Multi Core based Processing Module L1 I-Cache Core 1 L1 D-Cache IPI L2 Cache L1 I-Cache Core 2 L1 D-Cache Coherncy Module Core Communication Bus Dual-Core CPU Processor Bus Memory Memory Controller(s) DRAM DRAM PCI PCI Controller(s) PCI-Bus(es) FLASH FLASH NVRAM NVRAM Graphics ARINC 664 ARINC 429 Special IO Serial DIO CAN SYSGO AG 6

MULTI CORE SOFTWARE DESIGN SYSGO AG 7

Multi Core Software Design Parallel operation on OS level Design Each core runs its own OS instance (AMP) Pro Single core OS design Cache coherency problem only for shared memory Contra Bus sharing difficult to control Device sharing difficult to implement (e.g. AFDX) No support for multi-core applications Distributed and inhomogeneous configuration Complexity increases while efficiency decreases with number of cores SYSGO AG 8

Multi Core Software Design Parallel operation on partition level Design One OS manages all cores (SMP) Each partition has its dedicated core Each partition provides single core runtime environment Pro Supports full control of all cores Supports shared access to I/O devices Supports ARINC-653 scheduling through core synchronization Contra Increased complexity in the OS Potential interference through shared OS resources SYSGO AG 9

Multi Core Software Design Parallel operation on application level Design Based on SMP approach Supports multiple cores per partition A partition may provides a multi-core runtime environment (e.g. POSIX) Code and data segment as well as the heap are shared between cores Pro Increased processing bandwidth for a single application Contra Increased risk of false sharing of the cache SYSGO AG 10

Multi Core Software Design Parallel operation on code block level Design Based on SMP approach Portions of one logical execution thread are executed in parallel (OpenMP Application Program Interface) The compiler actually allocates the code to CPU cores Pro Fine grain core allocation Contra High risk of false sharing SYSGO AG 11

CERTIFICATION CONSIDERATIONS SYSGO AG 12

Certification Considerations AMP Concept Concept similar to multiple Single Core platforms More interference channels between cores due to stronger coupling of the cores (memory bus, coherency protocol, etc) compared to dedicated communication buses in federated architecture Partitioning is distributed across multiple OS instances Correct spatial and temporal separation depends on an heterogonous system software architecture Cores may even run instances of different operating systems Execution on both cores is completely asynchronous Separate virtual address spaces No need for MMU synchronization Memory allocation based on OS instantiations Only dedicated memory regions shared between cores for communication SYSGO AG 13

Certification Considerations SMP Concept SMP concept is new for certification SMP operating system design needs assure that there are no interference channels between partitions du to cross CPU locking mechanisms. Partitioning is controlled by a single OS instance One time partition scheme with core synchronization on window boundaries Critical parts of the time frame can even executed in single processor mode Single virtual address spaces Requires MMU synchronization upon mapping changes Memory allocation based on resource partitions SYSGO AG 14

Certification Considerations Concerns related the Use of Multiple Cores Hardware Interference Channels Shared caches Typically one L1 cache per CPU L2 cache shared on some CPU (e.g. Intel, MPC 8572D) L3 cache typically shared Cache coherency protocol Problem grows with number of cores Configurable on some CPUs through core cross bar Global / Local cache flush and invalidate Shared buses (Core Connection, Processor, Memory, PCI) Shared Interrupts Shared devices (Memory, Timer, I/O) Shared peripherals (AFDX ES, A429, GPU, DIO, Ethernet) SYSGO AG 15

Certification Considerations Concerns related the COTS Multi Core CPUs SoC / MPSoC Design Lot of multi-core processors come as System on Chip devices which requires additional certification activities EASA has issued specific CRIs (CRI-F08 for A400M Project) which address the use of complex electronic devices. Currently a proposal for a Certification Memorandum (CM SWCEH 001) has be released which addresses Complex Electronic devices, Complex COTS Microcontrollers and Highly Complex COTS Microcontrollers Multi Core SoCs are considered by EASA as Highly Complex COTS Microcontrollers SYSGO AG 16

Certification Considerations Concerns related the COTS Multi Core CPUs Main challenges to comply with CM SWCEH 001 Missing processor design documents may lead to undetected interference channels In Service History There is not much in service history available for multi-core based designs in avionics applications Availability of Safety Features Sufficient robustness against SEU events Detection and correction of single and multi bit errors Determinism Random behavior e.g. Cache and TLB refill algorithms Bus arbitration Undocumented interference channels SYSGO AG 17

PIKEOS MULTI-CORE SUPPORT SYSGO AG 18

PikeOS Product Overview The safe and secure virtualization (SSV) RTOS runs concurrently software of different safety and security levels can provide multiple API, run time environments and guest operating systems enables a mixture of hard real-time and non real-time applications on a single embedded device Certified technology Enables modular certification according to highest industrial standards Runs on numerous platforms Provides multi-core functionally SYSGO AG 19

PikeOS Architecture Guest Operating System Guest Runtime Environment PikeOS Native up to 62 partitions PikeOS System Software User Mode PikeOS Separation Microkernel Kernel Mode Architecture Support Package (ASP) Platform Support Package (PSP) Hardware SYSGO AG 20

Sharing Challenges Challenge: Resources sharing Resources CPUs Memory, IO memory Flies, drivers, devices, buses Safety Integrity, availability Isolation, application errors, fail safe Security Integrity, availability, confidentiality Possible side channels via shared resources Resources and API are attack surface PikeOS Solution Resource Partitioning Challenge: Time sharing Time CPU cycles Time effects of accessing shared resources, e.g. buses Safety Availability, deterministic behavior, meeting deadlines Right balance between time- and event-triggered tasks Security Availability, confidentiality Possible timing side channels via shared resources, e.g. caches, busses Time is the attack surface PikeOS Solution Time Partitioning SYSGO AG 21

Resource Partitioning - Spatial Separation Static allocation of all system resources Application has guaranteed access to assigned resources Applications cannot access resources of other partitions if not explicitly configured otherwise No error propagation throughout other partitions Memory protection enforcement using Hardware (MMU) All partitions execute in user mode Separated resource partitions Guest Operating System ASP Guest Runtime Environment PikeOS System Software PikeOS Separation Microkernel Hardware PSP PikeOS Native SYSGO AG 22

Time Partitioning - Temporal Separation Static configuration of execution order and duration of partitions Deterministic hard real-time operation Advanced features* Multiple resource partitions can be assigned to one time partition Best possible CPU usage Dedicated threats can be scheduled whenever the current time partition becomes idle Shortest response time Optional: Dedicated threads can have superior priority to any normal partition (if used this will violate strict determinism and might have impact on hard real time behavior of normal partitions) * using PikeOS patented scheduler SYSGO AG 23

One RTOS, Multiple Standards PikeOS supports multiple programming interfaces, runtime environments and guest operating systems; these are called personalities The following personalities are currently available PikeOS native ARINC 653 APEX POSIX Linux Android Coqos / AUTOSAR * Real-time Java * Ada * RTEMS OSEK ITRON * 3 rd party add-ons SYSGO AG 24

Supported Hardware Microprocessor architectures PowerPC e500mc, e500, e200, oea, 405, x44 x86 ARM MIPS 24k, 34k, 74k Leon 1/2, SPARC 3/4 i7, i5, i3, Quad-Core, Core Duo, A15, A9, A8, A7, ARM11, big.little SoC Based on supported architectures Family example: OMAP, imx, QorIQ, custom made Board example: OMPA 4, imx5, imx6, P4080 SYSGO AG 25

PikeOS Multi-Core Support Asymmetric Multi Processing PikeOS design fully supports the AMP concept Adaptations are limited to the PikeOS PSP PikeOS ROM file system can be used to store image to be executed on other cores PikeOS can coexist with other operating systems or executives Multiple instances of PikeOS can run in parallel SYSGO AG 26

PikeOS Multi-Core Support Symmetric Multi Core Support Compatible with Single-Core PikeOS Same API for single and multi core PikeOS applications Cross CPU communication through IPC and Events Multiple cores managed by one OS instance Cores are statically allocated to resource partitions One core can be allocated to multiple partitions One partition can have multiple cores assigned CPU Affinity A PikeOS task has assigned a set of CPU cores (CPU allocation mask) A thread can only run on a core from its task s CPU allocation mask A thread can decide on which CPU it wants to run (CPU affinity mask) The task s CPU allocation mask is distributed to child tasks like any other task right (parent child principle) During IPC one IPC partner can be moved to the other partner s CPU in accordance with its affinity mask SYSGO AG 27

PikeOS Multi-Core Support Symmetric Multi Core Support Time Partitioning All CPU cores share the same time partitioning Cores are synchronized on time partition switches Multiple resource partitions can share the same time partition Concurrent execution of resource partitions on different cores A strict ARINC 653 scheduling scheme can be configured for parts of the major time frame Full Support for PikeOS Time Partition 0 Background and high priority tasks can run on dedicated core SYSGO AG 28

PikeOS Multi-Core Support PikeOS SMP Scheduling Example Configuration A 1 Tp_1 B C D 2 3 4 Tp_2 Tp_3 1 CPU Core Resource Partition Time Partition Execution A 1 2 1 2 B 1 2 1 2 C 3 3 D 4 2 4 2 Tp_1 Tp_2 Tp_3 Tp_1 Tp_2 Tp_3 SYSGO AG 29

Multi-Core Software Design Certification Aspects Support static partitioning of CPU cores Load balancing algorithms may not be used during execution of critical applications Control access to shared resources Avoid parallel execution of different criticality levels Eliminate False Sharing between partitions Avoid Multi-Core application design for safety critical applications Ensure proper data alignment inside shared software components Eliminate interference via OS internal synchronization objects Avoid module global locks SYSGO AG 30

PIKEOS MULTI-CORE USE- CASES SYSGO AG 31

AMP - PikeOS + AFDX Features MPC 8572D CPU based board Core A running PikeOS UMP with ARINC 653 Personality Core B running a software AFDX using 2 of the 4 TSEC controllers Communication and synchronization through shared memory and inter processor interrupts Suitable for certification safety critical applications Certification Considerations Independent execution of CPU cores and TSEC required L2-Cache need to be partitioned by software Worst case interference on memory bus need to be evaluated Impact of coherency protocol need to be evaluated SYSGO AG 32

High Performance IMA Platform Assumptions Platform connected to several Avionics busses Some applications with high CPU demands Some applications with hard real-time demands Multiple applications need to be connected to communication devices Inter-Partition communication needs Design Considerations Interference between cores needs to be eliminated for hard real-time application Configuration need to support single processor environment while hard real-time applications are running to eliminate interference channels introduced by shared HW and SW resources Software architecture needs to address access to shared platform resources, e.g. AFDX SYSGO AG 33

P4080 Configuration Example Application Layer Java APP (SMP) Java APP (SMP) Java APP (SMP) Network Stack File Server A653 App A653 App A653 App System Software / OS Layer JVM JVM PikeOS (SMP) Linux PikeOS A653 PikeOS A653 Local Data Concentrator PikeOS AFDX ES Software Stack CPU Layer Core 1 Core 2 Core 3 Core 4 Core 5 Coherency Sub-Domain Core 6 Coherency Sub-Domain Core 7 Coherency Sub-Domain Core 8 Coherency Sub-Domain Coherency Sub-Domain On Chip IO PAMU PAMU PAMU PAMU ETH ETH USB SATA PCIe ETH ETH Extenal IO MIL-BUS A429 DIO AFDX SYSGO AG 34

PikeOS on P4080 Platform P4080 WCET considerations Design independent application domains Allocate cores for I/O processing to reduces concurrent access to low bandwidth buses / devices Use P4080 Sub-Domain feature to reduce interference through cache coherency protocol between independent domains Resource allocation profile Generate application models which address memory and I/O utilization over time an use this information for module configuration Use debug unit to monitor and potentially restrict bus allocation Determine application domain behavior under worst case scenarios (maximum bandwidth used by other domains) Avoid to mix time-critical and non-trusted domains SYSGO AG 35

Conclusion Multi-Core CPUs unavoidable in Next Generation IMA SoC complicate state-of-the-art certification process Parallel execution can be provided on different abstraction levels Multi-Core based platform shall address all relevant interferences concurrent execution of different criticalities Multi-Core based platform can provide the level of determinism of a single core platforms for the cost of some unused bandwidth additional redundancy to increase safety due to the additional bandwidth SYSGO AG 36