Transcript Isolation of Cores
Claus Stellwag (Elektrobit), Thorsten Rosenthal (Delphi), Swapnil Gandhi (Delphi) March 2013 – WICERT
RECOMP is made possible by funding from the ARTEMIS Joint Undertaking .
Goal: Reduce costs of mixed-critical systems 3/22/2013 2
Hardware: Meridian Board Development board for the Trusted Computing Platform Supports all relevant bus systems (CAN, FlexRay, SPI, Ethernet) Lot of I/O pins Contains Multicore AURIX controller in FPGA External SRAM as flash emulation Debugging via JTEG or USB
Source: http://www.recomp.eu/meridian/downloads/Meridian_Datasheet.pdf
3/22/2013 3
MCU Architecture: AURIX TC27x Note: Used FPGA based board has only 2 instead of 3 cores
Source: http://www.infineon.com/dgdl/TriCore_Family-br-2013.pdf?folderId=db3a304412b407950112b409ae660342&fileId=db3a30431f848401011fc664882a7648
3/22/2013 4
AUTOSAR Overview AUTOSAR = Basic Software + Methodology + Application Interfaces AUTOSAR R4.0 building blocks: Applications (SoftWare Components - SWC) OS Run-Time Environment (RTE) Basic SoftWare (BSW): System Services (e.g. Ecu Manager, Watchdog Manager) (Non-volatile-)Memory stack Communication stack Diagnostic modules Microcontroller abstraction layer (MCAL) Complex Device Drivers (CDD) 3/22/2013 5
AUTOSAR R4.0 + Multicore +Safety
ASIL SW QM SW
Core0
SWC SWC SWC BSW CDD RTE
Core1
SWC SWC SWC OS
MCU 3/22/2013 6
RECOMP: Automotive Cluster 3/22/2013 7
Delphi ASIL D Application: ESCL (Electrical Steering Column Lock)
M
3/22/2013 8
ESCL: Safety Goals ESCL Risks • Risk 1: Unintended locking while vehicle is in motion
ASIL D
• Risk 2: Moving from rest with locked ESCL
ASIL B
ESCL safety goals • Risk 1 Goal 1: Unintended locking while vehicle is in motion shall be prevented • Risk 2 Goal 2: Starting and rolling of vehicle with locked ESCL shall be prevented ESCL Safe states • Safe State 1 (for safety goal 1) • ESCL is unlocked, not power supplied and locking functions is deactivated • Safe State 2 (for safety goal 2) • No engine start in case the SCL was not successfully unlocked • Abort of start sequence / shut off of engine if ESCL power supply was not switched off after engine was started 9 3/22/2013
Building Blocks of ESCL ESCL Module 1: Power supply for ESCL if locking conditions fulfilled ESCL Module 2: Locking command to ESCL if locking conditions fulfilled Power Mode Manager (PMM): Takes care about power off, sleep and other power related topics Driver Info: Supports info to driver of vehicle Other QM components 3/22/2013 10
Approach 1 : Cross Monitoring
ASIL SW QM SW ESCL1
Core0
PMM RTE
Core1
ESCL2 RTE Driver Info OS BSW C2C BSW OS
MCU 3/22/2013 11
Approach 2: AUTOSAR MultiCore
ASIL SW QM SW ESCL1
Core0
ESCL2 RTE PMM
Core1
Driver Info BSW OS
MCU 3/22/2013 12
Approach 3 : Isolated ESCL
ASIL SW QM SW
Core0
ESCL1 ESCL2 PMM RTE OS SWC
Core1
RTE Driver Info BSW C2C BSW OS
MCU 3/22/2013 13
Details of Implementation Each core run its own application (with a separate ELF image). There is no hard reference between the SW This allows SW updates on the core running the legacy / QM parts without impact on the ASIL cores The hardware supports the approach by dedicated core local memory de-central access control to shared peripherals Core2Core Communication (C2C) allows exchange of data between cores. Special care has been taken that the C2C does not impact safety part (e.g. lock-free mechanism for communication buffers) 3/22/2013 14
Summary: Pros & Cons Pro Clear isolation simplifies design (safety is concentrated on dedicated core(s) – freedom from interference can be easier shown) Divide and conquer principle eases handling of growing complexity Legacy code needs less adoption (constraints from single core are preserved) Less interaction between cores; No additional SW layers needed better utilization of existing multicore performance Contra Requires more memory Requires specific hardware features of the microcontroller 3/22/2013 15
3/22/2013
Questions ?
16