Chris Hills, the CTO of Phaedrus Systems, looks at how to solve the issues of co-ordinating software subsystems by using a microkernel based RTOS, like PikeOS from Sysgo.
Embedded systems used to be relatively simple in concept (although not necessarily in implementation). As hardware has got more powerful, software has got more complex. Today applications don’t run on single operating system, instead they may be built out of different components carrying out different aspects of the overall functions, more or less independently of each other. They may come from different providers and work with different operating systems, forcing the system software for embedded systems to cater for all these operating systems simultaneously.
There are two important requirements – the subsystems have to communicate efficiently and there should be no uncontrolled interactions across subsystem boundaries.
This problem is like that faced when consolidating servers. There the solution was virtualization. So is virtualization is compatible with the other requirements of embedded systems?
Model machines
Virtualization normally is achieved by creating a model of a computer in software. Programs running on the model see no difference – with the exception of time response – between the virtual machine (VM) and the real machine. Server world virtualization mainly uses a hypervisor approach. This, since it uses hardware emulation and code interpretation is not normally suitable for the special hardware and real-time demands of embedded systems.
Instead, in the embedded domain, microkernels are used to reduce the complexity of operating systems. A microkernel uses only a small se of mechanisms with non-privileged processes which provide services running outside the kernels. They are defined as personalities in microkernel environments, and provide services as answers to the messages which effectively replace.
Communications infrastructure
The microkernel can be seen as a communication infrastructure providing inter-process communication (IPC) with events such as traps and interrupts or rights to operating resources can also be transmitted along with messages.
Despite the difference in approach the end results of microkernel and hypervisor development are similar. Personalities create run-time environments which are indistinguishable from a native operating system environment by application programs. This is completely analogous to paravirtualisation, with the microkernel assuming the role of the hypervisor.
Virtualization creates several VMs on one physical computer. VMs are completely isolated from each another: interactions only take place via an interface provided by a hypervisor and under its full control. A VM only has access to those operating resources allocated to it by the hypervisor so errors cannot be propagated across the boundaries of a VM. For server consolidation, this isolation alone was sufficient. Embedded systems need efficient mechanisms for secure communication between VMs as different subsystems jointly contribute to the functioning of the embedded system. Second-generation kernels, such as PikeOS from Sysgo, have efficient and secure communication built in.
Kernels
Kernels transmit access rights, e.g. to memory areas, alongside simple messages, using the IPC mechanism. (In this case shared memory areas for communication can be set up.) Both senders and recipients of access rights have to give their express consent to avoid uncontrolled influence of one subsystem by another.
Server and desktop computers are dominated by Intel’s 32-bit architecture. This has limitations for virtualization and virtualization solutions have to use a lot of resources to compensate. The just-in-time paravirtualization of VMware, for example, can use unmodified core operating systems.
Most embedded development environments come with operating system source code, so that there are no obstacles to paravirtualization. For safety- or security-critical application, the code which must function correctly must be subjected to exhaustive scrutiny, including the code which works in privileged mode. Code analysis costs rise at least in proportion to code size, and most hypervisors designed for server or desktop applications are large. By contrast, second-generation microkernels, such as PikeOS, are much smaller, with less than 10,000 lines of code: even formal verification becomes a possibility.
The small code size of PikeOS, in comparison to other hypervisors, is partly because there is no privileged VM. And a microkernel doesn’t need to carry out all the functions of a hypervisor, particularly as it separates strategy and mechanism.
Deterministic
Embedded systems frequently need deterministic time response, while virtualization normally requires only soft time targets, at best. This allows them to use time slicing techniques to allocate tasks to VMs, even though this means that there is a vast discrepancy between best-case and worst-case. Shortening the time slices can reduce the latency but introduces increased switching times. This is in stark difference to the needs of a real-time system, so microkernels take a different route. PikeOS uses a patented scheduler which combines one simple, priority-controlled scheduler with the time partitioning as laid down in the ARINC 653 standard, which is frequently a special requirement of the avionics sector.
To do this, the kernel uses a two-step scheduler: the first step switches between different time partitions and the second step uses priorities to decide which thread in the selected time partition gets CPU time.
Using a microkernel based operating system brings the benefits of a hypervisor to embedded system, with none of the drawbacks.
Chris Hills is founder and CTO of Phaedrus Systems Limited, a specialist in high integrity and safety critical domains. His experience covers a wide range of applications.