ULTIMATE GUIDE TO EMBEDDED HYPERVISORS

An embedded hypervisor is software that allows multiple computing environments to run simultaneously on a single system on a chip (SoC). It enables system designers to consolidate diverse operating systems (OSs) and applications with different reliability, safety and security requirements on one SoC.

An embedded hypervisor must provide equivalence, safety and performance—the three conditions for efficient virtualization specified by Popek and Goldberg in 1974: 

Equivalence: Virtual machines (VMs) in a hypervisor duplicate the underlying hardware so accurately that guest operating systems can run without modification. From the point of view of a guest OS, the VM is hardware.

Safety: VMs are isolated from the hypervisor and from each other. The safety of the design is enforced without the hypervisor knowing anything about the software running inside a VM. 

Performance: Software executing in a VM must show no more than a minor decrease in speed compared to the same software running directly on the hardware (bare metal). 

With an embedded hypervisor, a system designer can: 

• Reduce hardware cost, size, weight and power consumption by reducing the number of SoCs in the overall design.

• Reduce development time by reusing proven, legacy software in a VM.

• Maintain fast-boot and real-time behavior while adding features more easily implemented by a specific operating system, such as multimedia applications running on Android™. 

• Use the best operating system for a specific purpose, such as the QNX® OS for Safety for safety-critical software, and Linux® or Android for an entertainment system.

• Streamline and limit the scope of safety certifications by isolating non-safety systems in safety-certified hypervisor VMs

• Increase reliability with system monitoring, guest failure detection, shutdown and automated restart: a guest can fail without affecting the hypervisor or other guests

• Increase embedded systems security: isolating components in separate VMs reduces the ability of an attacker to compromise the entire system.

Read more about the benefits of embedded hypervisors in Extend the Lifecycle of Embedded Systems with a Hypervisor.

The following terms are often used when discussing virtual environments and hypervisors:

Host: the hypervisor, also known as the host domain or hypervisor host

Guest: a guest OS and its applications running in a VM

Virtual machine (VM): a hypervisor host process that presents a virtual environment to a guest OS; the VM hosts the guest OS

VIRTIO: a virtualization technique promoted by OASIS and adopted extensively by the Android and Linux communities. A guest enabled with VIRTIO technology can run unmodified on different hypervisors, as long as they support VIRTIO services.

Virtual machine manager: Hypervisors are also known as virtual machine managers (VMMs).

Device: a physical or virtual device. A virtual device may emulate a physical device or it may be a paravirtualized device; that is, a virtual device with no hardware equivalent, such as the virtio-net (virtual network device) provided with the QNX^® Hypervisor.

Privilege: the authority to access hardware and execute instructions. A guest runs at a lower privilege than the hypervisor, and applications have the least privilege. Known as Exception Levels on Arm and Rings on x86.

A hypervisor is not a simulator. A simulator emulates an instruction set; this instruction set doesn’t have to match the instruction set of the underlying hardware. Since processing in a simulator can be from five to 1000 times slower than processing directly on hardware, simulators can’t meet Popek and Goldberg’s third condition for equivalence: performance.

By contrast, a hypervisor is a multiplexer. It manages VMs with guests compiled for the architecture and instruction set of the underlying hardware. Though they are in VMs, guests actually run directly on the hardware CPU. A guest system running on a well-designed hypervisor system exhibits only a minimal slowdown.

Thus, from a guest’s perspective, the VM in a hypervisor system replaces hardware. In fact, a guest in a VM doesn’t know it isn’t running on hardware; it will probe for devices and expect the same behavior from them as when it is running directly on hardware. For example, virtual interrupt controllers present the same event sequences, sometimes even the same timing, as their hardware equivalents.

Guests run in VMs. Each VM is a complete computing environment configured by a system designer, who specifies every VM component: CPU cores, graphics controller, memory, virtual, paravirtual and physical device, etc.

Configuring a VM is much like assembling a board, with the difference that instead of assembling physical memory cards, CPUs and other physical components, the VM designer specifies virtual components. The rules are like that for a board; for example:

• Two components can’t respond to the same physical address.
• The environment the VM configuration assembles must be one that the software (the guest OS) is prepared to deal with.

A VM doesn't know what its guest is doing any more than hardware knows what an OS is doing. At BlackBerry QNX, we say, “The guest is a blob.” For example, a VM may not know whether a guest quit due to a user-requested shutdown or a fatal error. If you’re designing a hypervisor system, you may need to add a mechanism for the guest to report such information.  

Virtualized environments can provide guests with access to virtual and physical devices. Whether it is for a virtual or a physical device, to work with a device, the device owner (hypervisor or guest) requires a device driver, just like in a non-virtualized system.

• Virtual device: A virtual device may emulate a physical device or it may provide functionality without emulating any specific physical device (paravirtualization). An emulation virtual device may either handle everything itself (e.g., emulate a timer chip), or it may act as an intermediary between the guest and an actual physical device (e.g., emulate an asynchronous communications chip such as the Intel 8250 UART).

• Paravirtualized device: A paravirtualized device provides the functionality that might be provided by a physical device (or several physical devices) in a non-virtualized environment, but without the constraints of emulating a piece of hardware. Thus, a paravirtualized device may be more efficient than a virtual device that must emulate hardware. The Organization for the Advancement of Structured Information Standards (OASIS) VIRTIO standard is a popular paravirtualization standard, but not the only one.

• Pass-through device: A guest may access a physical device through a virtual device in its VM. This virtual device acts as an intermediary between the guest and the physical device. The VM configuration may also pass through a physical device (pass-through device) directly to a guest. Guests have exclusive control of their pass-through devices. All the hypervisor knows about a pass-through device is the existence of the memory range reserved for it in the VM. 
  

An embedded hypervisor can play an important role in the ability of a product development team to rapidly create, test and certify a new version of a safety-critical product. With a hypervisor, the team can re-use proven legacy software in a VM and keep safety components separated on a single SoC. Software components built by separate groups can be tested separately, run together, and swapped out without affecting other systems or the whole system having to be retested repeatedly.

If a system will be certified to a safety standard, a hypervisor pre-certified to industry standards can significantly reduce the burden of certification. Different operating systems can run in different safety-certified VMs—such as a Linux guest in one VM and an Android guest in another VM—while the safety-critical system runs directly on the safety-certified hypervisor host. BlackBerry QNX has pre-certified our embedded hypervisors to IEC 61508 SIL 3 and ISO 26262 ASIL D to reduce time to market for safety-critical embedded systems. 

The QNX Hypervisor and the QNX^® Hypervisor for Safety are built on the same microkernel foundation as the renowned QNX^® Neutrino^® RTOS and come with the field-proven QNX tool chain and C and math libraries.

• The QNX Hypervisor: The QNX Hypervisor is a real-time microkernel hypervisor that provides the trusted reliability and performance of the QNX Neutrino RTOS while allowing multiple operating systems to co-exist on the same SoC.

• The QNX Hypervisor for Safety: QNX Hypervisor for Safety is built on the QNX OS for Safety, the safety-certified variant of the QNX Neutrino RTOS, so the hypervisor host and its VMs offer the same trusted functionality and performance, and is pre-certified to both IEC 61508 SIL 3 and ISO 26262 ASIL D.