TRANSCRIPT
RECOMP is made possible by funding from
the ARTEMIS Joint Undertaking.
Isolation of Cores
Claus Stellwag (Elektrobit), Thorsten Rosenthal (Delphi), Swapnil Gandhi (Delphi)
March 2013 – WICERT
Goal: Reduce costs of mixed-critical systems
Figure: ISOLATION – which option? Dedicated MCU, Certified OS, Hypervisor
3/22/2013 2
Source: http://www.recomp.eu/meridian/downloads/Meridian_Datasheet.pdf
Hardware: Meridian Board
Development board for the Trusted Computing Platform
Supports all relevant bus systems (CAN, FlexRay, SPI, Ethernet)
Lots of I/O pins
Contains multicore AURIX controller in FPGA
External SRAM as flash emulation
Debugging via JTAG or USB
Source: http://www.infineon.com/dgdl/TriCore_Family-br-2013.pdf?folderId=db3a304412b407950112b409ae660342&fileId=db3a30431f848401011fc664882a7648
MCU Architecture: AURIX TC27x
Note: Used FPGA based board has only 2 instead of 3 cores
AUTOSAR Overview
AUTOSAR = Basic Software + Methodology + Application Interfaces
AUTOSAR R4.0 building blocks:
Applications (SoftWare Components - SWC)
OS
Run-Time Environment (RTE)
Basic SoftWare (BSW):
  System Services (e.g. Ecu Manager, Watchdog Manager)
  (Non-volatile-)Memory stack
  Communication stack
  Diagnostic modules
  Microcontroller abstraction layer (MCAL)
Complex Device Drivers (CDD)
AUTOSAR R4.0 + Multicore + Safety
Figure: one MCU with Core0 and Core1; layers OS, BSW and RTE; SWCs and a CDD on top; the software is partitioned into ASIL SW and QM SW.
RECOMP: Automotive Cluster
Delphi ASIL D Application: ESCL (Electrical Steering Column Lock)
ESCL: Safety Goals
ESCL risks
• Risk 1: Unintended locking while vehicle is in motion (ASIL D)
• Risk 2: Moving from rest with locked ESCL (ASIL B)
ESCL safety goals
• Goal 1 (for Risk 1): Unintended locking while vehicle is in motion shall be prevented
• Goal 2 (for Risk 2): Starting and rolling of vehicle with locked ESCL shall be prevented
ESCL safe states
• Safe State 1 (for Safety Goal 1): ESCL is unlocked, not power supplied and the locking function is deactivated
• Safe State 2 (for Safety Goal 2):
  • No engine start in case the SCL was not successfully unlocked
  • Abort of start sequence / shut-off of engine if ESCL power supply was not switched off after engine was started
Building Blocks of ESCL
ESCL Module 1: Power supply for ESCL if locking conditions fulfilled
ESCL Module 2: Locking command to ESCL if locking conditions fulfilled
Power Mode Manager (PMM): Takes care of power-off, sleep and other power-related topics
Driver Info: Supplies information to the driver of the vehicle
Other QM components
Approach 1: Cross Monitoring
Figure: one MCU with Core0 and Core1, each running its own OS, BSW and RTE; ASIL SW and QM SW partitions; components ESCL1, ESCL2, PMM and DriverInfo; the two BSW stacks are linked by C2C.
Approach 2: AUTOSAR MultiCore
Figure: one MCU with Core0 and Core1 sharing a single OS, BSW and RTE; ASIL SW and QM SW partitions; components ESCL1, ESCL2, PMM and DriverInfo.
Approach 3: Isolated ESCL
Figure: one MCU with Core0 and Core1, each running its own OS, BSW and RTE; ASIL SW (ESCL1, ESCL2) and QM SW (PMM, DriverInfo) as SWCs on separate cores; the BSW stacks exchange data only via C2C.
Details of Implementation
Each core runs its own application (with a separate ELF image). There is no hard reference between the SW on the different cores.
This allows SW updates on the core running the legacy / QM parts without impact on the ASIL core(s).
The hardware supports the approach by
  dedicated core-local memory
  de-central access control to shared peripherals
Core2Core Communication (C2C) allows exchange of data between cores. Special care has been taken that the C2C does not impact the safety part (e.g. lock-free mechanism for communication buffers).
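The lock-free C2C buffer mentioned above, as an added illustration (not RECOMP, Delphi or Elektrobit code): a single-producer/single-consumer ring in shared memory built on C11 atomics, in which the QM producer and the ASIL consumer never wait on each other. The channel layout, the names and the 8-slot size are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed example, not RECOMP code: single-producer/single-consumer
 * ring in shared RAM. One slot stays empty so head == tail means "empty";
 * the slot count is a power of two so indices wrap with a mask. */
#define C2C_SLOTS 8u
#define C2C_MASK  (C2C_SLOTS - 1u)

typedef struct {
    _Atomic uint32_t head;     /* written only by the consumer (ASIL core) */
    _Atomic uint32_t tail;     /* written only by the producer (QM core)   */
    uint32_t slots[C2C_SLOTS]; /* payload words, e.g. a vehicle-speed signal */
} c2c_channel_t;

/* Producer (QM core). Never blocks: a full channel drops the message and
 * returns false, so neither core can stall the other through the buffer. */
static bool c2c_send(c2c_channel_t *ch, uint32_t msg) {
    uint32_t tail = atomic_load_explicit(&ch->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&ch->head, memory_order_acquire);
    if (((tail + 1u) & C2C_MASK) == head) return false;   /* full: drop */
    ch->slots[tail] = msg;
    /* release: the payload is visible to the consumer before the new tail */
    atomic_store_explicit(&ch->tail, (tail + 1u) & C2C_MASK, memory_order_release);
    return true;
}

/* Consumer (ASIL core). Never blocks: an empty channel returns false and the
 * safety task keeps working with its last valid value. */
static bool c2c_receive(c2c_channel_t *ch, uint32_t *out) {
    uint32_t head = atomic_load_explicit(&ch->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&ch->tail, memory_order_acquire);
    if (head == tail) return false;                        /* empty */
    *out = ch->slots[head];
    atomic_store_explicit(&ch->head, (head + 1u) & C2C_MASK, memory_order_release);
    return true;
}

/* Scenario: the QM producer offers C2C_SLOTS messages while the ASIL consumer
 * is not scheduled; exactly one is dropped (7 fit), then the consumer drains.
 * Returns the number of messages delivered, or 0 if the drop count is wrong. */
static uint32_t c2c_demo(void) {
    c2c_channel_t ch;
    atomic_init(&ch.head, 0u);
    atomic_init(&ch.tail, 0u);
    uint32_t sent = 0u, received = 0u, v = 0u;
    for (uint32_t i = 0u; i < C2C_SLOTS; i++) sent += c2c_send(&ch, 100u + i);
    while (c2c_receive(&ch, &v)) received++;
    return (sent == C2C_SLOTS - 1u) ? received : 0u;       /* 7 */
}
```

Because the ASIL side only reads `tail` and writes `head`, a misbehaving QM core can at most starve it of fresh data, which the safety task must already handle (stale-value timeout), but it cannot block or corrupt it.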
Summary: Pros & Cons
Pro
• Clear isolation simplifies design (safety is concentrated on dedicated core(s) – freedom from interference can be shown more easily)
• Divide-and-conquer principle eases handling of growing complexity
• Legacy code needs less adaptation (constraints from single core are preserved)
• Less interaction between cores; no additional SW layers needed; better utilization of existing multicore performance
Contra
• Requires more memory
• Requires specific hardware features of the microcontroller
Questions ?