A common difficulty, notably in the aeronautical sector, when an embedded computer is being developed, resides in the question of certification. Conventionally, a computer comprises at least one processor, corresponding to a computation unit, and peripherals, such as electronic cards ensuring a plurality of functions. In this case, the process for certifying the processor on the one hand, and the peripherals on the other hand, is well mastered by the person skilled in the art. In general, the processors, which are simple computation units, are COTS (Components Off The Shelf), that is to say they are chosen from a catalogue, and are associated with management peripherals.
These peripherals, developed to ensure specific functions, are certified separately by the manufacturer of the computer or with a view to being integrated into a particular computer. However, today's embedded computers include ever more microcontrollers comprising at one and the same time—in the same physical chip—one or more processors and their peripherals, such as the interfaces with the random access memory, which is external to the microcontroller, or PCI input-output interfaces, for example.
This makes certification trickier since the microcontrollers exhibit limited observability of the transactions which take place therein.
The general problem which ensues therefrom is therefore concerned with the partitioning of the tasks within a microcontroller. Satisfactory partitioning must be guaranteed so as to ensure the security of the transactions in the microcontroller.
In the aeronautics sector, current developments are carried out with the goal of increasing the share of integrated modular avionics, known by the acronym IMA. The general principle of this integrated modular avionics logic consists in creating, for the peripherals of microcontrollers, the illusion of multiple resources in terms of computation units, that is to say of processors, and of memory. Hence the principle of partitioning, which consists in arranging matters such that a problem on one resource does not impact the other resources. International standards, in particular the DO-178B standard for software and the DO-254 standard for hardware, govern the security level to be achieved, notably for computers embedded aboard aircraft.
Since one is dealing with platforms of IMA type, the notion of partitioning is the keystone of the architecture. For platforms that are intended to host functions with high criticality—corresponding for example to the DAL, the acronym standing for Design Assurance Level, level “A” according to standard DO178 or DO254—, the manufacturer of the computer must be capable of demonstrating the robustness of this partitioning.
In this context, a mechanism for verifying the memory accesses performed by the controller integrated into the processors intended to form part of embedded computers is known from the state of the art. This type of mechanism bears the acronym MMU, standing for Memory Management Unit. Its role, as its name indicates, is to check memory accesses. Early processors did not comprise this type of mechanism, which could be a separate element. Today, most processors comprise MMUs; these make it possible to check memory accesses for all the transactions passing through the processor and therefore to guarantee this notion of partitioning to a large extent.
The problem for current microcontrollers is that this MMU verification mechanism is short-circuited when transactions pass through an external master peripheral or through a direct memory access unit, known to the person skilled in the art by the acronym DMA, for Direct Memory Access. The DMAs are placed after the MMUs of the processors. Thus, in the case of a malfunction, there may be a rupture of the partitioning of the resources of the microcontroller, which, as has been seen, may turn out to be critical. The problem also resides in guaranteeing partitioning on processors not comprising any MMU. Today, it seems impossible to the person skilled in the art to achieve certification of an embedded computer in which some functions of a microcontroller utilize direct memory access units (DMA), and/or in which external master peripherals perform transfers competing with code execution by the microcontroller, and/or in which the processor does not possess any MMU.
According to the earlier state of the art, this problem was solvable for computers comprising on the one hand one or more processor(s) in separate component form, and on the other hand specially adapted peripherals. Indeed, it was possible to develop a peripheral of controller type, comprising peripherals, communication means, memory accesses, etc., and a specially developed component to check the memory accesses and the accesses to the input-output interfaces. In this way, the data buses between the processor and the controller were observable, and the said specially developed controller was able to obtain the proper certification.
Conversely, the basic element of today's embedded computers is no longer a processor but a microcontroller, comprising at one and the same time the processor, optionally multi-core, and a certain number of peripherals, with, for example, the memory access controllers and the controllers of access to inputs-outputs of PCI or PCI Express type within the same physical component. The data buses integrated into the design of the microcontrollers are not readily observable.
In this case, where microcontrollers are used with a view to integrating them into embedded computers, the solution known to the person skilled in the art for circumventing this problem consists in not performing any transaction passing through a DMA or through an external master peripheral; therefore, all the transactions are subject to passage through the processor and to a check by the MMU-type memory access verification mechanism. The drawback of this solution is obviously that it precludes the use of DMAs, which nevertheless exhibit, notably, the significant advantage of allowing data exchanges to be carried out very rapidly.
The technical problem posed is therefore that of guaranteeing the detectability of erroneous accesses, carried out via direct memory access units or via external master peripherals, so as to guarantee the partitioning of the functions within a microcontroller.
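The following C model, added here as an illustration and not taken from the patent, makes the two preceding points concrete: the partitioning rule that an MMU enforces on processor accesses, the loss of detectability when a DMA or external master placed after the MMU drives the same bus, and the known workaround of refusing every transfer that does not pass through the processor. The partition windows, the traffic and the names (`Partition`, `Transaction`, `route_mmu_only`, `route_processor_only`, `route_with_bus_check`) are all constructed for the example; the third routing model, a checker sitting on the bus side of the DMA and external masters, is an assumption used to show what "detectable" would mean, not the mechanism the patent claims.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: three IMA partitions, each owning one contiguous
 * window of the external RAM. The addresses are illustrative only. */
typedef struct {
    const char *name;
    uint32_t base;   /* first byte of the window */
    uint32_t size;   /* window length in bytes */
} Partition;

static const Partition PARTITIONS[] = {
    { "P1 flight control", 0x20000000u, 0x00010000u },
    { "P2 display",        0x20010000u, 0x00010000u },
    { "P3 maintenance",    0x20020000u, 0x00010000u },
};
#define NUM_PARTITIONS (sizeof PARTITIONS / sizeof PARTITIONS[0])

/* Who drives the transaction onto the memory bus. */
typedef enum { ORIGIN_PROCESSOR, ORIGIN_DMA, ORIGIN_EXT_MASTER } Origin;

typedef struct {
    Origin   origin;
    int      owner;  /* partition on whose behalf the transfer runs */
    uint32_t addr;
    uint32_t len;
} Transaction;

/* Outcome of routing one transaction through a model. */
typedef enum {
    COMPLETED_OK,          /* inside the owner's window */
    BLOCKED_BY_MMU,        /* processor access refused by the MMU */
    REJECTED_NO_DMA,       /* known workaround: DMA/external masters forbidden */
    FLAGGED_BY_BUS_CHECK,  /* hypothetical bus-side checker caught it */
    UNDETECTED_VIOLATION   /* partition breached and nobody noticed */
} Outcome;

/* Partitioning rule: [addr, addr+len) must lie wholly inside the owner's window. */
bool access_allowed(int owner, uint32_t addr, uint32_t len)
{
    if (owner < 0 || (size_t)owner >= NUM_PARTITIONS || len == 0)
        return false;
    if (addr > UINT32_MAX - len)          /* guard the end-address arithmetic */
        return false;
    const Partition *p = &PARTITIONS[owner];
    return addr >= p->base && addr + len <= p->base + p->size;
}

/* Model A: only the processor's MMU enforces the rule. DMA and external
 * masters are placed after the MMU, so their transfers are never inspected. */
Outcome route_mmu_only(const Transaction *t)
{
    bool ok = access_allowed(t->owner, t->addr, t->len);
    if (t->origin == ORIGIN_PROCESSOR)
        return ok ? COMPLETED_OK : BLOCKED_BY_MMU;
    return ok ? COMPLETED_OK : UNDETECTED_VIOLATION;
}

/* Model B: the workaround described in the text. Every transfer must go
 * through the processor; DMA and external-master transactions are refused. */
Outcome route_processor_only(const Transaction *t)
{
    if (t->origin != ORIGIN_PROCESSOR)
        return REJECTED_NO_DMA;
    return access_allowed(t->owner, t->addr, t->len) ? COMPLETED_OK : BLOCKED_BY_MMU;
}

/* Model C (assumption, not the patent's mechanism): a checker on the bus
 * side of the DMA and external masters applies the same rule to every transfer. */
Outcome route_with_bus_check(const Transaction *t)
{
    if (access_allowed(t->owner, t->addr, t->len))
        return COMPLETED_OK;
    return t->origin == ORIGIN_PROCESSOR ? BLOCKED_BY_MMU : FLAGGED_BY_BUS_CHECK;
}

/* Constructed traffic: two legitimate transfers and three that cross windows. */
static const Transaction TRAFFIC[] = {
    { ORIGIN_PROCESSOR,  0, 0x20000100u, 64  },  /* P1 writes its own RAM */
    { ORIGIN_DMA,        1, 0x20010000u, 512 },  /* P2 DMA inside its window */
    { ORIGIN_PROCESSOR,  1, 0x20000000u, 4   },  /* P2 code reads P1 RAM */
    { ORIGIN_DMA,        2, 0x20000000u, 256 },  /* P3 DMA targets P1 RAM */
    { ORIGIN_EXT_MASTER, 1, 0x2001FF80u, 256 },  /* P2 master runs past P2 into P3 */
};
#define NUM_TRAFFIC (sizeof TRAFFIC / sizeof TRAFFIC[0])

/* Count transfers that breach partitioning without any mechanism noticing. */
int count_undetected(Outcome (*route)(const Transaction *))
{
    int n = 0;
    for (size_t i = 0; i < NUM_TRAFFIC; i++)
        if (route(&TRAFFIC[i]) == UNDETECTED_VIOLATION)
            n++;
    return n;
}

int main(void)
{
    printf("undetected with MMU only      : %d\n", count_undetected(route_mmu_only));
    printf("undetected, processor only    : %d\n", count_undetected(route_processor_only));
    printf("undetected with bus-side check: %d\n", count_undetected(route_with_bus_check));
    return 0;
}
```

Run stand-alone, the program reports two undetected violations for model A (the P3 DMA and the P2 external master, which the MMU never sees), and none for models B and C; the difference between B and C is that B also rejects the legitimate P2 DMA transfer, which is exactly the drawback of the workaround the text describes.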