There are many computing environments in use today where multiple applications are operated simultaneously. To ensure security, integrity and reliability, the applications must not interfere with each other. Important examples of such multiple computing environments include avionics software that controls critical flight functions and national security applications that manage critical classified information. In these environments, the conventional approach has been to dedicate multiple, independent and physically-separate computer systems to ensure the separation of the critical information.
A particular example of an independent computer system being used for each unique function involves avionics and communications equipment, such as autopilots, flight management systems, and displays. The avionics computer systems offer only limited interfunctional dependencies in that they exchange sensor and control data. This computer system architecture provides strong functional isolation needed for critical avionics systems. Avionics systems typically must be certified to meet reliability standards established by regulatory agencies such as the Federal Aviation Administration. System certification involves verifying that all system components work properly together and that no fault can propagate from one system component to another.
In order to reduce the hardware costs, power, and size involved with multiple commercial and custom high performance microprocessors, it may be beneficial to provide one computer system to perform many distinct functions in avionics, communications, and other equipment. Having one computer system may substantially reduce certification costs in avionics systems. System functions may be certified once, independently, and to the level appropriate to their criticality, while a composition of functions may retain individual certification.
Many different functions can be performed on a single computer system by using virtual machines. A virtual machine is a platform-independent instruction set or routine that provides a portable programming environment to users. Multiple virtual machines can run on a single physical processor through sharing or partitioning of the physical processor operation. The multiple virtual machines perform as if they were separate physical machines operating on a single processor. A well-known virtual machine is the JAVA virtual machine.
With a single computer system, the avionics functions are no longer physically isolated. Interaction of functions must be considered if physical isolation is not provided. Partitioning of functions must provide the necessary isolation for safety critical avionics applications such that each function is guaranteed not to be affected by the operation of any other function.
Multiple virtual machines have applications to many areas including avionics and communications products. Partitioning can have applications outside of the avionics and communication areas. Partitioning and multiple virtual machines can provide direct cost advantages in software development. Multiple levels of certified software can co-exist on the same processor. Software can be certified once and re-used in multiple application environments. These advantages are possible with brick-walled partitioning comprising partition management and deterministic execution.
U.S. Pat. No. 6,587,937, the entire contents of which is incorporated herein by reference, discloses a partition management unit (PMU) to meet avionics and security requirements and eliminate the need for multiple, physically-separate computer systems. U.S. Pat. No. 6,587,937 is assigned to the Assignee of the patent application and lists David W. Jensen and Steven E. Koenck as inventors.
The AAMP7 processor in the Selective Availability Anti-Spoofing Module (SAASM) system, manufactured by Rockwell Collins, Inc., has been employed in military systems to achieve partitioning. The AAMP7 processor includes a partition management unit (PMU). The partition management unit allows virtual machines to meet avionics and security requirements by ensuring the physical and temporal separation of applications and eliminates the need for multiple, physically-separate computer systems. The PMU is programmed to provide each partition access only to its allocated resources. The allocated resources are generally memory space, processing time, and/or peripheral devices.
The PMU architecture is similar to a memory management unit (MMU) architecture found on conventional computer systems. However, the PMU not only enforces memory management protocols, but also ensures that each partition consumes no more than its allocation of processing time. The PMU can monitor the process via a watchdog timer and generate a non-maskable partition interrupt to force synchronization. This temporal partitioning allows the system designer to enforce not only worst-case timing but also best-case timing. This “invariant performance” allows the operation of the application in the partition to be absolutely independent of the other partitions. Thus, any validation or verification is guaranteed for any component in the composed system, thereby easing the development of applications. Heretofore, such systems have not been employed outside of avionic and security computing systems.
Conventional computing systems have been susceptible to various problems. The problems can be caused by external access, control loops involving non-deterministic routines, and power and configuration modes. Each of these sources of problems can cause a processor to be overwhelmed or cause the computing application to be slow, inaccurate or unstable. For example, denial of service attacks and other Internet attacks can overwhelm a processor with service requests. Even denying the service requests can require a large amount of processing time, thereby preventing the processor from appropriately managing other tasks: the time spent processing and monitoring a large number of service requests can prevent other tasks from receiving appropriate processing resources. These conventional problems have not been solved using conventional computing techniques.
According to another example, virus and spyware software is becoming increasingly sophisticated. Virus and spyware software can operate at system levels and can be configured to make removal from the system difficult. Conventional anti-virus and anti-spyware software currently operates at the same priority and access level as other software and can interfere with such software.
According to another example, conventional computing systems can have difficulty with simultaneous operation of deterministic and non-deterministic software in control applications. Control loops or other routines in robotics and avionics typically require deterministic operation. Timing loops must be accurate for appropriate feedback and for the mathematical foundations associated with the control loops to operate correctly. If non-deterministic software requires more time than anticipated, critical timing loops cannot be supported and may malfunction, thereby affecting the integrity and behavior of deterministic control loops.
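The following is an added illustration, not part of the patent text and not the AAMP7 PMU: a toy Python model of a partition management unit that enforces memory windows and peripheral ownership for each partition and runs the partitions in a fixed cyclic schedule with a watchdog that ends every slot at its budget. The scenario it runs, a network partition flooded with service requests beside a deterministic control loop, uses constructed partition names, memory windows, time budgets and task costs; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Partition:
    """Static allocation for one partition (all values constructed for this toy)."""
    name: str
    mem_base: int            # first address of the partition's memory window
    mem_size: int            # window length in bytes
    budget_us: int           # processing time per major frame, microseconds
    devices: FrozenSet[str]  # peripherals the partition may touch


class ToyPMU:
    """Toy partition management unit (hypothetical; not the AAMP7 PMU).

    Spatial partitioning: every access must fall inside the owning partition's
    memory window and device list. Temporal partitioning: partitions run in a
    fixed cyclic schedule, each for exactly its budget, so a partition that is
    flooded with work (or finishes early) never shifts its neighbours.
    """

    def __init__(self, partitions: List[Partition]) -> None:
        self.partitions = list(partitions)
        # Reject allocations whose memory windows overlap; the PMU must be able
        # to attribute every address to exactly one partition.
        windows = sorted((p.mem_base, p.mem_base + p.mem_size, p.name) for p in partitions)
        for (_, hi_a, a), (lo_b, _, b) in zip(windows, windows[1:]):
            if lo_b < hi_a:
                raise ValueError(f"memory windows of {a} and {b} overlap")
        self.frame_us = sum(p.budget_us for p in partitions)

    def memory_fault(self, part: Partition, addr: int, size: int) -> bool:
        """True if the access [addr, addr + size) must be blocked for this partition."""
        return addr < part.mem_base or addr + size > part.mem_base + part.mem_size

    def device_fault(self, part: Partition, device: str) -> bool:
        """True if the partition was not allocated this peripheral."""
        return device not in part.devices

    def run_frame(self, frame_index: int, pending: Dict[str, List[int]]) -> List[dict]:
        """Run one major frame of the cyclic schedule.

        pending[name] is a FIFO of task costs (microseconds) queued for that
        partition; it is updated in place. Work left when the watchdog fires
        stays queued for the next frame, and leftover time from a partition
        that finishes early is not handed to anyone else, so each slot starts
        at the same offset in every frame (the "invariant performance").
        """
        log = []
        now = frame_index * self.frame_us
        for part in self.partitions:
            queue = pending.setdefault(part.name, [])
            remaining, done = part.budget_us, 0
            while queue and remaining > 0:
                if queue[0] <= remaining:
                    remaining -= queue.pop(0)
                    done += 1
                else:
                    queue[0] -= remaining  # watchdog interrupt: task resumes next frame
                    remaining = 0
            log.append({"partition": part.name, "start": now,
                        "end": now + part.budget_us, "completed": done,
                        "deferred": len(queue)})
            now += part.budget_us  # the slot ends at its budget whether or not work remains
        return log


def flood_scenario() -> List[List[dict]]:
    """Constructed scenario: a network partition receives 1000 service requests
    of 10 us each while a control partition runs a 400 us loop once per frame.
    Returns the schedule log of two consecutive frames."""
    net = Partition("net", 0x0000, 0x4000, budget_us=2000, devices=frozenset({"nic"}))
    ctl = Partition("control", 0x4000, 0x2000, budget_us=500, devices=frozenset({"servo"}))
    pmu = ToyPMU([net, ctl])
    pending = {"net": [10] * 1000, "control": [400]}
    frames = [pmu.run_frame(0, pending)]
    pending["control"].append(400)  # next iteration of the control loop
    frames.append(pmu.run_frame(1, pending))
    return frames


if __name__ == "__main__":
    for frame in flood_scenario():
        for slot in frame:
            print(slot)
```

In the scenario the network partition completes only 200 of its 1000 queued requests per frame and the rest stay queued, yet the control partition's slot begins at the same offset (2000 us into every 2500 us frame) in both frames; the flood is contained to the partition that received it. The memory and device checks model the spatial side of the same allocation: an access that starts before or runs past the partition's window, or a peripheral outside its device list, is reported as a fault.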
In yet another example, conventional computer systems can utilize power management software to transition from one power management mode to another. Generally, changes to the power management parameters may require a restart of the computer or may affect the stability of existing programs. Power management may involve dynamic voltage settings, frequency scaling, and/or power settings for peripheral devices.
In yet another example, conventional systems generally cannot allow configuration of cache data, peripheral settings, and field programmable gate array (FPGA) content to be dynamically changed. Power, performance and security can be adjusted by changes to the cache data settings, peripheral settings and FPGA content. Changing and/or preloading these devices may radically change the operation of the processing system, thereby compromising reliable transition from one provably stable state to another provably stable state.
Thus, there is a need to employ a PMU to solve certain problems associated with conventional computer environments. Further, there is a need to provide greater security, reliability and integrity by using a PMU in generalized computing environments. Yet further, there is a need for a computer system that provides a PMU to eliminate computing problems associated with network denial of service attacks, virus and spyware software, separation of deterministic and non-deterministic software, power management, and instability related to cache data, peripheral settings, and FPGA contents.