Several architectures using a real-time operating system as a hypervisor kernel, or a simple separation hypervisor are known. It is possible for a real-time operating system to provide sufficient functionality allow a para-virtualized general-purpose operating system to execute under the control of the real-time operating system. E.g. the PikeOS operating system from SYSGO implements this model. In a multi-core system that supports hardware virtualization, a simple separation kernel can allocate individual cores to real-time respectively to non-real-time operating systems. Such a hypervisor provides spatial isolation, similar to conventional hypervisors. Temporal isolation is attempted by running the components on individual cores. Although this means that contention for core-local resources, such as the core proper, the inner caches and translation look-aside buffer is eliminated, components still contend for resources shared among the cores, such as outer caches and the memory controller. Thus, it is difficult to obtain reliable worst-case execution times with such a software architecture.
ARM® TrustZone® technology is a system-wide approach to security that can be used to protect services and devices from scalable attacks. Its hardware based security is built-in by chip designers who want to provide secure end points and roots of trust. The family of TrustZone-technologies has been expanded and deepened so that it can be integrated into any ARM-based system.
ARM TrustZone works by partitioning the system wide address space into trusted and non-trusted regions, and by tagging address space (read and write) accesses with their trust status. Untrusted access to a trusted region is prevented by hardware. A TrustZone enabled ARM core is either in Trust state or Non-Trust state and its address space accesses are tagged with the core's present mode. An ARM system also includes an Interrupt Controller, which channels interrupt request signals emanating from system peripherals to the core. The Interrupt Controller can mask a arbitrary subset of the interrupt request lines, and prioritizes the unmasked and active interrupt request signals such that the highest priority interrupt request is presented to the core. A TrustZone system utilizes a TrustZone-aware Interrupt Controller: i.e., core registers are duplicated and the effective target register of an access depends on the trust status of the access.
The publication “Dual Operating System Architecture for Real-Time Embedded Systems”, Daniel Sangorrin, Shinya Honda and Hiroaki Takada, 6th International Workshop on Operating Systems Platforms for Embedded Real-Time Applications, Jul. 6, 2010, Brussels, Belgium, Workshop Proceedings, pages 6-15 www.researchgate.net/profile/Thomas_Nolte3/publication/254855921_Implementation_of_overrun_and_skipping_in_VxWorks/links/551cf6880cf2909047bcb454.pdf presents a software architecture to execute concurrently, on a single processor, a real-time operating system (RTOS) and a general-purpose operating system (GPOS). The proposed approach, based on common embedded security hardware (ARM TrustZone®), enables integrated scheduling of both operating systems to enhance the responsiveness of the GPOS soft real-time tasks and interrupts while preserving the determinism of the RTOS and without modifications to the GPOS core. Its low overhead and reliability makes it suitable for embedded applications such as car navigation systems, mobile phones or machine tools.
In the ARM processor, normally there are two interrupt signals: FIQ and IRQ. When a FIQ or IRQ is generated, execution is suspended and the program counter is loaded with the address of the corresponding interrupt vector. In TrustZone, there are independent interrupt vector tables for the Trust and Non-Trust state. If an interrupt occurs while executing in Trust state, the Trust state vector will be executed, and vice versa. An additional state, Secure Monitor Mode, is designed to facilitate transitions between Trust and Non-Trust state. Secure Monitor mode has its own vector table. It is possible to configure whether FIQ respectively IRQ are handled by the Trust/Non-Trust interrupt vector table, or by the Secure Monitor interrupt vector table. In ARM processors, FIQ and IRQ interrupts can be individually disabled (masked). Under TrustZone, the Trust state can prevent the Non-Trust state from disabling the FIQ interrupt, but it is not possible to prevent Non-Trust state from disabling IRQ). For this reason, it is recommended to use IRQs for the Non-Trust state, and FIQs for the Trust state. A TrustZone aware interrupt controller can steer each interrupt request input signal to either the FIQ or the IRQ interrupt request input to the ARM core.
The fast interrupt FIQ was traditionally used for especially low-latency processing. When taking an exception, the ARM processor switches to a mode that depends on the exception. FIQ mode contains a particularly large set of mode-specific registers, minimizing the amount of context switching that needs to be done. However, FIQ does not interact well with other exception modes. In particular, upon taking an exception, IRQ is automatically masked, but FIQ is not. This means it is very difficult to synchronize processing of FIQ exception with other processing. In consequence, FIQ mode tends to be unused by operating systems.
The fast interrupt FIQ was primarily designed within the ARM architecture for memory transfer operations as a substitute for a dedicated Direct Memory Access (DMA) device and has higher priority than all other exceptions of the processor. This fact is fatal for real-time operating systems, because a synchronization respectively mutual exclusion of interrupt services and other services of the operating system is hardly possible but this is, however, fundamental for avoiding race conditions and therefore for the correctness of the RTOS.
Therefore, there is a need for a method to isolate Real-time or Safety-critical Software and Operating System from Non-Critical Software and Operating System, providing a fast switch between the normal and secure worlds satisfying real time requirements and, in an ideal case, without any adjustments of the real-time operating system.