RFC - Time & space partitioning with RTEMS
Sven.BIEBAUT at be.thalesgroup.com
Sven.BIEBAUT at be.thalesgroup.com
Tue Apr 29 06:46:11 UTC 2008
Hello,
Although more and more the avionics world is going to IMA where several
airplane functions could be running on the same processor and thus need
serious separation, I feel that this is not where RTEMS could really shine.
There is most definitely a place for a highly configureable open source RTOS
that runs on a huge number of processors from very small to big, with and
without MMU, even when it does not do separation as per 653. A simpler,
optional memory protection scheme just using an MMU to protect for instance
against writing into a code section or stack overflows would be more
practical.
Personally, I believe that RTEMS could benefit from being able to run on
such a hypervisor, but that does not mean the hypervisor should be part of
RTEMS. IMHO, due to the very stringent DO178B requirements, i feel that the
hypervisor should be external, and RTEMS adapted to run on it, much like
what is done for XEN where you adapt the guest OSes to run on XEN when the
HW does not support virtualisation.
my 2cents to fuel the discussion,
Sven Biebaut
> -----Original Message-----
> From: rtems-users-bounces at rtems.org
> [mailto:rtems-users-bounces at rtems.org] On Behalf Of Metge Jean-Jacques
> Sent: 28 April, 2008 17:15
> To: rtems-users at rtems.com
> Subject: RFC - Time & space partitioning with RTEMS
>
> Dear all,
>
> I would like to re-open a july 2007 discussion about time and
> space partitionnig with RTEMS (see below).
> Based on my past experience of ARINC653 development in
> aeronautics domain, I really think, as Joel wrote in july
> 2007, that space community (at least), which is an important
> user community of RTEMS products, could get a big added-value
> from splitting RTEMS in 2 separate layers :
> - 1 low level and very light layer (let's call it "RTEMS
> level 1"), usually called "hypervisor", running in supervisor
> mode, aiming at creating robust partitions in the sense of
> ARINC653 standard (ie dedicated memory zones, dedicated I/O
> zones and appropriate time slices, with appropriate
> protections and monitoring). This supervisor should rely on a
> hardware MMU, meaning that appropriate hardware function
> should be specifically developed for the LEON processor
> - 1 medium level layer (let's call it "RTEMS level 2"),
> sometimes called "partition OS", running in user mode, to be
> hosted, if requested by one or several users, in one or
> several of the created partitions.(*)
>
> (*) The upper layer being the software applications themselves.
> Note that a the decision to use or not RTEMS layer 2 as
> partition OS is totally let to any user, which may prefer to
> develop its own basic software or to adapt its own usual OS
> on top of RTEMS level 1.
>
> In order to concretly progress on this ambitious topic (I
> think), my current idea would be to :
> - first, develop a new "2-layers RTEMS" prototype (to be ran
> on ground, on an existing LEON board prototype), to be
> derived from an existing RTEMS version for LEON, in order to
> validate the concept
> - in a second step, develop, on the basis on this prototype,
> a new RTEMS open source version, compatible with LEON
> processor, and compatible with software development standards
> applicable to space on board software.
>
> Does anybody feels some interest with this exercise ?
> Does anybody already works on this idea and could be ready to
> provide some helps and/or to exchange some technical views ?
>
> Thank you by adavance for your attention.
>
> Regards
>
> Jean-Jacques
>
> ==============================================================
> ==========
> ========
>
>
>
> RFC - Memory Partitioning
>
> * Date: Tue, 24 Jul 2007 10:19:08 -0500
> * From: joel.sherrill at oarcorp.com (Joel Sherrill)
> * Subject: RFC - Memory Partitioning
>
> Robert S. Grimes wrote:
> > I've been thinking about this for a while too. I haven't
> anything too
> > concrete to suggest at this time, but I don't want to see your post
> die
> > on the vine. I do have some observations about the nature of the
> > proposed beast...
> >
> > One thought is that this move could result in the POSIX API
> becoming
> > more in line with other implementations, if each
> "partition" could act
> > as a "process" in the proposed RTEMS. This would allow
> developers the
> > usual choices of multi-process, multi-threaded (I like to think of
> RTEMS
> > "tasks", in traditional API-speak, as "threads"), or combinations.
> >
> >
> I think you proposed using a hypervisor to put each RTEMS
> "process" inside its own container. Then you could get ARINC
> separation. Without reading the standard, could we implement
> an ARINC 653 manager that each RTEMS application runs inside of?
> > Another thought is that truly hard-real-time activities
> could run in a
> > suitably "high priority" partition, using such things as the rate
> > monotonic scheduler, and softer code then could run in other
> partitions.
> >
> > I certainly would not want to eliminate the current model of RTEMS,
> > especially wrt low overhead, high performance on "smaller" systems,
> > especially those without MMU. A rather simple-minded idea
> could be to
> > think of such systems as "single partition" systems, which
> might lead
> to
> > a useful guiding principle: In the proposed new RTEMS, a single
> > partition looks, acts, feels, sounds, smells, etc. like a
> traditional
> > RTEMS system.
> >
> I think this is the way to go. Writing trap interfaces for
> god knows how many services, dealing with the known memory
> issues (e.g. copying buffers, mapping memory, etc.), and who
> knows what else will be a significant undertaking.
>
> Approaching the problem by writing an ARINC 653 hypervisor
> will be more definable and give more value in the end to the
> RTEMS Experience. :)
>
> I think this approach would have extremely high value for the
> community and I would like to see it as a project.
> If there is interest, users from the space and aviation
> communities should be able to help sponsor this.
>
> > Just my $0.02, adjusted for inflation...
> >
> My opinion's value is about the same. :)
> > -Bob
> >
> > Charles Steaderman wrote:
> >
> >> RFC
> >>
> >> Memory Partitioning Support in RTEMS
> >>
> >> Goals:
> >> Provide task level code and memory partitioning for RTEMS.
> The short
> >> term goal would be for a project that contains functionality to be
> FAA
> >> certified at different certification levels (background data
> >> collection and storage certified to FAA Level C, and user
> interface
> >> non-certified).
> >>
> >> Proposed Strategy:
> >> Based upon some research into commercial partitioned embedded OSes
> >> (Integrity, Nucleus Secure, etc), I would like to suggest the
> >> following strategy for enhancing RTEMS. First, to provide
> separation
> >> from the kernel, I would propose that all RTEMS kernel calls be
> >> accessed via a TRAP or SWI. In this way, the kernel code can be
> mapped
> >> into a non-accessable memory area in order to provide
> protection from
> >> userland tasks. Second, I would propose that task creation and
> context
> >> switching become memory region aware. Task creation would
> need to be
> >> supplied memory regions and access permissions and those
> permissions
> >> would need to be updated on a context switch (MMU registers). In
> >> addition, each task could have its own private memory heap for
> dynamic
> >> memory allocation. This would mean that memory allocation
> would need
> >> to be told whether the allocation should come from the local or
> global
> >> heap.
> >>
> >> I am sure that there is a large number of issues that I have
> >> overlooked, but I would like to get people thinking about
> partitioning
> >> in RTEMS. In much the same way that desktop operating systems have
> >> benefitted from process protectsion (Win9x vs. WinNT or OS
> 9 vs. OS
> >> X), I think that given the present and future state of embedded
> >> hardware, embedded systems could benefit from the same robustness.
> One
> >> advantage that I believe the proposed solution has is that
> the code
> >> resides in a single address space, rather than virtual
> memory spaces.
> >> Perhaps this will cause problems with library calls and
> shared code,
> >> but perhaps there is a novel solution that we could employ.
> >>
> >> Thank you for your time and consideration.
> >>
> >> - Charlie
> >>
> >> _______________________________________________
> >> rtems-users mailing list
> >> rtems-users at rtems.com
> >> http://rtems.rtems.org/mailman/listinfo/rtems-users
> >>
> >>
> > _______________________________________________
> > rtems-users mailing list
> > rtems-users at rtems.com
> > http://rtems.rtems.org/mailman/listinfo/rtems-users
> >
>
>
>
> * References:
> * RFC - Memory Partitioning <msg00084.html>
> * From: charlies at poliac.com (Charles Steaderman)
> * RFC - Memory Partitioning <msg00086.html>
> * From: rsg at alum.mit.edu (Robert S. Grimes)
> * Prev by Date: RFC - Memory Partitioning <msg00086.html>
> * Next by Date: GameBoy Advance BSP <msg00088.html>
> * Previous by thread: RFC - Memory Partitioning <msg00086.html>
> * Next by thread: RTEMS and I2C APIs <msg00111.html>
> * Index(es):
> * Date <date1.html>
> Thread
>
> _______________________________________________
> rtems-users mailing list
> rtems-users at rtems.com
> http://rtems.rtems.org/mailman/listinfo/rtems-users
>
More information about the users
mailing list