Towards a lightweight embedded virtualization architecture exploiting ARM TrustZone

Pinto, Sandro; Oliveira, Daniel; Pereira, Jorge; Cardoso, N.; Ekpanyapong, Mongkol; Cabral, Jorge; Tavares, Adriano

doi:10.1109/etfa.2014.7005255

Cited by 20 publications

(10 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…TrustZone-based methodologies. ARM TrustZone was firstly introduced into ARM application processor (Cortex-A) in 2004; recently, ARM released TrustZone-M for the new generation of ARM MCUs (Cortex-M) [59]. This technology is centred around the concept of two hardware-enforced protection domains (secure world and non-secure world).…”

Section: B Prototypes For Mcs I/o Systemsmentioning

confidence: 99%

MCS-IOV: Real-Time I/O Virtualization for Mixed-Criticality Systems

Jiang

Audsley

Dong

et al. 2019

2019 IEEE Real-Time Systems Symposium (RTSS)

View full text Add to dashboard Cite

In mixed-criticality systems, timely handling of I/O is a key for the system being successfully implemented and functioning appropriately. The criticality levels of functions and sometimes the whole system are often dependent on the state of the I/O. An I/O system for a MCS must provide simultaneously isolation/separation, performance/efficiency and timingpredictability, as well as being able to manage I/O resource in an adaptive manner to facilitate efficient yet safe resource sharing among components of different criticality levels. Existing approaches cannot achieve all of these requirements simultaneously. This paper presents a MCS I/O management framework, termed MCS-IOV. MCS-IOV is based on hardware assisted virtualisation, which provides temporal and spatial isolation and prohibits fault propagation with small extra overhead in performance. MCS-IOV extends a real-time I/O virtualisation system, by supporting the concept of mixed criticalities and customised interfaces for schedulers, which offers good timing-preditability. MCS-IOV supports I/O driven criticality mode switch (the mode switch can be triggered by detection of unexpected I/O behaviors, e.g., a higher I/O utilization than expected) and timely I/O resource reconfiguration up on that. Finally, We evaluated and demonstrate MCS-IOV in different aspects.

show abstract

Section: B Prototypes For Mcs I/o Systemsmentioning

confidence: 99%

MCS-IOV: Real-Time I/O Virtualization for Mixed-Criticality Systems

Jiang

Audsley

Dong

et al. 2019

2019 IEEE Real-Time Systems Symposium (RTSS)

View full text Add to dashboard Cite

show abstract

“…A trusted computing base/secure execution environment is considered to be a major security requirement of a virtualized IoT infrastructure [20,[24][25][26]. Virtual machine isolation at different hardware levels (e.g., processor, memory, and networking) is essential for achieving a trusted computing base [27].…”

Section: Virtualization On Embedded Devicesmentioning

confidence: 99%

“…In an embedded hypervisor architecture as shown in Figure 2, the VCPU is directly assigned to a specific CPU and a secure execution environment is achieved by securely partitioning the memory [17,26].…”

Section: Physical Machinementioning

confidence: 99%

Secure and Dynamic Memory Management Architecture for Virtualization Technologies in IoT Devices

Jithin

Chandran

2018

Future Internet

View full text Add to dashboard Cite

The introduction of the internet in embedded devices led to a new era of technology-the Internet of Things (IoT) era. The IoT technology-enabled device market is growing faster by the day, due to its complete acceptance in diverse areas such as domicile systems, the automobile industry, and beyond. The introduction of internet connectivity in objects that are frequently used in daily life raises the question of security-how secure is the information and the infrastructure handled by these devices when they are connected to the internet? Security enhancements through standard cryptographic techniques are not suitable due to the power and performance constraints of IoT devices. The introduction of virtualization technology into IoT devices is a recent development, meant for fulfilling security and performance needs. However, virtualization augments the vulnerability present in IoT devices, due to the addition of one more software layer-namely, the hypervisor, which enables the sharing of resources among different users. This article proposes the adaptation of ASMI (Architectural Support for Memory Isolation-a general architecture available in the literature for the improvement of the performance and security of virtualization technology) on the popular MIPS (Microprocessor without Interlocked Pipeline Stages) embedded virtualization platform, which could be adopted in embedded virtualization architectures for IoT devices. The article illustrates the performance enhancement achieved by the proposed architecture with the existing architectures.

show abstract

“…To implement temporal and spatial isolation, hypervisors do not always require the availability of all virtualisation extensions. Pinto et al [16] show an interesting approach by exploiting the ARM TrustZone technology to run a realtime operating system in parallel to Linux on a single CPU. Their approach maintains real-time capabilities by using fast interrupts (FIQs) only for real-time critical devices.…”

Section: Related Workmentioning

confidence: 99%

Look Mum, no VM Exits! (Almost)

Ramsauer,

Kiszka,

Lohmann

et al. 2017

Preprint

View full text Add to dashboard Cite

Multi-core CPUs are a standard component in many modern embedded systems. Their virtualisation extensions enable the isolation of services, and gain popularity to implement mixedcriticality or otherwise split systems. We present Jailhouse, a Linux-based, OS-agnostic partitioning hypervisor that uses novel architectural approaches to combine Linux, a powerful generalpurpose system, with strictly isolated special-purpose components. Our design goals favour simplicity over features, establish a minimal code base, and minimise hypervisor activity.Direct assignment of hardware to guests, together with a deferred initialisation scheme, offloads any complex hardware handling and bootstrapping issues from the hypervisor to the general purpose OS. The hypervisor establishes isolated domains that directly access physical resources without the need for emulation or paravirtualisation. This retains, with negligible system overhead, Linux's feature-richness in uncritical parts, while frugal safety and real-time critical workloads execute in isolated, safe domains.

show abstract

Towards a lightweight embedded virtualization architecture exploiting ARM TrustZone

Cited by 20 publications

References 7 publications

MCS-IOV: Real-Time I/O Virtualization for Mixed-Criticality Systems

MCS-IOV: Real-Time I/O Virtualization for Mixed-Criticality Systems

Secure and Dynamic Memory Management Architecture for Virtualization Technologies in IoT Devices

Look Mum, no VM Exits! (Almost)

Contact Info

Product

Resources

About