ACRN Hypervisor

Today’s connected devices are increasingly expected to support a range of hardware resources, operating systems, and software tools/applications. Virtualization is key to meeting these broad needs; however, existing solutions don’t offer the right size and flexibility for IoT. Data center hypervisor code is too big, doesn’t offer safety-critical capabilities, and carries too much overhead for embedded development. Proprietary solutions are expensive and make it difficult to deliver long-term product support. In this presentation, Yu Wang introduces a flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development through an open source platform. Its name is ACRN, and it is a Linux Foundation project.

1. ACRN™: A Big Little Hypervisor for IoT Development
Yu Wang, Intel Open Source Technology Center
Key contributors: Anthony Xu, Jason Chen, Eddie Dong, Bing Zhu, Jack Ren, Hao Li, Kevin Tian

2. Table of Contents
PART 1: ACRN Overview
PART 2: Security in ACRN
PART 3: Rich I/O Mediation
PART 4: Call for Participation

3. What is ACRN?
ACRN™ is a Big Little Hypervisor for IoT Development: a flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development through an open source platform.

4. ACRN Features
Small Footprint
• Optimized for resource-constrained devices
• Enables faster boot time
Real Time
• Low latency
Built for Embedded IoT
• Rich set of I/O mediators to share devices across multiple VMs
Adaptability
• Multi-OS support for guest systems like Linux and Android
Open Source
• Permissive BSD licensing
Safety Criticality
• Project is built with safety-critical workload considerations in mind

5. Virtualization Use Cases for IoT
• In-Vehicle Infotainment
• Robotics
• Precision instruments
• Industrial

6. Architecture Overview
[Architecture diagram; recoverable labels:]
• Service VM: VM Manager, ACRN Device Model (mediators; PIT, PCI, ACPI, ...), native device drivers
• Linux Guest VM: virtio FE drivers, Virtual Firmware
• Android Guest VM: Normal World and Secure World, Keystore, virtio FE drivers, Virtual Firmware
• All VMs run in VMX non-root operation; the ACRN Hypervisor runs in VMX root operation and is entered through hypercalls
• ACRN Hypervisor: vPIC/vLAPIC/vIOAPIC/vMSI, VT-d, EPT, VM API, Trusty API
• Below the hypervisor: Firmware (UEFI, SlimBoot etc.), CSE, SoC Platform (Apollo Lake etc.)

7. ACRN as a Device Hypervisor
• Small footprint (lines of code): KVM 17M, Xen 290K, ACRN 25K
• BSD license
• OSVs/OEMs can cherry-pick pieces of code into their own hypervisor
• Verified boot
• Rich I/O mediators:
  Device     Mediation
  GPU        Mediated
  IPU        Virtio
  CSE        Virtio
  USB        Emulated
  Audio      Virtio
  Ethernet   Virtio
  Block      Virtio
  IOC        Emulated
  Touch      Virtio
  (Passthrough is also listed as a mediation mode.)

8. Verified Boot Sequence with SBL
• CSE verifies SBL
• SBL verifies ACRN & SOS kernel
• SOS kernel verifies DM & vSBL through dm-verity
• vSBL starts the guest-side verification process (reusing the Android verified boot mechanism)
• NOTE: each user VM has a DM APP instance in SOS
[Diagram labels: CSE → SBL → ACRN, SOS kernel and Device Model (stitched as one image) → vSBL (initialization, Android OS loader) → Android VM 1 and Android VM 2 (Trusty OS, Android OS)]

9. Verified Boot Sequence with UEFI
[Diagram chain: UEFI → ACRN.EFI → OS Bootloader → SOS Kernel → Device Model → vSBL → ...]
• UEFI verifies ACRN & OS Bootloader & SOS Kernel
• SOS kernel verifies DM and vSBL through dm-verity
• vSBL starts the guest-side verified boot process
• NOTE: ACRN keeps EFI runtime services and boot-time services available (without interrupt)
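The dm-verity step that both boot sequences rely on (the SOS kernel verifying the Device Model and vSBL images on every read) is easier to see in code. The following is an added example, not ACRN or Linux kernel code: a simplified model of a dm-verity-style hash tree. The 4 KiB block size, the absence of a salt and on-disk superblock, and the 300-block sample image are assumptions made for the example.

```python
"""Simplified dm-verity-style block hash tree (added example, not ACRN/Linux code).

Data blocks are hashed; leaf hashes are packed into zero-padded hash blocks,
which are hashed in turn, up to a single root hash. Only the root must come from
a trusted source (the already-verified boot stage); the data and the hash tree
can sit on untrusted storage, because any change breaks the chain up to the root.
Salt and superblock handling of the real format are omitted (assumption).
"""
import hashlib

BLOCK_SIZE = 4096                            # assumed data/hash block size
HASH_LEN = 32                                # SHA-256 digest size
HASHES_PER_BLOCK = BLOCK_SIZE // HASH_LEN    # 128 child hashes per hash block


def hash_block(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pack_hashes(hashes) -> bytes:
    """Concatenate child hashes into one zero-padded hash block."""
    return b"".join(hashes).ljust(BLOCK_SIZE, b"\0")


def build_tree(data_blocks):
    """Return hash levels: levels[0] are leaf hashes, levels[-1] is [root]."""
    level = [hash_block(b) for b in data_blocks]
    levels = [level]
    while len(level) > 1 or len(levels) == 1:   # always build at least one parent level
        level = [hash_block(pack_hashes(level[i:i + HASHES_PER_BLOCK]))
                 for i in range(0, len(level), HASHES_PER_BLOCK)]
        levels.append(level)
    return levels


class VerityDevice:
    """Read-only block device whose reads are checked against a trusted root hash."""

    def __init__(self, data_blocks, hash_levels, root_hash: bytes):
        self.data = data_blocks        # untrusted: the image on storage
        self.levels = hash_levels      # untrusted: hash tree stored beside the image
        self.root = root_hash          # trusted: delivered by the verified boot chain

    def read(self, index: int) -> bytes:
        """Return data block `index`, raising IOError if any hash on its path mismatches."""
        if self.levels[-1][0] != self.root:
            raise IOError("root hash mismatch: hash tree was replaced")
        block = self.data[index]
        if hash_block(block) != self.levels[0][index]:
            raise IOError(f"block {index}: data hash mismatch")
        # Walk upwards: every hash block on the path must match its parent's entry.
        idx = index
        for lvl in range(len(self.levels) - 1):
            parent_idx = idx // HASHES_PER_BLOCK
            start = parent_idx * HASHES_PER_BLOCK
            packed = pack_hashes(self.levels[lvl][start:start + HASHES_PER_BLOCK])
            if hash_block(packed) != self.levels[lvl + 1][parent_idx]:
                raise IOError(f"block {index}: hash block mismatch at level {lvl}")
            idx = parent_idx
        return block


def demo():
    """Constructed 300-block image; returns (clean read ok, tampered read rejected)."""
    data = [bytes([i % 256]) * BLOCK_SIZE for i in range(300)]
    levels = build_tree(data)
    root = levels[-1][0]
    clean_ok = VerityDevice(data, levels, root).read(257) == data[257]

    # Attacker modifies block 257 and even rewrites its leaf hash to match;
    # the parent hash block no longer matches, so the read is refused.
    tampered = list(data)
    tampered[257] = b"\xff" + data[257][1:]
    bad_levels = [list(lvl) for lvl in levels]
    bad_levels[0][257] = hash_block(tampered[257])
    try:
        VerityDevice(tampered, bad_levels, root).read(257)
        rejected = False
    except IOError:
        rejected = True
    return clean_ok, rejected


if __name__ == "__main__":
    print(demo())
```

The point for the boot chain is the asymmetry: the hash tree can be as untrusted as the image it protects, so only the root hash has to be carried by the previous, already-verified stage (kernel command line or a signed descriptor), and every read of the Device Model or vSBL image is checked, not just the first one.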

10. Trusty OS Virtualization
• Trusty OS is a Google-released OS for the Android secure world, designed to execute in ARM TrustZone mode.
• The ACRN hypervisor provides a vCPU with different contexts for the normal world and the secure world. The Android OS and Trusty OS can trigger the world switch through a hypercall.
• The ACRN hypervisor also maintains two EPT tables for the different worlds. The secure world memory is invisible to the normal world, but not vice versa.
[Diagram labels: Service OS; User OS split into Android World (Android apps, trusted apps, Trusty driver in the kernel) and Trusty World (trusty apps, Trusty OS kernel); hypercall → vCPU switch in the ACRN Hypervisor; Normal world context / Secure world context; Normal world EPT / Secure world EPT; Android VM memory = Normal world memory + Secure world memory]
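The two properties on this slide, a per-world register context swapped by a hypercall and two EPTs with one-way visibility, can be modelled directly. The following is an added example, not ACRN code: a small model of a two-world vCPU. The guest-physical/host-physical addresses, page counts and register values are constructed for the example.

```python
"""Model of a two-world vCPU for Trusty (added example, not ACRN code).

One vCPU, one saved register context per world, two EPTs. The secure-world EPT
maps both the secure and the normal memory; the normal-world EPT has no entry
for secure memory, so a normal-world access to it is an EPT violation rather
than a data leak. Layout constants below are assumptions for the example.
"""
PAGE = 0x1000

# Constructed Android VM layout (guest-physical -> host-physical, page counts)
NORMAL_GPA, NORMAL_HPA, NORMAL_PAGES = 0x0000_0000, 0x1_0000_0000, 4
SECURE_GPA, SECURE_HPA, SECURE_PAGES = 0x1000_0000, 0x1_8000_0000, 2


class EPTViolation(Exception):
    pass


class EPT:
    def __init__(self, name: str):
        self.name = name
        self.pages = {}                       # gpa page -> hpa page

    def add_range(self, gpa: int, hpa: int, npages: int) -> None:
        for i in range(npages):
            self.pages[gpa + i * PAGE] = hpa + i * PAGE

    def translate(self, gpa: int) -> int:
        page = gpa & ~(PAGE - 1)
        if page not in self.pages:
            raise EPTViolation(f"{self.name} EPT: no mapping for GPA {gpa:#x}")
        return self.pages[page] | (gpa & (PAGE - 1))


class WorldVCPU:
    def __init__(self, normal_ept: EPT, secure_ept: EPT):
        # One saved context per world: registers plus the EPT the world runs under.
        self.ctx = {
            "normal": {"rip": 0x1000, "rsp": 0x7000, "ept": normal_ept},
            "secure": {"rip": 0x2000, "rsp": 0x9000, "ept": secure_ept},
        }
        self.world = "normal"
        self.regs = {"rip": 0x1000, "rsp": 0x7000}

    def load(self, gpa: int) -> int:
        """Guest memory access, translated through the EPT of the current world."""
        return self.ctx[self.world]["ept"].translate(gpa)

    def hypercall_world_switch(self) -> str:
        """Save this world's registers, restore the other world's, and swap the EPT."""
        self.ctx[self.world].update(self.regs)
        self.world = "secure" if self.world == "normal" else "normal"
        self.regs = {k: self.ctx[self.world][k] for k in ("rip", "rsp")}
        return self.world


def build_android_vm() -> WorldVCPU:
    normal, secure = EPT("normal"), EPT("secure")
    normal.add_range(NORMAL_GPA, NORMAL_HPA, NORMAL_PAGES)
    secure.add_range(NORMAL_GPA, NORMAL_HPA, NORMAL_PAGES)   # secure world sees normal memory
    secure.add_range(SECURE_GPA, SECURE_HPA, SECURE_PAGES)   # ...and its own; never added to normal EPT
    return WorldVCPU(normal, secure)


def demo():
    """Returns (normal access to secure memory blocked, secure sees both, normal context restored)."""
    vcpu = build_android_vm()
    try:
        vcpu.load(SECURE_GPA)
        normal_blocked = False
    except EPTViolation:
        normal_blocked = True
    vcpu.regs["rip"] = 0x1234                 # normal world runs a bit, then calls into Trusty
    vcpu.hypercall_world_switch()
    secure_sees_both = (vcpu.load(SECURE_GPA + 0x10) == SECURE_HPA + 0x10
                        and vcpu.load(NORMAL_GPA + 0x2000) == NORMAL_HPA + 0x2000)
    vcpu.hypercall_world_switch()
    normal_restored = vcpu.world == "normal" and vcpu.regs["rip"] == 0x1234
    return normal_blocked, secure_sees_both, normal_restored


if __name__ == "__main__":
    print(demo())
```

The one-way visibility comes entirely from what the normal-world EPT does not contain; no check in the guest is involved, which is why the hypervisor, not the Android kernel, has to be the component that owns both tables.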

11. Host Embedded Controller Interface (HECI)
• The HECI emulator implements a virtio PCIe device to support multiple User OSes.
• The HECI BE communicates with the HECI FE driver to send & receive HECI messages.
• The HECI client-layer protocol reads/writes the SOS MEI cdev directly, and HECI bus messages are emulated in the BE.
[Diagram labels: Service OS: ACRN Device Model with HECI virtio BE service → MEI cdev → mei_cl_driver / MEI subsystem → PCI-MEI → CSE hardware (APL hardware). User OS: HECI applications → MEI cdev → mei_cl_driver / MEI subsystem → HECI virtio FE driver.]
*MEI: Intel Management Engine Interface Linux driver; mei_cl_driver: MEI client driver

12. SEED Virtualization
• HV gets pSEED from SBL, which retrieves it from CSE through HECI
• The hypervisor implements a key derivation function (HKDF-256) to generate child seeds (vSEED) per request
• The derived vSEED is presented to the guest VM. Each guest cannot see/derive the other guest's vSEED
[Diagram labels: CSE hardware & firmware → pSEED (one-time read after boot) → UEFI/SBL → ACRN Hypervisor, with "Get and Erase" at each hand-off; Derive-0 … Derive-3; vSEED0 to SOS via SBL, vSEED1 to the User OS via vSBL; User OS shown with Android World and Trusty World.]
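The derivation described above, as an added example that is not ACRN code: HKDF-SHA256 with a per-guest info string, a seed source that can be read only once, and erasure of the parent seed after the children are derived. The info-string layout, the VM identifiers and the 32-byte sample pSEED are assumptions for the example.

```python
"""Per-guest seed derivation with HKDF-SHA256 (added example, not ACRN code).

pSEED is read once, each guest gets a vSEED derived with a guest-specific info
string, and the parent is erased. HKDF is one-way, so a guest holding its own
vSEED can neither recover pSEED nor compute a sibling's vSEED. The info-string
layout and the VM ids are assumptions for the example.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt or b"\0" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 cannot output more than 8160 bytes")
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


class SeedSource:
    """Stands in for the firmware/CSE hand-off: the seed can be read exactly once."""

    def __init__(self, pseed: bytes):
        self._buf = bytearray(pseed)

    def get_and_erase(self) -> bytes:
        if not self._buf:
            raise RuntimeError("pSEED already consumed")
        seed = bytes(self._buf)
        for i in range(len(self._buf)):           # zero the storage, then drop it
            self._buf[i] = 0
        self._buf = bytearray()
        return seed


def vseed_info(vm_id: int) -> bytes:
    """Assumed info-string layout: a fixed label plus the VM id."""
    return b"ACRN-vSEED" + vm_id.to_bytes(4, "little")


def derive_vseeds(source: SeedSource, vm_ids, seed_len: int = 32) -> dict:
    """Read pSEED once, derive one vSEED per VM, keep nothing else."""
    pseed = bytearray(source.get_and_erase())
    try:
        return {vm: hkdf(bytes(pseed), b"", vseed_info(vm), seed_len) for vm in vm_ids}
    finally:
        for i in range(len(pseed)):               # hypervisor erases its copy of pSEED
            pseed[i] = 0


def demo():
    """Constructed 32-byte pSEED; returns (distinct, stable across boots, no cross-derivation, second read blocked)."""
    pseed = bytes(range(32))
    vseeds = derive_vseeds(SeedSource(pseed), vm_ids=[0, 1])
    distinct = vseeds[0] != vseeds[1]
    stable = derive_vseeds(SeedSource(pseed), [0, 1]) == vseeds
    # A guest that runs the same derivation on its own vSEED does not obtain its sibling's.
    cross = hkdf(vseeds[0], b"", vseed_info(1), 32) != vseeds[1]
    src = SeedSource(pseed)
    src.get_and_erase()
    try:
        src.get_and_erase()
        second_read_blocked = False
    except RuntimeError:
        second_read_blocked = True
    return distinct, stable, cross, second_read_blocked


if __name__ == "__main__":
    print(demo())
```

Because the derivation is deterministic, a guest receives the same vSEED on every boot as long as pSEED and its VM identity are unchanged, which is what lets it keep encrypted state across reboots without the hypervisor storing anything per guest.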

13. Automotive IO Controller Virtualization
• The IOC (IO controller) is a bridge for the SoC to communicate with the vehicle bus. It routes vehicle bus signals (for example, extracted from CAN messages) from the IOC to the SoC and back, and controls the onboard peripherals from the SoC.
• SOS owns the IOC, but UOS may access part of its features
• Whitelisted CMDs from UOS may be forwarded / emulated
• Supports the Intel IOC controller only; OEMs may extend
[Diagram labels: User OS: IOC application → IOC driver (CBC driver) → virtual UART. Service OS: ACRN Device Model with IOC BE service (filters so that only whitelisted CMDs are emulated), UART IOC emulation, IOC driver (CBC driver) → physical UART → IOC hardware (MCU) → CAN bus.]

14. USB Virtualization
• The xHCI emulator provides multiple instances of a virtual xHCI controller to share among multiple User OSes; each USB port can be dedicatedly assigned to a VM.
• The xDCI controller can be passed through to a specific User OS with IOMMU assistance.
• The DRD device model emulates the APL PHY MUX control logic. The frontend reuses the native Intel USB role driver directly, which provides a sysfs interface to user space of the User OS to switch the DCI/HCI role in CarPlay SW.
[Diagram labels: Service OS: ACRN Device Model with xHCI emulator, DRD device model and SW role switch daemon; xHCI driver, xDCI driver, Intel USB role driver, usbfs, PHY MUX control. User OS: CarPlay app, gadget host daemon, Intel USB role driver (sysfs I/F), xHCI driver. APL hardware: xHCI controller, xDCI controller, IOMMU, PHY MUX, USB2 PHY, USB3 PHY.]

15. Other Mature I/O Mediators
• Standard virtio devices
  – virtio storage
  – virtio network
  – virtio console
  – virtio input
• GPU virtualization
  – based on Intel Open Source GVT-g technology

16. ACRN Roadmap - Proposal
Milestones: v0.2@Q2'18, v0.5@Q3'18, v0.8@Q4'18, v1.0@Q1'19, v1.x@2019
[Roadmap table with one column per milestone; the per-milestone assignment of the entries is not recoverable from the transcript, so they are listed by area.]
HW: APL NUC (UEFI), KBL NUC (UEFI), APL UP2 (UEFI) at every milestone; APL Minnowboard3 (SBL); ARM
Hypervisor: VT-x, VT-d, CPU static partitioning, memory partitioning, Virtio (v0.95), VHM, EFI boot, SBL boot*, Virtio (v1.0), Power Management (Px/Cx), VM management, ACRN debugging tool, vSBL, Trusty (Security), 32bit guest, Guest Real mode, Android as guest, SGX (Security), CPU sharing, vHost, Basic Realtime, Windows as guest, MISRA C compliance, Advanced Realtime, vxWorks as guest, Power Management (S3/S5), Functional Safety compliance, AliOS as guest, ClearLinux as guest, Zephyr as guest, Logical partitioning without Service OS, ARM
I/O: Storage, GPU Sharing, Touch sharing, IPU Sharing, HECI sharing (Security), Ethernet, GPU Prioritized Rendering, IOC sharing, USB DRD virtualization, CSME/DAL sharing (Security), USB host controller (PT), Audio sharing, CarPlay, GPU Surface Sharing, TPM Sharing (Security), USB device controller (PT), USB host I/O virtualization, IPU (PT), eAVB/TSN Sharing, SR-IOV, Audio (PT), WiFi (PT), Touch (PT)

17. Call For Action
• Watch, …
• … try, … hypervisor/blob/master/doc/getting_started/index.rst
• … and participate!


19. Reference
• ELC2018 ACRN introduction – Eddie Dong
• Android tamper-resistant anti-replay secure storage solution and its virtualization – Bing Zhu

20. Backup
• Storage virtualization
• Network virtualization
• GPU virtualization
• Audio virtualization

21. Storage Virtualization
Map/filter a guest disk access to a host storage area (disk, partition, file, or a portion of them)
• Map a host storage area (SAR), i.e., disk / partition / file, as a guest disk
• Map a portion of a host SAR (start_LBA, size) as a guest disk
[Diagram labels: User OS: storage FE virtio driver → guest virtual disk. Service OS: ACRN Device Model storage BE service → native storage driver → physical disk holding a VM1 partition and a VM2 partition.]
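The second bullet, a guest disk backed by a portion (start_LBA, size) of a host storage area, is where isolation between guest disks is decided. The following is an added example, not ACRN Device Model code: a storage backend that translates guest LBAs into the host range assigned to that guest and refuses anything outside it, with two guest disks carved from one host disk. The 512-byte sector size and the partition layout are assumptions for the example.

```python
"""Guest disk to host storage area mapping (added example, not ACRN code).

A guest disk is backed by a portion (start_lba, size) of a host storage area.
Every guest request is translated into the host range assigned to that guest
and refused otherwise; without this check, VM1 could read or overwrite VM2's
partition. Sector size and layout are assumptions for the example.
"""
SECTOR = 512


class HostStorageArea:
    """The SAR on the slide: a disk, partition or file addressed by host LBA."""

    def __init__(self, sectors: int):
        self.buf = bytearray(sectors * SECTOR)
        self.sectors = sectors

    def read(self, lba: int, count: int) -> bytes:
        return bytes(self.buf[lba * SECTOR:(lba + count) * SECTOR])

    def write(self, lba: int, count: int, data: bytes) -> None:
        self.buf[lba * SECTOR:(lba + count) * SECTOR] = data


class GuestDisk:
    """Backend for one guest: guest LBA 0..size-1 maps onto host [start, start+size)."""

    def __init__(self, sar: HostStorageArea, start_lba: int, size: int):
        if start_lba < 0 or size <= 0 or start_lba + size > sar.sectors:
            raise ValueError("portion does not fit inside the host storage area")
        self.sar, self.start, self.size = sar, start_lba, size

    def translate(self, lba: int, count: int) -> int:
        """Return the host LBA for a guest request, or raise if it leaves the portion.

        Both bounds are checked without forming lba + count first; in C the
        same comparison shape avoids an integer overflow in the sum.
        """
        if lba < 0 or count <= 0 or lba >= self.size or count > self.size - lba:
            raise ValueError(f"guest request lba={lba} count={count} outside 0..{self.size - 1}")
        return self.start + lba

    def read(self, lba: int, count: int) -> bytes:
        return self.sar.read(self.translate(lba, count), count)

    def write(self, lba: int, count: int, data: bytes) -> None:
        if len(data) != count * SECTOR:
            raise ValueError("payload length does not match sector count")
        self.sar.write(self.translate(lba, count), count, data)


def demo():
    """Constructed layout: 2048-sector host disk, VM1 gets [0,1024), VM2 gets [1024,2048)."""
    disk = HostStorageArea(2048)
    vm1 = GuestDisk(disk, start_lba=0, size=1024)
    vm2 = GuestDisk(disk, start_lba=1024, size=1024)

    vm2.write(0, 1, b"\xaa" * SECTOR)                # VM2's sector 0 ...
    host_lba_ok = vm2.translate(0, 1) == 1024        # ... lands at host LBA 1024

    try:                                             # VM1 reads past its end into VM2's range
        vm1.read(1023, 2)
        overrun_blocked = False
    except ValueError:
        overrun_blocked = True
    try:                                             # negative guest LBA
        vm1.read(-1, 1)
        negative_blocked = False
    except ValueError:
        negative_blocked = True
    vm2_intact = vm2.read(0, 1) == b"\xaa" * SECTOR
    return host_lba_ok, overrun_blocked, negative_blocked, vm2_intact


if __name__ == "__main__":
    print(demo())
```

The check in translate() is the whole isolation boundary for file- or partition-backed guest disks: the guest controls lba and count in every virtio-blk request, so both have to be validated against the portion before the host offset is computed.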

22. Network Virtualization
[Diagram labels: User OS: virtio-NIC FE driver → guest virtual NIC. Service OS: ACRN Device Model NIC BE service → Tap/Tun driver → virtual bridge / switch → native NIC driver → external network.]

23. GPU Virtualization
[Diagram labels: Service OS: GPU BE services, host GPU driver with vGPU instances, MPT API. User OS: apps, guest GPU driver. ACRN Hypervisor: trap and pass-through to the GPU.]

24. Audio Virtualization
• The FE driver communicates with the IPC driver through the ops callback of the platform driver
• The FE driver forwards IPC commands to the BE service through virtio shared rings
• The Service OS can directly access the memory of the User OS
• The BE service communicates with the IPC driver through the IPC TX/RX interface of the IPC driver
[Diagram labels: User OS: audio apps, ALSA lib/Tiny ALSA, ALSA core, SOF machine driver, SOF PCM driver, SOF IPC driver, virtio audio FE driver. Service OS: audio apps, ALSA lib/Tiny ALSA, ALSA core, SOF machine driver, SOF PCM driver, SOF IPC driver, DSP platform drivers, virtio audio BE service; shared rings between FE and BE.]
*ALSA: Advanced Linux Sound Architecture; SOF: Sound Open Firmware; PCM: Pulse-code modulation; IPC: Inter-Processor Communication