In an embedded platform, virtualization serves a different purpose: its primary role is to provide security through separation. Here "security" means the ability to isolate guest software, police what it may do, and enforce that behaviour in hardware. The same technique also lets several separate embedded CPUs be consolidated onto a single core, reducing silicon area and development effort, and so lowering the overall cost and extending battery life.
Figure 1: Simple overview of embedded virtualization.
It all starts with isolation. With virtualization, the shared resources of a hardware platform can be partitioned into logically separate environments called virtual machines (VMs). Each VM comprises its applications and, where one is needed, an operating system. Hardware virtualization makes it possible to place critical assets such as communication interfaces (and their software stacks), storage and other resources into address spaces of their own, so that no other application's address space can reach them and they cannot reach any other's.
A simple view of virtualization in an embedded environment is shown in Figure 1. The MIPS M5100 and M5150 IP cores are small-footprint CPUs that can enforce isolation between up to seven Guests. Most of today's embedded virtualized applications use no more than three isolated environments; the headroom in the M51xx CPUs allows for future growth.
Once the critical assets have been isolated from the rest of the (potentially vulnerable) software, the next step is to establish and maintain trust in each isolated environment. A hardware Root of Trust (RoT) and the security services built on it can enforce that trust, covering both authentication and privacy. The virtualized platform rests on a trusted hypervisor, which creates and manages the VMs and executes at the processor's most privileged level, Root mode, also shown in Figure 1. Everything in the system therefore depends on the hypervisor being both unmodified and correct.
The structural integrity of the hypervisor (that the code running in Root mode is the code that was verified) is maintained by a trusted boot process. Its operational integrity follows from the hardware: the hypervisor runs in its own context and address space, separate from every guest. Each address space is protected by the root memory management unit (MMU), whose contents can be locked down immediately after boot so that no software, guest or otherwise, can alter the partitioning for the rest of the session. The isolation is then as strong as the hypervisor's own code and its root MMU configuration; both are part of the trusted computing base and should be kept small and reviewable.
Figure 2 shows the benefits of virtualization in an embedded application. Here a MIPS M5150 CPU is configured for three distinct isolated environments. Each is isolated and protected from the others, memory and IO included. The RoT and the security services built on it are normally assigned to the trusted environment, VM1 in the figure. When another environment (VM2 or VM3) needs a RoT security service, the request is redirected to VM1, which performs the operation inside its own protected environment; the requester never gains direct access to the RoT itself.
Figure 2: Three isolated virtual environments in an embedded platform.
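The following C model, added here and not code from Imagination or the MIPS hypervisor, shows the two hypervisor policies this section and the isolation discussion above describe: a root-level partition table that hands each physical range (RAM or IO) to exactly one VM and is locked after boot, and the routing of RoT service requests from VM2/VM3 to VM1. The VM numbering (VM1 is index 0), the addresses, the service IDs and the use of flat physical ranges instead of real root-MMU page mappings are all hypothetical simplifications for illustration.

```c
/* Added example (not Imagination/MIPS code): model of the root-level
 * partition table and RoT service routing. VM numbers, addresses and
 * service IDs are hypothetical; flat ranges stand in for root-MMU pages. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VMS     3
#define MAX_REGIONS 4
enum { PERM_R = 1, PERM_W = 2 };
enum { VM1 = 0, VM2 = 1, VM3 = 2 };     /* VM1 hosts the RoT services   */
enum { SVC_SIGN = 1, SVC_RNG = 2 };     /* hypothetical RoT service IDs */

struct region { uint32_t base, len; uint8_t perm; };

struct partition_table {
    struct region vm[MAX_VMS][MAX_REGIONS];
    int count[MAX_VMS];
    int locked;                         /* set once, right after boot */
};

static int overlaps(uint32_t b1, uint32_t l1, uint32_t b2, uint32_t l2)
{
    return b1 < b2 + l2 && b2 < b1 + l1;
}

/* Give a physical range to exactly one VM. Refused once the table is locked
 * or if any VM already owns part of it: exclusive ownership is the isolation. */
int hv_assign(struct partition_table *t, int vm, uint32_t base, uint32_t len, uint8_t perm)
{
    if (t->locked || vm < 0 || vm >= MAX_VMS || len == 0 ||
        len > UINT32_MAX - base || t->count[vm] >= MAX_REGIONS)
        return -1;
    for (int v = 0; v < MAX_VMS; v++)
        for (int i = 0; i < t->count[v]; i++)
            if (overlaps(base, len, t->vm[v][i].base, t->vm[v][i].len))
                return -1;
    t->vm[vm][t->count[vm]++] = (struct region){ base, len, perm };
    return 0;
}

void hv_lock(struct partition_table *t) { t->locked = 1; }

/* Root-level check of a guest access: all of [addr, addr+len) must sit in
 * one region owned by that VM, with the needed permissions. */
int hv_access_ok(const struct partition_table *t, int vm, uint32_t addr, uint32_t len, uint8_t need)
{
    if (vm < 0 || vm >= MAX_VMS || len == 0 || len > UINT32_MAX - addr)
        return 0;
    for (int i = 0; i < t->count[vm]; i++) {
        const struct region *r = &t->vm[vm][i];
        if (addr >= r->base && addr + len <= r->base + r->len)
            return (r->perm & need) == need;
    }
    return 0;                           /* unmapped for this VM: trap */
}

/* Route a RoT service request to VM1. The buffer handed over must lie in the
 * caller's own partition, otherwise VM1 would act as a confused deputy on
 * memory the caller cannot touch itself. Returns the servicing VM or -1. */
int hv_route_service(const struct partition_table *t, int caller, int service, uint32_t buf, uint32_t len)
{
    if (service != SVC_SIGN && service != SVC_RNG)
        return -1;
    if (!hv_access_ok(t, caller, buf, len, PERM_R | PERM_W))
        return -1;
    return VM1;
}

/* Hypothetical boot-time layout for the three VMs of Figure 2. */
#define RAM_VM1     0x80000000u
#define RAM_VM2     0x80100000u
#define RAM_VM3     0x80200000u
#define CRYPTO_MMIO 0x1F000000u         /* RoT engine: VM1 only   */
#define UART_MMIO   0x1F001000u         /* comms stack: VM2 only  */

int boot_layout(struct partition_table *t)
{
    int rc = 0;
    memset(t, 0, sizeof *t);
    rc |= hv_assign(t, VM1, RAM_VM1, 0x100000, PERM_R | PERM_W);
    rc |= hv_assign(t, VM2, RAM_VM2, 0x100000, PERM_R | PERM_W);
    rc |= hv_assign(t, VM3, RAM_VM3, 0x100000, PERM_R | PERM_W);
    rc |= hv_assign(t, VM1, CRYPTO_MMIO, 0x1000, PERM_R | PERM_W);
    rc |= hv_assign(t, VM2, UART_MMIO, 0x1000, PERM_R | PERM_W);
    hv_lock(t);                         /* no changes after this point */
    return rc;
}

static int g_boot_rc = -1;
struct partition_table *demo_table(void)   /* one booted, locked table */
{
    static struct partition_table t;
    static int booted;
    if (!booted) { g_boot_rc = boot_layout(&t); booted = 1; }
    return &t;
}
int demo_boot_rc(void) { demo_table(); return g_boot_rc; }

int main(void)
{
    struct partition_table *t = demo_table();
    printf("boot rc            : %d\n", demo_boot_rc());
    printf("VM1 writes crypto  : %d\n", hv_access_ok(t, VM1, CRYPTO_MMIO, 4, PERM_W));
    printf("VM2 reads crypto   : %d\n", hv_access_ok(t, VM2, CRYPTO_MMIO, 4, PERM_R));
    printf("VM2 sign, own buf  : %d\n", hv_route_service(t, VM2, SVC_SIGN, RAM_VM2, 64));
    printf("VM2 sign, VM3 buf  : %d\n", hv_route_service(t, VM2, SVC_SIGN, RAM_VM3, 64));
    printf("map after lock     : %d\n", hv_assign(t, VM3, 0x1F002000u, 0x1000, PERM_R));
    return 0;
}
```

The two checks worth noting are the ones a hypervisor most often gets wrong: an access that starts inside a VM's region but runs past its end is rejected rather than partially allowed, and a service request is refused when the caller points VM1 at memory the caller does not own, which is how a compromised VM2 would otherwise use the trusted environment to read or write VM3.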