Open source hypervisor exploits hardware virtualization in MIPS CPUs
Hardware virtualization, Imagination says, is gaining attention beyond its traditional home in the data-centre for the benefits it provides across numerous application areas from IoT to consumer to automotive to industrial and beyond. Connected devices can be designed with numerous distinct domains in which multiple operating systems and applications can run independently at the same time on a single platform.
In a related statement, the company says, “Back in March 2015, the United States Federal Communications Commission (FCC) issued a security document that included a series of provisions related to the use of wireless devices. In order to comply with these security guidelines, some manufacturers of home routers and other networking equipment decided to lock down the software powering these devices. This caused an outcry from the open source community who demanded that the FCC and manufacturers would not restrict the free use of the operating system and associated software running on their devices. Imagination Technologies [presents] a proof of concept demonstration that addresses the next-generation security requirements mandated by the FCC and other similar agencies. The demo makes use of multi-domain, secure hardware virtualization in MIPS Warrior CPUs. This technology allows developers to create system-wide, hardware-enforced trusted environments that are more secure compared to current solutions; ‘security by isolation’. The platform for the demonstration runs three virtual machines (VMs) on a high-end MIPS P-class CPU integrated in a router-type evaluation kit; this approach securely separates the OpenWrt operating system from the Wi-Fi driver, allowing them to co-exist in isolation and thus comply with the FCC guidelines. The diagram above shows the outline architecture.”
Built in to the latest MIPS CPUs and other processor families, Imagination’s OmniShield technology makes use of hardware virtualization to enable the creation of multiple domains on a single SoC. The L4Re operating system is an ideal match: it works with systems that need to consolidate multiple applications with differing security, safety, or real-time requirements. With OmniShield-enabled MIPS CPUs, the L4Re hypervisor makes it possible for multiple isolated tenants or guests to run on the same host, authorizing access to on-chip resources, prioritizing use of shared resources, and allocating and managing service interrupts from external sources and peripherals.
The L4Re operating system is an open-source system framework for building applications with real-time, security, safety, and virtualization requirements. The L4Re system is built on the principle of a minimal Trusted Computing Base: minimize an application’s attack area by modularization and by reducing its dependencies. It consists of the L4Re hypervisor/microkernel, user-level infrastructure for building trusted native L4Re microapps, and virtual-machine support for running various standard OSes in isolated compartments.
The open source prpl Foundation, with its members Imagination and Kernkonzept, worked to create a demonstration vehicle that enables companies to see and try out the capabilities of hardware virtualization for themselves. It illustrates the power of a separation-based architecture in providing reliability and ease-of development for next-generation connected devices.
The demonstration builds on prpl’s proof-of-concept demonstration earlier in 2016 of its prplSecurit framework—a comprehensive collection of open source APIs providing hardware-level security controls. That was one of the first public demonstrations of hardware enforced multi-tenant OpenWrt, the Linux distribution at the heart of many home gateways.
The new demonstration features several domains including two instances of OpenWrt – one that isolates the Wi-Fi radio, and another that enables access to networking devices. With evolving Wi-Fi channel and frequency regulations, it’s important to ensure the radio is completely isolated, while letting users update their OS and install their own applications on the system. Additional domains can be used for provisioning of third party services such as those from operators and service providers.
The L4Re hypervisor for MIPS is available now at www.kernkonzept.com/download.html Kernkonzept also provides a supported version of the L4Re hypervisor; www.kernkonzept.com.
Imagination Technologies; www.imgtec.com
If you enjoyed this article, you will like the following ones: don't miss them by subscribing to :
