Skip navigation
2011

How do you protect a device that analyzes malware against malware? The malware experts at ValidEdge answered that question with Intel® Virtualization Technology (Intel® VT), a hardware technology that allows the company to create a secure environment for executing malicious code. To see how their solution works, check out the LynuxWorks case study below from the latest Embedded Innovator magazine.

 

You can access more articles like this by subscribing to the Embedded Innovator. Subscribers receive a quarterly newsletter as well as the annual Embedded Innovator magazine.  Both the newsletter and the magazine feature the latest in industry trends, design ideas, and embedded solutions. Subscribe today to stay on top of our fast-moving industry!

 

LynuxWorks is an Affiliate member of the Intel® Embedded Alliance.

 

Kenton Williston

Roving Reporter (Intel Contractor), Intel® Embedded Alliance

Editor-In-Chief, Embedded Innovator magazine

 

Follow me on twitter at http://twitter.com/#!/kentonwilliston

I’m sitting here at Stanfords in PDX airport, heading home after the Intel Firmware Summit . . . an internal Intel event where all the great minds (probably myself excluded) in firmware development at Intel congregate to present and discuss all the activities in progress across the corporation.  (By the way, the Herb Crusted Sirloin at Stanford’s is excellent).

 

There were many outstanding presentations and keynotes, including presentations from executives from McAffee (George Kurtz) and Wind River (Marc Brown), as well as numerous Intel Fellows and Architects from all over Intel.  I felt very honored to present to this exceptional audience of thought leaders at Intel.

 

While there was a lot of interest in what we are doing in the Embedded and Communications Group with our Intel® Boot Loader Development Kit (Intel® BLDK) program, it was overshadowed by two key themes stood out for me as I listened to all the other presenters:

 

1.  Security is becoming the next big focus area, and it starts with the firmware.  When you think about how to secure a system, the lowest interface layers need to be the first step in keeping the system secure.  Seems everyone in Intel working on firmware development is thinking about this.

 

2.  Convergence on UEFI . . . everyone in Intel is thinking about convergence to the latest UEFI standard.  You might be thinking DUH!  That has been Intel’s position for some time.  However, I heard at the firmware summit this is actually accelerating quite a bit.  In the Embedded Group, we decided last year to shift our approach for the Intel BLDK to align with the latest UEFI standards and based our implementation on the Intel® Unified Development Kit 2010 (Intel® UDK2010 . . . see http://www.tianocore.org).  At the time, we were on the bleeding edge, understanding that the rest of Intel would eventually be moving in that direction, but not for several years.  However, seems that we are going to see UEFI 2.3 based firmware/BIOS for Intel platforms across the board much sooner than expected.

 

Unfortunately, I cannot reveal much of the details, but suffice it to say that there are many exciting things going on across Intel in the firmware arena to make it easier and more productive to work with Intel Architecture.

 

Well, I have to finish my Crème Brule and then head to my gate to catch my flight.  Until next time!

 

p.s. Be sure to check out our new website at http://www.intel.com/go/bldk, and also follow me on twitter @intel_drew

The Tech Report recently reviewed a Gigabyte motherboard using a "Hybrid EFI" BIOS. It's true that this Gigabyte implementation isn't UEFIfrom the ground up, which makes it different from most UEFI implementations in the market. I think we need to take a look at the Gigabyte Hybrid EFI implementation and understand exactly what it does.

 

Gigabyte's "Hybrid EFI Technology" is pretty simple ... stick a UEFI layer on top of the existing legacy BIOS so users get support for 2TB+ hard drives and booting to UEFI-enabled operating systems. Since it's a layer on top of legacy BIOS, Gigabyte advertises that the "Hybrid EFI" layer could be applied to older motherboards for easier compatibility with large hard drives.

 

So Gigabyte gets to add support for large hard drives without replacing legacy BIOS on several motherboards, which The Tech Reportreviewer considers a "novel solution."  Now for the big question ... if this was such a good idea, why isn't every other BIOS provider and motherboard manufacturer using the "Hybrid EFI" approach?

 

The answer: they did, but they moved on.

 

Back in the early 2000's when EFI, the predecessor to UEFI, first made the scene the specification only covered the OS-to-firmware interface. Translation: the spec didn't care how the firmware worked "under the hood" as long as it produced the runtime interfaces per the EFI specification. The initial focus was supporting EFI as a runtime interface and bootloader.

 

So most of us BIOS guys did what Gigabyte does with "Hybrid EFI," build an EFI-over-BIOS bootloader and duct tape it into the flash ROM. Ok, there was no actual tape involved, but it wasn't the cleanest solution in the world. But back in 2002 it made a great demo for my Intel Developer Forum presentations, running the EFI Shell with network access and pre-OS diagnostics on an Intel Pentium III processor.

 

I know, it doesn't sound cool *now* ... but trust me, that's pretty cool for old school (yes, 2002 is "old school" in tech years).

 

In the current TianoCore implementation this is known as the Developer's UEFI Emulation (DUET)environment, a tool to help app & driver developers that don't have access to native UEFI platforms. You get the UEFI shell and ability to run UEFI pre-boot programs, but you also get some baggage from an implementation that only solves part of the problem. It's less relevant now that UEFI is shipping all over the Intel ecosystem.

 

When Intel started research into what would become EFI & UEFI, the Software Solutions Group (SSG) was trying to solve two problems. First, replace an aging set of OS-to-firmware interfaces built around 16-bit 8086 assumptions ... stuff like INT 13h storage interfaces and the INT 19h OS loader. Second was the same set of 16-bit 8086 assumptions applied to the underlying BIOS infrastructure. These were both handicaps for a company moving to 64-bit architectures.

 

The "Hybrid EFI" solution solves the first problem effectively, if you ignore the thunk layers in between 16-bit BIOS calls and x64 UEFI. However, it doesn't address the underlying firmware structure. This is important as the industry considers new UEFI features for Secure Boot, Driver Signing and IPV6 Networking. These features can't be properly developed using the legacy BIOS structure and be applied universally across multiple architectures. This is why you see embedded developers like Radisys and Kontron creating long term solutions using native UEFI implementations like Aptio.

 

Does this mean Gigabyte is behind other manufacturers in implementing UEFI? Absolutely not.

 

Gigabyte uses the "Hybrid EFI" solution on some products to fix an immediate consumer problem ... make new 3TB+ drives work with today's motherboards. There are other companies who used this hybrid approach on older products, but they are moving away from "UEFI over legacy" as products mature. In the long run companies like Gigabyte will migrate products to native UEFI firmware, catching up with companies who started their firmware transition much earlier. You can already see this on Gigabyte products using the Intel Q67 Express Chipset.

 

So, as my mother would say when referring to that horrible haircut I had in high school, it's just a phase they're going through

 

Brian Richardson
Senior Technical Marketing Engineer
American Megatrends, Inc.

 

American Megatrends, Inc. (AMI) is an Affiliate member of the Intel® Embedded Alliance.

 

Got a question about BIOS? … then it’s time to Ask a BIOS Guy! Find Brian on Twitter (@askabiosguy) or leave your question in the comments. Your BIOS question may be featured in an upcoming ‘Ask a BIOS Guy’ article.

Open-source operating system (OS) distributions often contain thousands of packages, making testing a difficult and time-consuming task. New automated testing tools for Android and MeeGo can significantly reduce this challenge and speed time to market. To see how these tools work, check out Wind River’s article in the latest Embedded Innovator magazine.

 

You can access more articles like this by subscribing to the Embedded Innovator. Subscribers receive a quarterly newsletter as well as the annual Embedded Innovator magazine.  Both the newsletter and the magazine feature the latest in industry trends, design ideas, and embedded solutions. Subscribe today to stay on top of our fast-moving industry!

 

Wind River Systems is an Associate member of the Intel® Embedded Alliance.

 

Kenton Williston

Roving Reporter (Intel Contractor), Intel® Embedded Alliance

Editor-In-Chief, Embedded Innovator magazine

The Intelligent Platform Management Interface (IPMI) enables remote diagnostics and self-repair, helping lower maintenance costs for networking and telecom equipment. What’s more, standards-based IPMI firmware can be used with the energy-efficient Intel® Xeon® processors for a solution that minimizes costs from the hardware up. To see how, check out American Megatrend’s article in the latest Embedded Innovator magazine.

 

You can access more articles like this by subscribing to the Embedded Innovator. Subscribers receive a quarterly newsletter as well as the annual Embedded Innovator magazine.  Both the newsletter and the magazine feature the latest in industry trends, design ideas, and embedded solutions. Subscribe today to stay on top of our fast-moving industry!

 

American Megatrends is an Affiliate member of the Intel® Embedded Alliance.

 

Kenton Williston

Roving Reporter (Intel Contractor), Intel® Embedded Alliance

Editor-In-Chief, Embedded Innovator magazine

Embedded developers work in a rapidly changing environment. Each new project requires developers to pack increased functionality into smaller, reduced-power embedded products. In addition to the added complexity of the application software for these new projects, customers also demand an interactive interface, ubiquitous connectivity, absolute security, and extreme reliability. To achieve these expanded requirements, embedded designers are turning to multicore architecture such as the 2nd generation Intel® Core™ processors to improve performance, reduce component count, and lower power requirements. Since embedded software invariably falls on the critical path to product delivery, software engineers are also looking for techniques to gain the full benefit of the latest multicore processors without significant changes to their existing development process.

 

The first step in this embedded product revitalization process is the successful integration of the 2nd generation Intel® Core™ processor family. This new architecture includes seven multicore processors that support extended lifecycle embedded applications. The Core™ i3/i5/i7 processors combine either two or four CPU cores, an integrated graphics processor, Last Level Cache (LLC), and a system agent/memory controller to optimize cost, performance, and power requirements for a wide range of embedded applications. In addition, all of the CPU cores (including the integrated graphics core) feature Intel® Turbo Boost Technology, allowing clock frequencies to scale up temporarily to handle intense workloads. The processors also include Intel® Advanced Vector Extensions (AVX), a new 256-bit instruction set optimized for signal processing applications. With this extended processing power, board designers can boost performance and possibly replace external dedicated DSPs or FPGAs to further reduce the component count and lower power requirements.

 

The next step is to update and streamline the software development toolset to incorporate multicore support while minimizing modifications to current code creation practices. New announcements from multiple software vendors already provide advanced development tools and board support packages for products based on the 2nd Generation Intel® Core devices. For example, the Prism software analysis tool from CriticalBlue (see figure below) allows software developers to analyze their existing software applications, evaluate the benefits of the new Intel® architecture, and select the appropriate processor. Prism analyzes the behavior of existing code running on simulators or hardware development boards to analyze opportunities to introduce or add further parallel code structures. Developers can select the appropriate member of the 2nd generation Intel® Core processor family and analyze the impact of Intel® Hyper-Threading Technology, data cache misses, and instruction throughput. Prism provides developers with an estimate of the performance gain achievable by partitioning their program into multiple threads while targeting one of the 2nd generation Intel® Core processors. The platform support package for Prism is offered at a price of $400 per month with an annual subscription agreement. You can also download a 30-day evaluation copy of Prism.

 

prism_flow.png

Green Hills Software has also updated their INTEGRITY Real Time Operating System (RTOS) and MULTI Integrated Development Environment (IDE) (see figure below) to support the latest Intel® micro-architecture. The INTEGRITY RTOS is built around a partitioning architecture to provide embedded systems with enhanced reliability, security, and real-time performance. Secure partitions guarantee each task the resources it needs to protect the operating system and user tasks from errant and malicious code. INTEGRITY architecture provides Asymmetrical Multiprocessing (AMP) and Symmetrical Multiprocessing (SMP) support optimized for embedded and real-time multicore processors. The MULTI IDE software tools include several C compiler options, a debugger, editor, configuration manager, code browser, and debugger in a single package. MULTI also features DoubleCheck, an integrated static analyzer that isolates bugs caused by complex interactions between code segments that may not be in the same source file. Finally, Green Hills Probe provides a multicore debug control for board bring-up, device driver development, and system level debugging.

 

GHSMulti.jpg

 

These are just a couple of examples where improved development tools and techniques can provide embedded developers with rapid transition to the enhanced performance benefits promised by multicore technology. If you have a new project that might benefit from the latest 2nd generation Intel® Core processor family and you have questions or concerns, please get in touch with fellow followers of the Intel® Embedded Community. Also, please check back as I uncover more information the 2nd generation Intel® Core™ processor family and how you can use it to enhance image analysis.

 

To view other community content on interoperability, see "Interoperability - Top Picks

interoperability.jpg

 

Warren Webb
OpenSystems Media®, by special arrangement with Intel® Embedded Alliance

 

CriticalBlue and Green Hills software are Affiliate members of the by Intel® Embedded Alliance.

Over the past couple of years, there have been numerous articles posted on the Intel® Embedded Community web site that focused on security topics. Today let’s discuss a similar but separate topic – safety. Embedded systems used in applications in the transportation industry, industrial process control, power generation, and similar instances must meet relevant safety standards, primarily IEC 61508. That standard seeks to ensure the safety of people, ranging from workers involved directly with a system managing a process or some other application and citizens in general. Embedded design teams working on applications with safety requirements can utilize operating systems certified to IEC 61508 combined with redundant Intel® Architecture (IA) processors to quickly deliver systems that meet the most stringent safety requirements.

 

First let’s briefly consider the similarities and differences of safety and security requirements. Both require a compartmentalized approach to protect systems both from inadvertent faults and malicious activity. In security systems, the primary goal is to ensure the reliability of data – financial data or data that might control a military mission. In safety systems, the primary goal is ensuring that a system operates in a fail-safe manner.

 

Some of the same techniques are useful in both safety and security applications. Redundant hardware is often used. And software techniques such as Intel® Virtualization Technology (VT) are used to partition and protect the mission-critical elements of the code.

 

Security requirements are prescribed by the Common Criteria for Information Technology Security Evaluation (called Common Criteria or CC) defined in the ISO/IEC 15408. The CC provides a framework of security levels called the Evaluation Assurance Level (EAL) – EAL 1 through EAL 7, with EAL 7 being the most secure system. For more background, review the article I posted last year about separation kernels and EAL compliance.

 

Safety requirements are prescribed by the IEC 61508 standard that is entitled “Functional safety of electrical/electronic/programmable electronic safety-related systems.” Safety levels are graded based on a SIL (Safety Integrity Level) scale that suns from SIL1 to SIL4. SIL3 is considered the highest-level that can be achieved using a programmed microprocessor-based system.

 

The safety standard prescribes the need for functional safety that relies on an active system. For example, consider a process-control application that involves a dangerous chemical. A containment vessel that might limit the damage should an overflow occur is considered a passive system. Sensors and check valves that prevent an overflow would be considered an active system.

 

Hardware and software safety elements

 

There are both hardware and software elements involved in designing for safety compliance. Primarily we’re going to discuss software – operating systems specifically – in this article. But there is an excellent hardware-centric whitepaper that has been posted on the Intel Embedded Community site by Men Mikro Elektronik GmbH*. The paper is entitled “Implementing safety-critical embedded systems designs” and it covers more details on the SIL levels and focuses on strategies for deploying redundant modular systems and meeting safety requirements.

 

On the software side, several embedded-operating-system vendors have products that have been certified to SIL3. And some vendors offer both safety and security certifications in the same product.

 

Consider QNX Software Systems** and the QNX Neutrino Realtime Operating System (RTOS) Certified Plus product. The RTOS has been certified to SIL3 and EAL 4+. The safety certification was performed by conformity-assessment specialist Sira Test & Certification who is accredited by the United Kingdom Accreditation Service. The key to compliance is a modular microkernel architecture utilized in the RTOS. Applications, device drivers, file systems, and network stacks all run in separate memory-protected partitions.

 

QNX has also published a series of two whitepapers entitled “Building functional safety into complex software systems. Part 1 of the series coves the basics of safety theory and provides some illustrative real-world examples to explain the concepts. Part 2 digs deeper into actual implementation scenarios. The illustration below is from Part 2 and illustrates Reason’s Model explaining how faults become failures.

 

QNX_safety_fig.jpg

 

Green Hills Software*** also offers an SIL-3-certified RTOS. The Intergity/velOSity product was certified by TuV Nord certification body. The company actually offers what it calls the Green Hills Platform for Industrial Safety that it targets specifically at systems developed for the automotive, rail-transportation, nuclear-power, and similar industries. The platform combines the RTOS, middleware, a development and verification tool set, and services including system certification support. The diagram below summarizes the coverage of the platform.

 

GHS_safety_fig.jpg

 

Green Hills also has an excellent web page that covers the safety topic. The Integrity architecture partitions code that run at different safety levels and allows a single microprocessor to safely run critical and noncritical partitions. velOSity is the kernel that underlies the Integrity platform.

 

Middleware includes network support, graphics and video support, a file system. Moreover embedded databases allows for the safe storage and retrieval of complex data using a structured architecture.

 

Green Hills also has partners that contribute to the safety platform. For example, design teams can use Telelogic’s Rhapsody modeling and code-generation tools, Esterel Technologies’ modeling and code-generation tools, and Vector Software’s test and code-coverage tools in safety-critical designs.

 

Has your design team tackled a project requiring SIL certification? How did you approach the problem? Did you rely on a commercial software platform? Please share you experiences with fellow followers of the Intel® Embedded Community via comments. Readers would welcome your insight into the safety issue.

 

Maury Wright

Roving Reporter (Intel Contractor)

Intel® Embedded Alliance

 

* Men Mikro Elektronik GmbH is an Affiliate member of the Intel® Embedded Alliance

** QNX Software Systems is an Affiliate member of the Alliance

***Green Hills Software is an Affiliate member of the Alliance

 

More information

security.jpg

 

 

To view other community content focused on security, see “Security – Top Picks.”

The embedded market is undergoing a fundamental shift. While traditional design targets like cost and reliability remain important, a new set of requirements has arisen thanks to escalating customer expectations, the spread of Internet connectivity, and tougher competition.   Success in this brave new world requires close attention to eight key capabilities: security, virtualization, connectivity, manageability, energy efficiency, workload consolidation, interoperability, and sensing and analytics. The latest Embedded Innovator magazine explains how you can address these emerging requirements and achieve design success with solutions from the Intel® Embedded Alliance.

 

You can access more articles like this by subscribing to the Embedded Innovator.  Subscribers receive a quarterly newsletter as well as the annual Embedded Innovator magazine.   Both the newsletter and the magazine feature the latest in industry trends, design ideas, and embedded solutions.  Subscribe today to stay on top of our fast-moving industry!

 

Kenton Williston

Roving Reporter (Intel Contractor), Intel® Embedded Alliance

Editor-In-Chief, Embedded Innovator magazine