Skip navigation
2013

With widely available virtualization software and new hardware-assist architectures, industrial designers can readily combine multiple factory functions into a single hardware platform in order to minimize development costs, power requirements, and the number of system components. This consolidation feature allows designers to merge existing applications with different operating software without the need to modify existing code.  Virtualization also allows designers to easily combine general purpose operating systems such as Windows or Linux with real-time software or safety/security-critical functions while retaining the required determinism and isolation. Combined with multi-core technology, virtualization can also be used to boost the performance of individual software segments by assigning additional processing power.


In order to optimize virtualization functions, embedded processor architectures from Intel include built-in hardware functions to increase the performance and speed up the interaction between virtual environments. For example, Intel® Virtualization Technology (Intel® VT) increases system performance and reliability with hardware support for virtualization software to simplify the transfer of data and control between virtual operating systems. If a system becomes disabled due to a software or operating system failure, a virtual backup can automatically take control and start execution without user intervention. Virtualization can also be used for hardware substitution by invoking a virtual layer that uses a modified set of I/O devices. Intel® VT improves the performance of software-based virtualization operations by using hardware-assist to allocate memory and I/O devices to specific partitions to decrease the processor load and reduce virtual machine switching times. In addition, specialized Intel functions such as Extended Page Tables (EPT) and Page Attribute Table (PAT) provide a hardware- assist to the partitioning and allocation of physical memory among virtual machines.


Virtualization platforms are built by adding a real-time virtual machine monitor (VMM) or hypervisor software layer directly above the hardware to create and manage individual partitions that contain guest operating systems.  The hypervisor allocates system hardware resources such as memory, I/O and processor cores to each partition while maintaining the necessary separation between operating environments. Several Intel Intelligent Systems Alliance members offer software products that take advantage of the enhanced performance and isolation provisions provided by Intel® VT. For example, the Wind River Hypervisor allows designers to partition hardware devices, memory, and cores into virtual machines, each with its own operating system while maintaining the necessary separation. (See figure 2).  The hypervisor allows system designers to isolate the safety-certified components while still operating on a single hardware platform utilizing a certified virtual machine monitor. Virtualization improves the potential uptime of embedded industrial systems since individual partitions can be rebooted or reprogrammed without affecting other applications on the same device.


hypervisor a.png


Green Hills Software also offers a popular embedded virtualization package that utilizes the Intel® VT architecture. The INTEGRITY Secure Virtualization product, shown in Figure 1, can host arbitrary guest operating systems alongside a suite of real-time applications and middleware. Applications and guest operating systems are scheduled across one or multiple cores, can communicate with each other, and utilize system peripherals according to a strict access control model. On hypervisor acceleration-enabled processors such as Intel® VT, INTEGRITY supports high performance "full virtualization" where no changes to the guest operating system are needed. The system supports multiple instances of Linux, Windows, Solaris, VxWorks and other operating systems with managed inter-process communications (IPC) between virtual environments and applications. System resources, including memory and devices, can be fixed at build-time or dynamically adjusted at run-time. Health monitoring features include performance monitoring, fault detection, and guest operating system and application restart. For the software development phase, Green Hills provides the MULTI Integrated Development Environment along with an integrated static analyzer allowing compilation and defect analysis in the same pass.


multivisor_arch.jpg


Hardware assisted virtualization (Intel® VT) improves the flexibility and robustness of software based virtualization technology and offers the tools needed to isolate and secure critical applications while lowering  production costs via hardware consolidation. If you are starting a new virtualization project with multiple operating systems and you have questions, please share your concerns with fellow followers of the Intel® Embedded Community. You can also keep up with the latest technical details and product announcements at the Embedded Computing Design archives on Virtualization.

 

LEARN MORE >>

 

Solutions in this blog:

 

Related topics (blogs, white papers, and more):

 

Warren Webb
OpenSystems Media®, by special arrangement with the Intel®
Intelligent Systems Alliance


Wind River Systems is an Associate member of the Intel® Intelligent Systems Alliance. Green Hills Software is an Affiliate member of the Alliance.


By AJ Shipley, Senior Security Architect, Wind River

 

Security cannot be bolted on, it must be built in. This statement proves to be especially true when considering the recent hack of the New York Times, where during a four-month long cyberattack by Chinese hackers, the company's antivirus system from Symantec missed 44 of the 45 pieces of malware installed by attackers on the network. Cases like this highlight the danger of relying on a single security product to keep you safe from hackers. According to a written statement by Symantec, "Advanced attacks like the ones the New York Times described underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. Antivirus software alone is not enough."


As evidenced with incidents like this, products need to be developed that combine multiple layers of security to keep the “bad guys” out of customer systems, and to also minimize the danger and exposure to device resources and data if they do get in.


Products like the Wind River Intelligent Device Platform (IDP), a software platform built for developing next-generation smart systems, are a perfect example of what I mean by building security into the product. IDP provides multiple layers of security that are all highly configurable and customizable.  Security policies are developed that match the specific deployment scenario with the correct level of access control and integrity monitoring, providing a true architectural, defense in depth approach to securing embedded devices and machine-to-machine applications.


Specifically, IDP includes Secure Remote Management (SRM), which ensures the integrity of the system with boot time security using Trusted Platform Modules (TPM) and Trusted Software Stacks (TSS).  Advanced security features like address space layout randomization (ASLR) and non-executable memory pages make it exceedingly difficult to penetrate IDP.  Run time security and integrity is monitored with the built in integrity measurement architecture which immediately detects when system files have been tampered with.  SRM provides a robust access control infrastructure for limiting access to system resources based on the privilege levels of specific users or groups of users ensuring that if a bad guy gets in they can’t access any of the critical resources or information.  Finally, secure package management remotely deployed over secure communication channels ensure that software updates are intact and trusted prior to installation.


Anti-malware products, like the one deployed at the New York Times, are an important component of an overall security strategy, but are nowhere near sufficient to protect systems, resources, and information from the advanced persistent threats that are on the rise.  We can no longer assume that we can successfully keep the bad guys out of our systems.  A good security strategy must first understand the multiple attack vectors and then deploy solutions that provide multiple layers of defense to deter, detect, and defend our critical resources.


For additional information from Wind River, visit us on Facebook.

By Steve Konish, Director, Product Management, Wind River

 

In just three short months, the engineering team at Wind River has added new, amazing capabilities to the Wind River Intelligent Network Platform. These enhancements to the platform allow applications to go even deeper and faster than ever before.  

 

When we first launched the platform, it included two data plane engines for packet acceleration and pattern matching.  The two engines together created an incredible software-enabled solution to provide high-performance deep packet inspection (DPI) for network applications. We’ve now added a third data plane engine, the Flow Analysis Engine (FAE), which allows applications to incorporate even greater network intelligence.  The Flow Analysis Engine offers complete visibility into network traffic in real time, including flow classification, protocol and application identification, and metadata extraction.

 

INP2

 

With the addition of the Flow Analysis Engine, Wind River Intelligent Network Platform delivers the most comprehensive and integrated DPI solution on the market today.  Imagine being able to use one platform to consolidate management and data plane applications and also have the ability to accelerate, analyze, and secure network applications that help you deliver even greater value to your customers.

 

But wait…it gets better. We’ve added some very cool innovations to the platform that allows for the transparent acceleration of Linux-based applications.  This means any existing application can leverage the fast path within the Application Acceleration Engine without having to modify a single line of code. That’s right, unmodified applications can be accelerated up to 300% faster.  This capability is so extraordinary we had to patent it. Or, if you make the extra effort to also port and optimize your application for the platform, you can achieve even greater performance…up to 500% faster.

 

For additional information from Wind River, visit us on Facebook.