Xen Virtualization Takes On Automotive


Nautilus architecture

On Aug. 18 at the Xen Project Developer Summit, the Xen Project unveiled an Embedded and Automotive initiative for its datacenter-focused Xen virtualization technology. The immediate goal is to help auto manufacturers “adopt open source virtualization” to “quickly and cost-effectively develop a flexible, robust, and customizable integrated cockpit — one that keeps drivers safe, while meeting consumers’ connected car expectations,” according to the Xen Project, a Linux Foundation Collaborative Project.

The first project in the initiative is a collaboration with GlobalLogic on the latter’s Nautilus in-vehicle infotainment (IVI) and telematics platform. Nautilus uses a modified, embedded version of the open source Xen Project type 1 hypervisor to enable sandboxed implementations of multiple OSes. (See farther below for an interview with representatives from both Xen Project and GlobalLogic.)

The Nautilus stack uses its own fast-booting version of Android for IVI along with a separate container for telematics and other back-end services running Linux or QNX. Nautilus is initially designed to run on a Texas Instruments Jacinto 6, a multicore, ARM-based system-on-chip designed for automotive computers that combines two Cortex-A15 cores with four Cortex-M4 cores and a pair of SGX544 GPUs. Mentor Graphics is also looking at doing automotive virtualization using the Jacinto SoC to combine its GENIVI-compliant Linux distribution and its Nucleus RTOS.

Automotive Grade Android

The Xen Project initiative is associated with the Linux Foundation’s Automotive Grade Linux (AGL) project, which is currently defining an IVI stack based on Tizen. GlobalLogic is working to add the Xen-based technology to the AGL spec, and will soon add Tizen Linux to its list of supported OSes. The Android implementation is forming the basis for an Automotive Grade Android (AGA) offshoot of the AGL spec.

The Xen Project Embedded and Automotive initiative is being led by Artem Mygaiev, associate vice president of development at GlobalLogic. The project is also associated with the GENIVI project, which recently designated Tizen as being compliant with the GENIVI 5.0 open source automotive spec. Despite the focus on Android, the project is currently not collaborating with Google on its Android Auto project.

In addition to tackling the automotive problem, the subproject plans to extend the technology to other embedded applications where multiple OSes must run side by side on multicore processors in secure virtual machines (VMs) without risk of cross-contamination. For example, a hypervisor can be used in mobile devices where both personal and professional applications need to be available on the same device, without the threat of corporate data being compromised. Other examples include avionics and drones, as well as smart TVs with parental controls.

The Embedded and Automotive initiative will also draw on previous code contributions from ARM, Citrix, DornerWorks, Galois, and Washington University. In addition to submitting its Nautilus implementation, GlobalLogic plans to contribute automotive-focused driver support for QNX and Android OSes, as well as several Linux kernel drivers for paravirtualization. It will also share technology that enables the virtualization of various GPUs, USB, and audio devices in an IVI system “without compromising performance,” according to the project.

Much of the Nautilus/AGA project is focused on turning Android into an IVI-ready platform that overcomes deficiencies in reliability, security, and boot time. The Xen-based containerization addresses the security side, while GlobalLogic’s AGA stack has made great strides in improving boot time. So far, a version of Android 4.2 has reduced boot time to about 5-6 seconds and reduced the time to display a rear-view camera image to 1.5 seconds, says the company.

The AGA spec also supports Bluetooth, Miracast, MirrorLink, and wireless hotspot technologies. Users can access vehicle data via the cloud, as well as control automotive features from a mobile device, or cast data from such a device to the vehicle display.

Xen Project Benefits

The upstream contributions should enable enhancements to the next two Xen Project releases. These include improvements to the Xen Project Hypervisor on ARM, real-time scheduling enhancements, as well as improved security, boot time, stability, and reliability. The new technology was made possible by last year’s completion of the Xen port to ARM in the 10th year of the project’s existence.

Over the last two years, several other developments were said to have set the groundwork for the initiative, including:

  • Experimental PV (paravirtualization) ARM support on Nvidia by Samsung (2013)
  • Interrupts and IOMEM mapping to DomU to support driver domains by GlobalLogic (2014)
  • Development of rich PV drivers for HID, Audio, GPU, framebuffer, etc. by GlobalLogic (2013-14)
  • Ongoing improvements to real-time scheduling by DornerWorks and the University of Washington
  • Ongoing developments of a QNX baseport by GlobalLogic and a FreeRTOS baseport by Galois.

Prior to the announcement, I interviewed Lars Kurth, Xen Project Advisory Board chairman, as well as Alex Agizim, vice president and chief technology officer of embedded systems at GlobalLogic. Below is an edited version of that interview.

Q: It seems we’ve been talking about putting hypervisors in cars for years now. Is the delay due to the longer product cycles in the automotive business?

Agizim: Long production cycles are definitely the reason, but there are still a number of technological challenges such as performance and peripheral sharing. Only the recent SoCs like the TI J6 and Renesas R-Car M2/H2 have hardware support for virtualization. This will minimize the performance impact and provide maximum security and stability for the software running in different VMs.

Kurth: Software capabilities need to be hardened also. For example, we had a number of real-time schedulers for Xen which were initially designed for non-automotive use-cases on x86, such as ARINC653 and rt-xen, which are currently being optimized for ARM and automotive use-cases. Other areas where we made lots of progress are drivers for rich I/O as well as making it easier to create Xen PV base ports for operating systems. We could accelerate this technology if the hardware was more generally available for open source developers. Until this is fixed, it will be hard to create a diverse community that goes beyond a few vendors.

Q: Why is Xen better suited for automotive virtualization compared to other hypervisors?

Kurth: Xen Project is open source, it has ARM support, and it offers driver disaggregation and a flexible virtualization mode and architecture. The ARM implementation is only 90,000 lines of code, making it a perfect fit for embedded. We also have a multi-layered approach to security, including Driver Domains, Stub Domains, and Xen Security Modules, which can be thought of as a SELinux for virtual machines.

Q: How much of the Xen virtualization technology is easily transportable from the datacenter to automotive and embedded devices?

Kurth: Several Xen Project features are well-suited to both realms, such as security and isolation, stability and reliability, and rapid boot time. What is missing is optimization for the new ARM chipsets. We’re also starting to make use of TrustZone in the software stack. New challenges include power management and certification.

Q: Has the automotive initiative developed any innovations that could improve Xen in general?

Kurth: Some of the technology will be beneficial for the datacenter in the long run. For example, real-time scheduling and virtualization is extremely interesting for NFV [network functions virtualization]. Graphics virtualization is becoming more interesting in the datacenter, too.

Q: The main focus of Nautilus appears to be Android combined with QNX under Xen virtualization. What role does embedded Linux play here? Linux is typically used on the IVI side of the equation, but your current implementation shows Linux as an alternative to QNX running on the backend.

Agizim: Linux is not a real-time system. Linux definitely can fit the place of Instrumental Cluster, but real telematics or ADAS should be driven by a real-time OS like QNX. Still, GlobalLogic aims to provide maximum flexibility, allowing IVI OEMs to pick the right OS for them.

More information

Vendors and developers interested in collaborating on the Xen Project Embedded and Automotive initiative, including non-automotive applications, are encouraged to join at the subproject website. GlobalLogic and the Linux Foundation will present a free webinar at 9 a.m. PDT, Wednesday, Aug. 27, on “Virtualization in the Automotive Industry.” The webinar will be led by GlobalLogic’s Alex Agizim, as well as Rudolf Streif, director of embedded solutions at the Linux Foundation.

More information on Nautilus can be found at GlobalLogic’s Infotainment web-page, as well as in this Embedded Computing interview with GlobalLogic’s Artem Mygaiev.