摘要：

The number of future automotive embedded software applications and their complexity is still rising. Additional non-functional requirements such as safety, portability, maintainability and efficiency compound this trend. The AUTOSAR standard gives flexible and efficient mechanisms to build systems of software components but also involves high configuration effort. When considering safety, the standard has some weaknesses preventing the realization of full separation between software partitions of mixed integrity. Virtualisation seems to be a promising technology allowing one to merge multiple safety-relevant sub-systems onto a single hardware platform and to implement strong separation. Microkernel based hypervisors exhibit a small Trusted Computing Base and serve as the most reliable and robust component within the system. This paper describes and evaluates a microkernel approach to isolate safety-relevant automotive software virtual machines by using a Memory Management Unit less embedded hypervisor. For our analysis, safety mechanisms were implemented with a separation kernel. We present a concept, based upon the ISO 26262 automotive safety standard and its safety assumptions, in order to support isolated virtual electronic control units within a real-time environment. Our final goal is to prevent virtual machines from propagating faults between each other. We evaluate our solution by porting some production automotive software to a hypervisor using a paravirtualised AUTOSAR basic software and a Real-Time Operating System. Our benchmarks are based on state-of-the-art automotive hardware and show that the approach is feasible even with less hardware support for virtualisation.

展开