To address security, privacy and reliability concerns in a wide range of devices, Imagination has added hardware supported virtualization technology into its MIPS Warrior cores, as well as its PowerVR Series7-based GPUs and other processors.
Hardware virtualization support enables Imagination’s processors to be OmniShield-ready. OmniShield is Imagination’s security technology which ensures that applications that need to be secure are effectively and reliably isolated from each other, as well as protected from non-secure applications.
Since virtualization concepts are already well understood and supported techniques in many OS and RTOS, they provide an ideal and proven foundation for hardware enablement and extensions needed for next-generation security.
Virtualization can be achieved with software only (para-virtualized) or with hardware assistance (fully virtualized). Para-virtualized solutions exist and run on MIPS-Based™ cores today, and the MIPS architecture provides hardware-assisted virtualization.
The core element of virtualization is the hypervisor, a small body of trusted and privileged code that sits above the hardware, managing and orchestrating all of the SoC resources. It manages the resources by defining access policies for each execution environment or “guest.” Guests are isolated from each other, but can communicate with the hypervisor and with each other via secure APIs. This ensures the reliability of the system by allowing the rest of the guests to operate reliably even if one of the guests crashes. The hypervisor manages all memory I/O privileges of the subsystems.
Hypervisors in general are easier to secure than the multiple operating systems running on top of them, because they have a smaller footprint and hence have an easier time achieving certification.
There are different ways to implement a virtualized system. Para-virtualization is an excellent approach for retrofitting a scalable security solution into deployed embedded systems that are not due for additional hardware updates, but require a trusted execution environment. Para-virtualization improves performance by optimizing the interaction of the OS and the hypervisor, but there is some effort required to customize the OSes. Hardware-assisted virtualization, once incorporated into a CPU, provides the benefits of improved virtualization performance with no modification of the guest operating systems required.
Hypervisors for the MIPS architecture include the Kernel-based Virtual Machine (KVM), Pike OS from Sysgo AG (now part of Thales Group), and others.
The KVM/MIPS hypervisor supports all MIPS32® processors and platforms, including those that do not implement virtualization hardware support. KVM is a fast and secure open source framework that brings native full virtualization to the Linux kernel. It enables multiple operating system instances to run securely on a single processor. It consists of a loadable kernel module, and so is a natural fit for Linux based systems that need virtualization.
Pike OS runs on a range of MIPS cores and currently supports para-virtualization.
- ARINC 653 and MILS (security) compliant architecture
- Provides different guest operating systems
- Supports multi core CPUs
- Highly portable
- Certifiable according to safety and security standards
- DO-178B, IEC-61508, ISO 26262, EN-50128, Common Criteria
- Modular certification package
- State of the art development environment