CLARE-Hypervisor is a type-1 hypervisor that integrates cutting-edge safety, security, and real-time resource management mechanisms. It provides strong isolation between execution domains with mixed and independent levels of safety and security while enabling safe inter-domain communications. Such domains can be rich environments powered by general purpose Operating Systems (Linux, Android, etc.) as well as high-criticality, real-time execution environments where predictability and temporal/spatial isolation is mandatory. Unmodified Guest OSes can be hosted by strongly-isolated Virtual Machines (VMs), thus allowing an easy integration of stand-alone domains. CLARE-Hypervisor follows a fully-static approach with off-line configurations generated by the CLARE-Toolkit.
CLARE-Hypervisor currently supports Armv8-A processor architectures.
Applications running in parallel on different cores and simultaneous I/O transactions can incur in highly-unpredictable interference. If not properly controlled, this interference can propagate among domains, even with different criticality levels, hence jeopardizing the isolation capabilities of a hypervisor.
CLARE-Hypervisor implements strong isolation mechanisms to control such interferences by offering cutting-edge protection features that really shield the system from any unwanted interference and related denial-of-service attacks.
Multi-domain FPGA Virtualization
Programmable logic is the beating heart of FPGA-based heterogeneous SoCs and can be used to deploy a large variety of devices and accelerators. In a multi-domain system, portions of programmable logic can be either reserved for use within a certain domain or shared among multiple domains. In the former case, it is essential to preserve the isolation capabilities of the hypervisor also at the level of programmable logic, especially in the presence of FPGA-based devices with direct access to shared resources and peripherals (e.g., the DRAM) that are also accessed by critical domains. In the latter case, it is crucial to mediate the access to avoid side-channel attacks. Furthermore, in some cases that available FPGA area may not be enough to implement the functionality required by a system and must therefore be shared by multiplexing in time the deployment of devices.
CLARE-Hypervisor enables the virtualization of programmable logic by offering all the support for deploying strongly-isolated, multi-domain FPGA designs and the possibility of exposing a virtual FPGA fabric to the domains. Under FPGA virtualization, the FRED framework (http://fred.santannapisa.it/) is leveraged to dispatch acceleration requests to be served on the physical FPGA fabric.
Mixed-criticality systems include both high-criticality, high-integrity software and low-criticality software. The latter may include vulnerabilities that, if not proper countermeasures are taken, may expose the whole system to severe security threats. Denial-of-service, side-channel attacks, code reuse attacks, control flow hijack are typical examples of threats that can jeopardize the functionality of a cyber-physical system.
CLARE-Hypervisor provides advanced security features to protect the system from such cyber-attacks. Among others, it offers support for efficient control-flow integrity, address-space layout randomization, secure boot with roll-back prevention, run-time security monitoring, and mitigations for side-channel attacks.
Applications with different criticality levels could cooperate in order to accomplish the mission of the system. Such a cooperation may rely on inter-domain communications whose criticality is inherited by the most critical application they involve. In these cases, it is crucial that low-criticality software does not have the capability of corrupting the data of communication channels or using them as attack vectors.
CLARE-Hypervisor offers a safe, secure and highly predictable inter-domain communication mechanism.
- Linux (Vanilla, PetaLinux, Ubuntu, etc.)
- Erika Enterprise 3 (OSEK/AUTOSAR RTOS)
- CLARE-BasicFirmware (environment for hosting C stand-alone code)
- Other proprietary RTOSs (industrial customer)
- Xilinx Zynq UltraScale+ MPSoC
- NXP i.MX8
- QEMU Virt aarch64
- Arm Fixed Virtual Platform
Work in progress:
- NVIDIA Jetson TX2/AGX Xavier