German software developer Kernkonzept has ported the open source L4Re hypervisor to the OmniShield-ready MIPS CPUs from Imagination Technologies in a bid to make IoT applications more secure.
The small footprint L4Re hypervisor, maintained by Kernkonzept, can take advantage of the hardware virtualization technology in MIPS CPUs for more efficient context switching and better use of CPU cycles, leading to improved application headroom and security.
Hardware virtualization is quickly gaining attention beyond its traditional home in the data center for the benefits it provides across numerous application areas from IoT to consumer to automotive to industrial and beyond. With this technology, connected devices can be designed with numerous distinct domains in which multiple operating systems and applications can run independently at the same time on a single platform.
The L4Re operating system is an open-source system framework for building applications with real-time, security, safety, and virtualization requirements, and the latest update includes a new portable virtual machine monitor called ‘uvmm’ with support for both MIPS and ARM virtualization technology.
The OS is built on the principle of a minimal Trusted Computing Base: minimising an application’s attack surface by modularization and by reducing its dependencies. It consists of the L4Re hypervisor/microkernel, user-level infrastructure for building trusted native L4Re microapps, and virtual-machine support for running various standard OSes in isolated compartments.
The MIPS OmniShield technology uses the hardware virtualization in the CPU to create multiple domains on a single SoC, and this allows the L4Re operating system to consolidate multiple applications with differing security, safety, or real-time requirements. This means multiple isolated tenants or guests can run on the same host, while access to on-chip resources is authorized, use of shared resources is prioritized, and service interrupts from external sources and peripherals are allocated and managed.
“As Imagination continues to expand its MIPS ecosystem and OmniShield security offerings, we are delighted to work with Kernkonzept to bring the proven, highly efficient L4Re hypervisor to MIPS. Open source technologies like L4Re, where entire communities are responsible for developing and maintaining the code, can lead to inherently more reliable systems. We’re seeing a great deal of interest in L4Re for MIPS,” said Jim Nicholas, EVP MIPS Processor IP at Imagination.
Kernkonzept develops the open-source L4Re operating system and hypervisor for security/safety-critical and virtualization-enabled applications. The Dresden, Germany-based company provides software services for the security-sensitive, real-time, and embedded markets.
“The collaboration is enabling us to take the L4Re operating system into new areas. This technology is already quite strong in areas including government and military. Now it’s making its way into embedded markets such as Wi-Fi routers, cable set-top boxes, home gateways, and automotive where MIPS CPUs have a strong presence,” said Michael Hohmuth, CEO of Kernkonzept.
The open source prpl Foundation has created a demonstration vehicle that enables companies to see and try out the capabilities of hardware virtualization for themselves. It illustrates the power of a separation-based architecture in providing reliability and ease of development for next-generation connected devices.
The demonstration builds on prpl’s proof-of-concept demonstration earlier this year of its prplSecurity framework—a comprehensive collection of open source APIs providing hardware-level security controls. That was one of the first public demonstrations of hardware-enforced multi-tenant OpenWrt, the Linux distribution at the heart of most of the world’s home gateways.
The new demonstration features several domains including two instances of OpenWrt – one that isolates the Wi-Fi radio, and another that enables access to networking devices. With evolving Wi-Fi channel and frequency regulations, it’s important to ensure the radio is completely isolated, while letting users update their OS and install their own applications on the system. Additional domains can be used for provisioning of third party services such as those from operators and service providers.
The L4Re hypervisor for MIPS is available now at www.kernkonzept.com/download.html. Kernkonzept also provides a supported version of the L4Re hypervisor.