[trustable-software] No hypervisor required...
Paul Sherwood
paul.sherwood at codethink.co.uk
Wed Jun 6 17:45:48 BST 2018
Hi folks,
On 2018-05-22 13:44, Paul Sherwood wrote:
<snip>
https://docs.google.com/document/d/1H8ymdyAxKqBHTDPWY_ltQOwihRQ3iIzTqxjuYQXF8O4/edit?usp=sharing
Duncan Ferguson posted the following detailed comment on the google doc
today:
>> The only fundamental justification for using a hypervisor is to support
>> multiple different operating systems on a single CPU. Since we expect that
>> each system/vehicle requires a set of domain controllers, it seems that we
>> can avoid that situation altogether just by dedicating some controllers to
>> run QNX, some to run Linux and so on.
> I don't agree with this. There are many reasons you could construct to
> justify using a hypervisor, most of which ultimately come down to commercial
> reality. If I had to approve ONE codebase for isolating safety related and
> non safety related applications on one processor (and those applications
> could be full operating system stacks) then I would use a hypervisor.
> Why? Because a hypervisor is fundamentally designed to serve this purpose
> and tested as such. Hypervisors are designed to absolutely prevent guests
> interacting with or affecting each other in any way, ever. Any other
> operating system is not designed with that absolute intent at all. Any
> other operating system is designed to allow applications to interact with
> each other if you so desire. It is therefore up to the people developing
> the applications to know what they are doing. Very often they simply do
> not.
>
> Implication: If all my development teams and suppliers did work of a,
> frankly, impossible to achieve quality level then one operating system may
> be ok . . . may, possibly . . . these are not words that will float the
> safety boat.
>
> This is the position almost every automotive manufacturer is in today.
> Variable quality code from variable quality vendors. Today that code runs
> on unique hardware and even with that level of isolation the different
> application bugs cause problems to other applications, via interaction over
> the various network interconnects . . . that is better isolation than any
> hypervisor can ever provide and certainly better than a badly used
> (developer quality again) single operating system.
>
> So in the real world, where we live, a hypervisor may be a much better
> solution for building real systems. Ivory tower approaches rarely work in
> the real world for one reason or another. Many of your arguments are
> reasonable but I'm not convinced, at all, that they hold water in the cost
> and quality constrained world that the automotive industry is. Multiply
> cost by 10->100 : different story entirely.
I'll reply separately once I've had a chance to digest it.
br
Paul