[trustable-software] No hypervisor required...

Paul Sherwood paul.sherwood at codethink.co.uk
Wed Jun 6 17:45:48 BST 2018


Hi folks,
On 2018-05-22 13:44, Paul Sherwood wrote:
<snip>
https://docs.google.com/document/d/1H8ymdyAxKqBHTDPWY_ltQOwihRQ3iIzTqxjuYQXF8O4/edit?usp=sharing

Duncan Ferguson posted the following detailed comment on the Google doc today:

>> The only fundamental justification for using a hypervisor is to support
>> multiple different operating systems on a single CPU. Since we expect that
>> each system/vehicle requires a set of domain controllers, it seems that we
>> can avoid that situation altogether just by dedicating some controllers to
>> run QNX, some to run Linux and so on.

> I don't agree with this. There are many reasons you could construct to
> justify using a hypervisor, most of which ultimately come down to commercial
> reality. If I had to approve ONE codebase for isolating safety-related and
> non-safety-related applications on one processor (and those applications
> could be full operating system stacks) then I would use a hypervisor.

> Why? Because a hypervisor is fundamentally designed to serve this purpose
> and tested as such. Hypervisors are designed to absolutely prevent guests
> interacting with or affecting each other in any way, ever. Any other
> operating system is not designed with that absolute intent at all. Any
> other operating system is designed to allow applications to interact with
> each other if you so desire. It is therefore up to the people developing
> the applications to know what they are doing. Very often they simply do not.
> Implication: If all my development teams and suppliers did work of a,
> frankly, impossible to achieve quality level then one operating system may
> be ok . . . may, possibly . . . these are not words that will float the
> safety boat.

> This is the position almost every automotive manufacturer is in today.
> Variable quality code from variable quality vendors. Today that code runs
> on unique hardware and even with that level of isolation the different
> application bugs cause problems to other applications, via interaction over
> the various network interconnects . . . that is better isolation than any
> hypervisor can ever provide and certainly better than a badly used
> (developer quality again) single operating system.

> So in the real world, where we live, a hypervisor may be a much better
> solution for building real systems. Ivory tower approaches rarely work in
> the real world for one reason or another. Many of your arguments are
> reasonable but I'm not convinced, at all, that they hold water in the cost
> and quality constrained world that the automotive industry is. Multiply
> cost by 10->100: different story entirely.

I'll reply separately once I've had a chance to digest it.

br
Paul
