SafeG (Safety Gate) is a dual-OS monitor designed to concurrently execute an
RTOS (Real-Time Operating System) and a GPOS (General-Purpose Operating System)
on the same hardware platform. SafeG's architecture takes advantage of the
ARM TrustZone security extensions which introduce the concept of Trust and
Non-Trust states.
Trust state behaves like a conventional ARM processor, with the familiar privileged and user modes.
Code running in Non-Trust state, on the other hand, even in privileged mode, can neither access memory (devices included) that was allocated for Trust state usage nor execute certain instructions that are considered critical.
In order to control the TrustZone state, a new processor mode called "Secure Monitor" mode has been added. Switching between Trust and Non-Trust state is performed in Secure Monitor mode by SafeG with interrupts disabled.
Fig.1 SafeG architecture
The main properties of SafeG's architecture are:
Allows running an RTOS and a GPOS concurrently on top of the same processor.
RTOS memory and devices are protected from illegal accesses by the GPOS. This is achieved by configuring the resources used by the RTOS to be accessible only from Trust state; the remaining resources are configured to be accessible from both Trust and Non-Trust state.
RTOS real-time requirements are guaranteed. Time isolation of the RTOS activities is achieved by carefully allocating the two types of interrupt (i.e. FIQ and IRQ) to each TrustZone state:
FIQ interrupts are forwarded to the RTOS.
IRQ interrupts are forwarded to the GPOS.
In Trust state, IRQs are disabled so that the GPOS cannot interrupt the execution of the RTOS. For that reason, the GPOS only executes upon an explicit request by the RTOS, which is issued through the Secure Monitor Call (SMC) instruction. During GPOS execution, on the other hand, FIQs are enabled so that the RTOS can regain control of the processor (e.g. through the FIQ associated with the system timer). TrustZone is configured to prevent the Non-Trust side from disabling FIQ interrupts.
It takes advantage of hardware extensions in order to achieve very low execution overhead.
The GPOS does not require major code modifications. Except for device and memory usage configuration, the GPOS can be considered to be executed under full virtualization.
SafeG's code footprint is extremely small and it runs with interrupts disabled, which can ease the certification of safety-critical systems.
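The two isolation rules stated above (Trust-only resources are unreachable from Non-Trust state regardless of privilege level; FIQs belong to the RTOS, IRQs to the GPOS, with IRQs masked in Trust state and FIQ unmaskable from Non-Trust state) can be written down as a small executable model. The following C program is an added illustration, not SafeG's source: the types, the sample resource partition and the scripted scenario are constructed here, and the model only captures the routing policy described in the text, not the hardware details.

```c
/* Added example (not SafeG's code): a C model of the access-control and
 * interrupt-routing rules described above, plus an invariant checker.
 * All names (world_t, cpu_t, RES, run_scenario) are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { WORLD_TRUST, WORLD_NONTRUST } world_t;
typedef enum { LINE_FIQ, LINE_IRQ } line_t;
typedef enum { TO_RTOS, TO_GPOS, HELD_PENDING } outcome_t;

/* Modeled CPU state: the active TrustZone world, which lines are masked
 * (playing the role of CPSR.F / CPSR.I), and whether a GPOS IRQ is being
 * held back until the RTOS yields via SMC. */
typedef struct {
    world_t world;
    bool fiq_masked, irq_masked;
    bool irq_held;
} cpu_t;

/* A resource is either Trust-only (allocated to the RTOS) or shared. */
typedef struct { const char *name; bool trust_only; } resource_t;

/* Constructed sample partition, not SafeG's real memory/device map. */
static const resource_t RES[] = {
    { "rtos_ram",     true  },
    { "system_timer", true  },   /* FIQ source owned by the RTOS */
    { "gpos_ram",     false },
    { "uart1",        false },
};

/* Non-Trust code, even in privileged mode, cannot touch Trust-only resources. */
bool access_allowed(world_t w, bool privileged, const resource_t *r) {
    (void)privileged;   /* privilege level does not matter across worlds */
    return !r->trust_only || w == WORLD_TRUST;
}

/* Entering Trust state masks IRQ so the GPOS cannot preempt the RTOS. */
void enter_trust(cpu_t *c) {
    c->world = WORLD_TRUST; c->irq_masked = true; c->fiq_masked = false;
}

/* The RTOS yields via SMC: switch to Non-Trust with IRQ enabled and FIQ still
 * enabled so the RTOS can take the CPU back. Returns true when a held IRQ is
 * delivered to the GPOS immediately. */
bool smc_yield_to_gpos(cpu_t *c) {
    c->world = WORLD_NONTRUST; c->irq_masked = false; c->fiq_masked = false;
    if (c->irq_held) { c->irq_held = false; return true; }
    return false;
}

/* A mask request from the running OS. TrustZone is configured so that the
 * Non-Trust side cannot disable FIQ; such a request is refused (false). */
bool request_mask(cpu_t *c, line_t line, bool mask) {
    if (line == LINE_FIQ && c->world == WORLD_NONTRUST) return false;
    if (line == LINE_FIQ) c->fiq_masked = mask; else c->irq_masked = mask;
    return true;
}

/* Route an interrupt: FIQ goes to the RTOS (switching to Trust if needed);
 * IRQ goes to the GPOS but is held while the RTOS runs with IRQ masked. */
outcome_t raise_line(cpu_t *c, line_t line) {
    if (line == LINE_FIQ) {
        if (c->fiq_masked) return HELD_PENDING;   /* only possible in Trust state */
        if (c->world == WORLD_NONTRUST) enter_trust(c);
        return TO_RTOS;
    }
    if (c->irq_masked) { c->irq_held = true; return HELD_PENDING; }
    return TO_GPOS;
}

/* Invariants implied by the text: the RTOS is never preemptable by an IRQ,
 * and the GPOS can never hide an FIQ. */
bool invariants_hold(const cpu_t *c) {
    if (c->world == WORLD_TRUST && !c->irq_masked) return false;
    if (c->world == WORLD_NONTRUST && c->fiq_masked) return false;
    return true;
}

/* Scripted scenario; returns the number of rule violations observed (0 expected). */
int run_scenario(void) {
    cpu_t c = { WORLD_TRUST, false, true, false };   /* boot in Trust, IRQ masked */
    int violations = 0;
    /* 1: a GPOS device raises IRQ while the RTOS runs -> held, not delivered */
    if (raise_line(&c, LINE_IRQ) != HELD_PENDING) violations++;
    violations += !invariants_hold(&c);
    /* 2: the RTOS yields via SMC -> the held IRQ reaches the GPOS */
    if (!smc_yield_to_gpos(&c)) violations++;
    violations += !invariants_hold(&c);
    /* 3: privileged GPOS code tries to mask FIQ -> refused */
    if (request_mask(&c, LINE_FIQ, true)) violations++;
    /* 4: privileged GPOS code tries to read RTOS RAM -> refused */
    if (access_allowed(c.world, true, &RES[0])) violations++;
    /* 5: the RTOS system-timer FIQ fires during GPOS execution -> RTOS regains control */
    if (raise_line(&c, LINE_FIQ) != TO_RTOS || c.world != WORLD_TRUST) violations++;
    violations += !invariants_hold(&c);
    return violations;
}

int main(void) {
    printf("rule violations in scenario: %d\n", run_scenario());
    return 0;
}
```

The scenario walks through one full cycle: an IRQ arriving while the RTOS runs is deferred rather than delivered, the SMC hand-over releases it, the GPOS is unable to either mask FIQ or reach a Trust-only resource, and the next FIQ brings the processor back to Trust state with IRQs masked again. Changing any one rule (for example letting `request_mask` honour FIQ masking from Non-Trust) makes `invariants_hold` fail, which is the property a reviewer of such a monitor would want to check.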
Supported hardware and guest operating systems
SafeG is limited by design to ARM processors with support for the TrustZone security extensions. These include the following processors:
ARM Cortex-A9
ARM Cortex-A8
ARM Cortex-A5
ARM1176
Additionally, the target hardware must support the following TrustZone security features:
Separation of Trust and Non-Trust memory and peripherals
The latest release supports the following guest operating systems:
Trust : ASP, FMP, bare metal
Non-Trust : ASP, FMP, Linux, Android
In order to build SafeG, a host operating system supporting the GNU compilation toolchain is required. In particular, the following host configuration has been tested:
Ubuntu 14.04
GNU Make 3.81
CodeSourcery G++ Lite ARM toolchain
arm-none-eabi-gcc 4.2.0
arm-none-eabi-ld 2.17
arm-none-eabi-as 2.17
Download
SafeG's development is carried out by TOPPERS members using TOPPERS internal project management and version control tools. User-oriented packages, both as source code and as prebuilt binaries, can be downloaded here.
"Reliable Device Sharing Mechanisms for Dual-OS Embedded Trusted Computing", Daniel Sangorrin, Shinya Honda and Hiroaki Takada, Proceedings 5th International Conference on Trust and Trustworthy Computing, pp. 74-91, Vienna, Austria, Jun 2012.
"Integrated Scheduling for a Reliable Dual-OS Monitor", Daniel Sangorrin, Shinya Honda and Hiroaki Takada, Journal of Information Processing, ACS no. 23, 2012.
"Multicore extensions for a high-reliability embedded dual-OS monitor", Takaya Ohta, Daniel Sangorrin, Shinya Honda and Hiroaki Takada, 13th Summer Workshop on Embedded System Technologies (SWEST13), Gero, Japan, Poster, Sep 2011.
"Application of a high-reliability embedded dual-OS monitor to a multicore architecture", Takaya Ohta, Daniel Sangorrin, Toshiyuki Ichiba, Shinya Honda and Hiroaki Takada, Information Processing Society of Japan, 107th SIGOS, Apr 2011.
"Integrated Scheduling in a Real-Time Embedded Hypervisor", Daniel Sangorrin, Shinya Honda and Hiroaki Takada, 18th SIGEMB, Hakodate Mirai University, Aug 2010.
"Dual Operating System Architecture for Real-Time Embedded Systems", Daniel Sangorrin, Shinya Honda and Hiroaki Takada, OSPERT 2010, Brussels, Belgium.
"Enhancing Reliability in Hybrid OS System with Security Hardware", K. Nakajima, S. Honda, S. Teshima and H. Takada, IEICE Transactions on Information and Systems, 93(2):7585, 2010-02-01.