RE: [EXTERNAL] Re: Reference about Jailhouse w/out Linux


Devshatwar, Nikhil

Mar 8, 2018, 9:37:01 AM
to Jan Kiszka, Vutla, Lokesh, Claudio Scordino, jailho...@googlegroups.com, Ralf Ramsauer, Mills, William
Adding the conversation to the Jailhouse mailing list
Converted the attachment to a GitHub gist
https://gist.github.com/nikhildevshatwar/e17121c1355422a61fddaa52615fc7a9


Regards,
Nikhil D

> -----Original Message-----
> From: Jan Kiszka [mailto:jan.k...@siemens.com]
> Sent: Thursday, March 08, 2018 7:08 PM
> To: Vutla, Lokesh; Devshatwar, Nikhil; Claudio Scordino
> Cc: Ralf Ramsauer; Mills, William
> Subject: Re: [EXTERNAL] Re: Reference about Jailhouse w/out Linux
>
> On 2018-03-08 14:23, Lokesh Vutla wrote:
> > Hi Jan,
> >
> > Thanks a lot for sharing your views :)
> >
> > On Thursday 08 March 2018 06:41 PM, Jan Kiszka wrote:
> >> Hi all,
> >>
> >> just to clarify this again, because we were already discussing the
> >> boot with safety experts and assessors:
> >>
> >> "Root cell dependency is a problem for safety certifying Jailhouse
> >> - Failure in the root_cell bootup leads to failure in all VMs"
> >>
> >> Safety does - in most of the cases - NOT involve the boot/setup in
> >> the same way as the operational mode. You need to validate that you
> >> are in a safe state, likely periodically revalidate that, but you do
> >> not need to prove that you have been in a safely operational state
> >> along the whole
> >
> > What if the root cell crashes after the hypervisor is up and running?
> > At this point we do not have any control over the other VMs. IIUC, we
> > are just trying to remove the dependency on the root cell at any point in time.
>
> First of all, you will not lose the safety-critical cells this way.
> True, if they should also crash (but, well, ...), you won't be able to restart them.
> You will also lose any (hopefully) non-critical feature that the root cell provided
> to other cells. But that's it. With proper monitoring of the root cell, safety cells
> will be able to react to such situations and do a safe shutdown / restart of the
> whole system.
>
> But if you are looking for more sophisticated runtime control, you cannot solve
> the problem without an active root cell anyway. Boot-time partitioning is
> inherently static (bootloaders are history after the boot). So, an alternative to
> Linux could be booting a small, certifiable RTOS as root cell.
>
> But can we now carry this thread on the list? It's otherwise easily lost in local
> mailboxes.
>
> >
> >> boot chain. Given that most bootloaders are far from being safety
> >> certifiable (low-quality code, non-conforming development processes -
> >> or both), Linux makes no difference here (better: it would have a
> >> chance to become certified). I just like to avoid that this
> >> misunderstanding is spread.
> >>
> >> The third isn't true either: In safety setups, you will never do any
> >> dynamic creation/destruction of cells. You will only set up the cells
> >> once, and then possibly reload individual ones without changing
> >> resource assignments. Again, this has been discussed with safety
> >> experts. Please also avoid this misunderstanding.
> >>
> >> BTW, if you can provide a safety certifiable multicore A-class
> >> platform with all the required manuals, we would immediately resume
> >> our certification project of a reference safety case we have in our
> >> drawer. :)
> >>
> >> The first reason has valid use cases in certain (not our) scenarios.
> >> For that alone, looking for boot-time partitioning options is a worthwhile goal!
> >>
> >> Thanks,
> >> Jan
> >>
> >> PS: Will anyone of you happen to be at Linaro Connect or ELC NA?
> >
> > Me, Nikhil, and William will be at Linaro Connect. I certainly look
> > forward to this Connect so that we can discuss more on this topic.
> >
>
> Great, looking forward!
>
> Jan




> -----Original Message-----
> From: Vutla, Lokesh
> Sent: Thursday, March 08, 2018 6:53 PM
> To: Jan Kiszka; Devshatwar, Nikhil; Claudio Scordino
> Cc: Ralf Ramsauer; Mills, William
> Subject: Re: [EXTERNAL] Re: Reference about Jailhouse w/out Linux
>
> Hi Jan,
>
> Thanks a lot for sharing your views :)
>
> On Thursday 08 March 2018 06:41 PM, Jan Kiszka wrote:
> > Hi all,
> >
> > just to clarify this again, because we were already discussing the
> > boot with safety experts and assessors:
> >
> > "Root cell dependency is a problem for safety certifying Jailhouse
> > - Failure in the root_cell bootup leads to failure in all VMs"
> >
> > Safety does - in most of the cases - NOT involve the boot/setup in the
> > same way as the operational mode. You need to validate that you are in
> > a safe state, likely periodically revalidate that, but you do not need
> > to prove that you have been in a safely operational state along the
> > whole
>
> What if the root cell crashes after the hypervisor is up and running?
> At this point we do not have any control over the other VMs. IIUC, we are just
> trying to remove the dependency on the root cell at any point in time.
>
> > boot chain. Given that most bootloaders are far from being safety
> > certifiable (low-quality code, non-conforming development processes -
> > or both), Linux makes no difference here (better: it would have a
> > chance to become certified). I just like to avoid that this
> > misunderstanding is spread.
> >
> > The third isn't true either: In safety setups, you will never do any
> > dynamic creation/destruction of cells. You will only set up the cells
> > once, and then possibly reload individual ones without changing
> > resource assignments. Again, this has been discussed with safety
> > experts. Please also avoid this misunderstanding.
> >
> > BTW, if you can provide a safety certifiable multicore A-class
> > platform with all the required manuals, we would immediately resume
> > our certification project of a reference safety case we have in our
> > drawer. :)
> >
> > The first reason has valid use cases in certain (not our) scenarios.
> > For that alone, looking for boot-time partitioning options is a worthwhile goal!
> >
> > Thanks,
> > Jan
> >
> > PS: Will anyone of you happen to be at Linaro Connect or ELC NA?
>
> Me, Nikhil, and William will be at Linaro Connect. I certainly look forward to
> this Connect so that we can discuss more on this topic.
>
> Thanks and regards,
> Lokesh
>
> >
> > On 2018-03-08 13:52, Devshatwar, Nikhil wrote:
> >> Hi all,
> >>
> >> +Lokesh (also from TI)
> >>
> >>
> >>
> >> Yes, I have tried to do a Proof of concept to try and bootup
> >> Jailhouse w/o Linux
> >>
> >> I have a small write-up on it, attaching it here.
> >>
> >> https://gist.github.com/nikhildevshatwar/e17121c1355422a61fddaa52615fc7a9
> >>
> >>
> >>
> >> Since I didn't have any code, I was staying back from starting any
> >> discussion.
> >>
> >> I have implemented this on a simulator platform. Now I am trying to
> >> port this on a QEMU machine.
> >>
> >> I do plan to disclose the code, in fact would want this to be
> >> integrated in Jailhouse.
> >>
> >>
> >>
> >> Note that this is done as part of a baremetal app outside Jailhouse.
> >>
> >> We can integrate this in the Jailhouse repo as a jailhouse-loader.
> >>
> >>
> >>
> >>
> >>
> >> Regards,
> >>
> >> Nikhil D
> >>
> >>
> >>
> >> From: Claudio Scordino [mailto:cla...@evidence.eu.com]
> >> Sent: Thursday, March 08, 2018 5:10 PM
> >> To: Devshatwar, Nikhil
> >> Cc: Jan Kiszka; Ralf Ramsauer
> >> Subject: [EXTERNAL] Re: Reference about Jailhouse w/out Linux
> >>
> >>
> >>
> >> Hi Nikhil,
> >>
> >>
> >>
> >> nice to meet you.
> >>
> >>
> >>
> >> 2018-03-07 18:15 GMT+01:00 Ralf Ramsauer <ralf.r...@oth-regensburg.de>:
> >>
> >>>>
> >>>> My colleague Stefano told me that he has briefly discussed this
> >>>> topic with you at Embedded World, and you have mentioned that
> >>>> somebody has already looked at how to run Jailhouse without Linux.
> >>>> Can you please provide me with a reference about the ongoing work on this topic?
> >>>
> >>> Adding Ralf to the thread who was chatting with someone from TI
> >>> about that. Ralf, who was it and what is the status in discussing
> >>> their work in a broader audience.
> >> Yep, that's Nikhil. Nikhil successfully booted Jailhouse without
> >> Linux by starting a tiny comp-layer app from u-boot that bootstraps
> >> an environment where Jailhouse feels happy.
> >>
> >> Nikhil, feel encouraged to discuss the whole topic on the ML. I think
> >> it's really worth discussing that.
> >>
> >>
> >>
> >> Yes, please.
> >>
> >>
> >>
> >> If you are not going to discuss it on ML, can you please at least
> >> give me some insights about your work ?
> >>
> >> Do you plan to eventually disclose the code ?
> >>
> >>
> >>
> >> Many thanks and best regards,
> >>
> >>
> >>
> >> Claudio
> >>
> >>
> >>

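Jan's point above, that safety cells can survive a root-cell crash if they monitor it and then perform a safe shutdown or restart, is easy to state and worth seeing as code. The following is an added illustration written for this thread; it is not Jailhouse code and not Nikhil's loader. It assumes a conventional heartbeat design: the root cell increments a counter in a shared-memory word that a safety cell can read (how that word is mapped is platform-specific and not shown), and the safety cell samples it on its own timer tick. The names `root_monitor`, `root_monitor_tick` and `simulate` are hypothetical, and the sample trace is constructed.

```c
/*
 * Root-cell liveness monitor for a safety cell (added example, not Jailhouse
 * code). Assumption: the root cell bumps a heartbeat counter in shared memory;
 * the safety cell samples it once per tick and, if it stops advancing for
 * `deadline_ticks` ticks, declares the root cell dead and enters its safe state.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum root_state { ROOT_ALIVE, ROOT_SUSPECT, ROOT_DEAD };

struct root_monitor {
    uint32_t last_counter;            /* last heartbeat value observed */
    uint32_t stale_ticks;             /* consecutive ticks with no progress */
    uint32_t deadline_ticks;          /* ticks tolerated without progress */
    enum root_state state;
    void (*enter_safe_state)(void *); /* reaction: safe shutdown / restart */
    void *ctx;
};

void root_monitor_init(struct root_monitor *m, uint32_t deadline_ticks,
                       void (*enter_safe_state)(void *), void *ctx)
{
    m->last_counter = 0;  /* heartbeat word assumed zeroed before the root cell boots */
    m->stale_ticks = 0;
    m->deadline_ticks = deadline_ticks;
    m->state = ROOT_ALIVE;
    m->enter_safe_state = enter_safe_state;
    m->ctx = ctx;
}

/* One safety-cell timer tick; `counter` is the heartbeat value just read.
 * The ROOT_DEAD verdict latches: a heartbeat that reappears later does not
 * silently clear the fault, recovery has to be an explicit restart. */
enum root_state root_monitor_tick(struct root_monitor *m, uint32_t counter)
{
    if (m->state == ROOT_DEAD)
        return ROOT_DEAD;

    if (counter != m->last_counter) {
        /* any change counts as progress, so counter wraparound is harmless */
        m->last_counter = counter;
        m->stale_ticks = 0;
        m->state = ROOT_ALIVE;
        return m->state;
    }

    m->stale_ticks++;
    if (m->stale_ticks >= m->deadline_ticks) {
        m->state = ROOT_DEAD;
        if (m->enter_safe_state)
            m->enter_safe_state(m->ctx);   /* invoked exactly once */
    } else {
        m->state = ROOT_SUSPECT;
    }
    return m->state;
}

/* Reaction used by the simulation: count how often the safe state was entered. */
static void count_safe_state(void *ctx) { (*(int *)ctx)++; }

/* Drive the monitor with a constructed sample sequence, one value per tick.
 * Returns the tick index at which the root cell was declared dead, or -1. */
int simulate(const uint32_t *samples, size_t n, uint32_t deadline_ticks,
             int *safe_state_calls)
{
    struct root_monitor m;
    int dead_at = -1;
    *safe_state_calls = 0;
    root_monitor_init(&m, deadline_ticks, count_safe_state, safe_state_calls);
    for (size_t i = 0; i < n; i++) {
        enum root_state s = root_monitor_tick(&m, samples[i]);
        if (s == ROOT_DEAD && dead_at < 0)
            dead_at = (int)i;
    }
    return dead_at;
}

int main(void)
{
    /* constructed trace: root cell beats, hangs for a while, then comes back */
    const uint32_t trace[] = { 1, 2, 3, 3, 3, 3, 3, 4 };
    int calls = 0;
    int dead_at = simulate(trace, sizeof trace / sizeof trace[0], 3, &calls);
    printf("root cell declared dead at tick %d, safe state entered %d time(s)\n",
           dead_at, calls);
    return 0;
}
```

The design choice worth noting is the latch: once the monitor has entered the safe state it stays there even if the root cell's heartbeat resumes, so a transient hang cannot flip the system back to normal operation without an explicit, checked restart. This matches the static-partitioning view in the thread, where cells are set up once and only reloaded deliberately rather than re-created on the fly.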
Peng Fan

Mar 12, 2018, 3:38:08 AM
to Devshatwar, Nikhil, Jan Kiszka, Vutla, Lokesh, Claudio Scordino, jailho...@googlegroups.com, Ralf Ramsauer, Mills, William
Hi Nikhil,
On Thu, Mar 08, 2018 at 02:36:58PM +0000, 'Devshatwar, Nikhil' via Jailhouse wrote:
>Adding the conversation to the Jailhouse mailing list
>Converted the attachment to github gist
>https://gist.github.com/nikhildevshatwar/e17121c1355422a61fddaa52615fc7a9

Previously, I was thinking of taking an RTOS (FreeRTOS, RTEMS or Zephyr) as root cell,
but I did not come up with a good choice (:. Seems FreeRTOS has A53 support, not sure about
SMP.

From your PoC, what's the benefit of using a baremetal app compared with
an RTOS?

Another question: Why "Finally load and run the root cell"?

Thanks,
Peng.
