Hypervisors Bring Greater Security to Arm Cortex-A Thinkstock

Hypervisors Step Up Security for Arm Cortex-A

The Arm TechCon conference spotlighted some of the latest hypervisor advances targeting Arm Cortex-A platforms.

The 64-bit, Arm Cortex-A ARMv8 architecture supports virtual machines (VMs), but it requires hypervisor software to deliver this functionality. Hypervisors, which can provide isolation between VMs, typically support VMs that run operating systems or bare-metal applications.

Seen at this year’s Arm TechCon conference was Lynx Software’s LynxSecure Separation Kernel Hypervisor running on Xilinx’s latest Zynq UltraScale MPSoC, which has quad Arm Cortex-A53s and a pair of Cortex-Rs. The hypervisor runs on the Cortex-A53 complex and supports LynxSecure Applications (LSA). LSA.connect is an LSA that provides secure communication between domains (Fig. 1).

1. Lynx Software’s hypervisor offers isolation between VMs, while LSA.connect provides secure communication between domains.

The system can also utilize private memory communication links between VMs. This approach allows one VM to write data that’s read-only at the other end (Fig. 2). The LynxSecure Separation Kernel Hypervisor is a Type 0 hypervisor designed for safe and secure applications. Lynx Software provides certification artifacts and certification professional services to assist in security system evaluations.

Green Hills Software’s Integrity Multivisor takes advantage of virtualization hardware acceleration built into ARMv8-A architecture platforms as well as Intel Virtualization Technologies (Intel VT-x and VT-d) for both 32- and 64-bit processors.

Integrity Multivisor can also virtualize peripherals like GPUs. This allows multiple displays to support multiple windows associated with different VMs. A crashed or corrupted VM will only affect its own windows and not those of other VMs. Moreover, the system is able to guarantee resource usage so that critical tasks can continue to run even if other VMs want to use more time, memory, or GPU resources.

2. One-way private memory communication links between VMs can be implemented using shared memory, where one VM can write data that’s read-only at the other end.

Red Hat Enterprise Linux (RHEL) is well-known in the cloud and enterprise data centers, but the operating system has features that make it desirable for embedded applications like IoT gateways. It also includes KVM (kernel-based virtual machine) support. Like the other platforms, it supports ARMv8-A architectures as well as Intel Virtualization Technologies.

One of RHEL’s strengths is the VM management support. It’s very scalable, handling up to 288 logical CPUs and 12 TB of memory per host. Guest VMs can support up to 240 virtual CPUs and 6 TB of RAM. RHEL also handles SELinux and sVirt capabilities with mandatory access controls (MAC) for enhanced VM and hypervisor security.

These hypervisors support single-root I/O virtualization (SR-IOV). SR-IOV devices are typically network devices that allow host-level management and pass-through to VMs. This increases network throughput while decreasing latency and CPU overhead for near bare-metal performance.

Arm Cortex-A platforms are being asked to do more. Having secure, high-performance hypervisors allows them to address safety- and security-critical applications from self-driving cars and avionics to IoT infrastructure.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.