Small footprint open source hypervisor

Jon Lawson

Imagination Technologies has teamed up with German embedded software developer Kernkonzept to port the open source L4Re hypervisor to the MIPS architecture.

The small footprint L4Re hypervisor, maintained by Kernkonzept, can take advantage of the hardware virtualisation technology in MIPS CPUs for more efficient context switching and better use of CPU cycles, leading to improved application headroom.

Hardware virtualisation is quickly gaining attention beyond its traditional home in the data-centre for the benefits it provides across numerous application areas from IoT to consumer to automotive to industrial and beyond. With this technology, connected devices can be designed with numerous distinct domains in which multiple operating systems and applications can run independently at the same time on a single platform.

Built into the latest MIPS CPUs, including the Creator Ci40 evaluation board, Imagination’s OmniShield technology leverages hardware virtualisation to enable the creation of multiple domains on a single SoC. The L4Re operating system is an ideal match: it works with systems that need to consolidate multiple applications with differing security, safety, or real-time requirements. With OmniShield-enabled MIPS CPUs, the L4Re hypervisor makes it possible for multiple isolated tenants or guests to run on the same host, authorising access to on-chip resources, prioritising use of shared resources, allocating and managing service interrupts from external sources and peripherals, and more.

“As Imagination continues to expand its MIPS ecosystem and OmniShield security offerings, we are delighted to work with Kernkonzept to bring the proven, highly efficient L4Re hypervisor to MIPS,” said Jim Nicholas, executive vice president for MIPS Processor IP at Imagination. “Open source technologies like L4Re, where entire communities are responsible for developing and maintaining the code, can lead to inherently more reliable systems. We’re seeing a great deal of interest in L4Re for MIPS.”

The L4Re operating system is an open-source system framework for building applications with real-time, security, safety, and virtualization requirements. The L4Re system is built on the principle of a minimal Trusted Computing Base: minimize an application’s attack area by modularization and by reducing its dependencies. It consists of the L4Re hypervisor/microkernel, user-level infrastructure for building trusted native L4Re microapps, and virtual-machine support for running various standard OSes in isolated compartments.

“Our engagement with Imagination is extremely collaborative, and has already led to great value for both companies,” said Michael Hohmuth, CEO of Kernkonzept. “The collaboration is enabling us to take the L4Re operating system into new areas. This technology is already quite strong in areas including government and military. Now it’s making its way into embedded markets such as Wi-Fi routers, cable set-top boxes, home gateways, and automotive where MIPS CPUs have a strong presence.”

The open source prpl Foundation, with its members Imagination and Kernkonzept, worked to create a demonstration vehicle that enables companies to see and try out the capabilities of hardware virtualization for themselves. It illustrates the power of a separation-based architecture in providing reliability and ease of development for next-generation connected devices.

The demonstration builds on prpl’s proof-of-concept demonstration earlier this year of its prplSecurity framework—a comprehensive collection of open source APIs providing hardware-level security controls. That was one of the first public demonstrations of hardware enforced multi-tenant OpenWrt, the Linux distribution at the heart of most of the world’s home gateways.

The new demonstration features several domains including two instances of OpenWrt – one that isolates the Wi-Fi radio, and another that enables access to networking devices. With evolving Wi-Fi channel and frequency regulations, it’s important to ensure the radio is completely isolated, while letting users update their OS and install their own applications on the system. Additional domains can be used for provisioning of third party services such as those from operators and service providers.

The L4Re hypervisor for MIPS is available now at www.kernkonzept.com/download.html. Kernkonzept also provides a supported version of the L4Re hypervisor.