Jailhouse Hypervisor - the perfect solution for [heterogeneous] Multi-Core architectures, embedded and realtime requirements
What is Jailhouse?
Jailhouse is an open-source hypervisor which has been developed since 2014. Right from the beginning, the design specifically focused on isolated real-time applications (i.e. bare-metal or RTOS-based) and certifiable software.
Why another hypervisor?
The Jailhouse hypervisor was created for industrial applications. To provide an appropriate base for certifiable software, its design has deliberately been reduced to essential features: for each supported architecture, the source code comprises fewer than 10,000 lines of code. This is achieved by a simple, yet very effective method. First, the system is booted with the help of Linux; the type-1 hypervisor is then loaded at runtime. This Linux system, also called the root cell, remains the controlling and managing instance.
Jailhouse has been developed under the GPLv2 open-source licence, and is therefore unique both with regard to real-time capability and open-source features. Its use is therefore not linked to a particular manufacturer. In addition, its past and future development (including relevant quality assurance measures such as static code analysis) can be monitored and understood by everyone.
How does Jailhouse work?
Jailhouse partitions a multi-core system into so-called “cells”, whereby a cell consists of at least one core. This is done by using the virtualization features provided by the CPU, i.e. the available resources are statically partitioned and allocated to each guest operating system.
“Cell” is the Jailhouse term for the individual guest operating systems. A cell comprises the combination of CPU, memory and I/O resources that were allocated to the guest operating system. Jailhouse configures and controls access to the peripherals and the individual memory areas, depending on how the cell was defined. The applications running in the cells or guest operating systems are called inmates. At runtime, cells can be started and stopped as desired.
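The static partitioning described above can be audited before a layout is deployed. The following C sketch is an added example, not code from Jailhouse or from this article: the struct layout, the MEM_SHARED flag and the sample addresses are assumptions made for illustration. It checks that every cell owns at least one core, that no core belongs to two cells, and that memory regions of different cells overlap only where both sides mark the region as shared.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only; these are not Jailhouse's configuration structures. */
#define MEM_SHARED 0x1u  /* hypothetical flag: region deliberately shared */
enum { ERR_NO_CPU = 1, ERR_CPU_SHARED = 2, ERR_MEM_OVERLAP = 4 };

struct mem_region { uint64_t start, size; uint32_t flags; };
/* cpu_mask: bit n set means core n belongs to the cell */
struct cell { const char *name; uint64_t cpu_mask; size_t num_regions; struct mem_region regions[4]; };

/* True if the half-open intervals [start, start + size) intersect. */
static int overlap(const struct mem_region *a, const struct mem_region *b)
{
    return a->start < b->start + b->size && b->start < a->start + a->size;
}

/* Returns 0 for a sound static partitioning, else a bitmask of ERR_* findings. */
int audit_partitioning(const struct cell *c, size_t n)
{
    int findings = 0;
    for (size_t i = 0; i < n; i++) {
        if (c[i].cpu_mask == 0) findings |= ERR_NO_CPU;   /* cell without a core */
        for (size_t j = i + 1; j < n; j++) {
            if (c[i].cpu_mask & c[j].cpu_mask) findings |= ERR_CPU_SHARED;
            for (size_t a = 0; a < c[i].num_regions; a++)
                for (size_t b = 0; b < c[j].num_regions; b++) {
                    const struct mem_region *ra = &c[i].regions[a], *rb = &c[j].regions[b];
                    /* an overlap is acceptable only if both cells flag it as shared */
                    if (overlap(ra, rb) && !(ra->flags & rb->flags & MEM_SHARED))
                        findings |= ERR_MEM_OVERLAP;
                }
        }
    }
    return findings;
}

/* Constructed sample layouts: "good" shares only a flagged window, "bad" leaks. */
static const struct cell good[] = {
    { "root", 0x3, 2, { {0x00000000, 0x40000000, 0}, {0x7f000000, 0x100000, MEM_SHARED} } },
    { "rtos", 0xc, 2, { {0x40000000, 0x10000000, 0}, {0x7f000000, 0x100000, MEM_SHARED} } },
};
static const struct cell bad[] = {
    { "root", 0x3, 1, { {0x00000000, 0x40000000, 0} } },
    { "rtos", 0x6, 1, { {0x3ff00000, 0x00200000, 0} } },
};

int main(void)
{
    printf("good=%d bad=%d\n", audit_partitioning(good, 2), audit_partitioning(bad, 2));
    return 0;
}
```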
What are its areas of use?
In the IT world, hypervisor solutions (virtualization) have been used for many years. Here, they are designed to effortlessly scale, migrate and port systems. This allows for the dynamic adaptation of systems to the current load situation, and to transfer them to new hardware with little effort.
Many of these advantages can be used in an industrial environment, in areas such as Software Defined Radio. However, the main priority is always on consolidation, for example in automation. Solutions which up until now have been distributed across different hardware can now be consolidated on one multi-core CPU, and “old” systems (bare-metal or old operating systems) can continue to be used. In this way, HMI (GUI), real-time and PLC or certified programs can co-exist and be used on one hardware system.
Even the scaling of computing power within one manufacturing site may be feasible and no longer a vision of the future. Single, decentralized control systems can operate with less computing power. This is delivered “centrally” and available on demand when it is actually needed. Such a scenario exactly reflects the status which has long been established in the IT environment. These approaches are making their way into the industrial sectors and are known as fog or edge computing (centralized data storage and computing power “close” to the machine). And just like in IT, hypervisors are used here, too. The scope of this approach and its added value has been examined, among others, in the research project piCASSO.
Data integrity and security
Another aspect supporting the use of hypervisors is that of protecting the systems. By operating different software on the virtual machines of a hypervisor, these are optimally separated from each other (unlike, for example, with container-based approaches). This is a significant advantage in case the VM is attacked, since all other cells are not affected by this and/or a spreading to other cells is not possible. This is a desired side effect to improve security. At the same time, stability is increased, as the crashing or malfunctioning of a cell does not affect the other cells. In fact, this even allows for guest cells to continue operating as usual even if the root cell (i.e. the management level) is malfunctioning.
Of course, the hypervisor does not replace a security concept for the individual components; it’s simply additional support. A security concept also comprises a trustworthy software chain, ranging from the First Stage Boot Loader (FSBL) to the actual boot loader program to the systems running in a cell. The chain consisting of FSBL, a boot loader such as U-Boot, Linux etc. can manage and execute signed modules. In this way, it is guaranteed that only trustworthy and authenticated software is used.
If protection by software alone is not sufficient, hardware-based methods such as HSM, TPM or TrustZone can additionally be applied. If the update of the system software can only be carried out using signed software, this results in a secure system. Further ways of increasing system security, e.g. the continuous self-monitoring of the root cell, are possible. Although Jailhouse uses technologies such as TrustZone for its own purposes, TrustZone can also be installed for use within the individual cells!
Real-time capability
Jailhouse has been designed so that, with appropriate CPU support, there is no need for the hypervisor to interfere. First, this allows for a deterministic time response, and second, for latencies in the individual cells to be almost identical to the values which can be achieved without the use of a hypervisor. Measurements in typical practical applications support the fact that the additional latency in the individual cells remains in the low single-digit microsecond range.
Picture 1 shows a latency measurement on a Zynq Ultrascale+ platform. The deviation of a cyclic task with an interval of 200 microseconds and 100% CPU load was measured on a native Linux system using the real-time extension PREEMPT_RT. This resulted in a worst-case deviation of 23 microseconds.
Picture 2 shows the same measurement; this time, however, within a Jailhouse cell to which 2 CPU cores have been assigned. The Linux system with PREEMPT_RT in this cell was configured identically to the native Linux system used for the first measurement. The maximum deviation in this set-up was 26 microseconds. The hypervisor therefore added a latency of only 3 microseconds! There are similar results with other platforms. A comparable experiment design on an Intel Xeon system revealed only about 1 microsecond of additional latency in the Jailhouse cell. The Jailhouse approach therefore demonstrates: Real-time and virtualization are compatible, allowing maximum system security.
Functional safety
By reducing functionality to the absolute basics and using a very small code base, some fundamental cornerstones for future use in safety-critical systems have been laid. In addition to these minimum requirements, Jailhouse offers further features relevant to this area of use. For example, communication between individual cells is enabled, e.g. for status monitoring. Furthermore, cells can be configured in a way that they ignore root cell decisions and/or block a critical decision, such as a system shutdown (vote over management decisions).
Next to the available technical functions, the feasibility of a certification in a safety-critical environment, together with a certification authority, has been examined and generally been positively viewed.
Supported platforms
Currently, Jailhouse supports the x86 architecture, as well as ARMv7 and ARMv8. There are already ready-made configurations for use on a number of SoCs and associated development boards, which allow for a fairly easy evaluation of Jailhouse. Accordingly, the Jailhouse repository includes examples for the NVIDIA Jetson TK1 kit, for the Banana PI, for the Versatile Express platform and also for the ZCU102 kit with Zynq Ultrascale+ processor (and many more). Recently, support for NXP iMX7 and iMX8 as well as LSxxx CPUs and TI AM6xxx has been added, to name just a few. There are also examples available for use with the QEMU emulator. This allows for the easy integration of the technology without the need for suitable target hardware.
Evolution of Jailhouse
Jailhouse is being actively developed further by a growing community. Besides the Siemens company (which initiated the project and has continued to develop it until today), well-known companies such as Huawei, ARM and AMD have joined this project. Linutronix has also participated in further developing Jailhouse by supporting the piCASSO research project. This, for example, included the integration of the libvirt library, allowing for Jailhouse to be used with existing monitoring and configuration tooling from the IT world. Regarding the use of different guest operating systems, the company is continuously striving to reduce the effort for the user. For example, with version 4.16 the required adaptations to start Linux in a Jailhouse cell have now reached the main branch of development.
Our services
Benefit from our many years of experience and our contacts into the open-source community! We will not only help you to configure Jailhouse for use on your platform and to customize it for your applications. We assist you with the necessary extensions and the required basic conceptual work.
And in case Jailhouse is not the suitable technology for your applications: We have been dealing with the real-time and virtualization topics for many years. Together, we will find a suitable concept for you!
If you would like more information about our offer for the jailhouse hypervisor or specifically for the Xilinx UltraScale+ CPU, please contact us via: sales@linutronix.de
Hi Heinz, have you also compared this thing against ACRN?