Jan Stojaspal reports on advances in virtualization technologies that could enable apps and safety-critical functions to share the same hardware without disrupting each other
When it comes to building in-vehicle infotainment systems around third-party apps, there is hardly anything that scares car makers more than the idea of a badly written app interfering with the vehicle’s safety-critical functions or providing an opening for a hacker attack.
As a result, carmakers have been slow to embrace apps and extremely cautious as to what they end up selecting to run on their in-vehicle infotainment (IVI) platforms.
They may soon be able to rest a little easier thanks to advances in virtualization technologies that make it possible for apps and safety-critical functions like rear-view camera and navigation to share the same hardware without danger of one disrupting the other.
The technological advances have been chiefly driven by the growing complexity of IVI systems, the increasing importance of open-source operating systems like Linux and Android in the automotive space, and attempts by OEMs to lower costs by folding the dozens of electronic control units that control everything from engine performance to electric windows into a handful of processors.
But Wind River, one of the mobile and embedded software companies to have introduced automotive virtualization, believes the technology may also result in greater openness of automotive platforms to third-party content, though only passengers in the rear seat may benefit at first. (For more on rear seat solutions, see The great telematics face-off: Tablets vs. rear screens and Telematics and infotainment: Designing rear-seat solutions.)
According to the Alameda, California-based company, virtualization will result in innovative IVI that allows owners to download content and applications without subjecting it to rigorous safety testing. Wind River technology does this by decoupling the lifecycles of certified versus non-certified applications, thereby reducing ongoing system certification costs while enabling reduced device size, weight and power consumption.
The idea of partitioning a hardware platform into isolated run-time environments is hardly new. Virtualization emerged in the 1960s when it was used to run multiple tasks on mainframe computers. More recently, the technology was embraced by the aerospace and defense industries as a way to lower hardware costs while safeguarding the integrity of mission-critical controls.
Now the automotive industry is starting to take closer look, though adoption of the technology is still largely at a proof-of-concept stage. A project called the Open Vehicular Secure Platform (OVERSEE) could demonstrate that the more advanced hardware platforms currently in use by the automotive industry are already powerful enough to support virtualization.
A mix of critical apps
Funded by the European Commission and made up of eight European partners, four academic and four industrial, OVERSEE plans simulations in which a third-party app running in a virtualized environment on top of an Intel Atom-based hardware board crashes. The point: To demonstrate that the app failure will not impair an emergency call solution running in a different partition on the same board.
“Our goal is to show that it is possible to have on a current automotive platform … a mixture of applications of different criticality, and that they can sit side by side in a secure way,” says Jan Holle, a member of the chair for data communications systems at the University of Siegen, Germany, an OVERSEE partner.
Early this year, Wind River showcased how two animations running in separate partitions of a single platform could safely share access to 3D accelerated graphics.
The firm outlined three basic partitions: safety-critical functions (rear-view camera, telematics, proprietary vehicle bus standards), trusted applications (navigation, human-machine interface (HMIs), radio, telephone), and untrusted applications (media players, app store downloads, Web browser). (For more on HMIs, see Industry insight: Telematics and the human-machine interface.)
Currently, each function more or less has its own electronic control unit (ECU) or processor. And that makes sense for things like instrument clusters and IVI systems, according to Andy Gryc, automotive marketing manager for QNX Software Systems.
One reason is that these systems typically have different life cycles within the vehicle; instrument clusters tend to last longer, and building them together with other systems would limit the OEM's flexibility in planning future model releases. Another reason is that there are typically different groups within each OEM specifying the components.
“That means that each box is usually provided by different suppliers, who may have expertise in one area but not the other,” Gryc says. “Having two different specs and suppliers means an OEM can usually get the best overall system for the best price on both components.”
But there are other functions that can be brought under one roof at a significant cost saving plus other benefits, and this is what Volkswagen set out to explore when it became one of OVERSEE’s industrial partners.
There is a strong financial incentive in doing that, even if hardware capable of running isolation technologies costs more because of the additional memory and processing power.
“We hope that we can integrate many functions in one ECU and thus achieve package advantages,” says Mario Navarro Martinez, who is responsible for driver information systems, security and connectivity in the Volkswagen research department. “Also we can reduce the number of plugs and wires, which also results in weight advantages and therefore finally in reduction of CO2 emissions.”
But it will take years before the technology becomes part of the vehicle, since it is one thing to simulate it in a research lab and another to finalize industrial-grade designs. “We think that virtualization is a very good technology to improve the isolation of several functionalities in one ECU, but we cannot say at this time how secure this technology is in the real [industrial grade] ECU,” Navarro Martinez adds. “There are many open questions.”
Virtual machine managers
Hypervisors are one way to consolidate multiple systems on a single platform. Used by both OVERSEE and Wind River, hypervisors are real-time virtual machine managers running directly on the hardware platform and ensuring that partition content keeps to its assigned memory space, CPU usage, and rules governing communication between partitions.
OVERSEE’s hypervisor is called XtratuM, and it has been adapted from a solution developed by the Real-Time System Group of the Institute of Control Systems and Industrial Computing of the Polytechnic University of Valencia for the European satellite market.
Wind River’s hypervisor draws on the company’s experience in the aviation and defense industries, is custom-built to provide integration with Wind River Linux and VxWorks, and leverages virtualization hardware-assist features on Intel and PowerPC.
Another way to provide secure access to shared resources is to build partitions on top of Linux through what is called Linux Containers. This approach makes the sharing of system resources like graphics and sound easier, but it also makes the system more vulnerable to malicious attack, some believe.
“Because Linux Containers run on a Linux kernel, it means that if a person wants to attack the Linux kernel and there are possibilities to do that, then the Linux Containers are affected as well,” says Franz Walkembach, senior product manager, open source platforms, at Wind River. (For more on Linux from Rudolf Streif, director of embedded solutions for The Linux Foundation, see Telematics and app development: The advantages of open innovation.)
Safeguards and security
In May, MontaVista released Linux Containers as part of its MontaVista Automotive Technology Platform (ATP) 2.0. Although the company believes the solution to be secure enough for most applications, it also offers the option of Security-Enhanced Linux, originally developed by the US National Security Agency to run a highly secure role-based access control environment.
“By writing the proper policies, you completely control which tasks are allowed to access which devices and which ports, and you can completely lock down a system and make it very, very secure,” says Dan Cauchy, vice president and general manager of MontaVista’s automotive business unit. The more safeguards, the more secure the solution, since malware can be downloaded through other connected devices or content, not just from apps in the cloud.
Still, these different layers of security may not be enough to sway car makers in Europe and the United States to throw their systems wide open to third party apps the way the smartphone industry has done. There are simply too many driver distraction, liability and branding issues to consider. (For more on distraction, see DOT’s distraction guidelines as challenge and opportunity, What DOT’s new distraction guidelines mean for telematics and Distraction guidelines as a telematics business opportunity.)
It may be enough in places like China, however, where driver-safety issues are much less prominent and where drivers are already free to install whatever they please on some of the head units on the market.
“It is not going to happen,” says Roger Lanctot, associate director, automotive multimedia & communications service, at Strategy Analytics. “Car-makers in partnership with suppliers will have to vet and approve all apps so there is no chance for a ‘rogue app’ to be downloadable into the car.”
Gryc is also doubtful: “It isn’t just all about security. It‘s also about what the OEM is doing in terms of brand management of their vehicle, [and even] more importantly what they are doing from a liability standpoint, from a driver distraction standpoint … I don’t think it will ever become a Wild West, where any third-party app developer would get a chance to put [an app] onto the box just because you are running some kind of a containerized format that makes it all safe. The car-maker will never allow that, because you don’t want to have somebody putting Angry Birds or whatever in the dash.”
Jan Stojaspal is a regular contributor to TU.
For more on connected cars, see Industry insight: Telematics and apps.
For more on virtualization technology, visit Content & Apps for Automotive Europe 2013 on June 18-19 in Munich.
For all the latest telematics trends, check out Telematics India and South Asia 2013 on April 17-18 in Bangalore, Insurance Telematics Europe 2013 on May 7-8 in London, Data Business for Connected Vehicles Japan 2013 on May 15-16 in Tokyo, Telematics Detroit 2013 on June 5-6, V2V & V2I for Auto Safety USA 2013 on July 9-10 in Novi, MI, Insurance Telematics USA 2013 on September 4-5 in Chicago, Telematics Russia 2013 on September 9-10 in Moscow and Telematics Munich 2013 on November 11-12.
For exclusive telematics business analysis and insight, check out TU’s reports: In-Vehicle Smartphone Integration Report, Human Machine Interface Technologies and Smart Vehicle Technology: The Future of Insurance Telematics.
In the second of a two-part series, Susan Kuchinskas reports on making in-car apps pay.
In the first of a two-part series, Susan Kuchinskas reports on making in-car apps pay.
Apple launches a new iOS with a replication interface for in-car touchscreens as Google acquires Waze. Andrew Tolve reports.
Derek Joyce, manager of product public relations, Hyundai Motor America, on augmenting the automotive human-machine interface with gesture controls.
Steven H. Bayless, senior director, telecommunications and telematics at the Intelligent Transportation Society (ITS) of America, on why a common platform for vehicle communications will provide more opportunity for the industry than individual OEM solutions
Crispin Moger, managing director of the Marmalade Group of Companies, on targeting usage-based insurance to an underserved audience