SgInt: Safeguarding Interrupts for Hardware-Based I/O Virtualization for Mixed-Criticality Embedded Real-Time Systems Using Non Transparent Bridges

  • Daniel Münch
  • Michael Paulitsch
  • Oliver Hanka
  • Andreas Herkersdorf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9017)


Safety-critical systems, and in particular systems with higher functional integration such as mixed-criticality systems in avionics, require safeguards ensuring that functionalities cannot interfere with each other. A notably underestimated issue is I/O devices and their (message-signaled) interrupts. Message-signaled interrupts are the omnipresent type of interrupt in modern serial high-speed I/O subsystems. These interrupts can be considered small DMA write packets. Without safeguarding for interrupts, an I/O device associated with a distinct functionality can trigger any interrupt or manipulate any control register, for example triggering a reset of all processing cores to provoke a complete system failure. This is a particular issue for available embedded processor architectures, since they do not provide adequate means for interrupt separation, such as an IOMMU with a granularity sufficient for interrupts.

This paper presents the SgInt concept, which enables the safeguarding of interrupts for hardware-based I/O virtualization for safety-critical and mixed-criticality embedded real-time systems using non-transparent bridges in single (multi-core) processor systems and multi (multi-core) processor systems. The advantage of the SgInt concept is that it is a general and reusable interrupt separation solution that scales from a single (multi-core) processor to a multi (multi-core) processor system and builds on available COTS chip solutions. It allows spatial separation for interrupts to be added to available processors that have no means for interrupt separation. A practical evaluation shows that the SgInt concept provides the required spatial separation and even slightly outperforms state-of-the-art doorbell interrupt handling in transfer time and transfer rate (by about 0.04 %).
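A simplified model of the problem the abstract describes, in which page-granular DMA protection cannot tell a device's own interrupt register from a neighbouring control register. This is an added example, not code from the paper: the memory map, register offsets and function names are constructed, and the register-granular allow-list stands in for interrupt separation in general rather than reproducing SgInt's non-transparent-bridge mechanism.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed memory map for this model; not taken from any real processor. */
#define INTC_BASE      0x40000000u                     /* interrupt controller block */
#define INTC_SIZE      0x1000u                         /* one 4 KiB page */
#define MSI_REG(n)     (INTC_BASE + 0x100u + 4u * (n)) /* a write raises interrupt n */
#define CORE_RESET_REG (INTC_BASE + 0x800u)            /* a write resets all cores */

typedef struct { uint32_t base, len; } window_t;
/* True if the DMA write [addr, addr+len) lies entirely inside window w. */
static bool inside(window_t w, uint32_t addr, uint32_t len) {
    return len != 0 && addr >= w.base &&
           (uint64_t)addr + len <= (uint64_t)w.base + w.len;
}

/* Page-granular check: the device needs the interrupt controller page to
 * deliver its MSI, so the whole page is opened to it. */
bool coarse_allows(uint32_t addr, uint32_t len) {
    window_t page = { INTC_BASE, INTC_SIZE };
    return inside(page, addr, len);
}

/* Register-granular check: only windows on the device's allow-list pass. */
bool fine_allows(const window_t *allow, size_t n, uint32_t addr, uint32_t len) {
    for (size_t i = 0; i < n; i++)
        if (inside(allow[i], addr, len)) return true;
    return false;
}

/* Hypothetical device that owns interrupt 3 and nothing else. */
static const window_t DEV_ALLOW[] = { { MSI_REG(3), 4 } };
bool dev_fine_allows(uint32_t addr, uint32_t len) {
    return fine_allows(DEV_ALLOW, 1, addr, len);
}

int main(void) {
    const struct { const char *what; uint32_t addr, len; } w[] = {
        { "own MSI (irq 3)",      MSI_REG(3),     4 },
        { "foreign MSI (irq 7)",  MSI_REG(7),     4 },
        { "core reset register",  CORE_RESET_REG, 4 },
        { "8-byte write, irq 3+4", MSI_REG(3),    8 },
    };
    for (size_t i = 0; i < sizeof w / sizeof w[0]; i++)
        printf("%-22s coarse=%d fine=%d\n", w[i].what,
               coarse_allows(w[i].addr, w[i].len), dev_fine_allows(w[i].addr, w[i].len));
    return 0;
}
```

The last sample write starts at the device's own register but spans the next one, which is why the window check compares the end of the write as well as its start.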


Keywords: Virtual Machine, Transfer Time, Spatial Separation, Address Space, Direct Memory Access
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Daniel Münch (1, email author)
  • Michael Paulitsch (1)
  • Oliver Hanka (1)
  • Andreas Herkersdorf (2)
  1. Airbus Group Innovation, Munich, Germany
  2. Institute for Integrated Systems, TU München, Munich, Germany
