UST034

which tasks are on which cores, so that compatible tasks run on the same ones. This supports priorities within the tasks, but the main way of keeping the determinism is time partitioning: allocating a certain amount of time for each task, including a buffer, and switching to the next task once that time window expires. If the task has not completed by then, the error-handling subsystems cut in. The RTOS also lets a developer allocate resources, such as I/O bandwidth or memory, to each core on a continuous basis, so that an application consuming more resources than expected does not cause other applications to fail. This fault isolation is a key part of the RTOS.

The basic way to handle security and certification is to divide the OS into parts. The smallest part is the separation kernel; the rest, including the network stack and device drivers, runs in partitions in user space. Even virtualisation can be in user mode, which keeps the kernel very small, at around 2000 lines of code, so it is easier to certify for security and safety. Networking stacks are much more exposed to attack, so keeping them out of the kernel means they can be isolated at the lowest privilege to contain any vulnerabilities.

The separation is done at the lower level in the kernel, but the true virtualisation is at a higher level in a user-mode partition, with the guest OS running on top of it, to keep the kernel code base as small as possible. That avoids the issues of hypervisor vulnerabilities, also called hyperjacking. As the virtualisation layer sits above the operating system, it can be applied only where required. For example, a four-core system can run three instances of the RTOS directly on a core each for the highest performance, with a Linux OS running on a virtualisation layer on the fourth core, so that only the non-real-time applications pay the performance price of virtualisation.
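To make the time-partitioning and resource-budgeting behaviour described above concrete, here is an added simulation in C. It is constructed for this page and is not code from any RTOS vendor; the partition names, tick counts and memory quotas are invented, and the scheduler, error hook and allocator names are hypothetical. Each partition owns a fixed window plus a buffer in every major frame; a task that has not finished when its window expires is pre-empted and reported to the error hook, while the next window still starts on time, and a partition's memory requests are capped by its own quota so a greedy partition cannot starve the others.

```c
#include <stdio.h>

/* Hypothetical time-partitioned scheduler (constructed for illustration,
 * not any vendor's RTOS). Time is in abstract ticks. */

typedef struct {
    const char *name;
    int window;     /* ticks allotted per major frame */
    int buffer;     /* slack added to the window; the total is still a hard limit */
    int demand;     /* ticks the partition's task actually wants each frame */
    int mem_quota;  /* bytes the partition may hold */
    int mem_used;
    int overruns;   /* frames in which the window expired with work left */
    int completed;  /* frames in which the task finished inside its window */
} partition_t;

/* Error-handling hook: called by the scheduler when a window expires
 * before the task completes. Here it only records and reports the event. */
static void on_overrun(partition_t *p, int frame)
{
    p->overruns++;
    printf("frame %d: %s exceeded its %d-tick window, pre-empted\n",
           frame, p->name, p->window + p->buffer);
}

/* Execute one major frame. Every partition receives exactly
 * window + buffer ticks whether or not it needs them, so the frame length
 * (the return value) depends only on the configuration, never on demand. */
int run_major_frame(partition_t *parts, int n, int frame)
{
    int t = 0;
    for (int i = 0; i < n; i++) {
        int limit = parts[i].window + parts[i].buffer;
        if (parts[i].demand <= limit)
            parts[i].completed++;
        else
            on_overrun(&parts[i], frame);   /* leftover work is dropped */
        t += limit;                          /* next window starts on time */
    }
    return t;
}

/* Memory budgeting: a request that would exceed the partition's own quota
 * is refused even if the system has free memory. Returns 1 if granted,
 * 0 if refused. */
int partition_alloc(partition_t *p, int bytes)
{
    if (bytes < 0 || p->mem_used + bytes > p->mem_quota)
        return 0;
    p->mem_used += bytes;
    return 1;
}

/* Constructed configuration: "telemetry" is misconfigured and demands
 * more ticks (9) than its window plus buffer (6) allows. */
partition_t demo[3] = {
    { "flight-control", 10, 2, 8, 512, 0, 0, 0 },
    { "telemetry",       5, 1, 9, 256, 0, 0, 0 },
    { "logging",         4, 1, 3, 256, 0, 0, 0 },
};

/* Reset the counters and run the demo configuration for a number of
 * frames; returns the (constant) major frame length in ticks. */
int demo_run(int frames)
{
    int len = 0;
    for (int i = 0; i < 3; i++)
        demo[i].overruns = demo[i].completed = 0;
    for (int f = 0; f < frames; f++)
        len = run_major_frame(demo, 3, f);
    return len;
}

int main(void)
{
    int len = demo_run(3);
    printf("major frame length: %d ticks\n", len);
    for (int i = 0; i < 3; i++)
        printf("%-15s completed %d, overruns %d\n",
               demo[i].name, demo[i].completed, demo[i].overruns);
    printf("logging asks for 300 bytes: %s\n",
           partition_alloc(&demo[2], 300) ? "granted" : "refused");
    printf("flight-control asks for 200 bytes: %s\n",
           partition_alloc(&demo[0], 200) ? "granted" : "refused");
    return 0;
}
```

The point to notice is that the misbehaving telemetry partition overruns in every frame, yet the frame length and the completion counts of the other two partitions are unchanged, which is the fault isolation the article describes; the same holds for memory, where logging's over-quota request is refused without touching flight-control's budget.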
October/November 2020 | Unmanned Systems Technology
Focus | Real-time operating systems

Building an RTOS and applications with a structured language such as Ada can provide safety and certification benefits (Courtesy of Adacore)

This Lincoln MKZ autonomous car features the QNX RTOS (Courtesy of Blackberry QNX)

Again there is a lot of focus on the drivers that run alongside the RTOS. With this approach most of the driver, which can be 1-2 million lines of code, runs in user mode, but to get the performance a small portion sometimes needs to run in the kernel. That is handled by the RTOS developer in a limited number of cases, as the RTOS vendor typically does all the device driver implementation.

Tools

For these more complex RTOS and hypervisor implementations, the structure and services available to an application developer are fairly established and well known, providing APIs that allow developers to write the code and have the OS manage the applications. RTOS developers are moving to standard APIs such as ARINC 653 and POSIX, but there are no common standards for access to the GPU or accelerators. APIs for image processing or ML, such
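As an added illustration of what writing a real-time task against a standard API looks like, here is a periodic task in C that uses only POSIX clock_gettime and clock_nanosleep with TIMER_ABSTIME. It is not the article's or any vendor's code and targets Linux; the 20 ms period and the 5 ms / 30 ms work figures are constructed, and the function names are my own. Releases are absolute times so sleep latency does not accumulate as drift, and a task that overruns its release is counted rather than allowed to silently catch up, which is the point at which an RTOS error-handling subsystem would take over.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000L

/* Advance a timespec by ns nanoseconds (ns may exceed one second). */
static void timespec_add_ns(struct timespec *t, long ns)
{
    t->tv_sec += ns / NSEC_PER_SEC;
    t->tv_nsec += ns % NSEC_PER_SEC;
    if (t->tv_nsec >= NSEC_PER_SEC) {
        t->tv_nsec -= NSEC_PER_SEC;
        t->tv_sec++;
    }
}

/* 1 if now is strictly later than deadline, else 0. Kept as a pure
 * function so the comparison can be checked without a live clock. */
int deadline_missed(const struct timespec *deadline, const struct timespec *now)
{
    if (now->tv_sec != deadline->tv_sec)
        return now->tv_sec > deadline->tv_sec;
    return now->tv_nsec > deadline->tv_nsec;
}

/* Scalar convenience wrapper over deadline_missed. */
int deadline_missed_at(long d_sec, long d_nsec, long n_sec, long n_nsec)
{
    struct timespec d, n;
    d.tv_sec = d_sec; d.tv_nsec = d_nsec;
    n.tv_sec = n_sec; n.tv_nsec = n_nsec;
    return deadline_missed(&d, &n);
}

/* Busy-wait for ns nanoseconds: stands in for the task's real work. */
static void spin_ns(long ns)
{
    struct timespec target, now;
    clock_gettime(CLOCK_MONOTONIC, &target);
    timespec_add_ns(&target, ns);
    do {
        clock_gettime(CLOCK_MONOTONIC, &now);
    } while (!deadline_missed(&target, &now));
}

/* Run 'iterations' periods of period_ns, doing work_ns of work in each.
 * Returns the number of periods in which the work overran the next
 * release time. */
int run_periodic(long period_ns, long work_ns, int iterations)
{
    struct timespec next, now;
    int missed = 0;

    clock_gettime(CLOCK_MONOTONIC, &next);
    for (int i = 0; i < iterations; i++) {
        timespec_add_ns(&next, period_ns);   /* next absolute release */
        spin_ns(work_ns);                    /* the task body */
        clock_gettime(CLOCK_MONOTONIC, &now);
        if (deadline_missed(&next, &now)) {
            missed++;
            next = now;   /* resynchronise; do not try to run the backlog */
        }
        /* TIMER_ABSTIME: sleep until the release time, not for a duration */
        while (clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, &next, NULL) == EINTR)
            ;
    }
    return missed;
}

int main(void)
{
    /* constructed figures: 20 ms period with 5 ms of work, then 30 ms */
    printf("5 ms work in 20 ms period: %d missed\n",
           run_periodic(20000000L, 5000000L, 5));
    printf("30 ms work in 20 ms period: %d missed\n",
           run_periodic(20000000L, 30000000L, 5));
    return 0;
}
```

On a general-purpose Linux kernel the first run will normally report no misses and the second will miss every period; the difference from an RTOS is not the API, which is the same POSIX interface, but the guarantee that the sleeping task is actually woken at its release time.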
