MIPS virtualization brings secure isolation to deeply embedded applications
Embedded computing is currently enjoying a rebirth thanks to a technology called virtualization.
It started when Imagination became the first semiconductor IP company to introduce virtualization to microcontroller-type CPUs and then demonstrated how developers could take advantage of this feature by using a lightweight hypervisor optimized for MIPS M-class MCUs.
We then showed how the same virtualization technology can be used to implement better security for routers and other connected devices running Linux-based operating systems on high-end MIPS Warrior CPUs.
Today I’d like to restate why virtualization is useful for microcontrollers by presenting a new demonstration running on our MIPS M-class CPUs. In the diagram below, we have a PIC32MZ EF MCU from Microchip Technology running the type of bare-metal applications you’d expect a high-performance microcontroller to handle.
The key difference here is that most microcontrollers would run these applications directly on the hardware available – there would be no secure way to ensure separation.
In our case, the development platform can leverage the hardware virtualization present in the MIPS M5150 CPU that powers the PIC32 microcontroller to run a hypervisor and thus securely isolate each application in its own virtual machine (VM). This opens up a world of opportunities for developers to create new and exciting use cases for embedded computers; in our example, we have three applications running in parallel:
- picoTCP: a small footprint, feature rich TCP/IP stack optimized for IoT
- prplPUF™: Intrinsic-ID’s Physical Unclonable Function (PUF) technology for MIPS CPUs which allows efficient implementation of security functions such as device authentication and anti-cloning.
- Robot control and management: bare-metal code controlling the movements of the robot through the rich set of I/Os available on the PIC32 dev board
This demonstration has also been made possible by another industry-first: the prplHypervisor™, a very lightweight and completely open source hypervisor specifically designed to provide security through separation for the billions of embedded connected devices that will power the Internet of Things.
The prplHypervisor takes full advantage of the virtualization technology embedded inside MIPS Warrior CPUs to create multiple distinct secure domains. This enables all types of applications and operating systems, from bare-metal code to Linux-based systems, to operate independently and securely within these secure domains; the prplHypervisor also creates secure and high-speed communication channels between the various VMs present within the system.
These channels are defined by a set of open source APIs called prplSecureInterVM™; in addition to the secure inter-VM communications channel, the prpl Foundation is also defining the key management and authentication APIs through prplPUF.
The prplHypervisor and its associated APIs is the direct result of another great collaborative effort from the prpl Foundation who recently added ADB, Baikal Electronics, SoftAtHome, PUCRS and Intrinsic-ID to its growing list of members.
For those interested in learning more about prpl’s open-source, hardware-led approach to IoT security, check out their GitHub account, where you will find the code for the prplHypervisor, the specifications of the prplPUF API and many other useful resources.