Virtual memory for real-time systems using hPMP
Konrad Walluszik, Daniel Auge, Gerhard Wirrer, Holm Rauchfuss, Thomas Roecker
TL;DR
The paper tackles the challenge of providing memory protection for automotive real-time systems without sacrificing deterministic timing. It extends the RISC-V SPMP framework with a hypervisor-controlled hpmp extension that enables address redirection via per-region offsets, allowing guest code to use guest-physical addresses while the hypervisor maps them to physical addresses through $PA = GPA + hpmpoffset_{<x>}$ with $x = 2k + 1$. The approach maintains an OFF-TOR translation model and supports scenarios such as partial updates and generic VM images, enabling VM switching via hpmpswitch. This yields virtual memory capabilities suitable for real-time automotive controllers, reducing hardware costs while preserving isolation and timing predictability. The work outlines future evaluation of corner cases, area/power/timing feasibility, and integration challenges with the hypervisor, indicating a practical path toward real-time virtualized automotive systems.
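To make the redirection model concrete, here is an added, simplified software model of the OFF-TOR translation with per-region offsets and a table switch in the role of hpmpswitch. It is illustration written for this page, not code from the paper or its hardware; the region layout, the 32-bit address width, the permission encoding and the two sample VM placements are all assumptions.

```python
# Simplified model of hPMP-style redirection written for this page, not the paper's
# design; assumes OFF/TOR region pairs, PA = GPA + hpmpoffset on a hit, fault otherwise.
from dataclasses import dataclass

ADDR_MASK = (1 << 32) - 1  # assumed 32-bit physical address space

@dataclass(frozen=True)
class Region:
    base: int    # lower bound, inclusive (OFF entry)
    top: int     # top of range, exclusive (TOR entry)
    offset: int  # hpmpoffset applied by the hypervisor
    perms: str   # subset of "rwx" granted to the guest

class HpmpFault(Exception):
    """Guest access that hits no region or lacks the required permission."""

def translate(regions, gpa, access):
    """Map a guest-physical address to a physical address.
    Entries are checked in order with a bounded walk: no page-table walk,
    so translation time is deterministic, as with a plain PMP."""
    for region in regions:
        if region.base <= gpa < region.top:
            if access not in region.perms:
                raise HpmpFault(f"{access} denied at GPA {gpa:#x}")
            return (gpa + region.offset) & ADDR_MASK
    raise HpmpFault(f"no region covers GPA {gpa:#x}")

def check(regions, gpa, access):
    """Return the PA, or None when the access would fault."""
    try:
        return translate(regions, gpa, access)
    except HpmpFault:
        return None

def make_vm_table(phys_base):
    """Region set for one VM built from a generic image: all VMs share the same
    guest-physical layout and differ only in offsets, which is what lets an
    hpmpswitch activate another VM by selecting its table."""
    code_gpa, data_gpa = 0x1000_0000, 0x2000_0000
    return (
        Region(code_gpa, code_gpa + 0x10000, (phys_base - code_gpa) & ADDR_MASK, "rx"),
        Region(data_gpa, data_gpa + 0x10000, (phys_base + 0x10000 - data_gpa) & ADDR_MASK, "rw"),
    )

# Constructed sample: two VMs sharing one image at different physical bases.
VM_TABLES = {0: make_vm_table(0x8000_0000), 1: make_vm_table(0x8010_0000)}

def hpmp_switch(vm_id):
    """Select the active VM's region table (stand-in for hpmpswitch)."""
    return VM_TABLES[vm_id]
```

The same guest-physical access resolves to a different physical address depending only on which table is active, while a write to the code region or an access outside every region faults rather than escaping the VM's allocation.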
Abstract
To satisfy automotive safety and security requirements, memory protection mechanisms are an essential component of automotive microcontrollers. In today's available systems, either a fully physical address-based protection is implemented utilizing a memory protection unit, or a memory management unit takes care of memory protection while also mapping virtual addresses to physical addresses. The possibility to develop software using a large virtual address space, which is agnostic to the underlying physical address space, allows for easier software development and integration, especially in the context of virtualization. In this work, we showcase an extension to the current RISC-V SPMP proposal that enables address redirection for selected address regions, while maintaining the fully deterministic behavior of a memory protection unit.
