Background & Related Work

Research Context

Haven sits at the intersection of three active research areas: real-time hypervisors for mixed-criticality systems, asymmetric multiprocessing (AMP) on heterogeneous SoCs, and static resource partitioning. This page surveys the primary related work that motivates and contextualises the thesis contributions.


Primary Reference: The Omnivisor (ECRTS 2024)

The Omnivisor is the closest academic precedent to Haven. It extends a static partitioning hypervisor to support heterogeneous core virtualization on MPSoCs, enabling mixed-criticality workloads to run on cores with different ISAs or power domains inside the same SoC.

Key Omnivisor contributions

  • A hypervisor framework that assigns individual CPU cores to isolated partitions at boot time, with no dynamic migration.
  • Stage-2 MMU enforcement for per-partition memory regions - identical in principle to Haven’s hv_stage2_map_partition() design.
  • Real-time scheduling guarantees that bound inter-partition temporal interference.
  • Validation on an NXP i.MX8 platform with a Linux partition and a bare-metal RTOS partition co-running under EL2.

How Haven differs from Omnivisor

| Dimension | Omnivisor (ECRTS 2024) | Haven (this thesis) |
|---|---|---|
| Target platform | NXP i.MX8 (Cortex-A53 cluster) | NXP i.MX95 (Cortex-A55 + Cortex-M7) |
| Core heterogeneity | Homogeneous cores, heterogeneous partitions | True AMP: application and MCU cores co-isolated |
| SMMU / IOMMU isolation | Partial | Explicit per-partition stream ID policy |
| Budget scheduler | EDF-based | Fixed-budget EL2 scheduler with overrun detection |
| Verification artefacts | Single-platform demo | Reproducible QEMU CI + i.MX95 hardware evidence |
| Thesis traceability | Not applicable | Full chapter-level claim-to-evidence mapping |

Haven’s primary contribution over Omnivisor is the asymmetric core topology: the Cortex-M7 MCU domain on i.MX95 runs inside its own Haven partition, co-isolated with the Linux A55 cluster through a unified EL2 control path. The Omnivisor demonstrates that the concept is sound; Haven extends and validates it on the AMP-native i.MX95 platform.


NXP i.MX95 Platform

The thesis's primary target is the NXP i.MX95 Dev Kit (formerly FRDM-IMX95). Key characteristics:

  • Application domain: Quad Cortex-A55 cluster, up to 1.8 GHz, ARMv8.2-A, EL2-capable
  • MCU domain: Cortex-M7 at 800 MHz, Arm Cortex-M profile, no MMU
  • Cache coherency interconnect: CoreLink interconnect with per-cluster isolation primitives
  • IOMMU: System MMU (SMMU-600) for peripheral DMA isolation
  • Memory: LPDDR5 shared across both domains, separated by configurable firewall registers

The asymmetry between the A55 cluster (Linux, EL2 hypervisor, full MMU) and the M7 domain (FreeRTOS, no EL2, hardware memory firewall) is the defining challenge for Haven’s isolation model. Stage-2 page tables enforce spatial isolation on the A55 side; the MCU firewall registers extend equivalent protection to the M7 side.


Static partitioning hypervisors

| System | Partition model | Platform | Notes |
|---|---|---|---|
| Jailhouse | Static cells, Linux host | ARM, x86 | Open source, widely deployed |
| Bao | Static cells, no host OS | ARM, RISC-V | Minimal TCB, EL2/HS-mode |
| XVisor | Type-1 with static guests | ARM64 | Richer guest support |
| Omnivisor | Heterogeneous cores | NXP i.MX8 | ECRTS 2024, closest predecessor |
| Haven | AMP spatial + temporal | NXP i.MX95 | This thesis |

Mixed-criticality scheduling

The temporal isolation mechanism in Haven draws on the budget-based scheduling literature:

  • MCTI (Mixed-Criticality Task-based Isolation) - Mancuso et al., Real-Time Systems Journal 2024. Provides a formal framework for isolating mixed-criticality tasks on shared multicore platforms.
  • MemPol / E-WarP - Sohal et al., RTSS 2020; and follow-up work. Bandwidth regulation alongside CPU budget enforcement.
  • Coherence-Aided Memory Bandwidth Regulation - Izhbirdeev et al., RTSS 2024 (Best Paper). Demonstrates that cache coherence traffic is a critical interference vector that must be accounted for alongside CPU time.
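The budget-based temporal isolation the literature above describes, and which the comparison table attributes to Haven as a fixed-budget EL2 scheduler with overrun detection, can be modelled off-target. The following is an added example written for this page; it is not Haven's code, and every hv_sched_* name, the 1 ms period and the budgets are hypothetical. It shows the two decisions such a scheduler makes: an admission test that refuses any configuration whose budgets sum to more than the period, and a per-tick charge that compares the measured elapsed time (rather than the nominal tick length) against the remaining budget, which is what turns a late tick into a detected overrun.

```c
/*
 * Added illustration (not Haven's source): a fixed-budget, tick-driven
 * partition scheduler with overrun detection, in plain C so it runs
 * off-target. All hv_sched_* names and the timing values are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define HV_MAX_PARTITIONS 4

struct hv_partition {
    const char *name;
    uint32_t budget_us;        /* fixed CPU budget per period (static config) */
    uint32_t remaining_us;     /* budget left in the current period */
    uint32_t overruns;         /* periods in which the budget was exceeded */
    uint32_t worst_overrun_us; /* largest single excess observed */
};

struct hv_sched {
    struct hv_partition part[HV_MAX_PARTITIONS];
    unsigned nparts;
    uint32_t period_us;        /* replenishment period */
    uint32_t period_used_us;   /* time consumed in the current period */
    unsigned current;          /* running partition, or == nparts when idle */
};

static void hv_sched_init(struct hv_sched *s, uint32_t period_us)
{
    *s = (struct hv_sched){ .period_us = period_us };
}

/* Admission test: budgets may never sum to more than the period, so each
 * partition keeps its budget regardless of what the others do. */
static int hv_sched_add(struct hv_sched *s, const char *name, uint32_t budget_us)
{
    uint32_t total = budget_us;
    for (unsigned i = 0; i < s->nparts; i++)
        total += s->part[i].budget_us;
    if (s->nparts == HV_MAX_PARTITIONS || total > s->period_us)
        return -1;
    s->part[s->nparts] = (struct hv_partition){
        .name = name, .budget_us = budget_us, .remaining_us = budget_us };
    return (int)s->nparts++;
}

/* Round-robin to the next partition with budget left; idle if none. */
static void hv_sched_pick_next(struct hv_sched *s)
{
    if (s->nparts == 0)
        return;
    for (unsigned k = 1; k <= s->nparts; k++) {
        unsigned idx = (s->current + k) % s->nparts;
        if (s->part[idx].remaining_us > 0) {
            s->current = idx;
            return;
        }
    }
    s->current = s->nparts; /* idle */
}

/* Called from the EL2 timer handler with the time measured since the previous
 * tick. The tick can arrive late (a long trap, masked interrupts), so the
 * measured charge is compared with the remaining budget instead of being
 * assumed equal to the nominal tick; that comparison is the overrun detector.
 * Returns 1 if the running partition overran its budget on this tick. */
static int hv_sched_tick(struct hv_sched *s, uint32_t elapsed_us)
{
    int overrun = 0;

    if (s->current < s->nparts) {
        struct hv_partition *p = &s->part[s->current];
        if (elapsed_us > p->remaining_us) {
            uint32_t excess = elapsed_us - p->remaining_us;
            p->overruns++;
            if (excess > p->worst_overrun_us)
                p->worst_overrun_us = excess;
            p->remaining_us = 0;
            overrun = 1;
        } else {
            p->remaining_us -= elapsed_us;
        }
    }

    s->period_used_us += elapsed_us;
    if (s->period_used_us >= s->period_us) {
        /* Period boundary: replenish all budgets, carry the remainder over. */
        s->period_used_us -= s->period_us;
        for (unsigned i = 0; i < s->nparts; i++)
            s->part[i].remaining_us = s->part[i].budget_us;
    }

    hv_sched_pick_next(s);
    return overrun;
}

int main(void)
{
    struct hv_sched s;
    hv_sched_init(&s, 1000);                  /* 1 ms period (constructed) */
    hv_sched_add(&s, "linux", 600);
    int rtos = hv_sched_add(&s, "rtos", 300); /* 100 us of slack remains */

    hv_sched_tick(&s, 600);                   /* Linux uses its budget on time */
    int flagged = hv_sched_tick(&s, 450);     /* late tick: RTOS ran 150 us over */

    printf("overrun flagged=%d %s overruns=%u worst=%u us next=%s\n", flagged,
           s.part[rtos].name, s.part[rtos].overruns, s.part[rtos].worst_overrun_us,
           s.current < s.nparts ? s.part[s.current].name : "idle");
    return 0;
}
```

The overrun counters are what a hardware-evidence chapter would log: how often a partition exceeded its budget and by how much, which is the quantity that has to stay bounded for the temporal-isolation claim to hold.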

SMMU and DMA isolation

  • ARM SMMU Architecture Specification (SMMUv3) - the authoritative reference for stream ID-based DMA isolation used in Haven’s hv_smmu_assign_device().
  • IOMMU-based partition isolation in Jailhouse - a practical reference for assigning PCIe and platform device streams to cells without host OS involvement.
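Whether a partition's memory is enforced by stage-2 page tables on the A55 side or by firewall registers on the M7 side, and whether a DMA master is admitted by the SMMU stream policy, the input is the same static region table, so the invariants have to be checked before any of those mechanisms is programmed. The following added example (written for this page, not Haven's code; all hv_* names, the stream IDs and the addresses are hypothetical and do not reflect the i.MX95 memory map) validates such a table for the two properties that make spatial isolation hold, namely that no region is shared between partitions and no stream ID is claimed twice, and then answers the default-deny question a stream-ID policy encodes: may this stream DMA to this range?

```c
/*
 * Added illustration (not Haven's source): configuration invariants for a
 * static partitioning hypervisor and the DMA admission decision derived from
 * them. hv_* names, stream IDs and addresses are hypothetical.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HV_MAX_REGIONS 4
#define HV_MAX_STREAMS 4

struct hv_region { uint64_t base, size; };

struct hv_partition_cfg {
    const char *name;
    struct hv_region regions[HV_MAX_REGIONS]; /* memory owned by the partition */
    unsigned nregions;
    uint32_t stream_ids[HV_MAX_STREAMS];      /* SMMU stream IDs it owns */
    unsigned nstreams;
};

enum hv_cfg_err {
    HV_CFG_OK = 0, HV_CFG_BAD_REGION = -1, HV_CFG_OVERLAP = -2, HV_CFG_DUP_STREAM = -3
};

/* Overflow-safe test that [addr, addr+len) lies wholly inside r. */
static bool hv_range_in_region(const struct hv_region *r, uint64_t addr, uint64_t len)
{
    return len > 0 && len <= r->size && addr >= r->base &&
           addr - r->base <= r->size - len;
}

/* Assumes both regions already passed the well-formedness check below. */
static bool hv_regions_overlap(const struct hv_region *a, const struct hv_region *b)
{
    return a->base < b->base + b->size && b->base < a->base + a->size;
}

/* A table that fails here must not be programmed: stage-2, the MCU firewall
 * and the SMMU stream table would otherwise be derived from an ambiguous map. */
static int hv_cfg_validate(const struct hv_partition_cfg *cfg, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        for (unsigned r = 0; r < cfg[i].nregions; r++) {
            const struct hv_region *reg = &cfg[i].regions[r];
            if (reg->size == 0 || reg->base > UINT64_MAX - reg->size)
                return HV_CFG_BAD_REGION;
        }
    for (unsigned i = 0; i < n; i++)
        for (unsigned j = i + 1; j < n; j++) {
            for (unsigned a = 0; a < cfg[i].nregions; a++)
                for (unsigned b = 0; b < cfg[j].nregions; b++)
                    if (hv_regions_overlap(&cfg[i].regions[a], &cfg[j].regions[b]))
                        return HV_CFG_OVERLAP;
            for (unsigned a = 0; a < cfg[i].nstreams; a++)
                for (unsigned b = 0; b < cfg[j].nstreams; b++)
                    if (cfg[i].stream_ids[a] == cfg[j].stream_ids[b])
                        return HV_CFG_DUP_STREAM;
        }
    return HV_CFG_OK;
}

/* The decision a per-partition stream policy encodes: a DMA from stream_id to
 * [addr, addr+len) is allowed only if the stream belongs to a partition and the
 * whole range lies inside that partition's memory. Unknown streams are denied. */
static bool hv_dma_allowed(const struct hv_partition_cfg *cfg, unsigned n,
                           uint32_t stream_id, uint64_t addr, uint64_t len)
{
    for (unsigned i = 0; i < n; i++)
        for (unsigned s = 0; s < cfg[i].nstreams; s++)
            if (cfg[i].stream_ids[s] == stream_id) {
                for (unsigned r = 0; r < cfg[i].nregions; r++)
                    if (hv_range_in_region(&cfg[i].regions[r], addr, len))
                        return true;
                return false;
            }
    return false;
}

/* Constructed layout for illustration only: an A55/Linux partition enforced by
 * stage-2 and an M7/RTOS partition enforced by firewall registers, adjacent
 * but disjoint. Not the i.MX95 memory map. */
static const struct hv_partition_cfg hv_demo_cfg[] = {
    { "linux-a55", { { 0x80000000ULL, 0x40000000ULL } }, 1, { 0x10, 0x11 }, 2 },
    { "rtos-m7",   { { 0xC0000000ULL, 0x08000000ULL } }, 1, { 0x20 }, 1 },
};
#define HV_DEMO_N (sizeof hv_demo_cfg / sizeof hv_demo_cfg[0])

int main(void)
{
    printf("validate=%d\n", hv_cfg_validate(hv_demo_cfg, HV_DEMO_N));
    printf("stream 0x20 -> own memory: %d\n",
           hv_dma_allowed(hv_demo_cfg, HV_DEMO_N, 0x20, 0xC0001000ULL, 0x1000));
    printf("stream 0x20 -> linux memory: %d\n",
           hv_dma_allowed(hv_demo_cfg, HV_DEMO_N, 0x20, 0x80001000ULL, 0x1000));
    return 0;
}
```

The straddling case matters in practice: a buffer that starts inside a partition's region but ends in the neighbour's must be rejected as a whole, which is why the range check compares the full length rather than only the start address.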

Summary of Contributions

Spatial Isolation

Stage-2 page tables + SMMU stream policy enforce hard memory and DMA boundaries that no existing work has validated on the i.MX95 AMP topology.

Temporal Isolation

A budget-based EL2 scheduler with overrun detection, validated against the Omnivisor baseline on an equivalent mixed-criticality workload.

AMP Extension

First published isolation design that covers both A55 (EL2 MMU) and M7 (hardware firewall) domains under a unified EL2 control path.

Reproducible Evidence

QEMU CI gate + i.MX95 hardware measurements, structured as chapter-traceability artefacts to satisfy thesis examination requirements.