The rapidly-evolving mobile handset market presents both a major market opportunity and a major design challenge. The market opportunity is to transform the handset from a mobile voice and basic data terminal into the consumer’s primary mobile communications, information, financial transaction and entertainment center, with a commensurate added value.
This transformation is well under way, with many handsets combining voice and simple data communications with:
The fastest growing segment of the mobile handset market is that which delivers this functionality – smart phones. However, it is an inescapable dynamic of consumer markets that the functionality of today’s high-end product must be implemented in tomorrow’s mid-range product in order to maintain sales volume, growth and market share. Consequently, the industry faces the design challenge of migrating smart phone functionality to the mid-range handset – the feature phone. And it must do so, with the competitive development costs, the competitive bill of materials (BOM) and the short design time necessary to succeed in fast-moving and demanding consumer markets.
This paper describes the design challenge in more detail, and compares and contrasts various implementation approaches. It then discusses how a virtualization solution may be used to ease introduction of smart phone software functionality to an existing feature phone hardware platform, with minimal efforts and costs. It also shows how a virtualization based solution opens up the phone software architecture to bring added functionality, to both feature phones and smart phones in the area of service availability, security and device management.
The mobile handset market is conventionally partitioned into three major cost/feature segments: low cost phones, feature phones and smart phones.
Low cost phones typically provide only voice communication and short messaging services (SMS). They typically use a DSP for signal processing and a RISC CPU to execute the upper protocol stack layers.
At the other end of the spectrum, smart phones offer advanced services similar to those provided by PDAs. Such phones typically use multiple processors: a DSP for signal processing, a RISC CPU with an RTOS to execute the upper protocol stack layers and some applications, and a more powerful RISC CPU with an OpenOS – such as Windows CE, Symbian OS or Linux – to execute a richer set of native applications delivering the features which make the phone a smart phone.
In the middle of the spectrum, feature phones offer a trade-off between low cost phones and smart phones. They typically offer fewer services than smart phones on less expensive hardware and with less battery drain. Typical hardware configurations use a DSP for signal processing and a RISC CPU (more capable than those used in low cost phones) to run an RTOS that executes the upper protocol stack layers and some applications, including Java and Flash based ones.
However, as noted in the introduction, the design challenge is to provide smart phone applications and functionalities on the feature phone, and to run the native OpenOS applications instead of the ones currently ported to the feature phone RTOS..
The feature phone design challenge is to offer more services inherited from smart phones on less capable hardware. Consequently, the processing capabilities of the platform (CPU, co-processors and hardware accelerators) must be optimally selected to support real-time protocol stacks and some end-user applications such as browsers, email clients, calendar applications and so forth.
In addition, mobile handsets, whether feature or smart phones, must be IP-connected using the common communications technologies, including cellular radio protocols – both narrow- and broadband –, Wi-Fi, Bluetooth, and InfraRed as well as USB and serial line. Such connectivity enables the delivery of more end-user services, such as TV, video and audio streaming, video and audio download and playback, network gaming, photo transfer, mobile data synchronization with PC or laptop, and e-mail. Location Based Services will soon enrich this set of services.
The on-time delivery of a new phone model mandates extensive design reuse, especially of legacy software. This software includes functions such as radio protocol stacks with their real-time constraints, and multimedia services that are difficult to validate and certify over the full range of operating conditions,.
However, end-user services such as those enabled by IP protocols are better delivered using OpenOS’ and open environments such as Linux, Symbian or Windows. These environments enable the reuse of high-level applications such as email clients, browsers, audio, video players, and Java applications. Linux, in particular, is rapidly becoming an OpenOS of choice. It provides the latest evolutions of IP family protocols and many up-to-date drivers for complex interfaces, such as USB, and as such is a good candidate to easily bring connectivity and new features on a mobile handset.
There is, therefore, an apparent conflict between the need for extensive legacy software reuse, the need to adopt additional “new” OS suites to execute new applications, and the need to deliver new features on a hardware constrained phone – and within the time to market constraints.
The optimum migration strategy must therefore enable the un-modified reuse of multiple software stacks executing on a single processor – resource consolidation.
Obviously, time to market constraints will not weaken as mobile handsets continue to evolve with richer feature sets – and mobile handset software stacks must be ready to support these evolutions. Hence a robust, but flexible stack architecture is essential to the timely delivery of evolving but validated software stacks.
Moreover, mobile handsets are and will be increasingly open, enabling the download of software to satisfy more personalized user requirements. Personalized requirements might well include – in addition to the phone’s standard feature set – business oriented Java applications; “one-touch” transactions such as train control gate “pass”, theater and train ticket purchase, and more complex financial transactions such as bank and brokerage account access.
Many of these applications may involve several handset users in a single set of transactions. Every participant must be able to dynamically download, install and run the appropriate software.
To avoid problems with administration, management and security of the evolving functionality, such software is best executed in independent run-time environments.
Security is a serious – and growing – issue for mobile handsets running an OpenOS. There are already more than 180 known viruses for mobile phones – still far behind the number of known PC viruses, but the number is growing fast. Consortia such as OMA, OMTP, LiPS Forum, and TCG are already attacking the issue.
Security cannot be an afterthought. The frequent, emergency post-development security upgrades and patches common in the PC world would be unacceptable to the average user of a mobile handset. Indeed, such an approach to security could stall the proliferation of smart and feature phones. Consequently, security must be designed-in from day one of the handset’s life cycle.
Environments that allow software downloads are obviously more susceptible to malware attacks than closed ones, and therefore must be protected and isolated to limit or prevent attacks. For example, operator stacks must be protected against any kind of attack, so that the phone continues to work and the customer is not billed for calls that he did not explicitly make. A second example: enterprise data must not be compromised by an attack from a downloaded game. Another example: the digital rights of a downloaded video should be stored securely to prevent unauthorized access. A final example: personal data must be protected to prevent spyware monitoring.
Most often, security is implemented by the sub-systems that are subject to attack. For instance, scanning for viruses in incoming and outgoing mail is usually executed by a program running in the same environment as the user’s email client. However, it is dangerous to rely upon self-security, especially in a multi-use scenario with different operators, banks, and other enterprises. The mobile handset user is simply a roving agent in a wireless IT world – and security is every bit as important as it is in the fixed-wire IT world.
Security should be achieved by means of clear partitioning and robust isolation. As an example, the NTT Docomo Intel specifications (http://www.nttdocomo.co.jp/english/binary/pdf/corporate/technology/osti/OSTI_Arch_R1_00.pdf) clearly calls for two independent environments supported within a phone (see figure). Isolating the assets of each party (operator, content provider, bank, user, etc.) ensures that if one asset is compromised, the others remain secure. In addition, robust isolation enables security checks to be conducted from a sandboxed part of the system other than that containing the attacked asset. In other words, handset functionality should be firewalled, just as IT networks and home LANs are firewalled.
The increasingly complex nature of mobile phone software will necessitate its management from various remote sources. Mobile phones are already managed over the air by the operators. For instance, it is not uncommon to be asked to power cycle the phone to activate new configuration data remotely installed in the SIM card. Indeed, the SIM card is considered to be a trusted execution environment that could be used as the standard means to manage and control many or all of the additional services offered by smart phones and feature phones. Of course, this use of the SIM card must be accompanied by the deployment of trusted application extensions, such as a secure user interface, in order to maintain security integrity.
Device management can be partitioned into three main categories: closed device management, open device management and local device management.
Closed device management encompasses management of the physical device and of the software that controls operator services, such as voice communications, SMS, and MMS. It thus manages the basic phone functions for which the phone manufacturer and the phone service provider are responsible. Examples of such management operations may include, but are not limited to:
Open device management encompasses management of all other phone software components that have been installed post-purchase by the user. Since the high end mobile phone is used for sensitive and confidential business, banking or personal applications, open device management may be the responsibility of different stakeholders, such as the enterprise, bank and the user.
In both management categories, management facilities must provide control data, software backup, software refresh, provisioning, and software removal and installation. Any and all such management operations must be executed safely and securely with authenticated management servers, and all software and critical data transfers must be signed.
Local device management is required in addition to the closed and open device management categories. It enables the mobile phone to operate under a broad range of conditions in a wide variety of environments. For example, local management dynamically adapts the system and/or application by stopping or suspending an application stack or component execution to give higher priority to another application. It also adapts phone behavior to changing security policies as it moves from one working environment to another. Such local management is critical to making the phone truly mobile.
So, what are the requirements to address the foregoing challenges?
First, a solution should enable the reuse of legacy real-time systems, telephony protocol stacks, together with OpenOS protocol stacks (IP protocol) and native OpenOS applications. Such a consolidation enables the simultaneous execution of both software environments on a single processor to deliver both sets of services without using more powerful and more expensive processing capacity. Also, an ideal consolidated solution would deliver native performance levels while avoiding extra porting cost.
Second, a consolidation solution would enable evolutions of both systems. In particular, it should enable the use of newer versions of the legacy OS and the OpenOS – with new or upgraded protocol stacks, drivers and applications– to deliver up-to-date services.
Third, a solution should enable the execution of security controls and policies, robustly isolated from both the legacy RTOS environment and from the OpenOS environment – an approach that applies equally well to non-consolidated dual-core architectures. This ensures that security and secure services remain protected in the event that other – more open – assets are breached. In fact, security services should be designed in a modular fashion and will be subject to evolution over time, requiring that the execution environment in which they operate be flexible to easily support such evolutions.
Fourth, the device management services should execute separately from the legacy real-time system and OpenOS. Such an approach enables to more easily provision and configure the resources of the mobile handset between each party in multi-tenants configurations. It also enables the secure and controlled upgrade of functions and services, with fall-back mechanisms in case of any misbehavior on the part of updated software.
Various potential implementation alternatives to implementing smart phone software functionality will now be considered.
Two processors: Obviously, two processors would execute two different software environments without software modification. Unfortunately, this approach violates one of the most important requirements: bringing smart-phone functionality to feature phones without increasing the processing power of the feature phone. In addition to the greater design complexity, requiring additional processing power increases both the BOM and the power consumption of the device. It also requires the duplication of other devices, such as audio devices, or the deployment of dual-port devices that can be accessed by both OS’.
Single processor, single OS: Another approach merges the legacy and OpenOS environments in a single environment. However, in practice, this conceptually simple approach requires a huge amount of effort to port, test and revalidate the software, thus significantly increasing time to market. Moreover, a OpenOS may not possess all of the properties of a legacy RTOS, especially real-time quality of service (QoS). On the other hand, the use of a legacy RTOS would make it difficult to use existing open implementations of protocol stacks such as TCP/IP and application software. Once the merge is complete, developers would then face evolution problems such as how to keep the merged environment up-to-date with the evolution of its individual components in their native environments. As an example, the TCP/IP family protocol is still evolving and getting richer. Such evolutions are easier to follow when using unmodified OpenOS such as Linux.
Hybrid OS: This approach partially solves the main problems of the single OS approach just described. Hybrid OS’ usually provide a real time environment within a Linux kernel. However, this conceptually-simple approach lacks the requisite flexibility. The real time environment usually commences execution after Linux has started, delaying critical real time applications. Moreover, the systems are not mutually isolated. Consequently, any misbehaviour of one system could seriously impact the behaviour of the overall platform, jeopardizing both availability and security. Moreover, such hybrid OS’ approaches impose their own real time framework and interfaces, which are generally different from those of any legacy system. Hence, additional porting effort is required. Finally, the approach is limited to two environments: it is quite difficult to extend the approach to support additional execution environments for example, for security or device management applications.
Paravirtualization: Paravirtualization enables the execution of multiple OS environments on a single processor, each environment being isolated within a dedicated partition. Physical resources such as memory and I/O devices are dedicated to partitions. The number of partitions can be optimized to the needs of the overall system, thus permitting the isolation of given security and device management functions in dedicated partitions. System environments can be reused in their partitions without much effort. Only part the hardware abstraction layer (HAL) of the OS require some adaptation, amounting for a quite small effort and cost.
Transparent Virtualization: An even better solution would be to use transparent virtualization, which in addition to all of the benefits of the paravirtualization approach, does not require modification of the operating systems. Depending upon the processor capabilities, transparent virtualization may require some complex dynamic binary translation mechanism, such as implemented by VMware on x86 machines, or may be implemented through hardware based mechanisms, such as those found on Intel VT-enabled processors. Unfortunately, embedded processors in mobile phones do not provide support for efficient transparent virtualization. Hence paravirtualization appears to be the best trade-off choice.
Generally, mobile handsets use processors that do not currently support hardware virtualization. Therefore, practical solutions must use the paravirtualization approach. Because paravirtualization achieves the same goals as virtualization and differs mostly in the means by which it is achieved, for the sake of brevity, we will simply refer to virtualization in the rest of this document.
Virtualization must enable real-time environments to execute in parallel with OpenOS and other execution environments on a common hardware platform or processor. The virtualization software layer that supports these multiple environments must maintain the system’s real time properties. It must also occupy a small memory footprint as required by real-time embedded markets. The most important benefits of virtualization for real-time systems are:
Virtualization most often relies on a foundation layer known as a hypervisor or a Virtual Machine Monitor (VMM) which may provide all or parts of the following services:
If multiple guest OS’ execute on the same processor, the hypervisor has to schedule the guest OS’ in a way that maintains the RTOS’ real-time properties.
Physical memory must be partitioned, and each memory partition allocated to a given guest OS. Thus, each guest OS may use its own native memory management mechanisms and policies without interfering with other guest OS'. This approach allows OS’ that make use of the MMU, for example, Linux and Windows CE, and those that do not, to run cooperatively on a single processor.
I/O devices used by a single guest OS are assigned exclusively to that guest OS. Native device drivers can thus be reused with no modification.
Hardware resources required by several guest OS’, such as the CPU, MMU, and FPU are virtualized so that they can be shared between all guest OS’. The CPU is shared among guest OS’ based on scheduling policies that ensure that real-time guest OS’ (and their applications) are assigned the highest priorities and can thus maintain their real-time guarantees. Once a guest OS has been granted CPU access, the OS uses its native policies to schedule its own applications and services.
The MMU is virtualized so that each guest OS may use it for its own purposes. As discussed above, MMU use by one guest OS is independent of that by another guest OS.
It must be possible to protect and securely isolate memory partitions from each other so that no OS can read or write into the memory partition of another OS. I/O access performed by the guest OS must also be controlled.
The usual policy provided by hypervisors for real-time embedded systems is close to a FIFO scheduling policy within an OS: guest OS’ are given priorities. The RTOS is assigned the highest priority, ensuring that it will preempt any other guest OS as soon as needed. Remember, it is the RTOS where time critical tasks are running.
Other OS’ sharing a given priority level may be scheduled in a FIFO manner or on a fair share basis, depending upon the configuration.
Executing different OS’ simultaneously on the same processor is only one part of the problem. The guest OS’ also need to share other hardware resources beside the CPU, the MMU and the physical main memory, namely, core devices and I/O peripherals:
I/O devices such as screen, keypad, USB, audio device, flash memory, camera, Bluetooth interface, and modem may be further classified depending upon their use by the various guest OS’.
I/O peripherals that are used by a single environment, for example a Bluetooth interface exclusively accessed by a Linux system, are dedicated to that system. In such a configuration, the guest OS may use a native driver to manage the peripheral. Interrupts generated by the peripheral are virtualized and propagated to the guest OS by virtue of the Core BSP component previously described.
Some I/O peripherals may be accessed by applications from both OS’. For example, the screen may be accessed by real-time applications dedicated to voice calls, and by a Linux system for browsing the file system on the flash.
It may be possible to configure a guest OS’ with purely virtual devices that are not associated with actual hardware. For example, one may configure a virtual Ethernet network connecting two or more guest OS’, enabling them to further communicate with whatever TCP/IP application they wish.
A typical OS supports multiple processes, provides them with services such as synchronization and inter-process communication, as well as scheduling policies, shared access to system and network interfaces, and memory management.
Similarly, a virtualization solution may provide each guest OS with synchronization - a virtual cross-interrupt mechanism - and inter-OS communication mechanisms. Such low-level communication mechanisms are commonly used by virtual and shared peripherals. Stacking the most appropriate virtual peripheral driver on top of the low-level communication mechanisms insures that the communication is well tuned to the application’s needs while hiding the low-level complexity from the application. This enables applications running in a OpenOs guest to communicate efficiently with applications running on the legacy OS or RTOS, using the most appropriate communication paradigm. Remember that such applications cooperate within the mobile handset to deliver an integrated service to the user.