AGL µBinder: Binding/Binder for small ECUs and the non-AGL world
Tokyo ALS, July 2019. Fulup Ar Foll, Lead Architect
Tokyo July 19AGL µBinder 2/22
Who are we?
● 25 engineers dedicated to AGL
● Location: Lorient / Brittany / France / Europe
● https://iot.bzh/en/
● http://github.com/iotbzh
UBS/IoT.bzh Collaboration
● Technical team
– Internship: Aymeric Aillet
– University tutor: Johann LAURENT
– IoT.bzh tutors: Thierry BULTEL & Jose Bollo
● Technical explorations
– Zephyr/AGL architecture for commercial boat signal acquisition
– Potential transport for µController-to-AGL IPC
– Integration of µController within the AGL microservices architecture
– Downsizing of the AGL AppFw
– Integration of NMEA2000 inside the AGL distributed security model, …
● Duration
– 6 months (January→June 2019)
What's an AGL Binder?
● A standard component used to expose APIs from a binding
● An abstraction of the transport layer
● A security model
● A container
Binding/Binder is somewhat similar to WebServer/Applet in the Java world
Micro Service Architecture
Security Mechanism
[Diagram: a protected service and its resources and data sit on top of the Linux kernel; a legitimate application and a "BlackHat" application both try to reach them. Arrows are marked GRANTED for the legitimate application and DENIED for the BlackHat application.]
● The permission database Cynara helps to protect services
● The Smack Linux security module helps to protect resources and data
Binder is a Container for Bindings
● Connects services/applications together (UDS, WS/UDS, WS/TCP, HTTP, linked)
● High-level flexible RPC mechanism (hides the connections)
● Framework for event signalling
● Security and permission facilities (Smack + Cynara)
● Built-in HTTP server supporting REST, WebSockets and TLS
● Management of client sessions and contexts
● Automatic recovery from unexpected disconnections
● Handles dependencies and startup order
● Debugging, monitoring and supervision
Binding/Binder Connection
● HTTP+WS: common connection (D-Bus legacy)
– Acts as HTTP server & accepts upgrade to WebSocket
– Exports APIs
– Manages sessions
– Checks security tokens
● API/WS: specific to one API
– Only one API
– Manages sessions
– Doesn't check tokens
Binder Remote Access
[Diagram: a remote "home" client browser reaches, through the internet and a reverse proxy, the AGL domain (car) where the AGL AppFw, APP 23 and BINDER 23 run.]
① Ask to launch APP 23
② Return the URL of the BINDER for APP 23 and its token (in the URI?)
③ Connect to the binder with its token
④ Check token validity with OpenID Connect
Programming Model
Sample: a call to get the verbosity level of the API "monitor":
monitor/get({"verbosity": "monitor"})
– monitor: the api (or service)
– get: the verb (or method) of the api
– {"verbosity": "monitor"}: the request arguments, any JSON value

Curl invocation:
$ curl -H 'x-afb-token: HELLO' \
    localhost:1056/api/monitor/get?verbosity=monitor

JavaScript invocation:
afb.call('monitor/get', {'verbosity': 'monitor'}).then(gotapis);

C binding invocation:
wrap_json_pack(&req, "{ss}", "verbosity", "monitor");      /* build the {"verbosity": "monitor"} argument */
afb_api_call(myapi, "monitor", "get", req, gotapis, NULL);  /* asynchronous call; gotapis receives the reply */

The reply is a JSON value:
{ "verbosity": { "monitor": "info" } }
Binder/Binding AGL vocabulary
● Binder: the process afb-daemon (it changes its name in ps -ef)
● Binding: shared object that implements one or multiple APIs
● API: exportable set of verbs belonging to the same namespace and implemented within one and only one binding
● Verb: a callable endpoint; accepts arguments, returns a result, can be protected by an ACL (Cynara)
● Shadow API: an imported remote API accessed like a local API
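As an added illustration (not afb-daemon code; the struct names, the permission label and the dispatch function are assumptions for this example), the following toy model ties the three previous slides together: an "api/verb" path is routed to one verb of one binding, the x-afb-token is checked only on the HTTP+WS kind of connection, and a verb that declares a permission is only reachable when the caller holds it (a caller-supplied list stands in for the Cynara query). The token value HELLO is the one from the curl sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which connection a request arrived on (see "Binding/Binder Connection"):
 * HTTP+WS checks the x-afb-token, API/WS is session-bound and does not. */
enum transport { TRANSPORT_HTTP_WS, TRANSPORT_API_WS };

enum verdict {
    VERDICT_GRANTED,
    VERDICT_BAD_TOKEN,
    VERDICT_UNKNOWN_API,
    VERDICT_UNKNOWN_VERB,
    VERDICT_NO_PERMISSION
};

/* A verb may carry the permission a caller must hold. AGL asks Cynara for
 * that decision; here a caller-supplied list of granted labels stands in. */
struct verb_desc { const char *name; const char *permission; };
struct api_desc  { const char *name; const struct verb_desc *verbs; size_t nverbs; };

/* Constructed sample binding: API "monitor" with an open "get" and a
 * protected "set". The permission label is a placeholder, not an AGL one. */
static const struct verb_desc monitor_verbs[] = {
    { "get", NULL },
    { "set", "example:permission:monitor:set" },
};
static const struct api_desc apis[] = {
    { "monitor", monitor_verbs, sizeof monitor_verbs / sizeof monitor_verbs[0] },
};

/* Session token from the slide's curl example (x-afb-token: HELLO). */
static const char *const SESSION_TOKEN = "HELLO";

/* Compare without early exit so response time does not reveal how much of
 * the presented token matched. */
static int token_equal(const char *given, const char *expected)
{
    size_t lg = strlen(given), le = strlen(expected);
    unsigned diff = (lg != le);
    for (size_t i = 0; i < lg && i < le; i++)
        diff |= (unsigned)(given[i] ^ expected[i]);
    return diff == 0;
}

static int has_permission(const char *needed, const char *const *granted, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(needed, granted[i]) == 0)
            return 1;
    return 0;
}

/* Route an "api/verb" path: token check (per transport), then API lookup,
 * verb lookup, and finally the verb's ACL. The verb runs only if all pass. */
enum verdict dispatch(enum transport t, const char *token, const char *path,
                      const char *const *granted, size_t ngranted)
{
    if (t == TRANSPORT_HTTP_WS && (token == NULL || !token_equal(token, SESSION_TOKEN)))
        return VERDICT_BAD_TOKEN;

    const char *slash = strchr(path, '/');
    if (slash == NULL)
        return VERDICT_UNKNOWN_API;
    size_t api_len = (size_t)(slash - path);
    const char *verb = slash + 1;

    for (size_t a = 0; a < sizeof apis / sizeof apis[0]; a++) {
        if (strlen(apis[a].name) != api_len || strncmp(apis[a].name, path, api_len) != 0)
            continue;
        for (size_t v = 0; v < apis[a].nverbs; v++) {
            const struct verb_desc *vd = &apis[a].verbs[v];
            if (strcmp(vd->name, verb) != 0)
                continue;
            if (vd->permission != NULL && !has_permission(vd->permission, granted, ngranted))
                return VERDICT_NO_PERMISSION;
            return VERDICT_GRANTED;
        }
        return VERDICT_UNKNOWN_VERB;
    }
    return VERDICT_UNKNOWN_API;
}

int main(void)
{
    const char *perms[] = { "example:permission:monitor:set" };
    printf("HTTP+WS monitor/get with token HELLO -> %d\n",
           dispatch(TRANSPORT_HTTP_WS, "HELLO", "monitor/get", NULL, 0));
    printf("HTTP+WS monitor/set without permission -> %d\n",
           dispatch(TRANSPORT_HTTP_WS, "HELLO", "monitor/set", NULL, 0));
    printf("API/WS monitor/set with permission -> %d\n",
           dispatch(TRANSPORT_API_WS, NULL, "monitor/set", perms, 1));
    return 0;
}
```

The order of the checks is the point: an unauthenticated HTTP+WS caller learns nothing about which APIs or verbs exist, and a verb's ACL is evaluated after the verb is resolved, so the binder, not the binding, is where the permission is enforced.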
AGL MicroService Architecture
Multi-ECU & Cloud-Aware Architecture
[Diagram: services connected through "Transport & ACL" boundaries, from hard real-time ECUs to the soft real-time head unit and cloud. Labels in the diagram: Cluster (map handling, localisation management, POI, CAN GPS, geopositioning virtual signal, cluster virtual signal, direction indication); Entertainment / Head Unit (CAN-bus virtual signal, gyro/accelerometer CAN-bus, LIN-bus, engine CAN-bus, ABS, navigation service); Cloud (log analytics, NoSQL/MongoDB engine, statistics & analytics, My Car Portal with payment service, subscriptions, preferences & customisation; Maintenance Portal with known bugs, maintenances, service packs).]
Why Zephyr as µController RTOS
● Open source & hosted by the Linux Foundation
● Ongoing safety certification
● Modern RTOS
● TCP/IP, WiFi, Bluetooth
● CAN bus (even if not working out of the box)
● Very clean and straightforward API
● Runs on multiple boards: STM32F411RE, NXP FRDM-K64F, STM32L432KC
NMEA 2000 relies on CAN
● Based on CAN 2.0B
● Integrated into the AGL LowCAN binding (PGNs ported from the CanBoatJS project to the OpenXC JSON model)
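As an added example of what "NMEA 2000 relies on CAN" means for a binding, the code below (not LowCAN or CanBoatJS code; the frame struct, the OpenXC signal names and the sample frame are assumptions for this example) splits the 29-bit CAN 2.0B identifier into priority, PGN, source and destination the way ISO 11783 / J1939 define it, then decodes the payload of PGN 129025 (Position, Rapid Update: two little-endian int32 in 1e-7 degree units, following the canboat field definition) and renders it in a flat OpenXC-style JSON shape. Length and PGN are validated before any payload byte is read, which is the check a CAN-facing service wants in front of every decoder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A raw CAN 2.0B frame, as a CAN driver (socketcan, Zephyr) would deliver it. */
struct can_frame_raw {
    uint32_t id;        /* identifier; 29 bits when extended */
    int      extended;  /* 1 when the IDE bit is set (NMEA 2000 always is) */
    uint8_t  dlc;       /* number of valid data bytes */
    uint8_t  data[8];
};

/* Header fields NMEA 2000 inherits from ISO 11783 / J1939. */
struct n2k_header {
    uint8_t  priority;
    uint32_t pgn;
    uint8_t  source;
    uint8_t  destination;   /* 0xFF = global/broadcast */
};

/* 29-bit identifier layout: [28:26] priority, [25] reserved, [24] data page,
 * [23:16] PDU format (PF), [15:8] PDU specific (PS), [7:0] source address.
 * PF < 240 (PDU1): PS is a destination address and the PGN's low byte is 0.
 * PF >= 240 (PDU2): PS belongs to the PGN and the frame is a broadcast. */
int n2k_decode_header(const struct can_frame_raw *f, struct n2k_header *h)
{
    if (!f->extended)
        return -1;                          /* 11-bit frames are not NMEA 2000 */
    uint32_t id = f->id & 0x1FFFFFFFu;
    uint8_t pf = (uint8_t)((id >> 16) & 0xFF);
    uint8_t ps = (uint8_t)((id >> 8) & 0xFF);
    h->priority = (uint8_t)((id >> 26) & 0x07);
    h->source   = (uint8_t)(id & 0xFF);
    if (pf < 240) {
        h->pgn = (id >> 8) & 0x3FF00u;      /* keep R, DP and PF; drop PS */
        h->destination = ps;
    } else {
        h->pgn = (id >> 8) & 0x3FFFFu;
        h->destination = 0xFF;
    }
    return 0;
}

#define N2K_PGN_POSITION_RAPID 129025u      /* "Position, Rapid Update" */

struct n2k_position { double latitude_deg; double longitude_deg; };

static int32_t le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* PGN 129025 payload: latitude then longitude, each a little-endian int32 in
 * 1e-7 degree units; 0x7FFFFFFF is the J1939 "not available" marker.
 * PGN and length are checked before any payload byte is read. */
int n2k_decode_position(const struct can_frame_raw *f, struct n2k_position *out)
{
    struct n2k_header h;
    if (n2k_decode_header(f, &h) != 0 || h.pgn != N2K_PGN_POSITION_RAPID || f->dlc < 8)
        return -1;
    int32_t lat = le32(f->data), lon = le32(f->data + 4);
    if (lat == INT32_MAX || lon == INT32_MAX)
        return -2;
    out->latitude_deg  = lat * 1e-7;
    out->longitude_deg = lon * 1e-7;
    return 0;
}

/* Render the fix in the flat OpenXC-style {"name":...,"value":...} shape;
 * the signal names are an assumption for this example. */
int n2k_position_to_openxc(const struct n2k_position *p, char *buf, size_t n)
{
    return snprintf(buf, n,
        "[{\"name\":\"gps.latitude\",\"value\":%.7f},"
        "{\"name\":\"gps.longitude\",\"value\":%.7f}]",
        p->latitude_deg, p->longitude_deg);
}

/* Tolerance compare for the self-check (keeps the example free of libm). */
int near_deg(double a, double b)
{
    double d = a - b;
    return d < 1e-6 && d > -1e-6;
}

/* Constructed sample: priority 2, PGN 129025, source 0x01, carrying a point
 * near Lorient (47.7483 N, 3.3700 W) encoded as 477483000 and -33700000. */
const struct can_frame_raw SAMPLE_POSITION_FRAME = {
    0x09F80101u, 1, 8, { 0xF8, 0xCF, 0x75, 0x1C, 0x60, 0xC7, 0xFD, 0xFD }
};

int main(void)
{
    struct n2k_position pos;
    char json[160];
    if (n2k_decode_position(&SAMPLE_POSITION_FRAME, &pos) == 0) {
        n2k_position_to_openxc(&pos, json, sizeof json);
        puts(json);
    }
    return 0;
}
```

The PDU1/PDU2 split matters for a security model that wants to attribute frames: for PDU1 PGNs the destination is in the identifier, for PDU2 PGNs every node on the bus receives the frame, and in both cases the source address is only a claim by the sender, which is why the slides later ask for authentication above the transport.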
NMEA2000 POC
Porting Binder/Binding beyond AGL
● Goal
– Make bindings portable to expand the AGL micro-services architecture to the non-AGL world
– Hide OS specificities within the binder
– Support multiple RTOS (imposes an OS abstraction layer: µBinder)
– Expand to Windows, MacOS, Android, QNX, TrustZone, hypervisor, …
– Keep binder code generic enough to limit LTS maintenance cost
● Difficulties
– Partial or total loss of the POSIX API (especially epoll)
– Should work even without access to a filesystem
– Limited resources (RAM + CPU)
– Should support a non-TCP/IP connectivity model for remote access
– Lack of native operating-system security mechanisms
– Very different scheduling behaviour (threading, exceptions, events, …)
µBinding POC
● µBinding for Zephyr
– Changed the AGL Binder architecture to select transport/options at compilation time
– Enable transport as a plugin (today: static config only)
– Enable config as a plugin (e.g. config from file, config from network, static config at compilation, …)
– Clean OS abstraction layer
● A lot of work still TBD
– Implement a generic security model supporting multiple OS
– Bring a real-time concept to Binding/API (as of today bindings support an ACL per API but no time/priority constraints)
– Merge µBinding code with mainstream AGL code (as of today it's a hack to prove it is possible)
– Expand beyond Zephyr (Android, Windows, QNX, AUTOSAR, VxWorks, TrustZone, hypervisor, …)
µBinder Memory Usage?
Configuration    Region     Used        Total    Used %
Helloworld       FLASH      14544 B     256 KB    5.55%
                 SRAM        4152 B      64 KB    6.34%
                 IDT_LIST     120 B       2 KB    5.86%
TCP/IP           FLASH      31005 B     256 KB   11.83%
                 SRAM       17028 B      64 KB   25.98%
                 IDT_LIST     120 B       2 KB    5.86%
Binder + IPv4    FLASH      94181 B     256 KB   35.93%
                 SRAM       18560 B      64 KB   28.32%
                 IDT_LIST     120 B       2 KB    5.86%
Binder + IPv6    FLASH     108077 B     256 KB   41.23%
                 SRAM       20460 B      64 KB   31.22%
                 IDT_LIST     120 B       2 KB    5.86%
µBinder with one transport (TCP WebSocket): ~64 KB
µBinder IPC Transport
● Added a console/serial transport abstraction
● Based on previous work done for the L4Re hypervisor (communication between AGL domains)
● Explored transports on Zephyr: TCP, UDP, I2C & MBUF
● Note: currently transports are statically selected at compilation only
● Difficulties
– Zephyr pollfd is not as smart as the Linux one
– No file system on the board we used
– The AGL security model heavily relies on SMACK, which is not available outside Linux
– Many things anyone would expect to exist by default are optional or not present
– No systemd to start services on demand or in the right order
● To be solved in order to move beyond POC
– No AGL support for remote authorities (security/authentication)
– No discovery service (as of today micro-service locations are statically defined)
– No real-time support at API level (critical when resources are limited)
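As an added example of the transport abstraction this slide and the "Porting" slide describe (not µBinder or AGL code; the struct, its function names and the framing format are assumptions), the code below puts a memory ring buffer behind a two-function transport interface and layers length-prefixed framing on top, since a shared buffer or a UART carries bytes rather than messages. The receiver bounds the announced length before it trusts it, which is the check that matters once the peer on a non-TCP/IP link is outside the Linux security model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two calls a binder core would need from any transport backend. The
 * struct and its names are assumptions for this example, not the AGL API. */
struct ubinder_transport {
    const char *name;
    int (*write)(void *ctx, const uint8_t *buf, size_t len); /* bytes written */
    int (*read)(void *ctx, uint8_t *buf, size_t len);        /* bytes read, 0 if none */
    void *ctx;
};

/* Memory backend: a byte ring shared by both ends, the shape a shared-buffer
 * or loopback UART link has. It carries bytes, not messages. */
#define MEM_RING_SIZE 256
struct mem_ring { uint8_t buf[MEM_RING_SIZE]; size_t head, tail; };

static int mem_write(void *ctx, const uint8_t *b, size_t len)
{
    struct mem_ring *r = ctx;
    size_t i;
    for (i = 0; i < len; i++) {
        size_t next = (r->head + 1) % MEM_RING_SIZE;
        if (next == r->tail)            /* full: short write */
            break;
        r->buf[r->head] = b[i];
        r->head = next;
    }
    return (int)i;
}

static int mem_read(void *ctx, uint8_t *b, size_t len)
{
    struct mem_ring *r = ctx;
    size_t i;
    for (i = 0; i < len && r->tail != r->head; i++) {
        b[i] = r->buf[r->tail];
        r->tail = (r->tail + 1) % MEM_RING_SIZE;
    }
    return (int)i;
}

/* Backend selected at build time, as in the POC; a UART backend would be
 * another pair of functions behind the same struct. */
static struct mem_ring mem_ring_instance;
struct ubinder_transport mem_transport = { "mem", mem_write, mem_read, &mem_ring_instance };

/* Length-prefixed framing (2-byte big-endian length) so message boundaries
 * survive a byte stream. */
#define MSG_MAX 128

int ubinder_send(struct ubinder_transport *t, const uint8_t *msg, size_t len)
{
    if (len > MSG_MAX)
        return -1;
    uint8_t hdr[2] = { (uint8_t)(len >> 8), (uint8_t)(len & 0xFF) };
    if (t->write(t->ctx, hdr, sizeof hdr) != (int)sizeof hdr)
        return -1;
    if (t->write(t->ctx, msg, len) != (int)len)
        return -1;                      /* stream now desynced; a real link would reset */
    return (int)len;
}

static int read_full(struct ubinder_transport *t, uint8_t *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        int r = t->read(t->ctx, buf + got, len - got);
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Returns the message length, -1 when the transport ran dry or failed, and
 * -2 when the peer announced a length the receiver refuses to honour. The
 * announced length never sizes a read before that check. */
int ubinder_recv(struct ubinder_transport *t, uint8_t *out, size_t cap)
{
    uint8_t hdr[2];
    if (read_full(t, hdr, sizeof hdr) != 0)
        return -1;
    size_t len = ((size_t)hdr[0] << 8) | hdr[1];
    if (len > MSG_MAX || len > cap)
        return -2;
    if (read_full(t, out, len) != 0)
        return -1;
    return (int)len;
}

int main(void)
{
    const char *req = "monitor/get";   /* the call from the Programming Model slide */
    uint8_t out[MSG_MAX];
    ubinder_send(&mem_transport, (const uint8_t *)req, strlen(req));
    int n = ubinder_recv(&mem_transport, out, sizeof out);
    printf("received %d bytes over %s: %.*s\n", n, mem_transport.name, n, (const char *)out);
    return 0;
}
```

Everything above the two function pointers is transport-independent, which is the property the slides want from a plugin transport: the binder core keeps one framing and one set of bounds checks whether the bytes come from TCP, UART or a shared memory buffer.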
Supporting Multiple OS/RTOS
● OS abstraction: libuv looks promising
– Supports Linux, Windows, MacOS, Zephyr, Android, …
– Ported to a couple of embedded projects (e.g. JerryScript)
– WARNING: libuv might not be a good choice for older-generation RTOS (VxWorks, QNX, …)
● Distributed security model for a smaller footprint
– Create an abstraction for SMACK (e.g. SELinux for Android)
– Enable remote access to Cynara
– Implement a security/authority delegation model (OpenID Connect)
● Support tiny/certified OS such as AUTOSAR
– Provide a mechanism for 100% alien systems to play a role within the AGL micro-services architecture (e.g. UART or buffer client model)
– Provide support to enforce real-time constraints at the API/binding level
Conclusions
● The µBinder POC shows that the AGL Binder may:
– Slim down below 64 KB and run on an RTOS with 128/256 KB
– Support non-TCP/IP IPC transports (memory, UART, …)
– Share a unique code base from µController to the cloud
– Allow customization without touching the core
– Support both static and dynamic models (config, transport, …)
● Challenges before going to production
– Current code needs to be significantly restructured in a modular way (plugins)
– Linux dependencies (POSIX, systemd, SMACK, …) should be abstracted
– Remote internal capabilities should be added (API discovery, ACL, token, …)
– Mapping to the non-AGL world (Android, TrustZone, QNX, …) would need sponsors
Visiting us in Lorient