Communications and Security Service
The NVIDIA DRIVE™ OS includes the Foundation Services runtime software stack that provides the infrastructure for the DRIVE™ OS Platform components. With this infrastructure, multiple guest operating systems can run on the NVIDIA hardware with the NVIDIA DRIVE™ Hyperion Developer Kit to manage the hardware resources.
The Foundation Services runtime architecture stack is as follows:
This Development Guide focuses on the Communications Service and Security Service components. Each component runs in its own QNX virtual machine.
Component | Description |
Communications Services | The Communications Service manages the communications of the hardware peripherals. • Guest VMs can access the peripherals as if they were exclusively allocated to that VM. The Communications Service uses the Security Service to manage the routing of traffic to and from the peripherals, and to and from the guest VM. |
Security Services | The Security Service monitors the communications for potential threats and enacts the appropriate policy once a threat is detected. • The guest VM is not aware of the Security Service. • The guest VM has virtualized drivers that appear, to higher layers, like normal hardware drivers. • Multiple guest VMs can access the same peripheral without knowledge of each other. |
Definition of Terms
The following terms are used throughout this document:
Term | Definition |
CAN | Controller Area Network |
Comms | Communications Services |
DDOS | Distributed Denial of Service |
DHCP | Dynamic Host Configuration Protocol |
DNS | Domain Name System |
DoS | Denial of Service |
ICMP | Internet Control Message Protocol |
IDPS | Intrusion Detection and Prevention System |
IP | Internet Protocol |
IVC | Inter-Virtual Machine Communication |
MAC | Media Access Control |
NAT | Network Address Translation |
OS | Operating System |
PTP | Precision Time Protocol |
SSL | Secure Sockets Layer |
SoC | System on a Chip |
TCP | Transmission Control Protocol |
TCU | Transmit Control Unit |
TLS | Transport Layer Security |
UDP | User Datagram Protocol |
VLAN | Virtual Local Area Network |
VM | Virtual Machine |
A Typical Communication Configuration
The following illustration provides a reference example of networking over IP. A similar model applies to other communication interfaces such as CAN.
• The HV0 IP interfaces between each Guest OS VM.
• The Communications Service is assigned a static IP address.
• Each VM is on a different subnet, and each VM is connected to the eth0 physical Ethernet device on the Communications Service.
• The Communications Service implements the para-virtualization of the physical interface, which is Ethernet in this case.
In this way, each Guest OS operates as if it has exclusive and direct access to the Ethernet device.
• The link between each Guest OS and the Communications Service is implemented by leveraging the Hypervisor IVC API.
• The Security Service acts as the bridge for the data transfers.
In this example, the Security Service routes the traffic to and from the peripheral, and to and from the Guest VM using the nvsec_engine. One instance is required per VM Communications channel.