AUTOSAR AP Execution Management - Overview

what is execution management

Execution Management (EM) is a functional component of the Adaptive Platform (AP). It is responsible for platform initialization and for starting and stopping applications, and it performs these actions according to one or more manifest files, which specify, for example, when and where each executable is started.

system start

When the machine starts, the OS launches EM as its first process, and EM then loads the other function groups. Once the basic platform components are running, EM starts the platform applications and the ordinary applications in order, according to the Machine Manifest and the Execution Manifests.

An AP application is based on processes; starting an application means starting a process.

execution management functions

1. Platform lifecycle management

EM is started as part of the AP platform startup and is responsible for the initialization of the AP platform and the deployment of applications.

2. Application lifecycle management

EM is responsible for starting and stopping the deployed applications in order, based on the Machine Manifest and the Execution Manifests; the start/stop order is derived from the configured application dependencies.

Depending on the machine state and the function group states, an application may be started during the machine startup phase or at some later stage; it is expected that many applications will not be started immediately.

EM is not responsible for the runtime scheduling of applications; that is the job of the OS. EM is, however, responsible for initializing and configuring the OS so that it can perform the required runtime scheduling (the information comes from the manifests).
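The dependency-based start and stop ordering described above, as an added example that is not part of the original post and does not use the ara::exec API (it is written in Go rather than the C++ of the Adaptive Platform): the manifest entries (process name, function group states, dependencies) are a constructed model of what an Execution Manifest declares, the start order is a topological sort restricted to the processes active in the requested function group state, and the stop order is its reverse. It also shows the checks a practitioner wants before trusting a derived order: an undeclared dependency, a dependency that is inactive in this state, and a dependency cycle are all rejected instead of silently started.

```go
package main

import (
	"fmt"
	"sort"
)

// Process is a constructed model of one Execution Manifest entry: the process
// name, the function group states in which it must run, and the processes it
// depends on. It is not the AUTOSAR ARXML schema.
type Process struct {
	Name      string
	States    []string
	DependsOn []string
}

// StartOrder derives the start sequence for the processes active in `state`:
// a process is started only after all of its dependencies. It fails on an
// undeclared dependency, a dependency that is inactive in this state, or a
// dependency cycle, because none of these can be started safely.
func StartOrder(manifest []Process, state string) ([]string, error) {
	byName := map[string]Process{}
	active := map[string]bool{}
	for _, p := range manifest {
		byName[p.Name] = p
		for _, s := range p.States {
			if s == state {
				active[p.Name] = true
			}
		}
	}

	const visiting, done = 1, 2
	mark := map[string]int{}
	var order []string
	var visit func(name string) error
	visit = func(name string) error {
		switch mark[name] {
		case done:
			return nil
		case visiting:
			return fmt.Errorf("dependency cycle involving %q", name)
		}
		mark[name] = visiting
		// Sort so that the derived order is identical on every boot.
		deps := append([]string(nil), byName[name].DependsOn...)
		sort.Strings(deps)
		for _, d := range deps {
			if _, ok := byName[d]; !ok {
				return fmt.Errorf("%q depends on undeclared process %q", name, d)
			}
			if !active[d] {
				return fmt.Errorf("%q depends on %q, which is not active in state %q", name, d, state)
			}
			if err := visit(d); err != nil {
				return err
			}
		}
		mark[name] = done
		order = append(order, name)
		return nil
	}

	names := make([]string, 0, len(active))
	for n := range active {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if err := visit(n); err != nil {
			return nil, err
		}
	}
	return order, nil
}

// StopOrder is the reverse of the start order: a process is stopped before
// the processes it depends on, so nothing loses a dependency while running.
func StopOrder(manifest []Process, state string) ([]string, error) {
	start, err := StartOrder(manifest, state)
	if err != nil {
		return nil, err
	}
	stop := make([]string, len(start))
	for i, n := range start {
		stop[len(start)-1-i] = n
	}
	return stop, nil
}

// SampleManifest is a constructed set of manifest entries used for the demo.
func SampleManifest() []Process {
	return []Process{
		{Name: "ComDaemon", States: []string{"Startup", "Running"}},
		{Name: "Logger", States: []string{"Startup", "Running"}},
		{Name: "Diagnostics", States: []string{"Running"}, DependsOn: []string{"ComDaemon"}},
		{Name: "SensorFusion", States: []string{"Running"}, DependsOn: []string{"Logger", "ComDaemon"}},
		{Name: "Planner", States: []string{"Running"}, DependsOn: []string{"SensorFusion"}},
	}
}

func main() {
	for _, state := range []string{"Startup", "Running"} {
		start, err := StartOrder(SampleManifest(), state)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		stop, _ := StopOrder(SampleManifest(), state)
		fmt.Printf("%s: start %v, stop %v\n", state, start, stop)
	}
}
```

Sorting both the active process names and each dependency list is deliberate: a map-driven traversal would produce a valid but varying order from boot to boot, which is exactly the kind of nondeterminism the later section on deterministic execution warns about.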

deterministic execution

Deterministic execution provides a mechanism that, for a given input data set, always produces the same output within a specified time.

Personal understanding: to understand deterministic execution, you must first know what is uncertain in a program's execution: timing uncertainty (sometimes execution is fast, sometimes slow), resource uncertainty (dynamic memory allocation, thread allocation, etc.), and other random uncertainties.

EM provides time determinism and data determinism. The former means that the output is always produced before the deadline; the latter means that the output and the internal state are always the same.

The support provided by EM focuses on data determinism, since time determinism can be handled by providing sufficient resources.

EM provides a set of deterministic client APIs that support control of in-process cycles, a deterministic thread pool, activation timestamps and nonces.

Furthermore, deterministic execution optionally supports software lockstep: the application is executed redundantly and the results are compared.
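A model of the deterministic client mechanisms listed above (a per-cycle activation timestamp and nonce, a worker pool whose output does not depend on which worker finishes first, and software lockstep with result comparison), as an added example that is not part of the original post. It is written in Go and is not the ara::exec C++ API; the `Activation` type, the `Filter` workload, its inputs and the injected fault are all constructed for the demo. The point it shows is where the nondeterminism is removed: the timestamp and the nonce are produced once by the cycle driver and handed to every replica, rather than read from the clock or a random generator inside the job, and each result is stored by job index rather than in completion order.

```go
package main

import (
	"fmt"
	"math/rand"
	"sync"
)

// Activation is what the deterministic client hands to the application at
// the start of a cycle. The driver produces it once per cycle, so redundant
// executions of the same cycle see identical values (constructed model, not
// the ara::exec API).
type Activation struct {
	Cycle     uint64
	Timestamp uint64 // logical activation time in microseconds, not wall-clock
	Nonce     uint64 // per-cycle random value, fixed for all replicas of the cycle
}

// NewActivation derives cycle n from a seed held by the driver; the nonce is
// pseudo-random but fully determined by (seed, n).
func NewActivation(seed int64, n uint64, periodUs uint64) Activation {
	r := rand.New(rand.NewSource(seed + int64(n)))
	return Activation{Cycle: n, Timestamp: n * periodUs, Nonce: r.Uint64()}
}

// Job is one unit of work submitted to the deterministic thread pool. Jobs
// read only their own input and the activation data; they share no state.
type Job func(act Activation, input int64) int64

// RunCycle runs the jobs on `workers` goroutines and returns the results in
// job order. Each result slot is written exactly once, by index, so the
// output is the same whichever worker finishes first.
func RunCycle(act Activation, inputs []int64, job Job, workers int) []int64 {
	if workers < 1 {
		workers = 1
	}
	results := make([]int64, len(inputs))
	next := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range next {
				results[i] = job(act, inputs[i])
			}
		}()
	}
	for i := range inputs {
		next <- i
	}
	close(next)
	wg.Wait()
	return results
}

// Lockstep runs the cycle on two replicas and compares them job by job. It
// returns the agreed output, or an error naming the first diverging job.
func Lockstep(act Activation, inputs []int64, primary, secondary Job, workers int) ([]int64, error) {
	a := RunCycle(act, inputs, primary, workers)
	b := RunCycle(act, inputs, secondary, workers)
	for i := range a {
		if a[i] != b[i] {
			return nil, fmt.Errorf("cycle %d: job %d diverged (%d vs %d)", act.Cycle, i, a[i], b[i])
		}
	}
	return a, nil
}

// Filter is a constructed workload that mixes the input with the cycle's
// nonce and timestamp, both taken from the activation, never from the clock.
func Filter(act Activation, x int64) int64 {
	return 3*x + int64(act.Nonce%1000) + int64(act.Timestamp/1000)
}

// FaultyFilter models a replica whose result for one job is corrupted.
func FaultyFilter(act Activation, x int64) int64 {
	if x == 4 {
		return Filter(act, x) ^ 1
	}
	return Filter(act, x)
}

func main() {
	act := NewActivation(7, 3, 10000)
	inputs := []int64{1, 2, 3, 4, 5}
	out, err := Lockstep(act, inputs, Filter, Filter, 3)
	fmt.Println("healthy replicas:", out, err)
	_, err = Lockstep(act, inputs, Filter, FaultyFilter, 3)
	fmt.Println("corrupted replica:", err)
}
```

Running the same cycle with one worker and with four gives identical output, which is the property a deterministic thread pool has to guarantee; the lockstep comparison then turns a corrupted replica into a detected fault instead of a silently wrong actuator command.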

resource constraints

The AP platform allows multiple applications to run on the same machine, so it must be ensured that they do not interfere with each other.

A misbehaving program should be limited in its ability to affect other programs; for example, a program should not be able to consume more CPU resources than configured, since that would affect the other applications.

EM supports avoiding such interference through the configuration of process resource groups, each of which may have limits on CPU time or memory.

application recovery

EM is responsible for state-based process start/stop management, so it has the special permissions needed to start and stop processes.

PHM (Platform Health Management) monitors processes; when a process does not behave as expected, PHM can trigger a recovery action, which is configured in the Execution Manifest.

Trusted Platform

To ensure that the system functions correctly, it is essential that executable files come from a legitimate source.

The key attribute for achieving a trusted platform is the root of trust, which is usually a public key stored in a secure environment, such as an unmodifiable persistent storage area or an HSM (hardware security module).

The system designer is responsible for ensuring that the system boots from the root of trust up to the point where the EM module is loaded.

Depending on the mechanism chosen by the system designer, the integrity and trustworthiness of the entire system may be checked at startup. If, however, the system designer only guarantees the integrity and trustworthiness of the programs executed up to that point, then once EM takes control of the system it must assume the corresponding responsibility and continue to extend the chain of trust, which requires the integrator to configure EM correctly.

An example of passing trust from the root of trust to the OS and the AP might look like this:

1. The root of trust, as a trusted entity, authenticates the bootloader before the bootloader starts. In each subsequent step of the boot process, the executable to be started is authenticated first, and the authentication check is performed by an already authenticated entity, such as a previously launched executable or an external entity (an HSM, etc.).
2. Once the OS has been authenticated and started, it should load EM as its first process; before EM starts, the OS must ensure that EM has been authenticated and is a trusted entity.
3. EM now takes on the responsibility of authenticating applications, using multiple mechanisms to check their integrity and trustworthiness.
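The three-step chain above, as an added example that is not part of the original post and not the code of any AUTOSAR implementation. It is written in Go and uses Ed25519 signatures from the standard library as the authentication mechanism; the stage names, the image bytes and the key pairs are all constructed for the demo, and on a real platform the root public key would sit in immutable storage or an HSM and the private keys would never be on the machine. The rule the example enforces is the one the text states: an entity may only authenticate the next stage if it has itself been authenticated, so an EM that was never verified by the OS cannot vouch for any application, and a tampered application image is refused before it starts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Entity is one link of the chain: a stage image, the public key the stage
// will use to verify whatever it launches next, and a signature over both
// made by the entity that launches it. Signing the key together with the
// image keeps an attacker from swapping in a key of their own.
type Entity struct {
	Name  string
	Image []byte
	Key   ed25519.PublicKey
	Sig   []byte
}

func signedPayload(e Entity) []byte {
	return append(append([]byte{}, e.Image...), e.Key...)
}

// Chain records the authenticated entities and the key each one verifies
// with. Before boot only the root of trust is present.
type Chain struct{ keys map[string]ed25519.PublicKey }

func NewChain(root string, rootKey ed25519.PublicKey) *Chain {
	return &Chain{keys: map[string]ed25519.PublicKey{root: rootKey}}
}

// Authenticate checks `next` with the key of `verifier` before it may start.
// It refuses when the verifier itself was never authenticated: that rule is
// what keeps every link attached to the root of trust.
func (c *Chain) Authenticate(verifier string, next Entity) error {
	key, ok := c.keys[verifier]
	if !ok {
		return fmt.Errorf("%s is not authenticated and cannot vouch for %s", verifier, next.Name)
	}
	if !ed25519.Verify(key, signedPayload(next), next.Sig) {
		return fmt.Errorf("%s: signature by %s does not verify, refusing to start", next.Name, verifier)
	}
	c.keys[next.Name] = next.Key
	return nil
}

// Boot walks the stages in launch order: each one is authenticated by the
// stage before it, starting from the root of trust.
func Boot(rootKey ed25519.PublicKey, stages []Entity) (*Chain, error) {
	c := NewChain("root", rootKey)
	verifier := "root"
	for _, s := range stages {
		if err := c.Authenticate(verifier, s); err != nil {
			return nil, err
		}
		verifier = s.Name
	}
	return c, nil
}

// mustKey generates a constructed key pair for the demo only.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func makeEntity(name string, image []byte, launcher ed25519.PrivateKey, own ed25519.PublicKey) Entity {
	e := Entity{Name: name, Image: image, Key: own}
	e.Sig = ed25519.Sign(launcher, signedPayload(e))
	return e
}

// SampleBoot builds the constructed chain root -> bootloader -> OS -> EM plus
// one application for EM to check. Applications launch nothing, so they
// carry no verification key.
func SampleBoot() (ed25519.PublicKey, []Entity, Entity) {
	rootPub, rootPriv := mustKey()
	bootPub, bootPriv := mustKey()
	osPub, osPriv := mustKey()
	emPub, emPriv := mustKey()
	stages := []Entity{
		makeEntity("bootloader", []byte("bootloader image (constructed)"), rootPriv, bootPub),
		makeEntity("OS", []byte("OS image (constructed)"), bootPriv, osPub),
		makeEntity("EM", []byte("execution manager image (constructed)"), osPriv, emPub),
	}
	app := makeEntity("SensorFusion", []byte("application image (constructed)"), emPriv, nil)
	return rootPub, stages, app
}

func main() {
	rootKey, stages, app := SampleBoot()
	c, err := Boot(rootKey, stages)
	if err != nil {
		panic(err)
	}
	fmt.Println("start application:", c.Authenticate("EM", app))
	app.Image = []byte("application image (modified)")
	fmt.Println("start tampered application:", c.Authenticate("EM", app))
}
```

Skipping any stage breaks the chain: the OS image is signed by the bootloader's key, so a boot that starts at the OS and checks it against the root key fails, which is the behaviour the integrator relies on when configuring EM to keep verifying applications after the platform itself has been verified.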


Source: blog.csdn.net/usstmiracle/article/details/132171348