# NVIDIA DriveOS 7.0 Features

## Table of Contents

- Platform and Device Support
- System Configuration and Performance
- Connectivity and Communication
- Security and Data Integrity
- Debugging and Error Handling
- Camera and Vision Processing
- Development Tools and Environment
- Linux Safety Extensions
- System Management and Power
- Boot, Platform Support and Capabilities
- Memory Management
- Debugging and Tools

## Platform and Device Support

NVIDIA DriveOS 7.0 includes support for:

- Thor U Pre-QS device.
- DRIVE AGX Thor C-sample, D-sample, and GA Devkits.
- Thor-X SKU PS devices.

## System Configuration and Performance

#### Board SKU Capabilities

- An interface in the Guest VM for applications to read hardware board strap GPIO.
- Mechanisms to choose different Guest OS DTS settings based on hardware board strap GPIO readings at boot time.
- Mechanisms to choose different pinmux and BPMP DTB settings based on hardware board strap GPIO readings at boot time.

#### Clocks/Profiles

- Enables full production clocks for Thor U (TA1890SA) for NSR production and development, including MaxP-A-1080-D-01-S.
- Enables the full production clocks/profiles for Thor X (TA1090SA) for NSR production and development, MaxP-A-1090-D-01-S.
- Supports flashing profiles for Thor X (MaxP-A-1090-D-01-S) and Thor U (MaxP-A-1080-D-01-S) with Linux non-Safety builds.

#### DriveOS Core Elimination

DriveOS eliminates its need for a dedicated core, allowing all system cores to be fully utilized by Guest OS VMs, which then delegate cycles to DriveOS services as needed. This includes GPU server support and FSI feature enhancements.

#### GPU Hardware Scheduler in a Single VM

Supports scheduling of high, medium, and low priority tasks in the GPU.

#### PCIe, EMC, Timestamp Synchronization

- Mechanism to support measurement of PCIe utilization: DriveOS in Standard and extended Safety debug overlay builds provides a mechanism to measure the bandwidth per PCIe root port. The measured bandwidth depends on data generated by the endpoint driver associated with the root port.
- Support for EMC bandwidth measurement.
- Provides a mechanism to measure timestamp with sync objects for 2D, VI, DLA, NVENC, OFA, ICP, ISP, IOFST, IEP, IGPU, PVA, CUDLA.

## Connectivity and Communication

- Chip-2-Chip data transfers between two Thor SoCs: Supports transfers where Thor can be in either RP or EP mode to another Thor in RP or EP mode.
- I2C multi-primary support between Tegra and sMCU for VMON and TMON: DriveOS supports I2C multi-primary access by SoC and MCU, including after SoC boot-up for device and board temperature sensors and VRS10/11 devices.
- Multicast image data to multiple SoCs: DriveOS provides multicast image streaming across SoCs over PCIe.
- Ethernet interface concurrent timestamp API for Thor boards: DriveOS provides an API to read and provide concurrent timestamps across the Thor 10 Gbps MGBE interfaces. These interfaces are connected to external switches for sensors and to an external GTM for PTP time sync.
- Ethernet Virtualization: DriveOS provides Ethernet virtualization for isolation amongst mixed critical workloads within one Guest OS VM (AV+L).
- Enabled Ethernet driver with traffic shaping functionality.
- PCIe C2C Reconnection support:
  - Support for C2C stack (KMD and UMD) re-initialization when PCIe link recovery occurs without rebooting local SoC.
  - Support for NvSciStream-based streaming after C2C stack re-initialization without rebooting local SoC.
- Boot sequence support between EPs and RPs among the SoC in C2C PCIe interconnect.
- Adding/removing consumers to NvStream.

## Security and Data Integrity

- Filesystem protection against rollback: DriveOS verifies the filesystem version against a ratchet value when checking its cryptographic integrity.
- Support provisioning of tuned GR register values: DriveOS supports interfaces to enable provisioning of tuned values in production images and on production fused boards.
- Supports and verifies the filesystem version against a ratchet value when checking its cryptographic integrity.
- Principle of least privilege while running DriveOS Linux user space processes:
  - Each DriveOS Linux user space process shall drop root privileges including unneeded POSIX capabilities.
  - DriveOS Linux root processes shall drop their privileges at their process startup phase.
  - DriveOS user space processes shall only have read and write file access permissions as required by their functionality.
- Linux Security Hardening: The following features are supported for production builds:
  - Disable Guest OS Shell Access.
  - Disable SSH Daemon.
  - Disable Telnet Daemon.
  - Disable the Guest OS UART Serial Console.
  - Enable DriveOS Linux ASLR (Address Space Layout Randomization).
  - Enabling DriveOS Linux Kernel module signing.
  - Removal of debug tools and interfaces from DriveOS Linux production images.
  - Linux Guest OS Arm PA (Pointer Authentication) support.
  - Enable stack canaries (kernel and user space) with random canary values.
  - Enable RELRO (RELocation Read-Only) for DriveOS Linux executables.
  - Enable DriveOS Linux user space Arm PA (Pointer Authentication) support.
  - Prevent sensitive information leakage from the DriveOS Linux kernel.
  - Improve DriveOS Linux network security by mitigating known DoS and MiTM attacks.
  - Mitigations against Branch History Buffer Speculation Attacks.
  - Mitigations against Straight Line Speculation Attacks.
  - Enable DriveOS Linux KASLR (Kernel Address Space Layout Randomization) for randomizing core kernel and kernel module virtual addresses.
  - Enable memory randomization of DriveOS Linux user space stand alone executables and shared libraries.
- Support for control flow integrity protection using pointer authentication codes.
- PKCS#11 support for allowing writing FSI tokens from CCPLEX.

## Debugging and Error Handling

- Support to provide verbose and user-friendly RCE logs.
- Supports unified logging framework and associated client support: This framework includes guestVM, serverVMs, and HyperVisor to capture system-level events, error codes, and verbose logs.
- FSI feature enhancements:
  - Supports disabling specific error codes through a configuration mechanism for individual reporter ID and error code pairs.
  - Ability to obtain and report EC index for HSM error from error collator by default.
- Error injection utility for HSM reported hardware errors: DriveOS supports an error injection utility to simulate and inject HSM reported errors to test MCU error handlers.
- Enhance GPU error debug methods: DriveOS provides a mechanism to identify the kernel, instruction, or CUDA program line/function name causing an exception when it occurs in a user kernel.

## Camera and Vision Processing

- Ability to re-program/re-trigger Camera Fsync for Camera Modules: DriveOS can phase-shift the absolute start time of frame synchronization signals at runtime upon user application request.
- Linear interpolation in case of scaling images using 2D engine: DriveOS supports linear interpolation for scaling images using the internal 2D Engine.
- Camera authentication support including:
  - Report Camera Message Integrity Violation.
  - Verify Message Authenticity.
  - Preserve Message Ordering.
  - Report Dropped Messages.
  - Assign Unique Party Identifiers.
  - Immutable Party Identifiers.
  - Restrict Sessions to a Communication Set.
  - Unique Session Identifiers.
  - Camera Communication Plane Isolation.
  - Authenticate Camera Sensor.
  - Detecting Message Corruption.
  - Drop Corrupted Messages.
- Flash Firmware Updater (FFU) for DRIVE platform storage devices:
  - Supports update of firmware for eMMC/UFS storage devices from the target GOS.
  - Applies cryptographic integrity checks, anti-rollback, and replacement protections of eMMC/UFS firmware used for updates.
- Frozen and delayed frames detection and reporting on Camera capturing and processing by ISP.
- Supports linear interpolation in case of scaling images using the internal 2D engine.
- Supports ability to re-program/re-trigger Camera Fsync for Camera Modules: When the user application requests to phase-shift the absolute start time of frame synchronization signals at runtime, DriveOS shifts the phase of running frame synchronization pulse.
- Offers a software interface to select a region of interest (ROI) with maximum resolution.
- Support for anonymization of personally identifiable information within video streams.
- DriveOS SIPL provides a mechanism to customize the I2C address assignment method.
- Support for configurable absolute start time of frame synchronization signals.

## Development Tools and Environment

- GCC 13.2 Host Cross Compile tools: The DriveOS host development environment supports GCC 13.2 for cross-compiling kernel components, libraries, binaries, and applications for Linux on the Thor Ubuntu 24.04 target environment, compatible with Canonical Ubuntu 24.04 LTS.
- C++ 17: DriveOS supports C++17 for non-Safety related development and uses compatible GCC/G++ toolchains.
- Open box FSI sample app: DriveOS packages generators for MCALs and CDDs and a sample ECU extract for Open Box FSI solution.

## Linux Safety Extensions

- Support VMON and TMON in NSR builds: DriveOS verifies Tegra SoC power sequences and enables VMON to report voltage errors to an external Safety MCU. It also enables internal and external thermal sensors, providing an API on the Guest OS for temperature readings and reporting over-temperature events to the external Safety MCU.
- THOR SoC K(IST) (Beta quality).
- Supports reporting SoC hardware errors to external MCU.
- Supports error injection utility to simulate and inject software detected hardware errors to test customer side of MCU error handlers.
- Supports error injection utility to simulate and inject HSM reported errors to test customer MCU error handlers.

## System Management and Power

- Support for suspend to RAM (SC7).
- Support for graceful platform shutdown.
- sMCU fan control for automotive boards.

## Boot, Platform Support and Capabilities

- Support for MCU and UFS firmware update in flashing tools.
- The safety MCU firmware deliverable supports the management of more than one System-on-Chip (SoC).
- Support for managing 2x Thor in safety MCU firmware deliverable.
- Secure boot supports XMSS (PQC) verification of all boot images, including Guest OS Virtual Machines.
- Multi Tegra support in DRIVE Update.
- Support for asymmetric boot chain flashing via bootburn tool and DRIVE Update, including secure provisioning.
- Support for a customizable, Linux-based recovery VM that supports DRIVE Update.
- Supports ability to update board-specific customer data fields in BR-BCT with DRIVE Update.
- Support for addition/deletion of partitions and resizing of partitions in DRIVE Update.
- DRIVE Update package authentication.
- Allow boot chain C to be disabled.
- Support for configuring I/O interface tuning parameters for CSI and GMSL.
- Recovery Boot Chain in QSPI: DriveOS provides a customizable recovery bootchain (chain-C) resident entirely in QSPI storage to support the ability to boot from QSPI and recover the system when UFS is unavailable or corrupted.

## Memory Management

- Support for patrol scrubbing on external DRAM for non-Safety-related builds.
- Support for DRAM ECC page retirement such that pages with uncorrected errors are tracked and taken out of use. Ensures security of bad page information by enabling authenticated and encrypted read/write.
- Supports initiation of a HSM reset upon the detection of an uncorrected DRAM ECC error.

#### DRAM ECC Error Detection and Correction

- Supports DRAM ECC with alt-link ECC as the default mechanism on automotive T264-based platforms.
- Enables detection and correction of single-bit DRAM errors and detection of double-bit DRAM errors. For Thor devices, alt-link ECC is the default supported ECC mechanism for all profiles, with no DRAM penalty/use for ECC storage.

## Debugging and Tools

- Error injection utility for software detected hardware errors.
- Reduced lib size for DriveOS builds to meet load time KPIs during boot.

#### Notice

The information provided in this specification is believed to be accurate and reliable as of the date provided. However, NVIDIA Corporation ("NVIDIA") does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information. NVIDIA shall have no liability for the consequences or use of such information or for any infringement of patents or other rights of third parties that may result from its use. This publication supersedes and replaces all other specifications for the product that may have been previously supplied.

NVIDIA reserves the right to make corrections, modifications, enhancements, improvements, and other changes to this specification, at any time and/or to discontinue any product or service without notice. Customer should obtain the latest relevant specification before placing orders and should verify that such information is current and complete.

NVIDIA products are sold subject to the NVIDIA standard terms and conditions of sale supplied at the time of order acknowledgement, unless otherwise agreed in an individual sales agreement signed by authorized representatives of NVIDIA and customer. NVIDIA hereby expressly objects to applying any customer general terms and conditions with regards to the purchase of the NVIDIA product referenced in this specification.

NVIDIA products are not designed, authorized or warranted to be suitable for use in medical, military, aircraft, space or life support equipment, nor in applications where failure or malfunction of the NVIDIA product can reasonably be expected to result in personal injury, death or property or environmental damage. NVIDIA accepts no liability for inclusion and/or use of NVIDIA products in such equipment or applications and therefore such inclusion and/or use is at customer's own risk.

NVIDIA makes no representation or warranty that products based on these specifications will be suitable for any specified use without further testing or modification. Testing of all parameters of each product is not necessarily performed by NVIDIA. It is customer's sole responsibility to ensure the product is suitable and fit for the application planned by customer and to do the necessary testing for the application in order to avoid a default of the application or the product. Weaknesses in customer's product designs may affect the quality and reliability of the NVIDIA product and may result in additional or different conditions and/or requirements beyond those contained in this specification. NVIDIA does not accept any liability related to any default, damage, costs or problem which may be based on or attributable to: (i) the use of the NVIDIA product in any manner that is contrary to this specification, or (ii) customer product designs.

No license, either expressed or implied, is granted under any NVIDIA patent right, copyright, or other NVIDIA intellectual property right under this specification. Information published by NVIDIA regarding third-party products or services does not constitute a license from NVIDIA to use such products or services or a warranty or endorsement thereof.
Use of such information may require a license from a third party under the patents or other intellectual property rights of the third party, or a license from NVIDIA under the patents or other intellectual property rights of NVIDIA. Reproduction of information in this specification is permissible only if reproduction is approved by NVIDIA in writing, is reproduced without alteration, and is accompanied by all associated conditions, limitations, and notices.

ALL NVIDIA DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, "MATERIALS") ARE BEING PROVIDED "AS IS." NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. Notwithstanding any damages that customer might incur for any reason whatsoever, NVIDIA's aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the NVIDIA terms and conditions of sale for the product.

#### VESA DisplayPort

DisplayPort and DisplayPort Compliance Logo, DisplayPort Compliance Logo for Dual-mode Sources, and DisplayPort Compliance Logo for Active Cables are trademarks owned by the Video Electronics Standards Association in the United States and other countries.

#### HDMI

HDMI, the HDMI logo, and High-Definition Multimedia Interface are trademarks or registered trademarks of HDMI Licensing LLC.

OpenCL is a trademark of Apple Inc. used under license to the Khronos Group Inc.

#### Blackberry

BLACKBERRY, EMBLEM Design, QNX, AVIAGE, MOMENTICS, NEUTRINO and QNX CAR are the trademarks or registered trademarks of BlackBerry Limited, used under license, and the exclusive rights to such trademarks are expressly reserved.

NVIDIA and the NVIDIA logo are trademarks and/or registered trademarks of NVIDIA Corporation in the U.S. and other countries.
Other company and product names may be trademarks of the respective companies with which they are associated.

#### Copyright

© 2025 NVIDIA Corporation and affiliates. All rights reserved.