Linux with Safety Extensions#

The NVIDIA DriveOS Linux legacy profile shipped from the beginning (termed the Standard profile) contains images with debug capabilities and is intended for development. However, the documentation also provides recommendations on options that customers can enable or disable for production use. The Linux with Safety Extensions profile incorporates those options so that customers need as few changes as possible for production.

Besides the Development profile (based on the legacy Linux Standard profile), there are two further variants of the Linux with Safety Extensions profile: Production and Test. The Production profile makes the following changes versus the Standard profile:

  • DriveOS Safety Extensions (enabled by default)

  • Disables debugging, logging, profiling, the console, and SSH/NFS access for security

  • Boot KPI optimizations

  • Linux Security Hardening

The Test profile is a version of the Production profile, which restores capabilities like UART console and SSH access to be able to connect to the target and perform needed testing.

Comparison Between Different Profiles#

The following table shows the difference in terms of features between different profiles.

| No. | Feature | Standard/Development Profile (dev-nsr bind option) | Non-Safety Related Prod (prod_nsr bind option) | Non-Safety Related Test (test_nsr bind option) |
|---|---|---|---|---|
| 1 | Current kernel debugging options | Y | N | N |
| 2 | Read/write Guest OS FS | Y | N (read-only FS) | N (read-only FS) |
| 3 | Debuggers | Y | N | N [1] |
| 4 | Other tools that allow analyzing binaries and data | Y | N | N |
| 5 | Profiling tools | Y | N | N [1] |
| 6 | Serial console | Y | N | Y |
| 7 | Remote shell access (e.g., ssh, telnet) | Y | N | Y |
| 8 | Remote storage mount (e.g., NFS) | Y | N | Y |
| 9 | Tracing | Y | N | N [1] |
| 10 | Debug tools and profilers such as NSight Compute, NSight Systems, NSight Graphics | Y | N | N [1] |
| 11 | DRAM ECC | Y | Y | Y |
| 12 | PMU access for profiling | Y | N | N |
| 13 | Current TCF and Server VM logging and debugging options | Y | N | N |
| 14 | Bootloader debug (for Boot KPI measurement) | Y | N | N |
| 15 | tegrastats | Y | N | Y |

[1] Debugging, profiling, and tracing capabilities can be re-enabled following the instructions in the Linux Kernel for Safety Extensions Profile and Enabling/Disabling GPU Debugger/Profile Features sections below.

Linux with Safety Extension Bind Options#

AV+L Standard

$ cd drive-foundation/
$ ./make/bind_partitions [-b <board_name>] linux [options]

AV+L NSR Production (prod_nsr PCT variant)

# Bind with the prod_nsr PCT variant
$ cd drive-foundation
$ ./make/bind_partitions [-b <board_name>] linux -p prod_nsr [options]

AV+L NSR Production-test (test_nsr PCT variant)

# Bind with the test_nsr PCT variant
$ cd drive-foundation
$ ./make/bind_partitions [-b <board_name>] linux -p test_nsr [options]

For more detailed information, refer to the AV PCT Configuration -> Supported Bind Options chapter.

Linux Kernel for Safety Extensions Profile#

A new kernel image (based on a separate defconfig) is being added for Linux with Safety Extensions profile support. The prod_nsr and test_nsr configurations use the same kernel image; the prod_nsr profile may impose additional restrictions through OS command-line arguments, device tree (dts) settings, and similar means.

The kernel defconfig for the prod_nsr profile is tegra_prod_defconfig, which has debug, profiling, and tracing configs disabled and additional security hardening applied. To recompile the Kernel for Safety Extensions from source, follow the same steps outlined in the “Compiling the Kernel” section, using tegra_prod_defconfig as the defconfig.

Finally, the production kernel supports DM_VERITY and rw_overlayfs to enable read-only filesystem operation: write access to dynamic directories such as /tmp, /var, /home, and /etc is provided by routing them to a scratch partition. For more details on the DM_Verity initramfs workflow, refer to the SDK documentation section “DM-Verity and Read-Only File System Support”.

Reenabling Profiling

The production defconfig disables the following profiling-related configs; enable them in the defconfig as needed to restore profiling support:

CONFIG_PROFILING=y
CONFIG_ARM_SMMU_V3_PMU=m (module needs to be copied to targetfs) or y
CONFIG_PERF_EVENTS=y

Reenabling Tracing

The production defconfig disables the following tracing-related configs; enable them in the defconfig as needed to restore tracing support:

CONFIG_FTRACE=y
CONFIG_FUNCTION_TRACER=y
CONFIG_TRACING=y
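Because the prod_nsr profile's security posture depends on these options staying off, it is worth auditing the kernel configuration that actually ships rather than trusting the defconfig name. The following POSIX shell script is an added example, not part of the DriveOS documentation or its tooling: it takes a kernel .config (or a defconfig, or a decompressed /proc/config.gz from the target) and reports any of the profiling and tracing options listed in the two sections above that are enabled. The function names and the sample config fragment are constructed for this example; the option list is the one given on this page.

```shell
#!/bin/sh
# Added example (not from the DriveOS documentation or its tooling): audit a
# kernel .config or defconfig for the profiling/tracing options that the
# prod_nsr profile keeps disabled. Any option found enabled is reported and
# the audit returns 1. The file passed in is the caller's own.

# Options expected to be off (absent or "# CONFIG_X is not set") in prod_nsr.
# List taken from the Reenabling Profiling / Reenabling Tracing sections.
PROD_DISABLED_OPTS="CONFIG_PROFILING CONFIG_PERF_EVENTS CONFIG_ARM_SMMU_V3_PMU CONFIG_FTRACE CONFIG_FUNCTION_TRACER CONFIG_TRACING"

# kconfig_value FILE OPT -> prints y or m when OPT is set to that, else n.
# The trailing "=" in the pattern keeps CONFIG_FTRACE from matching
# CONFIG_FTRACE_<something>.
kconfig_value() {
    _val=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2)
    case "$_val" in
        y|m) printf '%s\n' "$_val" ;;
        *)   printf 'n\n' ;;
    esac
}

# audit_prod_kconfig FILE -> prints one line per enabled option; returns 0
# only when every option in PROD_DISABLED_OPTS is off.
audit_prod_kconfig() {
    _rc=0
    for _opt in $PROD_DISABLED_OPTS; do
        _v=$(kconfig_value "$1" "$_opt")
        if [ "$_v" != n ]; then
            printf 'ENABLED  %s=%s (expected off in prod_nsr)\n' "$_opt" "$_v"
            _rc=1
        fi
    done
    if [ "$_rc" -eq 0 ]; then
        echo "OK  no profiling/tracing options enabled"
    fi
    return $_rc
}

# write_sample_config FILE -> constructed config fragment resembling a
# development kernel (profiling and some tracing on); demonstration input only.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_PROFILING=y
CONFIG_PERF_EVENTS=y
CONFIG_ARM_SMMU_V3_PMU=m
# CONFIG_FTRACE is not set
# CONFIG_FUNCTION_TRACER is not set
CONFIG_TRACING=y
EOF
}

# Usage: ./audit_prod_kconfig.sh path/to/.config
if [ "${1:-}" ]; then
    audit_prod_kconfig "$1"
    exit $?
fi
```

Run it against the build tree's .config after `make tegra_prod_defconfig`, and again against `zcat /proc/config.gz` from a booted target if CONFIG_IKCONFIG_PROC is available there; a clean result on the build host does not prove the flashed image matches. The check treats `=m` as enabled on purpose, since a loadable module (such as CONFIG_ARM_SMMU_V3_PMU=m) restores the capability as soon as it is copied to the target filesystem.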

Enabling/Disabling GPU Debugger/Profile Features#

DT nodes are used for enabling/disabling GPU debugger/profiler features.

In development builds, the GPU debugger/profiler features are enabled by default; in prod_nsr/test_nsr they are disabled by default.

The Disabling GPU Debugger and Profiler for Security section provides the steps to disable or enable the debugger and profiler features; in the Linux with Safety Extensions profile they can be enabled by following the steps under To enable GPU Debugger and Profiler.

Initramfs#

For the production profile, the Yocto initramfs for boot ($NV_WORKSPACE/filesystem/initramfs/prod-initramfs.cpio) is used for the boot process. Because DM_VERITY is enabled by default in the production configuration, the production boot initramfs mounts the rootfs read-only and provides write access to a scratch partition before starting systemd in the rootfs. As a result, any writes to the paths /var, /tmp, /home, and /etc go to the scratch partition gos0-rw-overlay, which is 1 GB in size. Finally, the production boot initramfs contains the production Tegra kernel modules (i.e., kernel drivers) required for the initramfs boot process.

For more details on the DM_Verity initramfs workflow, refer to the DM-Verity and Read-Only File System Support chapter in the NVIDIA DriveOS Linux SDK Developer Guide.
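A quick way to confirm on a booted target that the layout described above is actually in effect (rootfs read-only, the four dynamic directories served by overlays) is to inspect the mount table. The following POSIX shell script is an added example, not part of the DriveOS documentation or its initramfs: it reads a /proc/mounts-style table (default /proc/mounts), checks that "/" carries the ro option and that /var, /tmp, /home and /etc are overlay mounts, and fails if any check does not hold. The function names, the /rw upper/work directories and the sample tables are constructed for this example; the path list comes from this page.

```shell
#!/bin/sh
# Added example (not from the DriveOS documentation or its initramfs): verify
# that a mount table shows "/" mounted read-only and /var, /tmp, /home, /etc
# as overlay mounts, as this page describes for the production initramfs.

OVERLAY_PATHS="/var /tmp /home /etc"   # dynamic directories named on this page

# mount_field FILE MOUNTPOINT N -> column N of the first entry whose mount
# point is MOUNTPOINT (/proc/mounts columns: source mountpoint fstype options
# dump pass); prints nothing if the path is not a mount point.
mount_field() {
    awk -v mp="$2" -v n="$3" '$2 == mp && !found { print $n; found = 1 }' "$1"
}

# has_opt OPTS OPT -> true if the comma-separated option string contains OPT
# as a whole token (so "errors=remount-ro" does not count as "ro").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_ro_overlay [FILE] -> one line per check; returns 0 only if all pass.
check_ro_overlay() {
    _file=${1:-/proc/mounts}
    _rc=0
    if has_opt "$(mount_field "$_file" / 4)" ro; then
        echo "OK    / is read-only"
    else
        echo "FAIL  / is not mounted read-only"
        _rc=1
    fi
    for _p in $OVERLAY_PATHS; do
        if [ "$(mount_field "$_file" "$_p" 3)" = overlay ]; then
            echo "OK    $_p is an overlay mount"
        else
            echo "FAIL  $_p is not an overlay mount"
            _rc=1
        fi
    done
    return $_rc
}

# write_sample_mounts FILE MODE -> constructed tables for demonstration:
# "prod" mimics the read-only layout, "dev" a writable rootfs with no overlays.
write_sample_mounts() {
    if [ "$2" = prod ]; then
        cat > "$1" <<'EOF'
/dev/mapper/root / ext4 ro,relatime 0 0
overlay /var overlay rw,relatime,lowerdir=/var,upperdir=/rw/var,workdir=/rw/.var 0 0
overlay /tmp overlay rw,relatime,lowerdir=/tmp,upperdir=/rw/tmp,workdir=/rw/.tmp 0 0
overlay /home overlay rw,relatime,lowerdir=/home,upperdir=/rw/home,workdir=/rw/.home 0 0
overlay /etc overlay rw,relatime,lowerdir=/etc,upperdir=/rw/etc,workdir=/rw/.etc 0 0
EOF
    else
        cat > "$1" <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
    fi
}

# Usage: ./check_ro_overlay.sh /proc/mounts
if [ "${1:-}" ]; then
    check_ro_overlay "$1"
    exit $?
fi
```

The check is deliberately narrow: it confirms the overlay layout but says nothing about whether the read-only lower layer is the dm-verity protected image. For that, pair it with the verity status of the rootfs device (for example via veritysetup) as described in the DM-Verity and Read-Only File System Support chapter.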