Boomerang: Real-Time I/O Meets Legacy Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper presents Boomerang, an I/O system that integrates a legacy non-real-time OS with one that is customized for timing-sensitive tasks. A relatively small RTOS benefits from the pre-existing libraries, drivers and services of the legacy system. Additionally, timing-critical tasks are isolated from less critical tasks by securely partitioning machine resources among the separate OSes. Boomerang guarantees end-to-end processing delays on input data that requires outputs to be generated within specific time bounds. We show how to construct composable task pipelines in Boomerang that combine functionality spanning a custom RTOS and a legacy Linux system. By dedicating time-critical I/O to the RTOS, we ensure that complementary services provided by Linux are sufficiently predictable to meet end-to-end service guarantees. While Boomerang benefits from spatial isolation, it also outperforms a standalone Linux system using deadline-based CPU reservations for pipeline tasks. We also show how Boomerang outperforms a virtualized system called ACRN, designed for automotive systems.


💡 Research Summary

The paper introduces Boomerang, a novel I/O system that tightly integrates a small real‑time operating system (RTOS) with a full‑featured legacy operating system (Linux) on the same hardware platform. Unlike conventional hypervisors that multiplex multiple guests, Boomerang’s partitioning hypervisor statically assigns physical CPUs, memory regions, and I/O devices to each guest at boot time and then relinquishes control. This design dramatically reduces the trusted code base (≈4 KB) and eliminates runtime interference, providing strong spatial isolation and predictable timing behavior.

The RTOS side runs Quest, which implements a reservation‑based VCPU scheduler. Each VCPU is defined by a budget C and a period T; the scheduler guarantees that a VCPU receives at least C execution units every T time units, provided the utilization test passes. Main VCPUs are implemented as Sporadic Servers, while I/O VCPUs are created dynamically when an interrupt occurs. An I/O VCPU inherits a fraction U_IO of its associated main VCPU’s budget, ensuring that interrupt handling does not fragment the main VCPU’s reservation. Because an I/O VCPU has only a single replenishment entry, timer re‑programming overhead is minimal compared with traditional Linux soft‑irq handling.
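An admission check for the (C, T) reservations described above, given as an added example and not code from the paper or from Quest. The page does not say which utilization test Quest applies, so this example assumes the hyperbolic rate-monotonic bound, covers main VCPUs only, and uses hypothetical names throughout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One main VCPU reservation: budget C every period T, in microseconds. */
struct vcpu_resv { uint32_t budget_us; uint32_t period_us; };

enum admit_result { ADMIT_OK = 0, ADMIT_INVALID = -1, ADMIT_OVERLOAD = -2, ADMIT_FULL = -3 };

/* A reservation is well-formed only if 0 < C <= T. */
static int resv_valid(const struct vcpu_resv *r)
{
    return r->budget_us > 0 && r->period_us > 0 && r->budget_us <= r->period_us;
}

/* Assumed utilization test: hyperbolic bound, prod(C_i/T_i + 1) <= 2. */
enum admit_result vcpu_set_check(const struct vcpu_resv *set, size_t n)
{
    double prod = 1.0;
    for (size_t i = 0; i < n; i++) {
        if (!resv_valid(&set[i]))
            return ADMIT_INVALID;          /* reject malformed requests first */
        prod *= 1.0 + (double)set[i].budget_us / set[i].period_us;
        if (prod > 2.0)
            return ADMIT_OVERLOAD;         /* set no longer passes the test */
    }
    return ADMIT_OK;
}

/* Admit cand only if the existing set plus cand still passes the test. */
enum admit_result vcpu_admit(struct vcpu_resv *set, size_t *n, size_t cap,
                             struct vcpu_resv cand)
{
    if (*n >= cap)
        return ADMIT_FULL;
    set[*n] = cand;                        /* tentative placement */
    enum admit_result r = vcpu_set_check(set, *n + 1);
    if (r == ADMIT_OK)
        (*n)++;                            /* commit only on success */
    return r;
}

int main(void)
{
    /* Constructed sample reservations (C, T) in microseconds. */
    struct vcpu_resv set[4] = { {20000, 100000}, {30000, 200000}, {10000, 50000} };
    size_t n = 3;
    struct vcpu_resv greedy = { 40000, 100000 };
    printf("greedy VCPU: %d\n", vcpu_admit(set, &n, 4, greedy));
    return 0;
}
```

Rejecting a request at admission time is what keeps one guest task from claiming CPU time that existing reservations depend on.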

To enable end‑to‑end real‑time guarantees across the two OSes, Boomerang defines a tuned pipe abstraction. A tuned pipe connects tasks that may reside in different guests, forming a pipeline of data processing (sensor → algorithm → actuator). The pipe can be configured for FIFO or register‑based buffering, and for explicit or implicit communication. Implicit communication forces a task to copy shared data at the start of its execution, guaranteeing data consistency even under pre‑emption. This flexibility allows Boomerang to support both periodic sensor sampling and aperiodic event‑driven workloads.

The authors illustrate three I/O paths: (1) pure‑RTOS where all I/O and interrupt handling stay inside Quest, yielding the lowest latency; (2) RTOS‑to‑Linux where time‑critical I/O is handed off to Linux for driver or library support, with Linux scheduled under the SCHED_DEADLINE policy and its interrupts demoted to lower priorities, preserving the RTOS’s timing guarantees; (3) mixed where Linux performs heavyweight processing (e.g., deep‑learning inference) and returns results to the RTOS for deterministic actuation. In all cases, the tuned pipe guarantees that the overall round‑trip latency respects the required bounds.

The experimental evaluation uses a multicore automotive‑grade platform (similar to Nvidia Drive PX2). Three configurations are compared: (a) Boomerang, (b) a standalone Linux system employing deadline‑based CPU reservations for the same pipeline, and (c) the ACRN partitioning hypervisor designed for automotive workloads. Benchmarks consist of realistic pipelines such as camera capture → object classification → vehicle control command. Boomerang consistently achieves 30‑45 % lower average latency and markedly reduced jitter compared with (b) and (c). The key contributors are (i) the elimination of hypervisor‑mediated scheduling, (ii) the lightweight I/O VCPU mechanism that avoids frequent timer re‑programming, and (iii) the deterministic communication model of tuned pipes.

Security analysis highlights that, because the hypervisor is only active during boot and for establishing secure EPT‑based channels, the system’s most privileged ring is less exposed to attacks than a monolithic OS running directly on hardware. Guest isolation is enforced by hardware virtualization, and the minimal hypervisor code base dramatically reduces the attack surface.

In summary, Boomerang demonstrates that (1) static physical partitioning can provide strong spatial and temporal isolation, (2) a reservation‑based VCPU scheduler with dedicated I/O VCPUs can guarantee real‑time interrupt handling, and (3) composable tuned pipes enable seamless, bounded data flow between heterogeneous OS environments. This combination allows developers to reuse existing legacy drivers, libraries, and accelerators without sacrificing the hard real‑time guarantees required by safety‑critical applications such as autonomous driving. The paper concludes with future work directions, including automated pipe synthesis, support for multiple legacy guests, and more sophisticated resource allocation policies.

