XtratuM is a hypervisor designed specifically for real-time embedded systems, with the goals of being secure, reliable and efficient.

It is important to note that a hypervisor is an "enabling" technology, rather than a technology to solve problems. The hypervisor provides a framework to run several operating systems (or real-time executives) in a robust partitioned environment. XtratuM can be used to build a MILS (Multiple Independent Levels of Security) architecture.

The hypervisor is a promising technology to build trusted systems. XtratuM is designed to meet safety-critical real-time requirements.

It is available under both GPL (General Public License) and proprietary licenses.


  • SPARC v8 architectures: LEON2, LEON3 and LEON4 (multicore)
  • x86
  • ARM
  • PowerPC (Cofinanced by )

Main features

  • Para-virtualisation technology.
  • Designed to be minimal: easy to certify.
  • Multi-plan support.
  • Advanced health monitoring and error reporting.
  • Powerful configuration and validation tool (Xoncrete).
  • ARINC-653 flavour.
  • Smart IO multi/demultiplexing.

Partitioning concept

XtratuM partitions and execution environments. XtratuM offers spatial and temporal isolation to partitions.

XtratuM provides the partition concept as a virtualised execution environment that runs on top of the hypervisor. Developing a partition on top of XtratuM means writing the code that will be executed inside the partition. The hypervisor takes control of the system at boot time and initialises the hardware; then the partition code is started. This partition code can be:

  • An application compiled to be executed on a bare-machine.
  • A real-time operating system and its applications.
  • A general purpose operating system and its applications.

The XtratuM partitioning concept exists to protect and separate applications from both the spatial and the temporal points of view. XtratuM provides safe partition execution: the hypervisor runs in privileged (supervisor) processor mode, whereas partitions run in user mode. Only system partitions can use special services provided by the hypervisor. Strong spatial isolation protects the memory of a partition. Partitions are allocated in independent physical memory addresses, so a partition can only access its own memory areas.

Temporal isolation means that only one application has access to the system resources at any point in time; an application cannot run while another application is running. XtratuM provides strong temporal isolation, enforced by a fixed cyclic scheduler.
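The two isolation properties above can be checked statically on a configuration before it is deployed. The following C code is an added example, not XtratuM or Xoncrete code; the structure layouts, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical structures for illustration; not XtratuM's configuration format. */
struct mem_area { int part; uint32_t start, size; };           /* physical range of a partition */
struct slot     { int part; uint32_t start_us, duration_us; }; /* window in the major frame */

/* Constructed sample: two partitions, 10 ms major frame with an idle gap at the end. */
static const struct mem_area MEM[]  = { {0, 0x40000000u, 0x100000u}, {1, 0x40100000u, 0x100000u} };
static const struct slot     PLAN[] = { {0, 0, 4000}, {1, 4000, 5000} };

/* Do half-open ranges [a, a+alen) and [b, b+blen) intersect? 64-bit avoids wraparound. */
static int overlaps(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Spatial isolation: no physical range is shared by two different partitions. */
int spatial_ok(const struct mem_area *m, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (m[i].size == 0) return 0;
        for (size_t j = i + 1; j < n; j++)
            if (m[i].part != m[j].part &&
                overlaps(m[i].start, m[i].size, m[j].start, m[j].size)) return 0;
    }
    return 1;
}

/* Temporal isolation: each slot fits in the major frame and no two slots overlap. */
int temporal_ok(const struct slot *s, size_t n, uint32_t major_frame_us)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t end = (uint64_t)s[i].start_us + s[i].duration_us;
        if (s[i].duration_us == 0 || end > major_frame_us) return 0;
        for (size_t j = i + 1; j < n; j++)
            if (overlaps(s[i].start_us, s[i].duration_us,
                         s[j].start_us, s[j].duration_us)) return 0;
    }
    return 1;
}

/* Partition that owns the CPU at absolute time t_us, or -1 for an idle gap. */
int owner_at(const struct slot *s, size_t n, uint32_t major_frame_us, uint64_t t_us)
{
    if (major_frame_us == 0) return -1;
    uint64_t off = t_us % major_frame_us;   /* the plan repeats every major frame */
    for (size_t i = 0; i < n; i++)
        if (off >= s[i].start_us && off < (uint64_t)s[i].start_us + s[i].duration_us)
            return s[i].part;
    return -1;
}
```

Because the plan is fixed and cyclic, `owner_at` is a pure function of time: at most one partition is ever returned for a given instant.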

Robust communication mechanisms

XtratuM implements a message passing model which closely resembles the one defined in ARINC-653. Partitions are able to communicate with other partitions by using specific services provided by the hypervisor. The basic mechanism provided to the partitions is port-based communication. The hypervisor implements the link (channel) between two or more ports. Partitions access channels through access points named ports. Two basic transfer modes are provided: sampling and queuing. The hypervisor is responsible for encapsulating and transporting messages.
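The difference between the two transfer modes, as an added example that is not XtratuM code: it models the usual ARINC-653 semantics (a sampling channel keeps only the latest message and reads do not consume it; a queuing channel is a bounded FIFO and reads consume), which goes beyond what the text above states. All names, sizes and return codes are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define MSG_MAX 16   /* assumed maximum message size in bytes */
#define Q_DEPTH 2    /* assumed depth of the queuing channel */

/* Hypothetical channel models; not XtratuM's data structures or hypercalls. */
struct sampling { unsigned char msg[MSG_MAX]; size_t len; int valid; };
struct queuing  { unsigned char msg[Q_DEPTH][MSG_MAX]; size_t len[Q_DEPTH]; size_t head, count; };

/* Sampling write: the new message overwrites the previous one. */
int s_write(struct sampling *c, const void *buf, size_t len)
{
    if (len == 0 || len > MSG_MAX) return -1;   /* the channel enforces the size limit */
    memcpy(c->msg, buf, len);
    c->len = len;
    c->valid = 1;
    return 0;
}

/* Sampling read: non-destructive; returns the length, or -1 if nothing was written yet. */
int s_read(const struct sampling *c, void *buf, size_t cap)
{
    if (!c->valid || cap < c->len) return -1;
    memcpy(buf, c->msg, c->len);
    return (int)c->len;
}

/* Queuing send: appended in FIFO order; rejected when the channel is full. */
int q_send(struct queuing *c, const void *buf, size_t len)
{
    if (len == 0 || len > MSG_MAX || c->count == Q_DEPTH) return -1;
    size_t tail = (c->head + c->count) % Q_DEPTH;
    memcpy(c->msg[tail], buf, len);
    c->len[tail] = len;
    c->count++;
    return 0;
}

/* Queuing receive: destructive; returns the oldest message, or -1 if empty. */
int q_recv(struct queuing *c, void *buf, size_t cap)
{
    if (c->count == 0 || cap < c->len[c->head]) return -1;
    size_t n = c->len[c->head];
    memcpy(buf, c->msg[c->head], n);
    c->head = (c->head + 1) % Q_DEPTH;
    c->count--;
    return (int)n;
}
```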

Reducing complexity and increasing efficiency

Bare-metal hypervisor technology is the most promising approach to achieve the best performance, which is a major criterion in designing and implementing critical real-time systems. In addition, the para-virtualisation technique, used jointly with dedicated devices, drastically reduces the code of the virtualisation layer.

In order to reduce the design complexity and increase the reliability of the implementation, the hypervisor is designed as a monolithic, non-preemptable kernel. This decision prevents the occurrence of internal race conditions and facilitates the formal model.

The complexity of validation and formal verification increases with the number of lines of code. The hypervisor code shall provide only the minimum services in order to be as small as possible. The small code size of the virtualisation subsystem helps preserve efficiency given the frequent context switches.

XtratuM provides deterministic and fast services (hypercalls).

Fault management model

Faults are detected and handled by the hypervisor. A fault can be defined as the occurrence of a system trap or an event triggered by the hypervisor itself. The trap mechanism is used to handle hardware interrupts, software traps and processor exceptions.

XtratuM provides a secure interrupt model to the partitions. A partition cannot interact with native traps. All interrupts are handled first by the hypervisor, which is in charge of propagating them to partitions according to the system configuration file.

The health monitor (HM) is the part of XtratuM that detects and reacts to anomalous events or states. The purpose of the HM is to discover errors at an early stage and to try to solve or isolate the faulting subsystem in order to avoid or reduce the possible consequences. As a result of enforcing the isolation of the partitions, XtratuM contains a lot of consistency and security checks; therefore, it can detect a large number of errors. Errors are grouped by categories. Once an error is detected, XtratuM reacts by applying one of a simple set of predefined actions.

Tracing facilities

XtratuM provides a mechanism to store and retrieve the traces generated by partitions and XtratuM itself. Traces can be used for debugging, during the development phase of the application, but also to log relevant events or states during the production phase. In order to enforce resource isolation, each partition (as well as XtratuM) has a dedicated trace log stream to store its own trace messages. Trace streams are stored in buffers (RAM or FLASH). Only supervisor partitions can read from a trace stream.

XtratuM Website: http://www.xtratum.org