The growing complexity of real-time embedded systems demands strong isolation of software components into separate protection domains to reduce attack surfaces and limit fault propagation. However, application-supplied device interrupt handlers -- even untrusted ones -- have to remain in the kernel to minimize interrupt latency, which undermines security and burdens manual certification. Current hardware extensions accelerate interrupts only when the target protection domain is currently scheduled by the kernel; consequently, they are limited to improving average-case performance rather than worst-case latency, and do not meet the requirements of critical real-time applications such as autonomous vehicles or robots. To overcome this limitation, we propose a novel hardware extension that enables direct, deterministic switching to the appropriate protection domain upon user-level interrupt arrival -- without kernel intervention -- even when that domain is dormant. Our hardware extension reduces worst-case latency by more than 50x with a 19% increase in core area (2% of total die area) and a 4.1% increase in dynamic power. To the best of our knowledge, this is the first integrated mechanism to guarantee user-level interrupt delivery with a nanosecond-scale yet bounded worst-case latency.