TECHNOLOGY IN SYSTEMS
The Windows Embedded Legacy Continues with Windows Embedded 8 Standard
The much anticipated release of Windows 8 has arrived and brought with it a lot of speculation over what features an embedded version might have. Windows Embedded 8 Standard (WE8S) builds on the Windows Embedded Standard 7 tools and Microsoft’s latest OS designed to reach beyond the desktop to mobile, touch-friendly devices.
JOHN R. MALIN AND SEAN D. LIMING, ANNABOOKS
In the past we would have been referring to Windows 8 as the latest desktop version of the popular Microsoft Windows operating system. However, this release of Windows has been architecturally designed not only for desktop and laptop PCs, but also for the needs of touch screen systems. Windows 8 has a whole new set of APIs, the WinRT APIs, that were designed to support the new Modern UI touch-centric graphic user interface used on the new Surface devices. Figure 1 shows the dual application support architecture.
Windows 8 architecture.
Windows 8 has also been ported to ARM processors to support mobile devices, but only Modern UI / Surface applications are supported by that port. The ARM version is called Windows RT. The Modern UI / Surface applications are available via the online store. The WinRT API is limited, and the applications built with it run in an individual memory sandbox. Embedded developers would not likely create Modern UI applications because of the limitations. If you take away the Modern UI blocks in green from Figure 1, you will have the same desktop operating system of previous versions. Consider current Modern UI to be the first generation of a new programming API. Improvements will be made over time.
WE8S stands firmly on the shoulders of Windows NT Embedded, Windows XP Embedded and Windows Embedded Standard 7, leveraging the full functionality of the Windows 8 Pro desktop operating system and providing Lockdown Features that include the Embedded Enabling Features of WES 7 along with some new features and improved configuration settings to address the needs of embedded devices. WE8S, like its predecessors, leverages off-the-shelf hardware, Windows 8 applications and Windows 8 device drivers. Any application or driver that runs on Windows 8 can run on WE8S as long as you have the right features in the image.
One of the biggest questions is about ARM support. Windows Phone 8 and Windows Embedded 8 Handheld are now running the Windows NT kernel on an ARM processor. Multicore ARM processors now have enough horsepower to run Windows RT on the new Surface tablet. With all the mobile devices running ARM processors these days, it would seem obvious to include ARM support for WE8S; but Windows Embedded 8 Standard does not include support for ARM. Will there be support for ARM in the future? Microsoft is controlling the devices Windows RT will support. Considering the history of Windows CE, it might be that Microsoft wants better control of the non-x86 operating system.
Development Process and Tools
WES 7 made a big change in the development process from Windows XP Embedded. WE8S improves on the WES 7 development process, and with these improvements come some terminology changes to go along with yet another product name change. WES 7 answer files are configuration files in WE8S. Distribution share in WES 7 is now a catalog in WE8S. WES 7 packages are now called modules in WE8S. The modules are the biggest improvement since you can now create your own modules.
The high-level development process stays the same. Two paths for OS installation are supported. One path provides a quick method for deploying an operating system build to the target hardware, but it lacks a lot of capability to customize the features. This method uses the Image Build Wizard (IBW) DVDs. The second path provides a more advanced method with feature control, which uses Image Configuration Editor (ICE) to create a custom IBW disk. ICE allows you to select individual modules to customize the OS support in the image. ICE also allows you to automate the installation of the operating system. Custom drivers, applications and settings can be set up in a configuration file to build a custom IBW disk that installs everything on the target. The automation helps to remove any human error for projects that would have had to manually install and set up these items.
The modules are broken down differently than WES 7 packages. A straight conversion from a WES 7 answer file to a WE8S configuration file is not 1:1. Every WE8S image is built on the Embedded Core module, which has a starting size of 2 Gbyte for 32-bit support, thus images are bigger in WE8S. The Embedded Core is not broken down as much as it could be. Modern UI is the standard shell that is part of every image. The shell is bypassed with the new Shell Launcher module so you can launch custom applications. Since the Modern UI shell is in the image, .NET Framework 4.x is also in the image, thus the reason for the increased footprint.
WES 7 moved away from the component concept of Windows XP Embedded to packages. The packages were signed CAB files, and the benefit was the ability to better patch and service a system in the field. The biggest drawback was the lack of custom package support, so you could not use the same tools for patching OS updates to patch custom applications and drivers. To add custom applications and drivers in WES 7, a distribution share had to be set up, but the process was confusing. New to WE8S is Module Designer (Figure 2), which allows you to create custom modules for applications and drivers. Module Designer is a wizard that walks through the process to create a module. You can add the applications and driver files, set the file paths, add dependencies on other modules and create custom commands. Compared to Component Designer in XP Embedded, Module Designer is the simplest method to create custom selectable elements. Custom modules mean that you have a single solution to patch images in the field using DISM.
One Servicing Solution
Servicing an image is an important part of maintaining the lifecycle of the product. Servicing can take place online, with the image running, or offline using a WIM file. Online servicing can be easily carried out using DISM and an update/service configuration set created in ICE. Deployment Image Servicing and Management (DISM) was introduced in WES 7 and provides servicing support for the image, both in the factory and in the field. For WE8S, DISM has been updated to capture OS images and replaces ImageX.
To get the latest OS patches and updates, Windows Embedded Developer Update (WEDU) is now supplied with the WE8S tools. The WEDU UI has been improved, and this new version supports updating WES 7 Distribution Shares, as well as WE8S Catalogs.
If you want to create a custom recovery or patch media, you can build a custom Windows Pre-Installation Environment 4.0 (WinPE) disk. ICE allows you to build the base WinPE disk, and you can add features to the WinPE disk such as .NET Framework 4.x to create an advanced user interface.
Beyond the Desktop: Lockdown Old and New
WE8S introduces many changes in the area of Embedded Enabling Features starting with the name. Lockdown Features is the new name for the Embedded Enabling Features. The old write filters, Enhanced Write Filter (EWF), File Based Write Filter (FBWF) and the Registry Filter, are still available in WE8S, but they are being deprecated in favor of a new write filter solution called Unified Write Filter (UWF). UWF combines the best features of the previous filters into a single solution. To achieve the write-through capability of FBWF and still be configured for EWF, UWF is a sector-based write filter that stores sectors in the overlay cache (Figure 3).
Unified write filter.
The choice of overlay cache can be RAM or a special cache file that exists on the boot disk. The disk overlay’s advantage is to save on RAM by using disk space. The UWF cache file will be cleared on system reset just like RAM, so any cached writes will be lost on reboot, whether the cache was RAM or disk file. The UWFMGR.EXE utility is used to control the state of UWF and perform some administrative functions.
For programming support, EWF and FBWF came with custom APIs, with a header file and library file to support C++ programming. UWF takes a different approach and provides Windows Management Instrumentation (WMI) APIs for programming support. This means you can control the UWF with PowerShell scripts or any programming language that supports WMI APIs.
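As an added example (not from the original article), the PowerShell function below uses the WMI interface described above to audit, read-only, whether UWF is enabled, whether required volumes are protected, and which overlay type is in use. The namespace and the `UWF_Filter`, `UWF_Volume` and `UWF_OverlayConfig` class names come from Microsoft's UWF WMI provider rather than from the article; the function name `Get-UwfAudit` and the required-volume policy are assumptions made for the example.

```powershell
# Added example: read-only audit of Unified Write Filter (UWF) state over WMI.
# Class and namespace names are from Microsoft's UWF WMI provider.
function Get-UwfAudit {
    param(
        [string]$ComputerName = '.',
        # Assumed policy for this example: drive letters that must be protected.
        [string[]]$RequiredVolumes = @('C:')
    )
    $ns = 'root\standardcimv2\embedded'
    $findings = @()

    # UWF_Filter reports the filter state now and after the next restart.
    $filter = Get-WmiObject -Namespace $ns -Class UWF_Filter `
        -ComputerName $ComputerName -ErrorAction Stop
    if (-not $filter.CurrentEnabled) { $findings += 'UWF is disabled in the current session' }
    if (-not $filter.NextEnabled)    { $findings += 'UWF will be disabled after the next restart' }

    # UWF_Volume has one instance per volume for the current and the next session.
    $volumes = @(Get-WmiObject -Namespace $ns -Class UWF_Volume -ComputerName $ComputerName)
    foreach ($letter in $RequiredVolumes) {
        foreach ($current in $true, $false) {
            $v = $volumes |
                Where-Object { $_.DriveLetter -eq $letter -and $_.CurrentSession -eq $current } |
                Select-Object -First 1
            if (-not $v -or -not $v.Protected) {
                $when = if ($current) { 'current' } else { 'next' }
                $findings += "Volume $letter is not protected in the $when session"
            }
        }
    }

    # UWF_OverlayConfig.Type: 0 = RAM overlay, 1 = disk overlay. Either way,
    # cached writes are discarded on restart.
    $overlay = Get-WmiObject -Namespace $ns -Class UWF_OverlayConfig -ComputerName $ComputerName |
        Where-Object { $_.CurrentSession } | Select-Object -First 1
    $overlayType = if (-not $overlay) { 'Unknown' } elseif ($overlay.Type -eq 0) { 'RAM' } else { 'Disk' }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        FilterEnabled = [bool]$filter.CurrentEnabled
        OverlayType   = $overlayType
        MaximumSizeMB = $overlay.MaximumSize
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Run from an elevated prompt on the device; an empty Findings list means the lockdown matches policy.
Get-UwfAudit | Format-List
```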
In addition to the new write filter there are some other filters available. The keyboard filter that was introduced as a download for WES 7 SP1 is now a standard feature in WE8S, and it can now be configured in ICE instead of through the Group Policy Editor after the operating system is installed on the target.
MessageBox default reply and the Dialog Box Filter have been combined into a single solution called the Dialog Filter that is more useful than previous versions. The Dialog Filter lets you identify dialogs, windows and processes that are to be blocked, given a specific response, or be exempted from filtering.
Since the Modern UI shell (Surface Shell) supports touch screen gestures, there is a new gesture filter. The Gesture Filter is configured in ICE and allows you to select from a single gesture to filter to any combination of eight defined gestures.
Finally, UWF, Keyboard Filter and Dialog Filter are being managed by a single tool called the Embedded Lockdown Manager (ELM), shown in Figure 4. ELM can connect to the local system or remote systems. ELM provides a graphical view of the current settings that you can change on the fly. You can also export a PowerShell script file for the current settings. The script file can be put into a module for preconfiguring the OS upon installation. Not everything was brought over from WES 7. The USB and SD card boot media options have been removed.
Embedded lockdown manager.
Standard vs. Industry
Also being introduced is the next release for Windows Embedded POSReady called Windows Embedded 8 Industry (WE8I). The Industry version addresses the requirements for system integrators building point of sales systems. The lockdown features that are in WE8S are also available in WE8I, but the development process is completely different. WE8I doesn’t use build tools like ICE to automate the installation, but installs directly from a DVD like Windows desktop. Manual installation of applications and drivers is required. WE8I is intended for one-shot installation for short lifecycle products, which POS system integrators need.
There may be some confusion on WE8I being used for other industries, but when managing long lifecycle products like medical, gaming and government systems, WE8S is the preferred solution. Being able to automate the build process and remove human error is important to highly regulated industries and controls support costs over a longer time period.
All of the new features in WE8S make it a much better embedded solution than Windows Embedded Standard 7 (WES 7), but there is one very serious drawback: activation is required. This means that every image that you ship must connect to the Internet and register with Microsoft. Even if networking is not used in your product, the image must be activated. For embedded systems, activation is about as useful as a screen door on a submarine. The real concern is what happens during the lifecycle of the product. Embedded systems have long lives.
With all the updates, there have been instances when Windows can get deactivated, like when there is a major hardware change. Failure to reactivate within a given time period results in a screen overlay dialog that reminds the user that activation is required. It doesn’t change the performance of the system. To some customers, this dialog might be a flag that there is a defect in the product and also an indication that Windows is in the system, when the OEM tried really hard to hide the fact that Windows is there. When a system is activated a unique signature is sent to the system. Since activation has to happen on each system, any systems that require a CRC check like gaming and some medical devices will not be able to use WE8S.
There was a threat to have activation in WES 7, but it was removed after many customers balked at the idea. This time activation is required, which can impact manufacturing costs and field upgrades. During the WES 7 attempt, there was talk of BIOS signing or a license server that could be used as a workaround. With UEFI becoming the standard, something in the firmware might be possible, but the short-term solution looks to be a volume license implementation that is used for the desktop.
Windows is not a real-time operating system, but there are a couple of solutions from TenAsys that add real-time capability. The first is INtime, which adds a real-time kernel to run side-by-side with the Windows kernel. The INtime SDK lets you write real-time applications that have direct access to hardware and interface to Windows applications via semaphores and mailboxes. If you already have an investment in a real-time operating system, the second solution is TenAsys’ eVM, which allows you to run in an embedded virtual machine. eVM limits the legacy impact with an efficient shared I/O layer.
WE8S contains all the security features of Windows and includes the lockdown features for further security. There is a point of vulnerability that is not addressed: USB ports. Many viruses can come through different USB devices like flash drives, custom keyboards, digital picture frames, etc. To control what gets connected to a system, Sofa King Software developed SecureBus, a USB filter solution that lets you set up a list of devices that can connect to the system. Unauthorized devices will be blocked and their drivers will not load.
WE8S builds on the WES 7 development process to add new capabilities to best service systems in the field. If activation was not an issue and there was better module breakdown of the Embedded Core, WE8S would be the most complete embedded solution based on the Windows desktop ever developed.
One thing has not changed. Microsoft still uses the shared success model to differentiate from other operating systems. Since WE8S is Windows 8 broken down into modules, you can build and test your applications and driver on the Windows 8 desktop before ever making the investment in WE8S.