elisaproject – Page 2

Nov 06

ELISA seminar recap : Introduction to Requirements Engineering – Pete Brink, UL Solutions

By elisaproject Blog, Seminar Series

Pete Brink from UL Solutions led an ELISA seminar on the basics of requirements engineering. He explained why teams write requirements, how to know when you are “done,” and how safety-critical work raises the bar. Requirements describe what a system must do and how well it must do it, not how to implement it. They can be functional (including safety and security behavior) or non-functional (performance, resource, thermal, mechanical, usability, and similar constraints). Pete stressed an iterative process: elicit from stakeholders, analyze and validate, write the spec, verify requirement quality, and then do architecture, design, coding, and testing. Testing spans unit, component, integration, and acceptance to prove the requirements were fulfilled. He noted that language is imprecise, so clarity, atomicity, unique IDs, status, allocation, and traceability are essential. Text can be supported with diagrams and models (semi-formal); full formal notation is used rarely. Tooling in practice often includes markdown in GitHub; community tools like StrictDoc and others are emerging, but traceability remains hard.

Pete showed weak vs. improved requirements, fixing ambiguity like “regular intervals” and splitting “and/should” into separate, testable statements with precise timing and tolerances. He introduced EARS (Easy Approach to Requirements Syntax) to give simple, consistent sentence patterns, including ubiquitous, event-driven, state-driven, and optional-feature forms (useful for things like debug vs. release or hardware variants). Detail should match criticality: too little raises risk; too much raises cost. Open source adds challenges because code often exists first; teams may derive requirements from observed behavior or refactor to align with clearer, testable specs. In Q&A, attendees discussed automotive vs. aerospace use of formal methods, handling hardware variants and build types, and authoring options like LaTeX and Sphinx.

The core message: write clear, atomic, testable requirements, keep them implementation-free, manage them with discipline, and iterate whenever design and testing reveal issues.

ELISA Project Seminar Series focuses on hot topics related to ELISA’s mission to define and maintain a common set of elements, processes and tools that can be incorporated into Linux-based, safety-critical systems amenable to safety certification. Speakers are members, contributors and thought leaders from the ELISA Project and surrounding communities. Each seminar comprises a 45-minute presentation and a 15-minute Q&A, and it’s free to attend.

Watch the previous Seminar series here.

Oct 22

ELISA project at the OSS Europe 2025 - Blog 4

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 4

By elisaproject Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

The ELISA Project participated in Open Source Summit Europe 2025 (August 25–27, Amsterdam), the premier gathering for open source developers, technologists, and community leaders. With over 2,000 attendees representing 900+ organizations, the event showcased the strength, diversity, and innovation of the ecosystem.

For ELISA (Enabling Linux in Safety Applications), the summit was an invaluable opportunity to engage with developers, architects, and functional safety experts working at the intersection of Linux and safety-critical systems. ELISA was featured prominently in the Safety-Critical Software Summit, where sessions explored topics such as kernel safety, automotive innovation, and compliance and trust in regulated environments.

Sessions covered a wide range of important topics, including kernel safety (identifying weaknesses, fault propagation, and Linux as a safety element out of context), automotive innovation (safe platforms, prototyping frameworks, and software-defined vehicles), and compliance and trust (continuous compliance, traceability, and statistical methods in safety analysis). These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

This week we highlight two talks from the Safety Critical Summit session:

Shifting Safety Techniques To a Statistical World – Imanol Allende & Nicholas Mc Guire

As safety-critical systems grow ever more complex, the traditional deterministic mindset that has long guided safety engineering is reaching its limits. In their Open Source Summit Europe 2025 talk, “Shifting Safety Techniques to a Statistical World,” Imanol Allende (Codethink) and Nicholas Mc Guire (OpenTech) challenge conventional assumptions about how we design and assure safety in modern systems.

Today’s high-performance, interconnected platforms from autonomous vehicles to adaptive software systems exhibit inherent non-determinism. Their behavior cannot always be broken down and analyzed piece by piece, as Descartes’ reductionist approach once suggested. Instead, these systems display emergent properties that arise from complex interactions, requiring a more holistic lens.

Imanol and Nicholas argue that the next evolution in safety engineering lies in statistical system analysis. Approaches such as Probabilistic Worst Case Execution Time (pWCET) and Statistical Path Coverage offer promising ways to quantify and manage uncertainty in highly dynamic environments. These methods shift assurance from absolute determinism toward probabilistic confidence, reflecting the true behavior of modern computing platforms.

The talk outlines both the limitations of traditional safety techniques and the opportunities of statistical methods, emphasizing what will be needed methodologically, technically, and culturally for such approaches to gain acceptance within the functional safety domain.

In conclusion, this session invites the safety community to embrace uncertainty not as a flaw, but as a measurable feature of complex systems and to evolve its tools and thinking accordingly.

Engineering Trust: Formulating Continuous Compliance for Open Source – Paul Albertella & Kaspar Matas, Codethink

In this session, “Engineering Trust: Formulating Continuous Compliance for Open Source,” Paul Albertella and Kaspar Matas (Codethink) argue that software requirements, as commonly practiced, are broken. High-level requirements often collapse into feature wish lists; low-level requirements drift into after-the-fact narratives. Formal process models tend to treat the dynamism of FOSS as a defect—yet that very fluidity is a core strength and the result is that project intent and expectations get lost in the noise.

Enter the Eclipse Trustable Software Framework (TSF): a lightweight, continuous compliance framework built by and for open source. TSF lets projects organize and evidence their own objectives not only those imposed by standards while remaining workflow-agnostic and requiring only git. By managing objectives, reasoning, and artifacts alongside code, TSF closes the gap between paper processes and real engineering practice.

TSF’s distinctive outcome is an automated, transparent, traceable body of evidence quantified by a confidence score. That score helps teams decide where to focus next and gives consumers a concrete way to evaluate their trust in the software. Evidence can reference code, tests, results, and validators; hashes and links keep the graph consistent as projects evolve and CI runs.

The talk walks through TSF’s model and usage, then shows how its statements, evidence, and objectives can be mapped to functional safety standards (e.g., IEC 61508 or ISO 26262) to support certification and ongoing assessment. The message is pragmatic: keep the agility of open source, but capture intent and proof continuously so compliance becomes a living activity, not a one-off paperwork sprint.

MISRA C and C++ in OSS: Yes, We Can! – Roberto Bagnara, BUGSENG / University of Parma

In his presentation, “MISRA C and C++ in OSS: Yes, We Can!”, Roberto Bagnara (BUGSENG / University of Parma) challenged a long-standing assumption: that safety- and security-critical software written in C or C++ is fundamentally incompatible with open source development.

C and C++ have powered decades of system software efficient, portable, and close to the hardware but their origins in the 1970s also carry forward deep weaknesses. Undefined and unspecified behaviors, lack of runtime checks, and a “trust the programmer” philosophy make them risky foundations for modern critical systems. When open source software becomes part of automotive, aerospace, or industrial platforms, these risks demand a structured mitigation and that’s where MISRA C and MISRA C++ come in.

MISRA defines safe subsets of C and C++, guiding developers away from dangerous constructs and toward predictable, reviewable code. These rules are not about finding bugs, but about preventing entire classes of failures by design. Mandatory rules prevent undefined behavior; advisory rules promote clarity and verifiability. Importantly, deviations are allowed if they are justified, documented, and demonstrably safe.

Roberto highlighted real-world experience applying MISRA to major open source projects such as Xen, Zephyr, and Trusted Firmware, where compliance was achieved through a combination of training, tailoring, and tooling the “three T’s.” His team’s static analysis tool ECLAIR integrates MISRA checking into continuous integration, helping projects track compliance as they evolve.

The results are encouraging: projects once reporting millions of rule violations now maintain near-complete compliance, with violations justified or eliminated and regressions automatically detected.

The key insight: safety and openness are not mutually exclusive. With collaboration, tailored guidelines, and the right tools, even complex open source ecosystems can move toward MISRA-aligned development building a foundation of trustable, verifiable software for the systems that matter most.

What’s Next?

Together, these perspectives point to a pragmatic future: combine statistical assurance, continuous evidence, and disciplined coding subsets to make safety an ongoing, collaborative property of open source.

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Oct 09

ELISA project recap blog from the Open Source Summit - Part 3

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 3

By elisaproject Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

This week we highlight two talks from the Safety Critical Summit session:

Insights Into the Safe Open Source Vehicle Core Project for SDV – Philipp Ahmann, Etas GmbH (BOSCH)

The Safe Open Source Vehicle Core (S-Core) project, presented by Philipp Ahmann of ETAS (Bosch), is a collaborative, code-first effort to build a safety-certifiable middleware stack for software-defined vehicles (SDVs). Targeting the layers above the operating system, S-Core complements ELISA’s work and aims for ISO 26262, ASPICE, and ISO 21434 compliance. It supports POSIX-based systems like Automotive Grade Linux and Zephyr, is developed in C++ and Rust, and offers a VS Code-based dev environment with containerized builds.

Using a docs-as-code workflow with Sphinx, PlantUML, and Bazel, S-Core tightly links documentation, code, and testing through automated CI. Modules such as IPC, logging, and data persistence are under active development, with contributions from 70+ developers across 10+ companies.

Following a V-model safety process, S-Core builds in traceability, audits, and ASIL-B-level rigor, while distributors will handle final certification and integration. With a 0.5 release planned for late 2025 and 1.0 in 2026, the project is establishing a shared, open, and certifiable foundation for the next generation of safety-critical automotive software.

AutoSD: A Linux Development and Prototyping Framework for the Automotive Community – Alessandro Carminati & Gabriele Paoloni, Red Hat

AutoSD presented by Alessandro Carminati and Gabriele Paoloni (Red Hat) is an upstream, community-driven Linux distribution for automotive, backed by the CentOS Automotive SIG and serving as a public preview of Red Hat’s in-vehicle OS. Built on CentOS Stream, AutoSD adds automotive essentials: a real-time tuned Linux kernel, OSTree for transactional, rollback-safe updates, and containerized mixed-criticality so safety functions can run alongside infotainment without interference. A docs-as-code + CI approach keeps code, tests, and documentation aligned; images are declaratively built (YAML) via the Automotive Image Builder/OSBuild toolchain, and shipped as a binary distro for fast, reproducible onboarding.

A major focus is hardware enablement without the usual pain. If a SoC/board is already supported, you can boot prebuilt images and prototypes immediately. If drivers are upstream, contributors can add and maintain support in AutoSD under an upstream-first policy. For newly supported silicon, teams can evaluate quickly using a vendor BSP (“Frankenbuild”) but are encouraged to move to out-of-tree modules built against AutoSD’s stable kernel ABI for a maintainable, near-production path while upstreaming progresses.

Safety is treated as architecture, not afterthought: namespaces/cgroups isolate workloads, containers enforce domain boundaries, the kernel is real-time tuned, and intensive stress/fuzz testing (e.g., syzkaller + KASan) underpins freedom-from-interference claims. In Red Hat’s commercial in-vehicle OS, the same model maps to ASIL-B safety partitions (with a hardware watchdog and hardware-specific certification), while AutoSD remains the open, rapid-prototyping lane. Tightly aligned with communities like ELISA and Eclipse SDV, AutoSD offers a reference framework the industry can actually build on: contribute patches, enable new SoCs, propose features, and help shape a secure, updatable, and certifiable Linux base for software-defined vehicles.

What’s Next?

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Oct 07

ELISA project at Open Source Summit Europe 2025

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 2

By elisaproject Blog, Critical Software Summit, Safety-Critical Software Summit

This week we highlight two talks from the Safety Critical Summit session:

BASIL – What’s New, What’s Next – Luigi Pellecchia, Red Hat

At the Open Source Summit Amsterdam, during the Safety-Critical track, Luigi Pellecchia, Principal Software Quality Engineer at Red Hat and member of the ELISA Technical Steering Committee, presented the session “BASIL – What’s New, What’s Next.” BASIL is an open source tool designed to build and maintain requirements traceability for safety-critical systems in a collaborative environment. It helps engineers link requirements, test specifications, test cases, justifications, and documents into a unified traceability matrix. The tool features a web interface, a REST API for automation, and supports test execution through both built-in and external infrastructures. It also tracks all changes, manages users with fine-grained permissions, and exports full SPDX-based design SBOMs, ensuring complete traceability from design to verification.

Recent developments in BASIL include support for SPDX traceability export, import of requirements in multiple formats (CSV, JSON, YAML, StrictDoc, SPDX), and the ability to scan and import test repositories using TMT (Test Management Tool). The system now offers enhanced user management, allowing admins to clone permission sets, configure email servers for password resets, and simplify collaboration on shared components. New integrations include LAVA, enabling users to list, map, and trigger test runs from external infrastructures like GitLab CI, GitHub Actions, KernelCI, and Testing Farm. BASIL also introduces AI-assisted authoring, where large language models help draft test specifications and cases directly from selected document sections. Additional improvements include re-enabled end-to-end and API testing, broader browser compatibility, and better usability in shared environments.

In his demo, Luigi showcased how BASIL lets users select a reference document, break it into sections, and map traceable items on top. The system visualizes coverage and gaps, links tests to requirements, and executes or imports test results seamlessly. It can generate a design SBOM capturing the full traceability structure useful for ISO 26262 and similar compliance audits.

Looking ahead, the roadmap includes hierarchical document mapping, multi-reference document support, and baseline snapshots for point-in-time reviews. The team plans to migrate to PostgreSQL for scalability, improve file and folder management, enhance LAVA plugin templates, and align with the SPDX Safety Profile 3.1 specification. A PDF export option for assessors is also under consideration.

BASIL continues to evolve as a cornerstone in open source safety-critical development bringing together transparency, automation, and compliance readiness.

From Chaos to Control: Overcoming C and C++’s Inherent Unsafety – Assaf Tzur-El, Simple. Technology

In this talk, Assaf Tzur-El argues that the languages’ twin hazards are unsafety (buffer overflows, lifetime misuse, races) and unpredictability (undefined/unspecified/implementation-defined behavior). A “simple” line can become a CVE; a runtime divide-by-zero may legally do anything; evaluation order of f(a(), b(), c()) can change between calls; even fundamentals like sizeof(long) and char signedness vary. Calls to “just use Rust” collide with reality: massive legacy codebases, entrenched toolchains, domain constraints (real-time, performance, low-level access), and developer expertise mean wholesale migration isn’t practical.

The pragmatic path is discipline + enforcement. Discipline comes from structured guidelines MISRA C / MISRA C++ which codify dos and don’ts across categories (mandatory/required/advisory), with ~80% decidable by tools. Enforcement comes from wiring those rules into your pipeline: static analysis (e.g., clang-tidy/Sonar/Klocwork), -Wall -Werror, and CI gating.

Assaf illustrates how MISRA’s seemingly vague rules (e.g., “switch shall be appropriately structured”) unpack into precise checks (always have default), and how apparent collisions (e.g., “no unreachable code”) resolve once you read the rationale. Around that core, adopt defensive programming (“trust no input”), Secure-by-Design practices, and standards awareness (ISO 26262 et al.) to make failures rarer and more predictable when they do happen.

What’s Next?

The Safety-Critical track showed how open source is moving from complexity to control. BASIL is helping teams build clear, verifiable links between requirements, tests, and results bringing real traceability to safety-critical development. At the same time, Assaf Tzur-El reminded us that while C and C++ aren’t going away, we can make them safer through guidelines like MISRA, static analysis, and a defensive coding mindset.

Together, these talks highlight a shared goal: making open source software more reliable and trustworthy for safety-critical use. Stay tuned for more session highlights, and consider joining ELISA working groups to help advance safe, open software for all.

Sep 24

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 1

By elisaproject Blog, Critical Software Summit, Industry Conference, Linux Foundation, Safety-Critical Software Summit

This week we highlight two talks from the Safety Critical Summit session:

Looking at Linux as a SEooC – Kate Stewart, The Linux Foundation; Nicole Pappler, AlektoMetis & Chuck Wolber, The Boeing Company

Linux is increasingly deployed in safety-critical systems as a Safety Element out of Context (SEooC), yet its scale and rapid evolution, thousands of contributors and near-continuous upstream change pose unique assurance challenges. This talk explains what SEooC means in practice, why it should be understood as a “safety element with assumed context,” and the implications for integrators: a SEooC is not plug-and-play. System developers remain responsible for confirming compatibility, reviewing the safety manual and assumptions of use, ensuring traceability to their own requirements, configuring the element correctly, and validating it within their specific hazard and timing constraints. We frame the work through design assurance hazard identification, design mitigation via requirements-based engineering, and implementation assurance highlighting current gaps between kernel behavior and requirements-derived tests.

The session outlines community efforts to close those gaps: defining low-level Linux kernel requirements with maintainer sign-off; advancing coverage (statement, decision, MC/DC) using LLVM-based kernel coverage and object-code mapping; and packaging evidence with an SPDX functional-safety profile. Speakers also address non-determinism (focusing on deterministic outcomes, minimal configurations) and introduce knaf for call-tree analysis from specific entry points.

Overall, these efforts show how scaling requirements, testing, and coverage within open collaboration can yield reusable evidence, strengthen kernel reliability, and align with a substantial portion of DO-178C DAL A objectives across industries.

Identifying Safety Weaknesses and Fault Propagation in the Linux Kernel – Igor Stoppa, NVIDIA

With growing interest in using Linux in safety-critical domains such as automotive, traditional functional safety practices need to be applied to an open source environment. One such practice is fault injection, where failures are deliberately introduced to study how the system reacts.

This talk by Igor Stoppa, NVIDIA, introduced a tool and methodology for injecting controlled faults into Linux kernel data structures. The goal is to uncover subtle forms of degradation that may not trigger a crash but can compromise safety goals, such as delayed system responses. By running repeatable experiments, the approach makes it possible to check whether safety mechanisms detect and report problems consistently and within required timing constraints.

The work highlights both the challenges of applying safety analysis to a large, fast-moving project like the Linux kernel and the opportunities to integrate such testing into the regular release process. Over time, this could provide valuable data on fault propagation, improve kernel reliability, and strengthen Linux’s role in safety-critical applications.

What’s Next?

The Safety-Critical Software track at Open Source Summit Europe 2025 highlighted the important progress being made toward making Linux a reliable choice in regulated and safety-sensitive domains. From exploring Linux as a Safety Element out of Context to fault injection techniques that expose hidden weaknesses, these discussions show how the community is tackling complex challenges with rigor and collaboration.

To learn more, be sure to check our upcoming blogs where we will cover more sessions from the track. If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Sep 08

When Kernel Comments Get Weird: The Tale of `drivers/char/mem.c`

By elisaproject Ambassadors, Blog, Working Group

This blog is written by Alessandro Carminati, Principal Software Engineer at Red Hat and lead for the ELISA Project’s Linux Features for Safety-Critical Systems (LFSCS) WG.

As part of the ELISA community, we spend a good chunk of our time spelunking through the Linux kernel codebase. It’s like code archeology: you don’t always find treasure, but you _do_ find lots of comments left behind by developers from the ’90s that make you go, “Wait… really?”

One of the ideas we’ve been chasing is to make kernel comments a bit smarter: not only human-readable, but also machine-readable. Imagine comments that could be turned into tests, so they’re always checked against reality. Less “code poetry from 1993”, more “living documentation”.

Speaking of code poetry, [here] one gem we stumbled across in `mem.c`:

```
/* The memory devices use the full 32/64 bits of the offset,
 * and so we cannot check against negative addresses: they are ok.
 * The return value is weird, though, in that case (0).
 */
 ```

This beauty has been hanging around since **Linux 0.99.14**… back when Bill Clinton was still president-elect, “Mosaic” was the hot new browser,
and PDP-11 was still produced and sold.

Back then, it made sense, and reflected exactley what the code did.

Fast-forward thirty years, and the comment still kind of applies…
but mostly in obscure corners of the architecture zoo.
On the CPUs people actually use every day?

```
$ cat lseek.asm
BITS 64

%define SYS_read    0
%define SYS_write   1
%define SYS_open    2
%define SYS_lseek   8
%define SYS_exit   60

; flags
%define O_RDONLY    0
%define SEEK_SET    0

section .data
    path:    db "/dev/mem",0
section .bss
    align 8
    buf:     resq 1

section .text
global _start
_start:
    mov     rax, SYS_open
    lea     rdi, [rel path]
    xor     esi, esi
    xor     edx, edx
    syscall
    mov     r12, rax        ; save fd in r12

    mov     rax, SYS_lseek
    mov     rdi, r12
    mov     rsi, 0x8000000000000001
    xor     edx, edx
    syscall

    mov     [rel buf], rax

    mov     rax, SYS_write
    mov     edi, 1
    lea     rsi, [rel buf]
    mov     edx, 8
    syscall

    mov     rax, SYS_exit
    xor     edi, edi
    syscall
$ nasm -f elf64 lseek.asm -o lseek.o
$ ld lseek.o -o lseek
$ sudo ./lseek| hexdump -C
00000000  01 00 00 00 00 00 00 80                           |........|
00000008
$ # this is not what I expect, let's double check
$ sudo gdb ./lseek
GNU gdb (Fedora Linux) 16.3-1.fc42
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lseek...
(No debugging symbols found in ./lseek)
(gdb) b _start
Breakpoint 1 at 0x4000b0
(gdb) r
Starting program: /tmp/lseek

Breakpoint 1, 0x00000000004000b0 in _start ()
(gdb) x/30i $pc
=> 0x4000b0 <_start>:   mov    $0x2,%eax
   0x4000b5 <_start+5>: lea    0xf44(%rip),%rdi        # 0x401000
   0x4000bc <_start+12>:        xor    %esi,%esi
   0x4000be <_start+14>:        xor    %edx,%edx
   0x4000c0 <_start+16>:        syscall
   0x4000c2 <_start+18>:        mov    %rax,%r12
   0x4000c5 <_start+21>:        mov    $0x8,%eax
   0x4000ca <_start+26>:        mov    %r12,%rdi
   0x4000cd <_start+29>:        movabs $0x8000000000000001,%rsi
   0x4000d7 <_start+39>:        xor    %edx,%edx
   0x4000d9 <_start+41>:        syscall
   0x4000db <_start+43>:        mov    %rax,0xf2e(%rip)        # 0x401010
   0x4000e2 <_start+50>:        mov    $0x1,%eax
   0x4000e7 <_start+55>:        mov    $0x1,%edi
   0x4000ec <_start+60>:        lea    0xf1d(%rip),%rsi        # 0x401010
   0x4000f3 <_start+67>:        mov    $0x8,%edx
   0x4000f8 <_start+72>:        syscall
   0x4000fa <_start+74>:        mov    $0x3c,%eax
   0x4000ff <_start+79>:        xor    %edi,%edi
   0x400101 <_start+81>:        syscall
   0x400103:    add    %al,(%rax)
   0x400105:    add    %al,(%rax)
   0x400107:    add    %al,(%rax)
   0x400109:    add    %al,(%rax)
   0x40010b:    add    %al,(%rax)
   0x40010d:    add    %al,(%rax)
   0x40010f:    add    %al,(%rax)
   0x400111:    add    %al,(%rax)
   0x400113:    add    %al,(%rax)
   0x400115:    add    %al,(%rax)
(gdb) b *0x4000c2
Breakpoint 2 at 0x4000c2
(gdb) b *0x4000db
Breakpoint 3 at 0x4000db
(gdb) c
Continuing.

Breakpoint 2, 0x00000000004000c2 in _start ()
(gdb) i r
rax            0x3                 3
rbx            0x0                 0
rcx            0x4000c2            4194498
rdx            0x0                 0
rsi            0x0                 0
rdi            0x401000            4198400
rbp            0x0                 0x0
rsp            0x7fffffffe3a0      0x7fffffffe3a0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x246               582
r12            0x0                 0
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x4000c2            0x4000c2 <_start+18>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x0                 0
gs_base        0x0                 0
(gdb) # fd is just fine rax=3 as expected.
(gdb) c
Continuing.

Breakpoint 3, 0x00000000004000db in _start ()
(gdb) i r
rax            0x8000000000000001  -9223372036854775807
rbx            0x0                 0
rcx            0x4000db            4194523
rdx            0x0                 0
rsi            0x8000000000000001  -9223372036854775807
rdi            0x3                 3
rbp            0x0                 0x0
rsp            0x7fffffffe3a0      0x7fffffffe3a0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x246               582
r12            0x3                 3
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x4000db            0x4000db <_start+43>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x0                 0
gs_base        0x0                 0
(gdb) # According to that comment, rax should have been 0, but it is not.
(gdb) c
Continuing.
�[Inferior 1 (process 186746) exited normally]
(gdb) 
```

Not so much. Seeking at `0x8000000000000001`…
Returns `0x8000000000000001` not `0` as anticipated in the comment.
We’re basically facing the kernel version of that “Under Construction”
GIF on websites from the 90s, still there, but mostly just nostalgic
decoration now.

## The Mysterious Line in `read_mem`

Let’s zoom in on one particular bit of code in [`read_mem`](https://elixir.bootlin.com/linux/v6.17-rc2/source/drivers/char/mem.c#L82):

```
	phys_addr_t p = *ppos;
	/* ... other code ... */
	if (p != *ppos) return  0;
```

At first glance, this looks like a no-op; why would `p` be different from
`*ppos` when you just copied it?
It’s like testing if gravity still works by dropping your phone…
**spoiler: it does.**

But as usual with kernel code, the weirdness has a reason.

## The Problem: Truncation on 32-bit Systems

Here’s what’s going on:

– `*ppos` is a `loff_t`, which is a 64-bit signed integer.
– `p` is a `phys_addr_t`, which holds a physical address.

On a 64-bit system, both are 64 bits wide. Assignment is clean, the check
always fails (and compilers just toss it out).

But on a 32-bit system, `phys_addr_t` is only 32 bits. Assign a big 64-bit
offset to it, and **boom**, the top half vanishes.
Truncated, like your favorite TV series canceled after season 1.

That `if (p != *ppos)` check is the safety net.
It spots when truncation happens and bails out early, instead of letting
some unlucky app read from la-la land.

## Assembly Time: 64-bit vs. 32-bit

On 64-bit builds (say, AArch64), the compiler optimizes away the check.

```
┌ 736: sym.read_mem (int64_t arg2, int64_t arg3, int64_t arg4);
│ `- args(x1, x2, x3) vars(13:sp[0x8..0x70])
│           0x08000b10      1f2003d5       nop
│           0x08000b14      1f2003d5       nop
│           0x08000b18      3f2303d5       paciasp
│           0x08000b1c      fd7bb9a9       stp x29, x30, [sp, -0x70]!
│           0x08000b20      fd030091       mov x29, sp
│           0x08000b24      f35301a9       stp x19, x20, [var_10h]
│           0x08000b28      f40301aa       mov x20, x1
│           0x08000b2c      f55b02a9       stp x21, x22, [var_20h]
│           0x08000b30      f30302aa       mov x19, x2
│           0x08000b34      750040f9       ldr x21, [x3]
│           0x08000b38      e10302aa       mov x1, x2
│           0x08000b3c      e33700f9       str x3, [var_68h]        ; phys_addr_t p = *ppos;
│           0x08000b40      e00315aa       mov x0, x21
│           0x08000b44      00000094       bl valid_phys_addr_range
│       ┌─< 0x08000b48      40150034       cbz w0, 0x8000df0        ;if (!valid_phys_addr_range(p, count))
│       │   0x08000b4c      00000090       adrp x0, segment.ehdr
│       │   0x08000b50      020082d2       mov x2, 0x1000
│       │   0x08000b54      000040f9       ldr x0, [x0]
│       │   0x08000b58      01988152       mov w1, 0xcc0
│       │   0x08000b5c      f76303a9       stp x23, x24, [var_30h]
[...]
```
Nothing to see here, move along.
But on 32-bit builds (like old-school i386), the check shows up loud and 
proud in the assembly. 
```
[0x080003e0]> pdf
┌ 392: sym.read_mem (int32_t arg_8h);
│ `- args(sp[0x4..0x4]) vars(5:sp[0x14..0x24])
│           0x080003e0      55             push ebp
│           0x080003e1      89e5           mov ebp, esp
│           0x080003e3      57             push edi
│           0x080003e4      56             push esi
│           0x080003e5      53             push ebx
│           0x080003e6      83ec14         sub esp, 0x14
│           0x080003e9      8955f0         mov dword [var_10h], edx
│           0x080003ec      8b5d08         mov ebx, dword [arg_8h]
│           0x080003ef      c745ec0000..   mov dword [var_14h], 0
│           0x080003f6      8b4304         mov eax, dword [ebx + 4] 
│           0x080003f9      8b33           mov esi, dword [ebx]     ; phys_addr_t p = *ppos;
│           0x080003fb      85c0           test eax, eax
│       ┌─< 0x080003fd      7411           je 0x8000410             ; if (!valid_phys_addr_range(p, count))
│     ┌┌──> 0x080003ff      8b45ec         mov eax, dword [var_14h]
│     ╎╎│   0x08000402      83c414         add esp, 0x14
│     ╎╎│   0x08000405      5b             pop ebx
│     ╎╎│   0x08000406      5e             pop esi
│     ╎╎│   0x08000407      5f             pop edi
│     ╎╎│   0x08000408      5d             pop ebp
│     ╎╎│   0x08000409      c3             ret
[...]
```

The CPU literally does a compare-and-jump to enforce it. So yes, this is a _real_ guard, not some leftover fluff.

## Return Value Oddities

Now, here’s where things get even funnier. If the check fails in `read_mem`, the function returns `0`. That’s “no bytes read”, which in file I/O land is totally fine.

But in the twin function `write_mem`, the same situation returns `-EFAULT`. That’s kernel-speak for “Nope, invalid address, stop poking me”.

So, reading from a bad address? You get a polite shrug. Writing to it? You get a slap on the wrist. Fair enough, writing garbage into memory is way more dangerous than failing to read it. Come on, probably here we need to fix things up.

Wrapping It Up

This little dive shows how a single “weird” line of code carries decades of context, architecture quirks, type definitions, and evolving assumptions.
It also shows why comments like the one from 0.99.14 are dangerous: they freeze a moment in time, but reality keeps moving.

Our mission in Elisa Architecture WG is to bring comments back to life: keep them up-to-date, tie them to tests, and make sure they still tell the truth. Because otherwise, thirty years later, we’re all squinting at a line saying “the return value is weird though” and wondering if the developer was talking about code… or just their day.

And now, a brief word from our *sponsors* (a.k.a. me in a different hat): When I’m not digging up ancient kernel comments with the Architecture WG, I’m also leading the Linux Features for Safety-Critical Systems (LFSCS) WG. We’re cooking up some pretty exciting stuff there too.

So if you enjoy the kind of archaeology/renovation work we’re doing there, come check out LFSCS as well: same Linux, different adventure.

Aug 13

ELISA Project Welcomes Simone Weiss to the Governing Board!

By elisaproject Ambassadors, Blog

We are excited to announce that Simone Weiss, Product Owner at Elektrobit, has joined the Governing Board of the Enabling Linux in Safety Applications (ELISA) Project. She brings a wealth of experience in functional safety, embedded systems, and open source leadership that will help guide ELISA’s mission to enable the use of Linux in safety-critical applications. One of Simone’s first tasks will be to lead the creation of a glossary in the ELISA Project directory.

ELISA Project Welcomes Simone Weiss to the Governing Board! Elektrobit has been an active contributor to the ELISA Project for several years, and Simone’s appointment reflects the company’s commitment to advancing the use of open source technologies in industries such as automotive, industrial, medical, and beyond.

“It’s an honor to join ELISA’s Governing Board. I’m looking forward to working with the community to support collaboration between industry and safety experts and drive broader adoption of Linux in safety-critical domains.” – Simone Weiss, Elektrobit

The ELISA Governing Board plays a critical role in setting the project’s strategic direction, ensuring sustainability, and supporting the vibrant technical community that underpins ELISA’s success. With the addition of Simone, the board strengthens its collective expertise and reaffirms its dedication to transparency, collaboration, and safety excellence.

Simone recently traveled to Open Source Summit North America, which happened in Denver, Colorado in June, to attend her first in-person Governing Board meeting.

Please join us in welcoming Simone to the ELISA Project Governing Board!

Jul 09

Arduino Portenta X8 as a Community Reference Hardware for Safe Systems – Highlights from the ELISA Project Workshop

By elisaproject Blog, Workshop

At the ELISA Project Workshop held May 7-9, 2025, in Lund, Sweden, co-hosted with Volvo Cars, Arduino co-founder and Head of Research at Malmö University, David Cuartielles shared an insightful session on using the Portenta X8 as a reference hardware platform for building safe and secure embedded Linux systems.

In his presentation, David walked through Arduino’s journey into Linux-capable hardware, the motivations behind creating the Portenta X8, and how it came to be through European-funded research projects. With industrial-grade capabilities, real-time microcontroller support, and built-in fleet management, the Portenta X8 stands out as a robust platform for prototyping secure and sustainable embedded Linux systems.

David also shared his insights into sustainability challenges in hardware manufacturing, highlighting Arduino’s ongoing research into biocompatible PCBs using PLA-flax substrates. The talk offers insights into balancing innovation with ecological responsibility, and how that might impact Linux-compatible hardware in the future.

To learn more, watch the session here. Slides available here.

Jun 11

Recap of the ELISA Project Workshop 2025: Lund, Sweden

By elisaproject Blog, Workshop

The ELISA Project’s workshop in Lund, Sweden brought together project members, contributors, and ecosystem partners for three days of focused collaboration and planning. From May 7 – 9, attendees convened at the Volvo Cars Lund Office to advance safety-critical Linux development and map out future goals.

On the afternoon of May 7, the workshop kicked off with welcome note by Philipp Ahmann (ETAS GmbH), Kate Stewart (Linux Foundation), and Robert Fekete (Volvo Cars), followed by an “Ask Me Anything” panel on ELISA and OSS safety applications featuring Philipp Ahmann and Gabriele Paoloni (Red Hat). David Cuartielles then demonstrated the Arduino Portenta X8 as community reference hardware for safe systems, and a cross-community case study highlighted collaboration with AGL, Eclipse S-Core, KernelCI, Xen, Zephyr, and more. The day closed with discussions on ELISA’s interaction with adjacent communities including Eclipse, Linaro, Rust, SPDX, and Yocto before an offsite dinner at Stäket.

Day 2 began with a comparison of Safety Linux vs. Safe(ty) Linux led by Philipp Ahmann and Paul Albertella (Codethink). Olivier Charrier (Wind River) and Alessandro Carminati (Red Hat) then explored hardware-level integration in the Linux kernel. After lunch, a series of special topics covered PX4Space (Pedro Roque, KTH), SPDX Safety Profile (Nicole Pappler, AlektoMetis), Safe Continuous Deployment (Håkan Sivencrona, Volvo Cars), and Resilient Safety Analysis (Igor Stoppa, NVIDIA). The afternoon sessions on KernelCI, BASIL & Testing (Luigi Pellecchia, Gustavo Padovan) and Requirements Traceability (Kate Stewart, Gabriele Paoloni) concluded with an engaging networking session.

On the morning of May 9, attendees discussed the Trustable Software Framework (Paul Albertella, Daniel Krippner) and examined Rust’s role in safety-critical applications. The final session on Best Practices Standard, presented by Philipp Ahmann, Gabriele Paoloni, and Olivier Charrier, distilled key takeaways and action items for ELISA’s roadmap. The workshop ended with stronger community connections and a clear plan for the project’s next steps.

We extend our thanks to Volvo Cars Lund for hosting, to all speakers and participants for their insights, and to the ELISA Project community for making this gathering a success.

Videos from the workshop are now available on the YouTube channel of the ELISA Project. Watch the full playlist here.

Slides can be accessed here at the ELISA Project directory.

Keep an eye out for details on the next in-person workshop and virtual participation options here!

May 28

Criteria and Process for Evaluating Open-Source Documentation

By elisaproject Ambassadors, Blog, Seminar Series

As the open source and safety (and security) communities collaborate more closely, there’s an opportunity to build trust by showcasing how open source development aligns with key safety principles. As part of the ELISA Seminar series, Pete Brink, Principal Consultant at UL Solutions and ELISA Project ambassador, recently presented the process designed to adapt to a variety of projects and contexts, including evaluation criteria.

This video aims to introduce a flexible, practical framework for evaluating documentation that supports trustworthiness in development practices. The goal is to empower teams to highlight their commitment to quality and safety in a way that works for them. Watch here:

The ELISA Seminar Series focuses on hot topics related to ELISA’s mission to define and maintain a common set of elements, processes and tools that can be incorporated into Linux-based, safety-critical systems amenable to safety certification. Speakers are members, contributors and thought leaders from the ELISA Project and surrounding communities. Each seminar comprises a 45-minute presentation and a 15-minute Q&A, and it’s free to attend. You can watch all videos on the ELISA Project Youtube Channel ELISA Seminar Series Playlist here.

For more ELISA Project updates, subscribe to @ProjectElisa or our LinkedIn page or our Youtube Channel.