Ambassadors

Jun 11

Recap: ELISA Project at Open Source Summit North America 2026

By elisaproject Ambassadors, Blog, Safety-Critical Software Summit

Open Source Summit North America 2026 brought together developers, contributors, maintainers, technologists, and community leaders to share knowledge, collaborate on solutions, and push open source projects forward.

The ELISA Project participated in the Safety Critical Software Track, which explored the intersection of open source and safety standards. Sessions covered best practices for regulatory compliance, security updates, safety engineering, requirements traceability, quality assessments, safety analysis methodologies, and technical development for safety-critical systems.

The track featured sessions on Space Grade Linux graduating from ELISA incubation, software supply chain management with the Yocto Project, Xen’s path toward safety certification, Tidepool’s open source quality management system for patient safety, deterministic interoperability in medical robotics, and modern approaches to software verification.

Together, these sessions highlighted how open source communities are advancing practical approaches for building reliable, transparent, and safety-critical systems across industries including aerospace, embedded systems, medical devices, robotics, and critical infrastructure.

The session playlist is now available. Watch the recordings here.

Thank you to all speakers, attendees, contributors, and community members who joined the conversations and continue to support the advancement of open source in safety-critical software.

May 27

Recap – ELISA Seminar – Functional safety with Xen, Zephyr and Linux for avionics, automotive and industrial

By elisaproject Ambassadors, Blog, Seminar Series, Technical Update, Working Group

On May 13, 2026, the ELISA Project hosted a seminar exploring how open source technologies including Xen, Zephyr RTOS, and Linux are advancing toward deployment in safety-critical systems across avionics, automotive, and industrial domains.

The session featured Ayan Kumar Halder (AMD) and Matthew Weber (Boeing), who shared ongoing collaborative work around functional safety, mixed-criticality systems, and open source safety certification efforts.

The discussion focused on how Xen, Zephyr, and Linux can be composed into a unified architecture for safety-critical environments. The speakers outlined how Xen can act as a Type-1 hypervisor, isolating workloads with different safety requirements while supporting deterministic execution, static partitioning, and freedom from interference between virtual machines.

A major theme throughout the session was the growing collaboration between the Xen community and the ELISA Project to build an open functional safety ecosystem. The work spans multiple safety standards including ISO 26262, IEC 61508, and DO-178C, with the goal of creating reusable safety certification artifacts and methodologies that can benefit multiple industries.

The seminar highlighted several ongoing technical efforts within the Xen functional safety initiative, including:

MISRA C compliance improvements and automated CI checking
MPU support for ARM Cortex-R systems
Static partitioning and deterministic scheduling
Requirements traceability and architecture specifications
Domain-based testing, fault injection, fuzzing, and unit testing
White-box testing approaches using Ceedling and coverage analysis
Open source traceability workflows using Open Fast Trace

The speakers also discussed the importance of defining assumptions of use (AoU) between system components such as firmware, hypervisors, operating systems, and applications. This systems-level perspective is critical for enabling Linux and Xen to operate within certified safety environments.

Matthew Weber shared additional insights from the aerospace domain, explaining how avionics standards such as DO-178C and ARINC 653 complement ongoing automotive safety efforts. The session explored how higher levels of testing rigor, deterministic partitioning, and lifecycle traceability can help support mixed-criticality aerospace systems using open source technologies.

Another key discussion point was sustainability. Functional safety is not a one-time activity but an ongoing engineering process that must evolve alongside code changes, new features, and emerging defects. The speakers emphasized the importance of open collaboration, transparent development processes, and community participation to keep safety-related artifacts and testing continuously maintained.

The session concluded with an invitation for the broader community to get involved through mailing lists, workshops, Git repositories, and upcoming events including the Xen Summit and ELISA workshops.

As open source continues expanding into regulated and safety-critical industries, collaborations like these are helping create the technical foundations, tooling, and community processes needed to support the next generation of safety-focused systems.

Watch for upcoming ELISA seminars and community workshops to continue the conversation around functional safety, mixed-criticality systems, and open source collaboration.

Upcoming ELISA Seminars:

May 20

When “Probably Safe” Is Not Safe Enough

By elisaproject Ambassadors, Blog, Working Group

This blog is written by Alessandro Carminati, TSC member and Linux Features WG Chair at the ELISA Project and an engineer at NVIDIA.

If you ever worked with Linux, you probably heard something like:

“User space and kernel space are isolated.”

Which is true. And also… not entirely comforting.

Because, as Murphy politely reminds us:

“Anything that can go wrong, will go wrong.”

At the ELISA LFSCS working group, we try to look at Linux from a functional safety perspective. That means we are not satisfied with “it usually works”… we want to understand what could go wrong.

At the ELISA LFSCS working group, we try to look at Linux from a functional safety perspective. That means we are not satisfied with “it usually works”… we want to understand what could go wrong.

From Munich: A Suspicious Idea

During the Munich 2025 session, we discussed what we called the linear mapping threat.

The idea is simple:

Linux keeps a linear mapping of physical memory
This mapping includes all RAM
Kernel objects and user pages come from the same pool

So in theory:

A kernel object page could sit right next to a user page.

Not a fault… Not a bug… Just… how memory is laid out.

And that alone raises a question.

Because if a kernel bug causes an overflow, adjacency matters much more than isolation:

overflow → likely direction → next page
underflow → possible, but statistically less common
So the interesting case becomes:

kernel page → next → user page

At that point, this was still a hypothesis. A reasonable one… But still a hypothesis.

From Hypothesis to Observation

So we asked:

Can we observe this situation?

Not in theory. Not in diagrams. But in actual memory.

To be clear, not the fault happening… just the fact that Kernel objects pages and userspace pages can sit next to each other.

The Tool (a.k.a. “Let’s Peek at PFNs”)

Initially, the plan was simple:

“Let’s write a kernel module and scan the linear mapping.” Because… that’s what kernel people do. (Maslow’s Hammer: If the only tool you have is a hammer, you tend to see every problem as a nail)

Then came the slightly embarrassing realization:

“Wait… I can already see this from userspace.”

Using /proc/kpageflags.

And suddenly:

no kernel module needed
no patching
no special hooks

Just a userspace tool reading kernel-exposed data.

Small Technical Box: /proc/kpageflags

/proc/kpageflags exposes metadata for each physical page frame (PFN).

With it, you can:

iterate over physical memory
classify pages (anonymous, slab, huge, etc.)
build a PFN-level view of the system

In practice, the tool:

scans PFNs sequentially
assigns a category per page
renders a colored raster

Think of it as:

a “topographic map” of memory… where mountains are slab pages and plains are user memory. (Yes, the legend is still under construction.)

First Results: “This Looks… Too Clean”

Using the tool on a real system (x86), results were promising:

memory looked mixed
user and kernel pages were interleaved
adjacency was visible

Good.

But the LFSCS working group set its reference platform as aarch64 many moons ago and when if came to the ARM64 VM we’re targeting:

almost no user pages
almost no slab pages
everything looked… suspiciously clean

At this point, either:

the tool was wrong
the kernel was lying
or the system was too nice

What We Learned (a.k.a. “The Plot Thickens”)

Huge Pages Were Hiding Reality

Disabling THP:

echo never > /sys/kernel/mm/transparent_hugepage/enabled

suddenly changed everything.

Why?

Because:

userspace sees memory at page granularity (4KB)
linear mapping may represent the same memory as huge pages

So we had:

fine-grained user memory vs coarse-grained linear mapping view

Disabling THP aligned the two worlds and revealed the real distribution.

Slab Pages Don’t Like Attention

The SLAB flag is only set on compound head pages.

Meaning:

most kernel objects are there… just not explicitly labeled

So the absence of slab in the visualization was… misleading.

The System Was Too Clean

The VM had:

low workload
low fragmentation
limited kernel activity

In short:

not enough chaos to trigger interesting behavior

Forcing Reality (a.k.a. “Adding Some Chaos”)

One missing piece was understanding that:

a real system naturally creates fragmentation a virtual machine… usually does not

So to observe the phenomenon in a controlled environment, we needed to give to the kernel an helping foot.

The approach was to introduce controlled memory pressure and fragmentation using a small kernel-side helper.

The idea is simple:

allocate many temporary objects
insert a few persistent objects in between
free the temporary ones

Swiss Cheese Kernel Heap

This leaves behind memory pages that are:

partially used
not reclaimable
and therefore fragmented

This creates a layout where:

kernel allocations are spread across many partially filled pages

Which is exactly the condition needed to increase the chance of:

kernel page → next → user page adjacency

Think of memory like a block of cheese:

temporary allocations = drilling holes
persistent objects = small solid parts left behind

After removing the temporary allocations:

you don’t get a clean empty block you get a holey structure the kernel cannot easily compact

The Key Result

After:

fixing classification
aligning granularity
adding controlled fragmentation

We can say:

Kernel and user pages can be physically adjacent. Not always. Not everywhere. But definitely possible.

And importantly: this can happen naturally on a real system while in a VM it may require forcing conditions

Looking Closer (a.k.a. “What Exactly Is Sitting at the Edge?”)

At this point, we knew that: kernel pages and user pages can be physically adjacent. Which is already interesting.

But adjacency alone does not tell us how easy it is for trouble to cross the border.

If the last object in the kernel page ends hundreds of bytes before the page boundary, then an overflow would need to be fairly enthusiastic.

If instead the object ends exactly at the page boundary…

then even a tiny mistake can immediately step into the next page.

So the obvious next question was: “What is actually sitting at the very end of the slab page?”

Teaching the Tool Some Slab Archaeology

The original direct_map_view PoC was good at classifying pages.

The updated version became slightly more nosy.

Given a user page, it now:

looks at the preceding PFN,
checks whether that PFN is slab-backed,
scans the page,
and identifies the kernel object closest to the end of the page.

Using kmem_dump_obj(), the probe can determine which slab cache owns the object and where the object begins.

In other words: we stopped looking only at pages and started looking at what is actually living inside them.

A Typical Result

[   66.010479] pfn_slab_probe: input_pfn=1078469 checked_pfn=1078468 flags=0xbfffe0000000200
[   66.010862] pfn_slab_probe: checked PFN 1078468 is slab-backed, scanning [ffff0000c74c4000 - ffff0000c74c5000)
[   66.011652] slab kmalloc-512 start ffff0000c74c4e00 pointer offset 504 size 512
[   66.013007] pfn_slab_probe: nearest candidate object at ffff0000c74c4ff8, offset 0xff8 into PFN 1078468

The probe did not find an object starting at 0xff8.

It found itself standing 8 bytes before the edge of the page, inside a kmalloc-512 object, at offset 504 from the beginning of that object.

So the math is:

0xff8 - 504 = 0xe00

The object starts at 0xe00 and, being 512 bytes long, ends at 0x1000.

Exactly at the page boundary. Which is the memory-management equivalent of parking with the bumper touching the wall.

Turning Logs into Pictures

Because hexadecimal offsets are excellent at convincing computers but less effective with humans, a small script was added to convert the logs into SVG diagrams.

The result is a picture showing:

the slab page,
the last kernel object,
the page boundary,
and the user page immediately after it.

Sometimes, a drawing is worth several hundred printk()s.

From “Interesting Layout” to “Well… That Escalated Quickly”

At this point, we had demonstrated that:

a kernel object can sit at the end of a page,
the next physical page can belongs to a user process.

The next question was unavoidable: “What happens if the kernel writes past that boundary?”

Fortunately for science, and slightly less fortunately for the victim process, we now have a PoC for that too.

The Victim (a.k.a. “The Simplest Program We Could Get Away With”)

The userspace target is a tiny assembly program, available for both:

Its behavior is intentionally boring:

print the address of a string,
wait,
print the string,
exit.

That is all. No threads. No libraries. No excuses. If something changes, we know exactly who to blame.

Was it that simple?

The PoC script: poc.sh

Coordinates with the kernel module: umem_poke.c

The script does not do magic address translation in bash.

Which is probably good news for everyone. It only coordinates the experiment: it starts the victim, gets the address printed by the process, and passes that VMA address to the module.

The module is the one doing the kernel-side work. It uses GUP to resolve the userspace address to the underlying page, computes the linear mapping address destination byte, and then performs the write.

After all that machinery, the corruption itself is still disappointingly simple:

*dst_target = act.value;

That is it.

No ptrace().
No copy_to_user().
No access_ok().
No “Dear Kernel, may I please touch userspace?”

Just a normal assignment. From the kernel’s point of view, this is simply a write to a valid pointer.

Which leads to a slightly uncomfortable realization: once a userspace page is reached through the linear mapping, it stops being special. It is just memory. And the kernel is very good at writing to memory.

“But Surely Read-Only Memory Is Safe?”

A reasonable objection is: “Fine, but this probably works only on writable pages.” That would be reassuring… Would it really?

Even then, the wall would still have a door. Unfortunately, reality is even less reassuring.

The experiment works even when the target string is moved from .bss to .rodata.

In other words, the process sees the page as read-only. The process itself cannot modify the string.

And yet, after the userspace address has been translated to its corresponding location in the linear mapping, changing the supposedly immutable data still requires nothing more sophisticated than:

*dst_target = act.value;

No page permissions are changed.
No special write mechanism is invoked.
No dedicated “modify userspace memory” API is used.

Just a normal store through a valid kernel pointer.

So the surprising part is not that the kernel, in principle, has enough privilege to modify the page. The surprising part is that once the page is reached through the linear mapping, the actual modification is indistinguishable from writing to any other ordinary kernel address.

Same physical page. Different virtual permissions. Same single dereference.

The Grand Finale

Before the write, the program prints one string.

After the write, it prints a different one.

buildroot login: root
# /usr/umem_poke/poc.sh 
running without corruption
message address: 0x0000000000400168
<TOKEN>

running again with corruption
[   27.675393] umem_poke: loading out-of-tree module taints kernel.
message address: 0x0000000000400168
[   28.751270] umem_poke: req: poke memory for pid=107 mem[400168]=1074707572726f63
[   28.752020] umem_poke: act: poke memory for pid=107 mem[400168]=1074707572726f63
corrupt
#

The process does not crash. The kernel does not panic. No alarms ring. No dramatic music starts.

The application simply continues running with modified data. Which, from a functional safety perspective, is often the most interesting outcome.

Not: “The system exploded.”

But: “The system kept working… incorrectly.”

From Layout Curiosity to Concrete Effect

At this point, the full chain becomes visible:

+---------------------------+
|   shared physical memory  |
+---------------------------+
              |
             \ /
              V
+---------------------------+
|     possible adjacency    |
+---------------------------+
              |
             \ /
              V
+---------------------------+
| kernel object at page end |
+---------------------------+
              |
             \ /
              V
+---------------------------+
|   kernel write defect     |
+---------------------------+
              |
             \ /
              V
+---------------------------+
|   ordinary pointer store  |
+---------------------------+
              |
             \ /
              V
+---------------------------+
| userspace data corruption |
+---------------------------+
              |
             \ /
              V
+---------------------------+
|  incorrect but apparently |
|       normal behavior     |
+---------------------------+

So the original question: “Can kernel and user pages be physically adjacent?”

Now has a more complete answer: Yes. And if a kernel write goes in the wrong direction, the next page may belong to a perfectly innocent process. That process may continue running as if nothing happened, except for the small detail that its data is no longer what it thinks it is.

Why This Matters

From a safety perspective, the concern is not: user → kernel corruption (blocked by MMU)

The concern is:

kernel → anything else

Because in the linear mapping:

everything shares the same physical space
adjacency is not controlled
allocators optimize for performance, not isolation

So when something goes wrong: the target is simply “the next page”

And what that page is… depends on the moment.

Bigger Picture

This PoC is not proving a vulnerability.

It is proving something more subtle: Linux enforces virtual access separation, but does not guarantee physical separation between kernel and userspace allocations.

And in safety: lack of guarantees is already a problem.

Final Thought

The tool didn’t find a bug and this article does not imply Linux is unsafe. It found something more annoying: an assumption that is not always true.

Meaning that physical separation is not an inherent property of the Linux memory manager and must be established through additional architectural controls if required by a safety case.

Apr 29

ELISA Lighthouse SIG – Annual Update (February 12, 2026) | Philipp Ahmann, ETAS

Recap of ELISA Lighthouse SIG – Annual Update (February 12, 2026)

By elisaproject Ambassadors, Blog, Technical Update, Working Group

On February 11–12, the ELISA Project community gathered for the 2026 Working Group (WG) and Special Interest Group (SIG) Annual Updates. Over two focused sessions, group leads shared key milestones from 2025, current technical priorities, and what lies ahead in 2026, along with concrete opportunities for collaboration and contribution.

The annual updates serve as a checkpoint for the project: a moment to reflect on progress, align on priorities, and welcome new contributors into the work of advancing Linux in safety-critical systems.

This week we highlight the session on ELISA Lighthouse Special Interests Group presented by Philipp Ahmann, ETAS.

The Lighthouse SIG focuses on best practices for open source software in safety-critical systems. Philipp explained that many existing quality and safety standards were designed for proprietary software development, while open source communities often work through code-first, CI-driven, and agile processes. The group is exploring how established open source practices can be evaluated, documented, and eventually shaped into guidance or a standard that regulated industries can use.

In 2025, the SIG worked to understand the current landscape. The group reviewed existing safety, quality, and security standards, conducted literature research, and began assessing open source projects. Early work included creating a template to evaluate process robustness and evidence confidence across different criteria. Initial project assessments included Yocto, Xen, and LLVM, with plans to expand to projects such as Linux, curl, and OpenSSL.

The session also highlighted collaboration with other communities, including Eclipse automotive efforts, CHAOSS, OpenSSF Scorecard, LFX Insights, OpenSSF Best Practices, OpenChain, and the Joint Development Foundation. The goal is to avoid duplication, learn from existing work, and align with broader open source and standards communities.

Looking ahead to 2026, the Lighthouse SIG plans to refine its maturity model, review more projects, evaluate existing badges and scorecards, and continue preparing for possible standards work. The group is also exploring how to define and measure quality in open source projects more clearly.

Philipp closed by inviting new contributors to join the Lighthouse SIG. The group meets every other Friday and welcomes participation through its meetings, mailing list, Discord channel, GitHub repository, and meeting minutes.

Watch the full session to learn how the Lighthouse SIG is progressing and how you can get involved.

Apr 01

ELISA Seminar – From Requirements to Code: Managing End-to-End Traceability with BASIL - recap blog

ELISA Seminar – Recap Notes – From Requirements to Code: Managing End-to-End Traceability with BASIL

By elisaproject Ambassadors, Blog

This seminar explores BASIL, an open source requirements and traceability management tool under the ELISA Project. BASIL enables teams to connect specifications, requirements, test artifacts, documentation and source code using flexible traceability matrices while integrating with existing test infrastructures. In this session, Luigi Pellecchia, BASIL Maintainer and member of the ELISA Project Technical Steering Committee, presents how BASIL supports end-to-end traceability from requirements to code, improves collaboration and governance through role-based permissions, traceability-as-code, and AI-driven workflow guidance, and helps teams manage software quality evidence in a collaborative environment.

The session includes a live demonstration of BASIL, showcasing its web-based architecture, deployment options, and how users can create, map, and manage work items such as requirements, test specifications, and test cases. It also highlights integration with test management tools, external CI systems, and APIs, along with features for importing data, exporting traceability matrices, and automating workflows. The seminar further introduces advanced capabilities such as repository scanning and building traceability from distributed project assets, illustrating how BASIL can support complex, real-world development environments.

Learn more about BASIL.

Mar 06

What to Expect from the ELISA Project at Embedded World Exhibition & Conference 2026

What to Expect from the ELISA Project at Embedded World 2026

By elisaproject Ambassadors, Blog, Industry Conference

The ELISA Project will be participating in the upcoming Embedded World Exhibition & Conference, taking place March 10–12, 2026 at Messezentrum Nürnberg, Germany.

Established in 2003, Embedded World has become one of the most important annual gatherings for the global embedded systems community. The event combines a large industry exhibition with a world-class conference program that bridges applied research and real-world industrial applications.

For the ELISA Project community, this event offers an opportunity to connect with engineers, researchers, and organizations working to enable safe use of Linux in safety-critical systems.

ELISA at Embedded World 2026

At this year’s event, the ELISA Project will engage with attendees through:

A conference session discussing approaches for assessing the safe usage of Linux
On-site discussions with ELISA ambassadors and community members
Opportunities to connect with companies building Linux-based safety-critical systems

If you are developing systems where safety, reliability, and open source intersect, this is a great chance to learn more about how the ELISA Project is advancing safety practices around Linux.

Conference Session: Assessing Safe Usage of Linux

A key highlight will be a talk by Kate Stewart from the Linux Foundation.

Approaches on Assessing Safe Usage of Linux

📅 March 10, 2026
⏱ 11:30 (30 minutes)

Linux has become one of the most widely used operating systems across industries—from deeply embedded devices in automotive, aerospace, and medical systems to servers powering global financial infrastructure.

While there are established mechanisms for maintaining and distributing security updates, the question remains:

After applying fixes and updates, how can we demonstrate that a Linux-based system is still safe to use in regulated environments?

In this session, Kate Stewart will explore:

Current approaches within the ELISA Project to evaluate Linux in the context of functional safety
Methods to support analysis and verification of Linux-based systems
Opportunities for automation and collaboration across the ecosystem
Emerging best practices for organizations building safety-critical Linux systems

The talk will provide insight into how the community is working to make Linux viable for safety-certified environments.

Learn more about the Embedded World Conference here.

Meet the ELISA Community

In addition to the conference session, several ELISA Project ambassadors and contributors will be attending Embedded World, including: Philipp Ahmann — ETAS GmbH, Nicole Pappler – Alektometis, Simone Weiß — Linutronix along with many other members of the ELISA Project ecosystem.

They will be available throughout the event to discuss:

The ELISA Project’s mission and roadmap
Collaboration opportunities
Safety practices for Linux-based systems
How organizations can participate in the project

Let’s Connect

If you are attending Embedded World and already working on Linux-based safety-critical applications, or interested in learning more about the ELISA Project and its goals for 2026 we encourage you to connect with the team during the event.

You can:

Reach out directly to ELISA ambassadors onsite
Or contact the project team (info@elisa.tech) to schedule a meeting

Embedded World is a fantastic opportunity to exchange ideas, learn from industry leaders, and explore how open source and safety engineering can evolve together. See you there!

Mar 04

What do you mean when you say…?

By elisaproject Ambassadors, Blog

This blog post “What Do You Mean When You Say…?” Introducing the ELISA Glossary for Safety-Critical Open Source” was written by Simone Weiss, Linutronix.

You’re reading a blog post, and three sentences in, you encounter a term and wonder, “What does the author mean when they say that?” You could research it, but you keep reading, telling yourself, “I’ll figure it out later.” We’ve all been there.

The world of embedded and safety-critical open source uses specific terms that can make it hard to understand what’s meant. That’s why we created the ELISA Glossary—a single place for all those terms.

Take a look at the glossary here:
https://directory.elisa.tech/glossary/index.html

What Is the ELISA Glossary?

The ELISA Glossary is a collection of definitions for terms that frequently come up in the ELISA project. Each entry tries to provide not just the theoretical meaning but also the way of how it’s used within ELISA.

You’ll find definitions covering:

Safety and certification concepts
Embedded and real-time software terms
Open-source processes and tools
Standards, specifications, and compliance-related language

The glossary is useful for things like:

Reading an ELISA blog post and needing a quick refresher
Joining a new working group and encountering unfamiliar terms
Ensuring consistent language across documents and discussions

The glossary is work in progress. As tools evolve, standards shift, and best practices change, the glossary will continue to grow. We rely on community feedback – if there’s a term you think should be added or a definition that needs refinement, let us know!

Why the Glossary?

The ELISA Project brings together engineers, safety experts, and organizations working on Linux-based safety-critical systems. This diverse mix of industry, standards, and technical backgrounds is one of ELISA’s strengths—but it also means we use a language that’s not always obvious to newcomers, occasional contributors, or even long-time members diving into new topics.

Since ELISA began, we’ve created:

Technical documentation
Working group deliverables
Presentations

Certain terms pop up again and again, which is where the ELISA Glossary comes in—to help make those terms easier to understand, reference, and use consistently.

Explore the ELISA Glossary

https://directory.elisa.tech/glossary/index.html

Clear language may not solve all the challenges in safety-critical software, but it sure makes collaboration easier.

Feb 25

Recap of ELISA Working Group and Special Interest Group Annual Updates 2026

By elisaproject Ambassadors, Blog, Working Group

The first day opened with an ELISA Project overview from Technical Steering Committee Chair Philipp Ahmann (ETAS), highlighting overall progress and reinforcing ELISA’s mission to define and maintain common elements, processes, and tools that support safety certification for Linux-based systems.

The first day highlighted progress across ELISA’s core Working Groups:

Open Source Engineering Process – Paul Albertella (Codethink) shared updates on process alignment and best practices to support safety certification efforts.

Systems and Automotive – Philipp Ahmann discussed advancements in aligning Linux with functional safety requirements for automotive and system-level applications.

Safety Architecture – Gabriele Paoloni (Red Hat) presented ongoing architectural work supporting safety use cases.

Linux Features for Safety-Critical Systems – Alessandro Carminati (NVIDIA) outlined kernel and feature-level progress enabling dependable Linux deployments.

The second day focused on use-case driven Working Groups and SIGs:

Aerospace – Matthew Weber (The Boeing Company) shared updates on Linux in aerospace systems.

Space Grade Linux – Ramon Roche (The Linux Foundation) discussed the evolution of Space Grade Linux and its relationship with ELISA.

BASIL & Tools WG Evolution – Luigi Pellecchia (Red Hat) highlighted progress in tooling and traceability efforts.

Lighthouse SIG – Philipp Ahmann provided insights into cross-domain collaboration and coordination.

The event concluded with closing reflections and a forward-looking discussion on collaboration opportunities in 2026.

Continuing the Work

The WG & SIG Annual Updates are more than a status review, they are a coordination point for the year ahead. As Linux adoption in safety-critical systems continues to expand across automotive, aerospace, industrial, and emerging domains, ELISA remains committed to open collaboration, practical tooling, and shared technical foundations.

Thank you to all speakers, contributors, and attendees who helped make the 2026 updates a success.

We look forward to another year of advancing Linux in safety-critical environments together.

Jan 28

ELISA Project at FOSDEM 2026: Advancing Open Source in Safety-Critical Systems

By elisaproject Ambassadors, Blog, Industry Conference

As open source software continues to move deeper into safety-critical systems, FOSDEM provides a unique space for the conversations that need to happen between developers, safety engineers, maintainers, and industry stakeholders. For the Enabling Linux in Safety Applications (ELISA) project, FOSDEM 2026 is an opportunity to engage directly with the open source community, share practical progress, and collaborate on the challenges of using Linux in systems where failure can have serious consequences.

ELISA’s mission is to make it easier for organizations to build and certify Linux-based safety-critical applications systems whose failure could result in loss of human life, significant property damage, or environmental harm. By bringing these discussions to FOSDEM, ELISA helps connect real-world safety and certification needs with the developers and projects building the software at the core of these systems.

What ELISA Is Working On

ELISA brings together companies, developers, and safety experts to define and maintain a shared set of tools, processes, and best practices that help organizations demonstrate that Linux-based systems can meet functional safety requirements. Rather than positioning Linux as a standalone “safety solution,” ELISA focuses on how Linux can be used as a component within safety-critical systems, supported by appropriate system-level mitigations, documentation, and evidence.

A key part of this work is collaboration with certification authorities and standardization bodies across multiple industries. By engaging early and openly, ELISA helps clarify expectations around certification pathways, safety arguments, and compliance, reducing uncertainty for both developers and assessors. This approach enables reuse, transparency, and consistency across domains such as automotive, aerospace, railways, industrial automation, and medical systems.

ELISA at FOSDEM 2026

FOSDEM 2026 offers an ideal environment to continue these conversations. As a free, community-driven event that brings together thousands of open source developers from around the world, it allows ELISA to connect directly with the people building and maintaining the software used in safety-critical products.

Throughout the weekend, ELISA Project Ambassadors will be actively participating across the event giving talks, joining technical discussions, and engaging with contributors in multiple developer rooms. Attendees can also meet the ELISA team at the Linux Foundation Europe stand (Building K, Level 2, Group A), where they will be available to discuss ongoing work, community activities, and ways to get involved in the project.

Several members of the ELISA Technical Steering Committee (TSC) will be present as well, providing an opportunity for in-depth conversations around safety concepts, certification challenges, and cross-industry collaboration.

Session Highlight:

Code, Compliance, and Confusion: Open Source in Safety-Critical Products

This talk examines the growing use of open source software in functionally safe systems, including platforms such as Linux, Zephyr, Xen, and automotive middleware. It looks at both the progress made in recent years and the persistent barriers to adoption, from certification uncertainty and fragmented governance to common misunderstandings around safety responsibility and system architecture. Learn more.

BOF/Unconference

In addition to talks, ELISA-related topics will be discussed in Birds of a Feather (BoF) sessions, which offer a more informal space for discussion and idea exchange.

One BoF will focus on Linux & Open Source Software for safety applications in Railways, exploring how large-scale reuse and collaborative development can support the sector’s growing software needs while meeting strict safety requirements. The discussion will also consider whether there is sufficient momentum to form a foundation-backed initiative to support OSS adoption in railways.

Another BoF, Safety-Critical Linux: Challenges across industries, will bring together participants from automotive, aerospace, medical devices, robotics, and rail. The session will explore shared challenges such as documentation, tooling, certification, and system design, and identify opportunities where cross-industry collaboration could reduce duplication and improve outcomes.

Join the Conversation at FOSDEM

FOSDEM 2026 is an opportunity to move beyond theory and engage in practical, technical discussions about open source in safety-critical systems. Whether you are building software, assessing safety cases, or defining certification strategies, ELISA invites you to take part in the conversations, meet the community, and help shape how Linux and open source software are used in systems that demand the highest levels of trust and reliability.

We look forward to connecting with you in Brussels.

Dec 10

Schrödinger’s test: The /dev/mem case

By elisaproject Ambassadors, Blog

This blog was originally published by Alessandro Carminati, Principal Software Engineer at Red Hat, on his personal blog and is republished here with permission.

Why I Went Down This Rabbit Hole

Back in 1993, when Linux 0.99.14 was released, /dev/mem made perfect sense. Computers were simpler, physical memory was measured in megabytes, and security basically boiled down to: “Don’t run untrusted programs.”

Fast-forward to today. We have gigabytes (or terabytes!) of RAM, multi-layered virtualization, and strict security requirements… And /dev/mem is still here, quietly sitting in the kernel, practically unchanged… A fossil from a different era. It’s incredibly powerful, terrifyingly dangerous, and absolutely fascinating.

My work on /dev/mem is part of a bigger effort by the ELISA Architecture working group, whose mission is to improve Linux kernel documentation and testing. This project is a small pilot in a broader campaign: build tests for old, fundamental pieces of the kernel that everyone depends on but few dare to touch.

In a previous blog post, “When kernel comments get weird”, I dug into the /dev/mem source code and traced its history, uncovering quirky comments and code paths that date back decades. That post was about exploration. This one is about action: turning that historical understanding into concrete tests to verify that /dev/mem behaves correctly… Without crashing the very systems those tests run on.

What `/dev/mem` Is and Why It Matters

/dev/mem is a character device that exposes physical memory directly to userspace. Open it like a file, and you can read or write raw physical addresses: no page tables, no virtual memory abstractions, just the real thing.

Why is this powerful? Because it lets you:

Peek at firmware data structures,
Poke device registers directly,
Explore memory layouts normally hidden from userspace.

It’s like being handed the keys to the kingdom… and also a grenade, with the pin halfway pulled.

A single careless write to /dev/mem can:

Crash the kernel,
Corrupt hardware state,
Or make your computer behave like a very expensive paperweight.

For me, that danger is exactly why this project matters. Testing /dev/mem itself is tricky: the tests must prove the driver works, without accidentally nuking the machine they run on.

`STRICT_DEVMEM` and Real-Mode Legacy

One of the first landmines you encounter with /dev/mem is the kernel configuration option STRICT_DEVMEM.

Think of it as a global policy switch:

If disabled, /dev/mem lets privileged userspace access almost any physical address: kernel RAM, device registers, firmware areas, you name it.
If enabled, the kernel filters which physical ranges are accessible through /dev/mem. Typically, it only permits access to low legacy regions, like the first megabyte of memory where real-mode BIOS and firmware tables traditionally live, while blocking everything else.

Why does this matter? Some very old software, like emulators for DOS or BIOS tools, still expects to peek and poke those legacy addresses as if running on bare metal. STRICT_DEVMEM exists so those programs can still work: but without giving them carte blanche access to all memory.

So when you’re testing /dev/mem, the presence (or absence) of STRICT_DEVMEM completely changes what your test can do. With it disabled, /dev/mem is a wild west. With it enabled, only a small, carefully whitelisted subset of memory is exposed.

A Quick Note on Architecture Differences

While /dev/mem always exposes what the kernel considers physical memory, the definition of physical itself can differ across architectures. For example, on x86, physical addresses are the real hardware addresses. On aarch64 with virtualization or secure firmware, EL1 may only see a subset of memory through a translated view, controlled by EL2 or EL3.

The main function that the STRICT_DEVMEM kernel configuration option provides in Linux is to filter and restrict access to physical memory addresses via /dev/mem. It controls which physical address ranges can be legitimately accessed from userspace by helping implement architecture-specific rules to prevent unsafe or insecure memory accesses.

32-Bit Systems and the Mystery of High Memory

On most systems, the kernel needs a direct way to access physical memory. To make that fast, it keeps a linear mapping: a simple, one-to-one correspondence between physical addresses and a range of kernel virtual addresses. If the kernel wants to read physical address 0x00100000, it just uses a fixed offset, like PAGE_OFFSET + 0x00100000. Easy and efficient.

But there’s a catch on 32-bit kernels: The kernel’s entire virtual address space is only 4 GB, and it has to share that with userspace. By convention, 3 GB is given to userspace, and 1 GB is reserved for the kernel, which includes its linear mapping.

Now here comes the tricky part: Physical RAM can easily exceed 1 GB. The kernel can’t linearly map all of it: there just isn’t enough virtual address space.

The extra memory beyond the first gigabyte is called highmem (short for high memory). Unlike the low 1 GB, which is always mapped, highmem pages are mapped temporarily, on demand, whenever the kernel needs them.

Why this matters for /dev/mem: /dev/mem depends on the permanent linear mapping to expose physical addresses. Highmem pages aren’t permanently mapped, so /dev/mem simply cannot see them. If you try to read those addresses, you’ll get zeros or an error, not because /dev/mem is broken, but because that part of memory is literally invisible to it.

For testing, this introduces extra complexity:

Some reads may succeed on lowmem addresses but fail on highmem.
Behavior on a 32-bit machine with highmem is fundamentally different from a 64-bit system, where all RAM is flat-mapped and visible.

Highmem is a deep topic that deserves its own article, but even this quick overview is enough to understand why it complicates /dev/mem testing.

How Reads and Writes Actually Happen

A common misconception is that a single userspace read() or write() call maps to one atomic access to the underlaying block device. In reality, the VFS layer and the device driver may split your request into multiple chunks, depending on alignment and boundaries, in this case.

Why does this happen?

Many devices can only handle fixed-size or aligned operations.
For physical memory, the natural unit is a page (commonly 4 KB).

When your request crosses a page boundary, the kernel internally slices it into:

A first piece up to the page boundary,
Several full pages,
A trailing partial page.

For /dev/mem, this is a crucial detail: A single read or write might look seamless from userspace, but under the hood it’s actually several smaller operations, each with its own state. If the driver mishandles even one of them, you could see skipped bytes, duplicated data, or mysterious corruption.

Understanding this behavior is key to writing meaningful tests.

Safely Reading and Writing Physical Memory

At this point, we know what /dev/mem is and why it’s both powerful and terrifying. Now we’ll move to the practical side: how to interact with it safely, without accidentally corrupting your machine or testing in meaningless ways.

My very first test implementation kept things simple:

Only small reads or writes,
Always staying within a single physical page,
Never crossing dangerous boundaries.

Even with these restrictions, /dev/mem testing turned out to be more like diffusing a bomb than flipping a switch.

Why “success” doesn’t mean success (in this very specific case)

Normally, when you call a syscall like read() or write(), you can safely assume the kernel did exactly what you asked. If read() returns a positive number, you trust that the data in your buffer matches the file’s contents. That’s the contract between userspace and the kernel, and it works beautifully in everyday programming.

But here’s the catch: We’re not just using /dev/mem; we’re testing whether /dev/mem itself works correctly.

This changes everything.

If my test reads from /dev/mem and fills a buffer with data, I can’t assume that data is correct:

Maybe the driver returned garbage,
Maybe it skipped a region or duplicated bytes,
Maybe it silently failed in the middle but still updated the counters.

The same goes for writes: A return code of “success” doesn’t guarantee the write went where it was supposed to, only that the driver finished running without errors.

So in this very specific context, “success” doesn’t mean success. I need independent ways to verify the result, because the thing I’m testing is the thing that would normally be trusted.

Finding safe places to test: `/proc/iomem`

Before even thinking about reading or writing physical memory, I need to answer one critical question:

“Which parts of physical memory are safe to touch?”

If I just pick a random address and start writing, I could:

Overwrite the kernel’s own code,
Corrupt a driver’s I/O-mapped memory,
Trash ACPI tables that the system kernel depends on,
Or bring the whole machine down in spectacular fashion.

This is where /proc/iomem comes to the rescue. It’s a text file that maps out how the physical address space is currently being used. Each line describes a range of physical addresses and what they’re assigned to.

Here’s a small example:

By parsing /proc/iomem, my test program can:

Identify which physical regions are safe to work with (like RAM already allocated to my process),
Avoid regions that are reserved for hardware or critical firmware,
Adapt dynamically to different machines and configurations.

This is especially important for multi-architecture support. While examples here often look like x86 (because /dev/mem has a long history there), the concept of mapping I/O regions isn’t x86-specific. On ARM, RISC-V, or others, you’ll see different labels… But the principle remains exactly the same.

In short: /proc/iomem is your treasure map, and the first rule of treasure hunting is “don’t blow up the ship while digging for gold.”

The Problem of Contiguous Physical Pages

Up to this point, my work focused on single-page operations. I wasn’t hand-picking physical addresses or trying to be clever about where memory came from. Instead, the process was simple and safe:

Allocate a buffer in userspace, using mmap() so it’s page-aligned,
Touch the page to make sure the kernel really backs it with physical memory,
Walk /proc/self/pagemap to trace which physical pages back the virtual address in the buffer.

This gives me full visibility into how my userspace memory maps to physical memory. Since the buffer was created through normal allocation, it’s mine to play with, there’s no risk of trampling over the kernel or other userspace processes.

This worked beautifully for basic tests:

Pick a single page in the buffer,
Run a tiny read/write cycle through /dev/mem,
Verify the result,
Nothing explodes.

But then came the next challenge: What if a read or write crosses a physical page boundary?

Why boundaries matter

The Linux VFS layer doesn’t treat a read or write syscall as one giant, indivisible action. Instead, it splits large operations into chunks, moving through pages one at a time.

For example:

I request 10 KB from /dev/mem,
The first 4 KB comes from physical page A,
The next 4 KB comes from physical page B,
The last 2 KB comes from physical page C.

If the driver mishandles the transition between pages, I’d never notice unless my test forces it to cross that boundary. It’s like testing a car by only driving in a straight line: Everything looks fine… Until you try to turn the wheel.

To properly test /dev/mem, I need a buffer backed by at least two physically contiguous pages. That way, a single read or write naturally crosses from one physical page into the next… exactly the kind of situation where subtle bugs might hide.

And that’s when the real nightmare began.

Why this is so difficult

At first, this seemed easy. I thought:

“How hard can it be? Just allocate a buffer big enough, like 128 KB, and somewhere inside it, there must be two contiguous physical pages.”

Ah, the sweet summer child optimism. The harsh truth: modern kernels actively work against this happening by accident. It’s not because the kernel hates me personally (though it sure felt like it). It’s because of its duty to prevent memory fragmentation.

When you call brk() or mmap(), the kernel:

Uses a buddy allocator to manage blocks of physical pages,
Actively spreads allocations apart to keep them tidy,
Reserves contiguous ranges for things like hugepages or DMA.

From the kernel’s point of view:

This keeps the system stable,
Prevents large allocations from failing later,
And generally makes life good for everyone.

From my point of view? It’s like trying to find two matching socks in a dryer while it is drying them.

Playing the allocation lottery

My first approach was simple: keep trying until luck strikes.

Allocate a 128 KB buffer,
Walk /proc/self/pagemap to see where all pages landed physically,
If no two contiguous pages are found, free it and try again.

Statistically, this should work eventually. In reality? After thousands of iterations, I’d still end up empty-handed. It felt like buying lottery tickets and never even winning a free one.

The kernel’s buddy allocator is very good at avoiding fragmentation. Two consecutive physical pages are far rarer than you’d think, and that’s by design.

Trying to confuse the allocator

Naturally, my next thought was:

“If the allocator is too clever, let’s mess with it!”

So I wrote a perturbation routine:

Allocate a pile of small blocks,
Touch them so they’re actually backed by physical pages,
Free them in random order to create “holes.”

The hope was to trick the allocator into giving me contiguous pages next time. The result? It sometimes worked, but unpredictably. 4k attempts gave me >80% success. Not reliable enough for a test suite where failures must mean a broken driver, not a grumpy kernel allocator.

The options I didn’t want

There are sure-fire ways to get contiguous pages:

Writing a kernel module and calling alloc_pages().
Using hugepages.
Configuring CMA regions at boot.

But all of these require special setup or kernel cooperation. My goal was a pure userspace test, so they were off the table.

A new perspective: software MMU

Finally, I relaxed my original requirement. Instead of demanding two pages that are both physically and virtually contiguous, I only needed them to be physically contiguous somewhere in the buffer.

From there, I could build a tiny software MMU:

Find a contiguous physical pair using /proc/self/pagemap,
Expose them through a simple linear interface,
Run the test as if they were virtually contiguous.

This doesn’t eliminate the challenge, but it makes it practical. No kernel hacks, no special boot setup, just a bit of clever user-space logic.

From Theory to Test Code

All this theory eventually turned into a real test tool, because staring at /proc/self/pagemap is fun… but only for a while. The test lives here:

github.com/alessandrocarminati/devmem_test

It’s currently packaged as a Buildroot module, which makes it easy to run on different kernels and architectures without messing up your main system. The long-term goal is to integrate it into the kernel’s selftests framework, so these checks can run as part of the regular Linux testing pipeline. For now, it’s a standalone sandbox where you can:

Experiment with /dev/mem safely (on a test machine!),
Play with /proc/self/pagemap and see how virtual pages map to physical memory,
Try out the software MMU idea without needing kernel modifications.

And expect it still work in progress.

From Munich: A Suspicious Idea

From Hypothesis to Observation

The Tool (a.k.a. “Let’s Peek at PFNs”)

Small Technical Box: /proc/kpageflags

First Results: “This Looks… Too Clean”

What We Learned (a.k.a. “The Plot Thickens”)

Huge Pages Were Hiding Reality

Slab Pages Don’t Like Attention

The System Was Too Clean

Forcing Reality (a.k.a. “Adding Some Chaos”)

The Key Result

Looking Closer (a.k.a. “What Exactly Is Sitting at the Edge?”)

Teaching the Tool Some Slab Archaeology

A Typical Result

Turning Logs into Pictures

From “Interesting Layout” to “Well… That Escalated Quickly”

The Victim (a.k.a. “The Simplest Program We Could Get Away With”)

Was it that simple?

“But Surely Read-Only Memory Is Safe?”

The Grand Finale

From Layout Curiosity to Concrete Effect

Why This Matters

Bigger Picture

Final Thought

ELISA at Embedded World 2026

Meet the ELISA Community

Let’s Connect

What Is the ELISA Glossary?

Why the Glossary?

Explore the ELISA Glossary

Continuing the Work

What ELISA Is Working On

ELISA at FOSDEM 2026

Session Highlight:

BOF/Unconference

Join the Conversation at FOSDEM

Why I Went Down This Rabbit Hole

What /dev/mem Is and Why It Matters

STRICT_DEVMEM and Real-Mode Legacy

A Quick Note on Architecture Differences

32-Bit Systems and the Mystery of High Memory

How Reads and Writes Actually Happen

Safely Reading and Writing Physical Memory

Why “success” doesn’t mean success (in this very specific case)

Finding safe places to test: /proc/iomem

The Problem of Contiguous Physical Pages

Why boundaries matter

Why this is so difficult

Playing the allocation lottery

Trying to confuse the allocator

The options I didn’t want

A new perspective: software MMU

From Theory to Test Code

What `/dev/mem` Is and Why It Matters

`STRICT_DEVMEM` and Real-Mode Legacy

Finding safe places to test: `/proc/iomem`