Blog – ELISA

Nov 13

Robotics and Space Grade Linux at ROSCon 2025 Singapore

By rroche Blog, Industry Conference, Space Grade Linux

The Space Grade Linux (SGL) team participated in ROSCon 2025, held in Singapore from October 27-29, to engage directly with the global robotics community and strengthen collaboration across open-source robotics and space technology. The event brought together more than 1,000 attendees from research institutions, industry, and open source projects, representing one of the most diverse and active developer ecosystems in robotics today.

ROSCon serves as the primary annual conference for the Robot Operating System (ROS) ecosystem. ROS is an open-source middleware framework that powers a wide range of robotics platforms, from industrial manipulators and autonomous vehicles to aerial and space systems. It is hosted by the Open Source Robotics Alliance (OSRA), an independent non-profit organization that supports the growth, governance, and long-term sustainability of the ROS ecosystem. ROSCon provides a space for developers, researchers, and organizations to collaborate, share experiences, and learn about the latest advances in robotics software.

The Space Grade Linux (SGL) initiative, launched in December 2024, is hosted under the Enabling Linux in Safety Applications (ELISA) project, an open collaboration within the Linux Foundation. ELISA’s mission is to help industries build Linux-based systems for use in safety-critical domains such as automotive, medical, industrial, aerospace, and now space. By providing a forum for companies and research groups to define safety frameworks, develop tooling, and share best practices, ELISA enables projects like Space Grade Linux to leverage the strengths of open-source development while meeting the rigorous requirements of mission-critical environments. Through this collaboration, the SGL community benefits from ELISA’s established processes for safety analysis, continuous integration testing, and compliance documentation, creating a strong foundation for future space-ready Linux systems.

Space Grade Linux brings together experts from aerospace, robotics, and embedded Linux to create an open, safety-focused operating system platform for space applications. The project aims to make Linux reliable and predictable in environments where failure is not an option, while remaining fully open and collaborative. The initiative serves as a bridge between the robotics and space communities, where shared principles such as real-time performance, autonomy, and open collaboration are essential.

This year’s conference featured the first live hardware demonstration of a Microchip-based implementation of Space Grade Linux running Space ROS, presented by Rob Woolley (Wind River). The demo highlighted how the same open technologies that enable robust automotive and industrial systems are now being adapted for the extreme reliability and determinism required in space applications.

Ramón Roche, SGL group lead, delivered a Lightning Talk inviting developers working in space and robotics to join the SGL community’s monthly meetings. He emphasized the importance of collaboration across domains, encouraging experts from aerospace, automotive, and embedded Linux to work together toward a unified ecosystem for open and certifiable space software.

In his technical session, Rob Woolley gave an in-depth presentation on OpenEmbedded and its role as the build foundation for both Automotive Grade Linux and Space Grade Linux. His talk outlined the ongoing integration work between Space ROS and SGL, and discussed plans to establish Space Grade Linux as a standalone foundation project under the Linux Foundation umbrella.

The event provided valuable opportunities for in-person discussions between developers, researchers, and maintainers working at the intersection of ROS, Linux, and aerospace systems. The SGL team will continue collaborating with the ROS and Space ROS communities to advance open standards, reliability, and interoperability in mission-critical robotics.

Resources

Nov 11

ELISA Project - Open Source Summit: Tokyo, Japan 2025

ELISA Project at Open Source Summit: Tokyo, Japan 2025

By elisaproject Ambassadors, Blog, Critical Software Summit, Safety-Critical Software Summit

Open Source Summit is the place to connect directly with the people shaping open source – maintainers, developers, and community leaders, while learning from their experience and insights. It’s an opportunity to discover emerging technologies, explore practical solutions you can apply immediately, and collaborate on ideas and code that drive projects forward. Whether you’re looking to grow your skills, expand your network, or advance your career, the summit offers a unique environment to learn, contribute, and be part of the momentum powering the future of open source.

ELISA project will be represented by our community members at the Safety Critical Track.

This track explores the intersection of open source and safety standards, covering best practices for regulatory compliance, security updates, and safety engineering. Sessions will delve into requirements traceability, quality assessments, safety analysis methodologies, and technical development for safety-critical systems. Learn more.

Track Highlights:

1. A Human-Centric Quality Assurance Process for Open Source Software Projects – Wendi Urribarri & Carlos Ramirez, Woven by Toyota – Wednesday December 10, 2025 11:10 – 11:50 JST

As autonomous systems become part of our daily environments, ensuring software quality is critical, especially when defects can cause physical harm. In safety-critical domains like automotive, functional safety must be supported by development processes that ensure high quality and reliability, not only for embedded systems but also, in some cases, for software tools.

This talk presents an approach to support quality assurance of open source software projects. What sets this effort apart is the proposed integration of a human-centric quality strategy, rooted in human-error research informed by cognitive psychology and human factors, in the development process of these projects. We introduce a defect prediction engine designed to anticipate common error modes, enabling proactive defect prevention, focused code reviews, and targeted documentation checks. Our approach offers a fresh perspective on improving software quality across domains while aligning with the expectations of safety-critical frameworks.

2. Comparison and Proposal of Vulnerability Management Approaches in Yocto-Based Linux for the CRA – Akihiko Takahashi, Fujitsu Limited – Wednesday December 10, 2025 12:00 – 12:40 JST

Fujitsu has long provided multilateral support for SPDX, especially through activities in Yocto and SPDX. From 2016, we have been joining maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. In 2024, We joined OpenSSF to enhance the security and trustworthiness of the global software supply chain. This marked a step forward in our continued dedication to this mission.

Due to the EU CRA, manufacturers in the EU will be obligated to report vulnerabilities starting in September 2026. In the context of Yocto, several vulnerability management approaches are being considered, such as cve-check, yocto-vex-check, and third-party tools. However, as of now, there is no clearly established best practice.
In this session, we will apply these vulnerability management approaches to practical use cases relevant to manufacturers covered by the CRA. The comparison includes the use of SBOMs and VEX to evaluate the effectiveness of each method. Through this analysis, we will clarify the strengths and challenges of vulnerability management in Yocto-based Linux and propose which approach is most suitable depending on the context.

3. Driving Safety Forward: Lessons Learned From Deploying OSS in Real-world Automotive – Jaylin Yu, EMQ – Wednesday December 10, 2025 14:00 – 14:40 JST

While OSS in Automotive is seen as the holy grail to solve SDV complexity challenges with faster time to market and higher performance, it still lacks practical real-world examples and showcases that address OSS usage in compliance with the stringent safety and security demands of Automotive.
In this talk, the author shares his real-world story of bringing OSS into mass production vehicles. This includes the impact of a healthy open-source community and how academic research helped solve security gaps, leading to increased system stability. This also embraces the impact of the software supply chain, providing a proven approach, refined through failures, helping to lower dependency risk for MQTT-based remote vehicle diagnostics.
The session is rounded out by highlighting the link between system utilities and safety functions, covering time synchronization, dependency management, and data integrity within a Linux system, which impact the selection of a file system, and what happens when a customer suddenly requires STR.
The audience will leave the session with a holistic impression of what to consider when creating a secure, safe, OSS-based SDV automotive system.

4. Decoding Safe(ty) Linux Architectural Approaches for Critical Systems – Philipp Ahmann, Etas GmbH – Wednesday December 10, 2025 14:50 – 15:30 JST

For years, diverse interpretations about what it means to “enable Linux in safety applications” exist – an observation spanning multiple industries but particularly pronounced in automotive. With its long history of Linux adoption (like AGL) and current software-defined vehicle (SDV) innovation challenges, the automotive sector is undergoing a transition by both manufacturers and suppliers seeking to implement Linux also in safety critical production systems.

This presentation intends to resolve confusion around the terminology “safety Linux” versus “safe Linux”, clarifying where safety responsibility is allocated to Linux itself versus handled at the system level. By examining architectural system concepts currently implemented in products or under development, the author cuts through marketing rhetoric to provide clear distinctions between approaches. It showcases solutions employed by distributors and identifies crucial elements for safety argumentation like watchdog & monitoring.

Attendees will gain practical insights for evaluating safety approaches in Linux-based systems, including key questions to ask when assessing different safety concepts.

5. LF Energy 101: How Open Source Is Powering the Digital Energy Transition – Darshan Chawda & Nao Nishijima, Hitachi -Wednesday December 10, 2025 16:40 – 17:20 JST

The current energy sector must shift from legacy control systems, which are rigid and hardware-bound, to digital, software-defined systems that enable greater sustainability, resilience, and intelligence. To support this transformation, LF Energy, a Linux Foundation initiative, has empowered industrial partners for over seven years to collaborate through community-driven OSS projects, accelerating innovation across the digital energy ecosystem.

This talk offers a beginner-friendly introduction to LF Energy and its key projects, with a demo highlighting their role in virtualizing substations, forecasting energy, and simplifying operations through automation. These projects show how IT and AI technologies enhance grid safety, which is critical because failures in energy systems can disrupt public infrastructure. However, unlike pure IT systems, energy infrastructure relies heavily on physical hardware, making large-scale digital adoption more complex. LF Energy’s open innovation model, focused on IT/OT convergence, helps overcome these barriers by enabling redundancy, virtualization, and collaborative development, which leads to a more reliable and intelligent energy future.

Learn more about the event and register here.

Nov 06

ELISA seminar recap : Introduction to Requirements Engineering – Pete Brink, UL Solutions

By elisaproject Blog, Seminar Series

Pete Brink from UL Solutions led an ELISA seminar on the basics of requirements engineering. He explained why teams write requirements, how to know when you are “done,” and how safety-critical work raises the bar. Requirements describe what a system must do and how well it must do it, not how to implement it. They can be functional (including safety and security behavior) or non-functional (performance, resource, thermal, mechanical, usability, and similar constraints). Pete stressed an iterative process: elicit from stakeholders, analyze and validate, write the spec, verify requirement quality, and then do architecture, design, coding, and testing. Testing spans unit, component, integration, and acceptance to prove the requirements were fulfilled. He noted that language is imprecise, so clarity, atomicity, unique IDs, status, allocation, and traceability are essential. Text can be supported with diagrams and models (semi-formal); full formal notation is used rarely. Tooling in practice often includes markdown in GitHub; community tools like StrictDoc and others are emerging, but traceability remains hard.

Pete showed weak vs. improved requirements, fixing ambiguity like “regular intervals” and splitting “and/should” into separate, testable statements with precise timing and tolerances. He introduced EARS (Easy Approach to Requirements Syntax) to give simple, consistent sentence patterns, including ubiquitous, event-driven, state-driven, and optional-feature forms (useful for things like debug vs. release or hardware variants). Detail should match criticality: too little raises risk; too much raises cost. Open source adds challenges because code often exists first; teams may derive requirements from observed behavior or refactor to align with clearer, testable specs. In Q&A, attendees discussed automotive vs. aerospace use of formal methods, handling hardware variants and build types, and authoring options like LaTeX and Sphinx.

The core message: write clear, atomic, testable requirements, keep them implementation-free, manage them with discipline, and iterate whenever design and testing reveal issues.

ELISA Project Seminar Series focuses on hot topics related to ELISA’s mission to define and maintain a common set of elements, processes and tools that can be incorporated into Linux-based, safety-critical systems amenable to safety certification. Speakers are members, contributors and thought leaders from the ELISA Project and surrounding communities. Each seminar comprises a 45-minute presentation and a 15-minute Q&A, and it’s free to attend.

Watch the previous Seminar series here.

Oct 22

ELISA project at the OSS Europe 2025 - Blog 4

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 4

By elisaproject Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

The ELISA Project participated in Open Source Summit Europe 2025 (August 25–27, Amsterdam), the premier gathering for open source developers, technologists, and community leaders. With over 2,000 attendees representing 900+ organizations, the event showcased the strength, diversity, and innovation of the ecosystem.

For ELISA (Enabling Linux in Safety Applications), the summit was an invaluable opportunity to engage with developers, architects, and functional safety experts working at the intersection of Linux and safety-critical systems. ELISA was featured prominently in the Safety-Critical Software Summit, where sessions explored topics such as kernel safety, automotive innovation, and compliance and trust in regulated environments.

Sessions covered a wide range of important topics, including kernel safety (identifying weaknesses, fault propagation, and Linux as a safety element out of context), automotive innovation (safe platforms, prototyping frameworks, and software-defined vehicles), and compliance and trust (continuous compliance, traceability, and statistical methods in safety analysis). These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

This week we highlight two talks from the Safety Critical Summit session:

Shifting Safety Techniques To a Statistical World – Imanol Allende & Nicholas Mc Guire

As safety-critical systems grow ever more complex, the traditional deterministic mindset that has long guided safety engineering is reaching its limits. In their Open Source Summit Europe 2025 talk, “Shifting Safety Techniques to a Statistical World,” Imanol Allende (Codethink) and Nicholas Mc Guire (OpenTech) challenge conventional assumptions about how we design and assure safety in modern systems.

Today’s high-performance, interconnected platforms from autonomous vehicles to adaptive software systems exhibit inherent non-determinism. Their behavior cannot always be broken down and analyzed piece by piece, as Descartes’ reductionist approach once suggested. Instead, these systems display emergent properties that arise from complex interactions, requiring a more holistic lens.

Imanol and Nicholas argue that the next evolution in safety engineering lies in statistical system analysis. Approaches such as Probabilistic Worst Case Execution Time (pWCET) and Statistical Path Coverage offer promising ways to quantify and manage uncertainty in highly dynamic environments. These methods shift assurance from absolute determinism toward probabilistic confidence, reflecting the true behavior of modern computing platforms.

The talk outlines both the limitations of traditional safety techniques and the opportunities of statistical methods, emphasizing what will be needed methodologically, technically, and culturally for such approaches to gain acceptance within the functional safety domain.

In conclusion, this session invites the safety community to embrace uncertainty not as a flaw, but as a measurable feature of complex systems and to evolve its tools and thinking accordingly.

Engineering Trust: Formulating Continuous Compliance for Open Source – Paul Albertella & Kaspar Matas, Codethink

In this session, “Engineering Trust: Formulating Continuous Compliance for Open Source,” Paul Albertella and Kaspar Matas (Codethink) argue that software requirements, as commonly practiced, are broken. High-level requirements often collapse into feature wish lists; low-level requirements drift into after-the-fact narratives. Formal process models tend to treat the dynamism of FOSS as a defect—yet that very fluidity is a core strength and the result is that project intent and expectations get lost in the noise.

Enter the Eclipse Trustable Software Framework (TSF): a lightweight, continuous compliance framework built by and for open source. TSF lets projects organize and evidence their own objectives not only those imposed by standards while remaining workflow-agnostic and requiring only git. By managing objectives, reasoning, and artifacts alongside code, TSF closes the gap between paper processes and real engineering practice.

TSF’s distinctive outcome is an automated, transparent, traceable body of evidence quantified by a confidence score. That score helps teams decide where to focus next and gives consumers a concrete way to evaluate their trust in the software. Evidence can reference code, tests, results, and validators; hashes and links keep the graph consistent as projects evolve and CI runs.

The talk walks through TSF’s model and usage, then shows how its statements, evidence, and objectives can be mapped to functional safety standards (e.g., IEC 61508 or ISO 26262) to support certification and ongoing assessment. The message is pragmatic: keep the agility of open source, but capture intent and proof continuously so compliance becomes a living activity, not a one-off paperwork sprint.

MISRA C and C++ in OSS: Yes, We Can! – Roberto Bagnara, BUGSENG / University of Parma

In his presentation, “MISRA C and C++ in OSS: Yes, We Can!”, Roberto Bagnara (BUGSENG / University of Parma) challenged a long-standing assumption: that safety- and security-critical software written in C or C++ is fundamentally incompatible with open source development.

C and C++ have powered decades of system software efficient, portable, and close to the hardware but their origins in the 1970s also carry forward deep weaknesses. Undefined and unspecified behaviors, lack of runtime checks, and a “trust the programmer” philosophy make them risky foundations for modern critical systems. When open source software becomes part of automotive, aerospace, or industrial platforms, these risks demand a structured mitigation and that’s where MISRA C and MISRA C++ come in.

MISRA defines safe subsets of C and C++, guiding developers away from dangerous constructs and toward predictable, reviewable code. These rules are not about finding bugs, but about preventing entire classes of failures by design. Mandatory rules prevent undefined behavior; advisory rules promote clarity and verifiability. Importantly, deviations are allowed if they are justified, documented, and demonstrably safe.

Roberto highlighted real-world experience applying MISRA to major open source projects such as Xen, Zephyr, and Trusted Firmware, where compliance was achieved through a combination of training, tailoring, and tooling the “three T’s.” His team’s static analysis tool ECLAIR integrates MISRA checking into continuous integration, helping projects track compliance as they evolve.

The results are encouraging: projects once reporting millions of rule violations now maintain near-complete compliance, with violations justified or eliminated and regressions automatically detected.

The key insight: safety and openness are not mutually exclusive. With collaboration, tailored guidelines, and the right tools, even complex open source ecosystems can move toward MISRA-aligned development building a foundation of trustable, verifiable software for the systems that matter most.

What’s Next?

Together, these perspectives point to a pragmatic future: combine statistical assurance, continuous evidence, and disciplined coding subsets to make safety an ongoing, collaborative property of open source.

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Oct 09

ELISA project recap blog from the Open Source Summit - Part 3

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 3

By elisaproject Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

This week we highlight two talks from the Safety Critical Summit session:

Insights Into the Safe Open Source Vehicle Core Project for SDV – Philipp Ahmann, Etas GmbH (BOSCH)

The Safe Open Source Vehicle Core (S-Core) project, presented by Philipp Ahmann of ETAS (Bosch), is a collaborative, code-first effort to build a safety-certifiable middleware stack for software-defined vehicles (SDVs). Targeting the layers above the operating system, S-Core complements ELISA’s work and aims for ISO 26262, ASPICE, and ISO 21434 compliance. It supports POSIX-based systems like Automotive Grade Linux and Zephyr, is developed in C++ and Rust, and offers a VS Code-based dev environment with containerized builds.

Using a docs-as-code workflow with Sphinx, PlantUML, and Bazel, S-Core tightly links documentation, code, and testing through automated CI. Modules such as IPC, logging, and data persistence are under active development, with contributions from 70+ developers across 10+ companies.

Following a V-model safety process, S-Core builds in traceability, audits, and ASIL-B-level rigor, while distributors will handle final certification and integration. With a 0.5 release planned for late 2025 and 1.0 in 2026, the project is establishing a shared, open, and certifiable foundation for the next generation of safety-critical automotive software.

AutoSD: A Linux Development and Prototyping Framework for the Automotive Community – Alessandro Carminati & Gabriele Paoloni, Red Hat

AutoSD presented by Alessandro Carminati and Gabriele Paoloni (Red Hat) is an upstream, community-driven Linux distribution for automotive, backed by the CentOS Automotive SIG and serving as a public preview of Red Hat’s in-vehicle OS. Built on CentOS Stream, AutoSD adds automotive essentials: a real-time tuned Linux kernel, OSTree for transactional, rollback-safe updates, and containerized mixed-criticality so safety functions can run alongside infotainment without interference. A docs-as-code + CI approach keeps code, tests, and documentation aligned; images are declaratively built (YAML) via the Automotive Image Builder/OSBuild toolchain, and shipped as a binary distro for fast, reproducible onboarding.

A major focus is hardware enablement without the usual pain. If a SoC/board is already supported, you can boot prebuilt images and prototypes immediately. If drivers are upstream, contributors can add and maintain support in AutoSD under an upstream-first policy. For newly supported silicon, teams can evaluate quickly using a vendor BSP (“Frankenbuild”) but are encouraged to move to out-of-tree modules built against AutoSD’s stable kernel ABI for a maintainable, near-production path while upstreaming progresses.

Safety is treated as architecture, not afterthought: namespaces/cgroups isolate workloads, containers enforce domain boundaries, the kernel is real-time tuned, and intensive stress/fuzz testing (e.g., syzkaller + KASan) underpins freedom-from-interference claims. In Red Hat’s commercial in-vehicle OS, the same model maps to ASIL-B safety partitions (with a hardware watchdog and hardware-specific certification), while AutoSD remains the open, rapid-prototyping lane. Tightly aligned with communities like ELISA and Eclipse SDV, AutoSD offers a reference framework the industry can actually build on: contribute patches, enable new SoCs, propose features, and help shape a secure, updatable, and certifiable Linux base for software-defined vehicles.

What’s Next?

If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Oct 07

ELISA project at Open Source Summit Europe 2025

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 2

By elisaproject Blog, Critical Software Summit, Safety-Critical Software Summit

This week we highlight two talks from the Safety Critical Summit session:

BASIL – What’s New, What’s Next – Luigi Pellecchia, Red Hat

At the Open Source Summit Amsterdam, during the Safety-Critical track, Luigi Pellecchia, Principal Software Quality Engineer at Red Hat and member of the ELISA Technical Steering Committee, presented the session “BASIL – What’s New, What’s Next.” BASIL is an open source tool designed to build and maintain requirements traceability for safety-critical systems in a collaborative environment. It helps engineers link requirements, test specifications, test cases, justifications, and documents into a unified traceability matrix. The tool features a web interface, a REST API for automation, and supports test execution through both built-in and external infrastructures. It also tracks all changes, manages users with fine-grained permissions, and exports full SPDX-based design SBOMs, ensuring complete traceability from design to verification.

Recent developments in BASIL include support for SPDX traceability export, import of requirements in multiple formats (CSV, JSON, YAML, StrictDoc, SPDX), and the ability to scan and import test repositories using TMT (Test Management Tool). The system now offers enhanced user management, allowing admins to clone permission sets, configure email servers for password resets, and simplify collaboration on shared components. New integrations include LAVA, enabling users to list, map, and trigger test runs from external infrastructures like GitLab CI, GitHub Actions, KernelCI, and Testing Farm. BASIL also introduces AI-assisted authoring, where large language models help draft test specifications and cases directly from selected document sections. Additional improvements include re-enabled end-to-end and API testing, broader browser compatibility, and better usability in shared environments.

In his demo, Luigi showcased how BASIL lets users select a reference document, break it into sections, and map traceable items on top. The system visualizes coverage and gaps, links tests to requirements, and executes or imports test results seamlessly. It can generate a design SBOM capturing the full traceability structure useful for ISO 26262 and similar compliance audits.

Looking ahead, the roadmap includes hierarchical document mapping, multi-reference document support, and baseline snapshots for point-in-time reviews. The team plans to migrate to PostgreSQL for scalability, improve file and folder management, enhance LAVA plugin templates, and align with the SPDX Safety Profile 3.1 specification. A PDF export option for assessors is also under consideration.

BASIL continues to evolve as a cornerstone in open source safety-critical development bringing together transparency, automation, and compliance readiness.

From Chaos to Control: Overcoming C and C++’s Inherent Unsafety – Assaf Tzur-El, Simple. Technology

In this talk, Assaf Tzur-El argues that the languages’ twin hazards are unsafety (buffer overflows, lifetime misuse, races) and unpredictability (undefined/unspecified/implementation-defined behavior). A “simple” line can become a CVE; a runtime divide-by-zero may legally do anything; evaluation order of f(a(), b(), c()) can change between calls; even fundamentals like sizeof(long) and char signedness vary. Calls to “just use Rust” collide with reality: massive legacy codebases, entrenched toolchains, domain constraints (real-time, performance, low-level access), and developer expertise mean wholesale migration isn’t practical.

The pragmatic path is discipline + enforcement. Discipline comes from structured guidelines MISRA C / MISRA C++ which codify dos and don’ts across categories (mandatory/required/advisory), with ~80% decidable by tools. Enforcement comes from wiring those rules into your pipeline: static analysis (e.g., clang-tidy/Sonar/Klocwork), -Wall -Werror, and CI gating.

Assaf illustrates how MISRA’s seemingly vague rules (e.g., “switch shall be appropriately structured”) unpack into precise checks (always have default), and how apparent collisions (e.g., “no unreachable code”) resolve once you read the rationale. Around that core, adopt defensive programming (“trust no input”), Secure-by-Design practices, and standards awareness (ISO 26262 et al.) to make failures rarer and more predictable when they do happen.

What’s Next?

The Safety-Critical track showed how open source is moving from complexity to control. BASIL is helping teams build clear, verifiable links between requirements, tests, and results bringing real traceability to safety-critical development. At the same time, Assaf Tzur-El reminded us that while C and C++ aren’t going away, we can make them safer through guidelines like MISRA, static analysis, and a defensive coding mindset.

Together, these talks highlight a shared goal: making open source software more reliable and trustworthy for safety-critical use. Stay tuned for more session highlights, and consider joining ELISA working groups to help advance safe, open software for all.

Sep 24

Key Takeaways from the Safety Critical Track at Open Source Summit Europe 2025 – 1

By elisaproject Blog, Critical Software Summit, Industry Conference, Linux Foundation, Safety-Critical Software Summit

This week we highlight two talks from the Safety Critical Summit session:

Looking at Linux as a SEooC – Kate Stewart, The Linux Foundation; Nicole Pappler, AlektoMetis & Chuck Wolber, The Boeing Company

Linux is increasingly deployed in safety-critical systems as a Safety Element out of Context (SEooC), yet its scale and rapid evolution, thousands of contributors and near-continuous upstream change pose unique assurance challenges. This talk explains what SEooC means in practice, why it should be understood as a “safety element with assumed context,” and the implications for integrators: a SEooC is not plug-and-play. System developers remain responsible for confirming compatibility, reviewing the safety manual and assumptions of use, ensuring traceability to their own requirements, configuring the element correctly, and validating it within their specific hazard and timing constraints. We frame the work through design assurance hazard identification, design mitigation via requirements-based engineering, and implementation assurance highlighting current gaps between kernel behavior and requirements-derived tests.

The session outlines community efforts to close those gaps: defining low-level Linux kernel requirements with maintainer sign-off; advancing coverage (statement, decision, MC/DC) using LLVM-based kernel coverage and object-code mapping; and packaging evidence with an SPDX functional-safety profile. Speakers also address non-determinism (focusing on deterministic outcomes, minimal configurations) and introduce knaf for call-tree analysis from specific entry points.

Overall, these efforts show how scaling requirements, testing, and coverage within open collaboration can yield reusable evidence, strengthen kernel reliability, and align with a substantial portion of DO-178C DAL A objectives across industries.

Identifying Safety Weaknesses and Fault Propagation in the Linux Kernel – Igor Stoppa, NVIDIA

With growing interest in using Linux in safety-critical domains such as automotive, traditional functional safety practices need to be applied to an open source environment. One such practice is fault injection, where failures are deliberately introduced to study how the system reacts.

This talk by Igor Stoppa, NVIDIA, introduced a tool and methodology for injecting controlled faults into Linux kernel data structures. The goal is to uncover subtle forms of degradation that may not trigger a crash but can compromise safety goals, such as delayed system responses. By running repeatable experiments, the approach makes it possible to check whether safety mechanisms detect and report problems consistently and within required timing constraints.

The work highlights both the challenges of applying safety analysis to a large, fast-moving project like the Linux kernel and the opportunities to integrate such testing into the regular release process. Over time, this could provide valuable data on fault propagation, improve kernel reliability, and strengthen Linux’s role in safety-critical applications.

What’s Next?

The Safety-Critical Software track at Open Source Summit Europe 2025 highlighted the important progress being made toward making Linux a reliable choice in regulated and safety-sensitive domains. From exploring Linux as a Safety Element out of Context to fault injection techniques that expose hidden weaknesses, these discussions show how the community is tackling complex challenges with rigor and collaboration.

To learn more, be sure to check our upcoming blogs where we will cover more sessions from the track. If you are interested in shaping this work, we invite you to join ELISA working groups and contribute to advancing safety practices in open source together.

Sep 17

Recap Blog: ELISA Project at Open Source Summit Europe 2025

By sremmert Blog, Critical Software Summit, Industry Conference, Safety-Critical Software Summit

The ELISA Project was proud to participate in Open Source Summit Europe 2025, held August 25-27 in Amsterdam, Netherlands. As the premier gathering for open source developers, technologists, and community leaders, this year’s event once again showcased the strength, diversity, and innovation of the open source ecosystem.

For ELISA (Enabling Linux in Safety Applications), it was an incredible opportunity to connect with developers, architects, functional safety experts, and contributors working at the intersection of Linux and safety-critical systems.

ELISA Project community photo taken at the Open Source Summit Europe 2025

ELISA Booth Highlights

As a Bronze Sponsor, ELISA hosted Booth #29, where attendees learned about safety-critical software and Linux.

Visitors stopped by to:

Learn more about ELISA’s mission and latest progress.
Explore tools, processes, and working group initiatives.
Connect with project members, contributors, and users.

The booth was buzzing throughout the summit, and it was inspiring to see interest from developers across automotive, industrial, medical, and other safety-focused domains.

ELISA in the Safety-Critical Software Summit

ELISA was also featured in the Safety-Critical Software Summit, a focused track within Open Source Summit Europe dedicated to exploring how open source and safety standards intersect. Watch the sessions here.

Sessions covered a wide range of important topics, including:

Kernel safety – identifying weaknesses, fault propagation, and ways Linux can evolve as a safety element out of context (SEooC).
Automotive innovation – exploring safe software platforms, prototyping frameworks, and open source initiatives for software-defined vehicles.
Compliance and trust – practical approaches to continuous compliance, traceability, and the use of statistical methods in safety analysis.

These talks reflected the growing maturity of the ecosystem and highlighted the shared challenges the community is tackling from technical methodologies to regulatory alignment.

Key Takeaways

There is strong and growing interest in applying Linux to safety-critical domains, from automotive to medical and industrial applications.
Progress in tools, methodologies, and compliance frameworks is enabling broader adoption of open source in regulated environments.
Collaboration between industry, academia, and the open source community is essential to tackling safety challenges at scale.
The ELISA community continues to expand, fueled by conversations and new contributors who engaged with us in Amsterdam.

Join the ELISA Community

We want to thank everyone who visited us at Booth #29, attended our sessions, and engaged with the ELISA Project at Open Source Summit Europe 2025.

Your questions, feedback, and contributions help shape the future of open source in Linux in safety-critical applications.

If you didn’t get a chance to connect in Amsterdam, it’s not too late!

Learn more about ELISA’s mission and working groups.
Get involved in the community.
Stay tuned for upcoming events and opportunities to collaborate.

👋 Thank You, Amsterdam!

From booth conversations to technical discussions, ELISA’s presence at Open Source Summit Europe 2025 was a success thanks to the open source community. We look forward to building on this momentum and continuing the conversation about safety-critical open source systems.

Until next time – see you at the next event!

Sep 08

When Kernel Comments Get Weird: The Tale of `drivers/char/mem.c`

By elisaproject Ambassadors, Blog, Working Group

This blog is written by Alessandro Carminati, Principal Software Engineer at Red Hat and lead for the ELISA Project’s Linux Features for Safety-Critical Systems (LFSCS) WG.

As part of the ELISA community, we spend a good chunk of our time spelunking through the Linux kernel codebase. It’s like code archeology: you don’t always find treasure, but you _do_ find lots of comments left behind by developers from the ’90s that make you go, “Wait… really?”

One of the ideas we’ve been chasing is to make kernel comments a bit smarter: not only human-readable, but also machine-readable. Imagine comments that could be turned into tests, so they’re always checked against reality. Less “code poetry from 1993”, more “living documentation”.

Speaking of code poetry, [here] one gem we stumbled across in `mem.c`:

```
/* The memory devices use the full 32/64 bits of the offset,
 * and so we cannot check against negative addresses: they are ok.
 * The return value is weird, though, in that case (0).
 */
 ```

This beauty has been hanging around since **Linux 0.99.14**… back when Bill Clinton was still president-elect, “Mosaic” was the hot new browser,
and PDP-11 was still produced and sold.

Back then, it made sense, and reflected exactley what the code did.

Fast-forward thirty years, and the comment still kind of applies…
but mostly in obscure corners of the architecture zoo.
On the CPUs people actually use every day?

```
$ cat lseek.asm
BITS 64

%define SYS_read    0
%define SYS_write   1
%define SYS_open    2
%define SYS_lseek   8
%define SYS_exit   60

; flags
%define O_RDONLY    0
%define SEEK_SET    0

section .data
    path:    db "/dev/mem",0
section .bss
    align 8
    buf:     resq 1

section .text
global _start
_start:
    mov     rax, SYS_open
    lea     rdi, [rel path]
    xor     esi, esi
    xor     edx, edx
    syscall
    mov     r12, rax        ; save fd in r12

    mov     rax, SYS_lseek
    mov     rdi, r12
    mov     rsi, 0x8000000000000001
    xor     edx, edx
    syscall

    mov     [rel buf], rax

    mov     rax, SYS_write
    mov     edi, 1
    lea     rsi, [rel buf]
    mov     edx, 8
    syscall

    mov     rax, SYS_exit
    xor     edi, edi
    syscall
$ nasm -f elf64 lseek.asm -o lseek.o
$ ld lseek.o -o lseek
$ sudo ./lseek| hexdump -C
00000000  01 00 00 00 00 00 00 80                           |........|
00000008
$ # this is not what I expect, let's double check
$ sudo gdb ./lseek
GNU gdb (Fedora Linux) 16.3-1.fc42
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lseek...
(No debugging symbols found in ./lseek)
(gdb) b _start
Breakpoint 1 at 0x4000b0
(gdb) r
Starting program: /tmp/lseek

Breakpoint 1, 0x00000000004000b0 in _start ()
(gdb) x/30i $pc
=> 0x4000b0 <_start>:   mov    $0x2,%eax
   0x4000b5 <_start+5>: lea    0xf44(%rip),%rdi        # 0x401000
   0x4000bc <_start+12>:        xor    %esi,%esi
   0x4000be <_start+14>:        xor    %edx,%edx
   0x4000c0 <_start+16>:        syscall
   0x4000c2 <_start+18>:        mov    %rax,%r12
   0x4000c5 <_start+21>:        mov    $0x8,%eax
   0x4000ca <_start+26>:        mov    %r12,%rdi
   0x4000cd <_start+29>:        movabs $0x8000000000000001,%rsi
   0x4000d7 <_start+39>:        xor    %edx,%edx
   0x4000d9 <_start+41>:        syscall
   0x4000db <_start+43>:        mov    %rax,0xf2e(%rip)        # 0x401010
   0x4000e2 <_start+50>:        mov    $0x1,%eax
   0x4000e7 <_start+55>:        mov    $0x1,%edi
   0x4000ec <_start+60>:        lea    0xf1d(%rip),%rsi        # 0x401010
   0x4000f3 <_start+67>:        mov    $0x8,%edx
   0x4000f8 <_start+72>:        syscall
   0x4000fa <_start+74>:        mov    $0x3c,%eax
   0x4000ff <_start+79>:        xor    %edi,%edi
   0x400101 <_start+81>:        syscall
   0x400103:    add    %al,(%rax)
   0x400105:    add    %al,(%rax)
   0x400107:    add    %al,(%rax)
   0x400109:    add    %al,(%rax)
   0x40010b:    add    %al,(%rax)
   0x40010d:    add    %al,(%rax)
   0x40010f:    add    %al,(%rax)
   0x400111:    add    %al,(%rax)
   0x400113:    add    %al,(%rax)
   0x400115:    add    %al,(%rax)
(gdb) b *0x4000c2
Breakpoint 2 at 0x4000c2
(gdb) b *0x4000db
Breakpoint 3 at 0x4000db
(gdb) c
Continuing.

Breakpoint 2, 0x00000000004000c2 in _start ()
(gdb) i r
rax            0x3                 3
rbx            0x0                 0
rcx            0x4000c2            4194498
rdx            0x0                 0
rsi            0x0                 0
rdi            0x401000            4198400
rbp            0x0                 0x0
rsp            0x7fffffffe3a0      0x7fffffffe3a0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x246               582
r12            0x0                 0
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x4000c2            0x4000c2 <_start+18>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x0                 0
gs_base        0x0                 0
(gdb) # fd is just fine rax=3 as expected.
(gdb) c
Continuing.

Breakpoint 3, 0x00000000004000db in _start ()
(gdb) i r
rax            0x8000000000000001  -9223372036854775807
rbx            0x0                 0
rcx            0x4000db            4194523
rdx            0x0                 0
rsi            0x8000000000000001  -9223372036854775807
rdi            0x3                 3
rbp            0x0                 0x0
rsp            0x7fffffffe3a0      0x7fffffffe3a0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x246               582
r12            0x3                 3
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x4000db            0x4000db <_start+43>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
fs_base        0x0                 0
gs_base        0x0                 0
(gdb) # According to that comment, rax should have been 0, but it is not.
(gdb) c
Continuing.
�[Inferior 1 (process 186746) exited normally]
(gdb) 
```

Not so much. Seeking at `0x8000000000000001`…
Returns `0x8000000000000001` not `0` as anticipated in the comment.
We’re basically facing the kernel version of that “Under Construction”
GIF on websites from the 90s, still there, but mostly just nostalgic
decoration now.

## The Mysterious Line in `read_mem`

Let’s zoom in on one particular bit of code in [`read_mem`](https://elixir.bootlin.com/linux/v6.17-rc2/source/drivers/char/mem.c#L82):

```
	phys_addr_t p = *ppos;
	/* ... other code ... */
	if (p != *ppos) return  0;
```

At first glance, this looks like a no-op; why would `p` be different from
`*ppos` when you just copied it?
It’s like testing if gravity still works by dropping your phone…
**spoiler: it does.**

But as usual with kernel code, the weirdness has a reason.

## The Problem: Truncation on 32-bit Systems

Here’s what’s going on:

– `*ppos` is a `loff_t`, which is a 64-bit signed integer.
– `p` is a `phys_addr_t`, which holds a physical address.

On a 64-bit system, both are 64 bits wide. Assignment is clean, the check
always fails (and compilers just toss it out).

But on a 32-bit system, `phys_addr_t` is only 32 bits. Assign a big 64-bit
offset to it, and **boom**, the top half vanishes.
Truncated, like your favorite TV series canceled after season 1.

That `if (p != *ppos)` check is the safety net.
It spots when truncation happens and bails out early, instead of letting
some unlucky app read from la-la land.

## Assembly Time: 64-bit vs. 32-bit

On 64-bit builds (say, AArch64), the compiler optimizes away the check.

```
┌ 736: sym.read_mem (int64_t arg2, int64_t arg3, int64_t arg4);
│ `- args(x1, x2, x3) vars(13:sp[0x8..0x70])
│           0x08000b10      1f2003d5       nop
│           0x08000b14      1f2003d5       nop
│           0x08000b18      3f2303d5       paciasp
│           0x08000b1c      fd7bb9a9       stp x29, x30, [sp, -0x70]!
│           0x08000b20      fd030091       mov x29, sp
│           0x08000b24      f35301a9       stp x19, x20, [var_10h]
│           0x08000b28      f40301aa       mov x20, x1
│           0x08000b2c      f55b02a9       stp x21, x22, [var_20h]
│           0x08000b30      f30302aa       mov x19, x2
│           0x08000b34      750040f9       ldr x21, [x3]
│           0x08000b38      e10302aa       mov x1, x2
│           0x08000b3c      e33700f9       str x3, [var_68h]        ; phys_addr_t p = *ppos;
│           0x08000b40      e00315aa       mov x0, x21
│           0x08000b44      00000094       bl valid_phys_addr_range
│       ┌─< 0x08000b48      40150034       cbz w0, 0x8000df0        ;if (!valid_phys_addr_range(p, count))
│       │   0x08000b4c      00000090       adrp x0, segment.ehdr
│       │   0x08000b50      020082d2       mov x2, 0x1000
│       │   0x08000b54      000040f9       ldr x0, [x0]
│       │   0x08000b58      01988152       mov w1, 0xcc0
│       │   0x08000b5c      f76303a9       stp x23, x24, [var_30h]
[...]
```
Nothing to see here, move along.
But on 32-bit builds (like old-school i386), the check shows up loud and 
proud in the assembly. 
```
[0x080003e0]> pdf
┌ 392: sym.read_mem (int32_t arg_8h);
│ `- args(sp[0x4..0x4]) vars(5:sp[0x14..0x24])
│           0x080003e0      55             push ebp
│           0x080003e1      89e5           mov ebp, esp
│           0x080003e3      57             push edi
│           0x080003e4      56             push esi
│           0x080003e5      53             push ebx
│           0x080003e6      83ec14         sub esp, 0x14
│           0x080003e9      8955f0         mov dword [var_10h], edx
│           0x080003ec      8b5d08         mov ebx, dword [arg_8h]
│           0x080003ef      c745ec0000..   mov dword [var_14h], 0
│           0x080003f6      8b4304         mov eax, dword [ebx + 4] 
│           0x080003f9      8b33           mov esi, dword [ebx]     ; phys_addr_t p = *ppos;
│           0x080003fb      85c0           test eax, eax
│       ┌─< 0x080003fd      7411           je 0x8000410             ; if (!valid_phys_addr_range(p, count))
│     ┌┌──> 0x080003ff      8b45ec         mov eax, dword [var_14h]
│     ╎╎│   0x08000402      83c414         add esp, 0x14
│     ╎╎│   0x08000405      5b             pop ebx
│     ╎╎│   0x08000406      5e             pop esi
│     ╎╎│   0x08000407      5f             pop edi
│     ╎╎│   0x08000408      5d             pop ebp
│     ╎╎│   0x08000409      c3             ret
[...]
```

The CPU literally does a compare-and-jump to enforce it. So yes, this is a _real_ guard, not some leftover fluff.

## Return Value Oddities

Now, here’s where things get even funnier. If the check fails in `read_mem`, the function returns `0`. That’s “no bytes read”, which in file I/O land is totally fine.

But in the twin function `write_mem`, the same situation returns `-EFAULT`. That’s kernel-speak for “Nope, invalid address, stop poking me”.

So, reading from a bad address? You get a polite shrug. Writing to it? You get a slap on the wrist. Fair enough, writing garbage into memory is way more dangerous than failing to read it. Come on, probably here we need to fix things up.

Wrapping It Up

This little dive shows how a single “weird” line of code carries decades of context, architecture quirks, type definitions, and evolving assumptions.
It also shows why comments like the one from 0.99.14 are dangerous: they freeze a moment in time, but reality keeps moving.

Our mission in Elisa Architecture WG is to bring comments back to life: keep them up-to-date, tie them to tests, and make sure they still tell the truth. Because otherwise, thirty years later, we’re all squinting at a line saying “the return value is weird though” and wondering if the developer was talking about code… or just their day.

And now, a brief word from our *sponsors* (a.k.a. me in a different hat): When I’m not digging up ancient kernel comments with the Architecture WG, I’m also leading the Linux Features for Safety-Critical Systems (LFSCS) WG. We’re cooking up some pretty exciting stuff there too.

So if you enjoy the kind of archaeology/renovation work we’re doing there, come check out LFSCS as well: same Linux, different adventure.

Aug 13

ELISA Project Welcomes Simone Weiss to the Governing Board!

By elisaproject Ambassadors, Blog

We are excited to announce that Simone Weiss, Product Owner at Elektrobit, has joined the Governing Board of the Enabling Linux in Safety Applications (ELISA) Project. She brings a wealth of experience in functional safety, embedded systems, and open source leadership that will help guide ELISA’s mission to enable the use of Linux in safety-critical applications. One of Simone’s first tasks will be to lead the creation of a glossary in the ELISA Project directory.

ELISA Project Welcomes Simone Weiss to the Governing Board! Elektrobit has been an active contributor to the ELISA Project for several years, and Simone’s appointment reflects the company’s commitment to advancing the use of open source technologies in industries such as automotive, industrial, medical, and beyond.

“It’s an honor to join ELISA’s Governing Board. I’m looking forward to working with the community to support collaboration between industry and safety experts and drive broader adoption of Linux in safety-critical domains.” – Simone Weiss, Elektrobit

The ELISA Governing Board plays a critical role in setting the project’s strategic direction, ensuring sustainability, and supporting the vibrant technical community that underpins ELISA’s success. With the addition of Simone, the board strengthens its collective expertise and reaffirms its dedication to transparency, collaboration, and safety excellence.

Simone recently traveled to Open Source Summit North America, which happened in Denver, Colorado in June, to attend her first in-person Governing Board meeting.

Please join us in welcoming Simone to the ELISA Project Governing Board!