Written by Philipp Ahmann, Chair of the ELISA Project TSC, and Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation
On October 16-18, ELISA Project gathered at the Red Hat Munich office for an in-person workshop. The event had a great mix of attendees, including both familiar faces and first-time participants, with representatives from non-member companies such as Canonical, Volvo, MBition, Harman, and Valeo. While the workshop was primarily focused on automotive companies, there was also one participant from NASA.
Discussions centered around the core part of Linux, with a need to define what constitutes a core or minimal configuration. It was suggested that distro providers be consulted to determine their kernel configurations. The topic may continue in the architecture working group. A guide and methodology to strip down the kernel to a smaller use case and system-adjusted setting could also be useful.
A major part of the workshop was the discussion around BASIL, a new tool for tracing requirements code and tests that was proposed in the Berlin workshop earlier in the year. Introduced by Red Hat and open sourced just before the event, it has gained interest among other members, including SUSE. SUSE presented their approach on Automotive SPICE SWE processes for complex Open Source Software to get an argumentation around QM state of Linux and components in use of these systems. It is seen as promising by others and will be taken forward. It can be a path towards quality management argumentation of Linux systems.
Nvidia presented a more technical discussion on the kernel level, with a systematic approach to using the Linux kernel in safety scenarios. This was also interesting for Windriver and Elektrobit. The idea is to have a shared list of risk factors and potential interference between system elements. It is a bit of a direction like CVE to CWE if you want to compare it to security.
A session about the SPDX-SIG on Safety focused on requirement traceability with code and tests and gave a good fit to the discussions around BASIL. This was in line with the ELISA’s discussions around enhancing SBOMs to support safety argumentation and evidence.
Sessions were held on how to catch up newcomers, and understand member needs, the ELISA big picture, outreach to adjacent communities, and current challenges to comply with different aspects of the ISO26262 were held as well.
The workshop concluded with a strategy and path towards 2024. ELISA will take a stronger driver towards tools and documentation, with good documentation around PREEMPT_RT being one of these elements. It is further important to show the results so that others can better understand where ELISA is reaching and where it fits into their industrial use cases.
Overall, the workshop was a great success, with many interesting discussions and presentations. The ELISA looks forward to the next workshop and continuing to drive innovation in the Linux ecosystem.
Testimonials
“I am thrilled to have attended the ELISA workshop in Munich, where I gained valuable insights into the complexities of achieving functional safety for Linux, particularly in the automotive industry. The engaging presentations and collaborative discussions with industry experts highlighted the importance of strong collaboration in addressing this challenge.” – Bertrand Boisseau (Canonical)
“I found the ELISA workshop to be very educational and engaging. The speakers were really skilled and had a great understanding of both safety and Linux aspects. I will closely follow ELISA and hope to engage with more OEM presence” – Robert Fekete (Volvo Cars)
Wondering when and where the next ELISA workshop will be held? Keep an eye on upcoming ELISA events.
Interested in getting involved in ELISA? Introduce yourself, ask a question and follow along on Technical Forum, check out the Working Groups and start participating.
Written by Philipp Ahmann, Chair of the ELISA Project TSC and Technical Business Development Manager at Robert Bosch GmbH
In June, the ELISA Project’s core contributors and affiliates came together for three days at the Bosch IoT Campus in Berlin, Germany. We discussed recent achievements, project branding and perception, upcoming goals and next steps.
From left to right: (MBition), Gabriele Paoloni (Red Hat), (Red Hat), Olivier Charrier (Windriver), Dongni Fan (MBition), Leonard Moritz Hübner (NXP), Alex Fomichev (MBition), Christof Petig (Aptiv), Philipp Ahmann (Bosch), Kai Hudalla (Bosch Digital), Johannes Kristan (Bosch Digital), Christopher Temple (ARM), Kate Stewart (Linux Foundation) & Sven Erik Jeroschewski (Bosch Digital)
Quick recap on the three days
The workshop kicked off with a discussion about ELISA’s big picture document. The document serves as an entry point for new contributors to find their path through the ELISA deliverables and approach. It will be a living document which gets updated and enhanced when major achievements are reached. It is structured into 3 major parts and complements the project charter and mission.
The project objective
The ELISA approach (ongoing work to meet the project objective)
Using and putting ELISA results into practice
The second session focused on the creation of a pragmatic guide to best practices for open source contributors to facilitate safety analysis in the future. In this session, Kate Stewart, Vice President of Dependable Embedded Systems and and ELISA Ambassador, shared an overview of existing tools which help to make the kernel development work more discoverable, creating certain traceability, and to make analysis “more provable.” The session addressed a few next steps which the project has to look into:
Capturing current Kernel requirements
Using Linux features
Testing Frameworks
Some parts of the topics were directly addressed as part of the second day agenda. In the first session, the safety analysis approach uses a combination of risk analysis, fault injection, and a high degree of automation. Part of it is also the System Theoretic Process Analysis (STPA). This was already successfully applied within Codethink and taken forward within the Open Source Engineering Process (OSEP) Working Group. The motivation to go in this direction was also made visible and which initial work has been started.
In the following session certain limits of a traditional STPA when applied to the Linux Kernel were pointed out by Red Hat. Additional tool support may be needed which was one reason to create the ks-nav tool. The objective of this tool is to analyze the Linux kernel for safety by presenting diagrams of call trees. In this way an understanding of the interactions and dependencies among different parts of the kernel can be gained for safety analysis. To speed up the development and make the tool more visible, the ks-nav tool resides now in an own repository within the ELISA github organization.
After that, the workshop participants had a longer discussion, whether manpage derived requirements and manpage driven testing can improve the argument towards usage of Linux in safety-critical applications.
It describes a large part of the software components of Linux usage in products
It is the established format to describe and learn the software functionality provided by Linux.
It is used by a large audience.
The workshop participants agreed that there is still a lot of work to map the current kernel implementation to the existing manpages and to close the gaps between both. This will be a great contribution to the whole kernel community. Overall the ELISA project plans to take major actions in the field of Kernel documentation improvements.
In the afternoon session “targets for upstreaming to Linux kernel for the remainder of the year” the topic of upstreaming documentation within the user and admin guide of the Kernel was put into practice. The current activities of the Linux Features for Safety Critical Systems (LFSCS) WG were presented to the workshop participants. Shuah Khan (Linux Foundation Fellow) together with Elana Copperman (Mobileye, LFSCS WG lead) illustrated the different configuration parameters of the PREEMPT_RT patches which are now almost completely upstreamed. However, it turned out that the documentation of the parameter and configuration towards desired usage have large room for improvements. As many safety-critical products rely on certain real time capabilities, ELISA judges this topic as high priority and very important.
The 3rd day concentrated heavily on internal ELISA activities, project health and growth. There was a session revisiting the project messaging along with a session about review of change management workflow, and a proposed approach document to go to the working groups/TSC for approval. In another session the participants brainstormed ideas for community growth and engagement, adjacent community outreach and mutual alignment.
Although the sessions focused on internal work, especially the contributions by affiliated workshop participants representing e.g. Eclipse Software-Defined-Vehicle, ETAS, MBition and NXP added new perspectives, led to good takeaways and made the workshop a success.
Major Workshop Takeaways
During the various sessions and at the end of each day takeaways from the participants were collected and discussed. An extract of major takeaways are listed below:
Rework and structure Kernel documentation is an important element of ELISA
Strong risk of diverging, in case you write documentation by another person than the maintainer of the code.
Start identifying critical subsystems of the Linux kernel to enhance user documentation similar to “workload” and “realtime” documentation.
Identification of the “core” part of the kernel that is present in all set of config images
Looking at user APIs for the “core” parts, may be a useful focus for doing detailed analysis that others can use, and build from
Any analysis has to be tagged to specific release, as changes are happening through time.
Getting the API and subsystem analysis of key pieces upstream, combined with recommendations on testing to demonstrate the user space APIs are consistent. (Maintainer need to agree)
ELISA is not providing a safe Linux, but there are interesting tools supporting Safety with using Linux
If you push a patch to the Linux kernel you have to follow rules (e.g. checkpatch). Maybe there can be kernel tools to improve the safety part of Linux, e.g. that the proposed change/config is in line with the safety guidelines
The kernel alone does not make the operating system, you need other components to create a particular system.
Open Sourcing the Red Hat requirement tool would be a great benefit for the wider open source safety community
Use the requirements tool to export SPDX safety linkage SBOMs for the Linux Kernel
Reach out to Eclipse SDV and AGL with SOAFEE to talk about an example system as part of Systems WG
SDPX and System SBOM may be of interest for Eclipse Foundation (SDV)
OEM may be a must have to work on a real use case in certain domains (especially automotive).
The puzzle pieces on the table may not yet be complete and people may use puzzle pieces differently
Workshops are a good place to learn how the different pieces fit together, SBOM, OSEP, ARCH…
Getting involved
The ELISA Project is open to anyone to participate. While membership is not required for participation, we always love to welcome additional members to join us in the mission of enabling Linux in safety applications and to collaborate with other members who are committed to this effort.
If you are interested to learn more about ELISA or want to participate in one of the working groups or recently started activities, just send an email to the technical forum mailing list. Or you can get advice on where to contribute best by joining the Technical Steering Committee (TSC) meeting which is held every other Wednesday at 13:00 UTC.
Last but not least the next in person workshop is only a few months away. ELISA members currently plan to meet again most likely in Munich, Germany, October 16- 18. Please join the mailing list and/or subscribe to @ProjectElisa or our LinkedIn page or our Youtube Channel to learn more about the next workshop.
Written by Red Hat’s Gabriele Paoloni, Alessandro Carminati & Maurizio Papini
One of the main challenges in using the Linux Kernel for safety-critical systems is conducting safety analyses in the absence of architectural documentation. As outlined in this article, within the ELISA (Enabling Linux in Safety Applications) Project, we are adopting the STPA approach at the system level. Accordingly, the Safety Architecture Working Group has been actively working on implementing and expanding this approach within the Kernel.
To conduct an STPA-inspired analysis, it is necessary to define “controller” entities, along with their corresponding control actions and feedback mechanisms. The Linux Kernel has already been divided into entities, which are maintained by different individuals based on the MAINTAINERS file.
Therefore, the Safety Architecture Working Group has made the decision to experiment with STPA analysis within the Kernel by treating the various subsystems or drivers (as defined in the MAINTAINERS file) as individual controllers. Within this context, the challenge has been to identify the control actions and feedback mechanisms between the drivers and subsystems.
The ks-nav tool set, comprising two complementary tools, is specifically designed to support the identification of such control actions.
To facilitate this, ks-nav offers subsystem call trees, which visually represent the interactions and dependencies among subsystems, starting from a given symbol. This feature allows users to identify potential interfaces between subsystems or drivers that support relevant control actions within the specific context of the symbol under analysis.
Another key feature of ks-nav is the identification of function call trees, which list functions potentially encountered starting from a given one . Such a feature could be useful to understand the subsystem or driver behavior following the invocation of a given function.
In summary, within the context of a specific symbol, ks-nav is capable of initially highlighting potential candidates for control actions between subsystems and drivers. Additionally, it allows users to “zoom in” on each subsystem as necessary to support expert judgment in semantically specifying the control actions.
To accommodate diverse analysis needs, the tool set supports multiple output formats, including dot, raster images (PNG or JPG), and vector images (SVG), facilitating effective visualization.
Flexibility is emphasized with compatibility across different database management systems (DBMS) like PostgreSQL, MySQL, MariaDB, or SQLite. This enables seamless integration with users’ preferred DBMS or existing infrastructure.
Moreover, ks-nav is able to identify indirect calls, including the x86 retpoline technique, within the kernel code, and deals with compiler code optimization.
By offering function call trees, subsystem call trees, versatile output formats, DBMS compatibility, and indirect call detection, the ks-nav tool set provides a comprehensive and efficient solution for ELISA activities in Linux kernel analysis. It provides users with the necessary tools to explore the kernel’s structure, and make informed decisions.
This initial commit of the ks-nav tool set also ensures fair test coverage, guaranteeing reliability and effectiveness in supporting ELISA activities. It marks a milestone, demonstrating the team’s commitment to continuous improvement and future advancements to refine the tool set and meet evolving needs in ELISA activities conducted by the working group.
All are welcome to try out the tools, send pull requests for improvements and bug fixes on the ELISA GitHub here.
There will also be a dedicated session on how to apply this tool at the upcoming ELISA Berlin Workshop June 20-22. Learn more about the Workshop or register for it here.
SAN FRANCISCO – August 11, 2022 – Today, the ELISA (Enabling Linux in Safety Applications) Project announced that Boeing has joined as a Premier member, marking its commitment to Linux and its effective use in safety critical applications. Hosted by the Linux Foundation, ELISA is an open source initiative that aims to create a shared set of tools and processes to help companies build and certify Linux-based safety-critical applications and systems.
“Boeing is modernizing software to accelerate innovation and provide greater value to our customers,” said Jinnah Hosein, Vice President of Software Engineering at the Boeing Company. “The demand for safe and secure software requires rapid iteration, integration, and validation. Standardizing around open source products enhanced for safety-critical avionics applications is a key aspect of our adoption of state-of-the-art techniques and processes.”
As a leading global aerospace company, Boeing develops, manufactures and services commercial airplanes, defense products, and space systems for customers in more than 150 countries. It’s already using Linux in current avionics systems, including commercial systems certified to DO-178C Design Assurance Level D. Joining the ELISA Project will help pursue the vision for generational change in software development at Boeing. Additionally, Boeing will work with the ELISA Technical Steering Committee (TSC) to launch a new Aerospace Working Group that will work in parallel with the other working groups like automotive, medical devices, and others.
“We want to improve industry-standard tools related to certification and assurance artifacts in order to standardize improvements and contribute new features back to the open source community. We hope to leverage open source tooling (such as a cloud-based DevSecOps software factory) and industry standards to build world class software and provide an environment that attracts industry leaders to drive cultural change at Boeing,” said Hosein.
Linux is used in all major industries because it can enable faster time to market for new features and take advantage of the quality of the code development processes. Launched in February 2019, ELISA works with Linux kernel and safety communities to agree on what should be considered when Linux is used in safety-critical systems. The project has several dedicated working groups that focus on providing resources for system integrators to apply and use to analyze qualitatively and quantitatively on their systems.
“Linux has a history of being a reliable and stable development platform that advances innovation for a wide range of industries,” said Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation. “With Boeing’s membership, ELISA will start a new focus in the aerospace industry, which is already using Linux in selected applications. We look forward to working with Boeing and others in the aerospace sector, to build up best practices for working with Linux in this space.”
Other ELISA Project members include ADIT, AISIN AW CO., Arm, Automotive Grade Linux, Automotive Intelligence and Control of China, Banma, BMW Car IT GmbH, Codethink, Elektrobit, Horizon Robotics, Huawei Technologies, Intel, Lotus Cars, Toyota, Kuka, Linuxtronix. Mentor, NVIDIA, SUSE, Suzuki, Wind River, OTH Regensburg, Toyota and ZTE.
ELISA Summit – Hosted virtually for participants around the world on September 7-8, this event will feature overview of the project, the mission and goals for each working group and an opportunity for attendees to ask questions and network with ELISA leaders. The schedule is now live and includes speakers from Aptiv Services Deutschland GmbH, Boeing, CodeThink, The Linux Foundation, Mobileye, Red Hat and Robert Bosch GmbH. Check out the schedule here: https://events.linuxfoundation.org/elisa-summit/program/schedule/. Registration is free and open to the public. https://elisa.tech/event/elisa-summit-virtual/
ELISA Forum – Hosted in-person in Dublin, Ireland, on September 12, this event takes place the day before Open Source Summit Europe begins. It will feature an update on all of the working groups, an interactive System-Theoretic Process Analysis (STPA) use case and an Ask Me Anything session. Pre-registration is required. To register for ELISA Forum, add it to your Open Source Summit Europe registration.
Open Source Summit Europe – Hosted in-person in Dublin and virtually on September 13-16, ELISA will have two dedicated presentations about enabling safety in safety-critical applications and safety and open source software. Learn more.
Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
If you’re new to the project and would like to learn more about the community, ELISA has several upcoming events in September that you can attend to meet ambassadors or project members, receive updates about technical milestones and goals of each of the working groups and ask questions or get involved. Focused Working Groups include Automotive, Linux Features for Safety-Critical Systems, Medical Devices, Open Source Engineer Processes, Safety Architecture, Systems and Tool Investigation and Code Improvement and they are always looking for more participants.
September events:
ELISA Summit – Hosted virtually for participants around the world on September 7-8, this event will feature overview of the project, the mission and goals for each working group and an opportunity for attendees to ask questions and network with ELISA leaders. View the schedule here. Registration is free and open to the public. https://elisa.tech/event/elisa-summit-virtual/
ELISA Forum – Hosted in-person in Dublin, Ireland, on September 12, this event takes place the day before Open Source Summit Europe begins. It will feature an update on all of the working groups, an interactive System-Theoretic Process Analysis (STPA) use case and an Ask Me Anything session. Pre-registration is required. To register for ELISA Forum, add it to your Open Source Summit Europe registration.
Open Source Summit Europe – Hosted in-person in Dublin, Ireland, and virtually on September 13-16, ELISA will have two dedicated presentations about enabling safety in safety-critical applications and safety and open source software. Learn more.
ELISA Workshop – Hosted in-person in Manchester, England, at Codethink offices. This workshop offers an opportunity for active ELISA contributors and members to have interactive discussions on predetermined topics and have side-by-side working sessions. Learn more.
The Spring ELISA Workshop, which took place on April 5-7 virtually, had more than 130 global registrants that learned more about the various working groups, hot topics related to enabling linux in safety applications and networked with ambassadors. If you missed the workshop, you can check out the materials here or subscribe to the new ELISA Youtube Channel and add these sessions to your watch list.
In April, Raffaele Giannessi, Industrial PhD, and Fabrizio Tronci, Functional Safety Manager and Alessandro Biasci, Project Manager at Huawei, presented a session titled, “Hazard Analysis Application to Complex Software.” In this talk, they showcase the methodology to apply STPA to software non-physical system and application of case study on dynamic memory allocation.
Watch the video below.
If you are interested in learning more about the ELISA Project, please join us at one of the September events:
ELISA Summit, a virtual conference happening on September 7-8 . ELISA ambassadors and leaders will offer an introductory overview of the project, more in-depth technical content, emerging trends, and hot topics related to open source software in safety-critical applications. Register to attend at no cost here: https://events.linuxfoundation.org/elisa-summit/register/.
ELISA Forum, in-person in Dublin, Ireland on September 12. This is a co-located event with Open Source Summit Europe. ELISA Ambassadors and leaders will offer an overview of the project, the activities of the various working groups (WGs) and how the WGs interact and work together to tackle the challenges in advancing open source in safety-critical systems and bridge the gap between functional safety and Linux kernel development velocity. There will also be in-depth updates for the System-Theoretic Process Analysis (STPA) methodology to a sample use case and a Q&A session. Pre-registration is required. To register for ELISA Forum, add it to your Open Source Summit Europe registration.
The Spring ELISA Workshop, which took place on April 5-7 virtually, had more than 130 global registrants that learned more about the various working groups, hot topics related to enabling linux in safety applications and networked with ambassadors. If you missed the workshop, you can check out the materials here or subscribe to the new ELISA Youtube Channel and add these sessions to your watch list.
Red Hat’s Christoffer Hall-Federiksen, Senior Software Engineer, and Gabriele Paoloni, Senior Principal Software Engineer and Chair of the ELISA Project Governing Board, presented a session titled, “Integrity of the Safety Application Address Space.”
In this video, you’ll get an overview of the address space descriptors and critical Linux Kernel code involved along different scenarios (process creation, memory allocation, context switch, etc.), safety goals and an interactive discussion on the next steps.
The Spring ELISA Workshop, which took place on April 5-7 virtually, had more than 130 global registrants that learned more about the various working groups, hot topics related to enabling linux in safety applications and networked with ambassadors. If you missed the workshop, you can check out the materials here or subscribe to the ELISA Youtube Channel and add these sessions to your watch list.
At the workshop, Shuah Khan, Chair of the ELISA Technical Steering Committee (TSC) and Kernel Maintainer and Linux Fellow at the Linux Foundation, joined Kate Stewart, ELISA TSC member and co-chair of the Medical Devices Working Group, to kick off the workshop with an introduction to the ELISA Project.
You can view the video below, which is intended for new community members interested in the project and those who aren’t regular participants in the working groups.
We invite you to join a working group to learn more! Click here to check out the working groups and subscribe to their mailing lists and calendars to join meetings.
The Spring ELISA Workshop, which took place on April 5-7 virtually, had more than 130 global registrants that learned more about the various working groups, hot topics related to enabling linux in safety applications and networked with ambassadors. If you missed the workshop, you can check out the materials here or subscribe to the new ELISA Youtube Channel and add these sessions to your watch list.
Christopher Temple, Lead Safety & Reliability Systems Architect at Arm Germany GmbH, and Paul Albertella, ELISA Project TSC member, Chair for Open Source Engineering Process Working Group and Consultant at Codethink, presented a session, “Mixed-Criticality Processing on Linux.”
Check out the video that features the presentation and community discussion about how to create a common understanding of mixed-criticality processing on Linux and the related problems, collect and discuss alternatives for addressing the problems.
In the video, you’ll see there is good engagement from existing ELISA participants and new ones, and the group ended with a clearer understanding of the challenges faced when safety functions co-exist on a system with non-safety functions, and with other safety functions. There was a broad consensus about how ELISA might provide useful guidance for how to tackle some of these, by describing design patterns for systems that include Linux, rather than focussing on what Linux needs in order to be ‘safe’.
The Spring ELISA Workshop, which took place on April 5-7 virtually, had more than 130 global registrants that learned more about the various working groups, hot topics related to enabling linux in safety applications and networked with ambassadors. If you missed the workshop, you can check out the materials here or subscribe to the new ELISA Youtube Channel and add these sessions to your watch list.
Gabriele Paoloni, ELISA Project Governing Board Chair and Senior Principal Software Engineer at Red Hat, and Daniel Bristot, Senior Principal SW Engineer at Red Hat, gave a presentation at the Spring ELISA Workshop titled, “Safety Monitors Inside the Kernel.”
The recently proposed “Runtime Verification Monitor” framework, which can be found here, has the capability of monitoring the Kernel Drivers / Subsystems to behave as expected and to protect them against interference from within the Kernel itself. The video will explain how the RVM framework works with a specific focus on the Watchdog Monitor that has been proposed in the patchset and how it can support a functional safety claim. Watch it here:
