Xen Safety Certification – Progress & Plans for the Future


Xen Project is a static partitioning hypervisor for embedded, from aerospace to industrial and automotive. Xen enforces strong isolation between domains so that one cannot affect the execution of another. Features such as cache coloring reduce interference and improve interrupt latency and determinism. A real-time workload can run alongside a more complex guest. But can it be used in safety-critical environments? The Xen hypervisor has a microkernel design: services and tools are non-essential and run in unprivileged VMs, while the core is less than 50K LOC. This architecture lends itself well to safety-critical applications as only the hypervisor core is critical and needs to go through the certification process. This presentation will describe the activities of the Xen FuSa SIG (Special Interest Group) to make Xen easier to safety-certify. It will highlight the most significant improvements introduced in the last 12 months to align Xen with safety standards such as DO-178C and ISO 26262. It will go into detail on MISRA C compliance, its latest status, and the next steps to close all the outstanding MISRA C gaps. It will discuss the role of Gitlab-CI and how to keep the Xen codebase MISRA C compliant without major efforts. The Xen community has a clear path ahead to achieve the safety certification of the hypervisor. This talk will discuss it focusing on the most impactful changes to the Xen codebase and Xen community processes.