Linux Can Finally Run Your Car's Safety Systems and Driver-Assistance Features (arstechnica.com) 25
An anonymous reader quotes a report from Ars Technica: There's a new Linux distro on the scene today, and it's a bit specialized. Its development was led by the automotive electronics supplier Elektrobit, and it's the first open source OS that complies with the automotive industry's functional safety requirements. [...] With Elektrobit's EB corbos Linux for Safety Applications (that sure is a long name), there's an open source Linux distro that finally fits the bill, having just been given the thumbs up by the german organization TUV Nord. (It also complies with the IEC 61508 standard for safety applications.) "The beauty of our concept is that you don't even need to safety-qualify Linux itself," said Moritz Neukirchner, a senior director at Elektrobit overseeing SDVs. Instead, an external safety monitor runs in a hypervisor, intercepting and validating kernel actions.
"When you look at how safety is typically being done, look at communication -- you don't safety-certify the communication specs or Ethernet stack, but you do a checker library on top, and you have a hardware anchor for checking down below, and you insure it end to end but take everything in between out of the certification path. And we have now created a concept that allows us to do exactly that for an operating system," Neukirchner told me. "So in the end, since we take Linux out of the certification path and make it usable in a safety-related context, we don't have any problems in keeping up to speed with the developer community," he explained. "Because if you start it off and say, 'Well, we're going to do Linux as a one-shot for safety,' you're going to have the next five patches and you're off [schedule] again, especially with the security regulation that's now getting toward effect now, starting in July with the UNECE R155 that requires continuous cybersecurity management vulnerability scanning for all software that ends up in the vehicle."
"In the end, we see roughly 4,000 kernel security patches within eight years for Linux. And this is the kind of challenge that you're being put up to if you want to participate in that speed of innovation of an open source community as rich as that of Linux and now want to combine this with safety-related applications," Neukirchner said. Elektrobit developed EB corbos Linux for Safety Applications together with Canonical, and together they will share the maintenance of keeping it compliant with safety requirements over time.
"When you look at how safety is typically being done, look at communication -- you don't safety-certify the communication specs or Ethernet stack, but you do a checker library on top, and you have a hardware anchor for checking down below, and you insure it end to end but take everything in between out of the certification path. And we have now created a concept that allows us to do exactly that for an operating system," Neukirchner told me. "So in the end, since we take Linux out of the certification path and make it usable in a safety-related context, we don't have any problems in keeping up to speed with the developer community," he explained. "Because if you start it off and say, 'Well, we're going to do Linux as a one-shot for safety,' you're going to have the next five patches and you're off [schedule] again, especially with the security regulation that's now getting toward effect now, starting in July with the UNECE R155 that requires continuous cybersecurity management vulnerability scanning for all software that ends up in the vehicle."
"In the end, we see roughly 4,000 kernel security patches within eight years for Linux. And this is the kind of challenge that you're being put up to if you want to participate in that speed of innovation of an open source community as rich as that of Linux and now want to combine this with safety-related applications," Neukirchner said. Elektrobit developed EB corbos Linux for Safety Applications together with Canonical, and together they will share the maintenance of keeping it compliant with safety requirements over time.
Finally! (Score:5, Funny)
Re: (Score:3)
Now my car can run Emacs. :-)
And I know this is a Linux milestone, but I wouldn't be surprised if NetBSD ran on cars like 20 years ago, right after being ported to a toaster (google it) -- the bread kind, not Cylon, though that wouldn't surprise me either.
Re: (Score:3)
Re: (Score:2)
I'm waiting until my car runs in Emacs. =)
What if it Freezes? (Score:2)
How can the hypervisor ensure that the services maintained by the Linux subsystem continue if the Linux subsystem freezes or halts?
VxWorks (Score:2)
I'd imagine it works the same way VxWorks does, which is what most car companies use (along with, sometimes, QNX.)
Re: (Score:2)
I ran more than 50 Linux machines in my life, guess what: the "stable" non-experimental distros practically never freeze, unless there is a hardware issue. This just doesn't happen.
Just make sure you are running stable kernel and stable software and Linux is more stable than a ton of rock.
Re: (Score:2)
There is one thing which will stop Linux in its tracks. NFS issues. A glitch with NFS, even if a server is mounted with an interruptible hard mount or (ugh) a soft mount can cause a kernel to completely hang and require a hard power cycle.
I think it is interesting, using the hypervisor as a watchdog timer. This is a useful idea in a lot more applications. For example, ATMs, digital signage, or other items which should just run without interruption.
Re: (Score:1)
If this is really such a big issue (which I doubt), just don't use NFS on embedded critical systems. Problem solved.
Freeze, halt, or crash? (Score:2)
Freeze: Okay, except your air conditioning turns on full blast.
Halt: Possibly okay, if there's nobody behind you and you can handle the g-forces of going from 60 to 0 in 1ms.
Crash: File an insurance claim.
Re: (Score:2)
Re: (Score:2)
How can the hypervisor ensure that the services maintained by the Linux subsystem continue if the Linux subsystem freezes or halts?
By NOT running a gUI (or games for that matter) on top of that Auto-Linux you avoid many risk points that can cause the system to freeze.
I have numerous headless (no gUI, no display) systems running 24x7 for years on end and they have never once frozen up. All of them run easily downloadable and widely available free Linux distributions.
My secret is this: run the absolute minimum server daemons & applications that you need, AND, lock off that system from the external world as such as possible (unless
Re: (Score:2)
I had a hard frozen sshd two days ago on a Linux VM, but I think my hoster may have screwed up there and sabotaged the filesystem doing a backup (which I did not tell them to do and which I am not paying for). Apache was still up on the box though. Fixed by reboot. Other than that, the last freeze I had on anything Linux was when I told the kernel a wrong memory size on the kernel commandline about 10 years ago.
Re: (Score:2)
Network equipment often runs some version of Linux, including big iron stuff like Cisco Nexus. And they are running a watchdog, which works similar to a dead-man's-switch in a train engine: If it does not get activated in regular intervals, it restarts vital services or even the whole system.
RTOS (Score:2)
Re: (Score:2)
Linux in general is not, but there've been projects to adapt it, including RTLinux and PREEMPT_RT
Re: (Score:2)
Don't generalise. There are plenty of scenarios requiring safety certified software lawyers that don't require the precision of an RTOS. We're not talking about deploying airbags here. Many applications in a car already are too complex (e.g. machine vision) to be baked into firmware on an RTOS. Yeah this won't replace your ECU, or your airbag system, but there there is far more to a modern car.
Re: (Score:3)
Even airbags probably don't require an RTOS, you just want to fire them as soon as possible, and a collision takes a long time in compute terms. An RTOS is designed for consistent timing, not fast timing, and the use cases are actually fairly narrow and not what most people expect.
No (Score:2)
I don't need any car with a Linux operating system.
CANBUS is bad enough as it is.
Re: (Score:2)
What's wrong with canbus? The only time I ever had a car with issues was due to water leaking and corroding something.
No, it can not. (Score:4, Interesting)
This Linux has been certified up to ASIL-B (ASIL 2).
To completely control all aspects of a car, you need ASIL-D (ASIL 4).
Links:
https://www.elektrobit.com/pro... [elektrobit.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]