SlideShare a Scribd company logo
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety-Certifying
OSS Software : The case of Xen
• May 10th , 2023
• Stefano Stabellini & Senthil K Rajagopal
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Functional safety definition
• Safety critical embedded software applications are developed
for systems whose failures contribute to hazards in the system
for safety of life and environment.
• A functionally safe or safety critical system has a safety
function which maintains or transitions the system to safe
state. Safety function can be implemented by combination of
programmable electrical / electronic hardware and software.
• Safety certifications (IEC 61508, ISO 26262 etc..)
• Strict coding guidelines (MISRA C)
• Strict verification & validation (Testing) requirements
• Strict software process requirements
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Functional safety definition
“Functional safety is part of the overall safety that depends
on a system or equipment operating correctly in response to
its inputs.” (IEC 61508)
“Absence of unreasonable risk due to hazards caused by
malfunctioning behavior of E/E systems” (ISO 26262)
“Safety is freedom from unacceptable risk” (ISO 14971)
Safety is all about doing the job right with good
engineering practices
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Functional safety compliance
• Functional safety standards provide engineering guidelines to achieve functional safety
for programmable electrical / electronics hardware, software and the overall system.
• Safety standards like IEC 61508 and ISO 26262 recommend V model-based development
flow for hardware (ASIC / SoC/ FPGA) and software.
• Safety standards also provide options to qualify pre-existing software by satisfying
certain engineering requirements – Tailored software safety lifecycle by retroactive
engineering.
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Functional safety compliance – V model for newly developed software
Specification of software
safety requirements
Software architectural
design
Software unit design and
implementation
Software unit verification
Software integration and
verification
Testing of the embedded
software
Technical safety concept
System and item integration
and testing
Software verification
Software testing
Unit verification
System and item verification
V model-based safety
software development flow
to develop software from
the scratch
The following is the software development flow (V model) for safety related applications according to ISO 26262:
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Functional safety compliance for Pre-existing software
• Safety standards also provide options to qualify pre-existing software by
satisfying certain engineering requirements – Tailored software safety lifecycle by
retroactive engineering.
IEC 61508-3, 7.4.2.12 Route 3s ISO 26262-8, Clause 12
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Embedded Hypervisor – Xen
• Xen is the AMD Open-Source reference hypervisor for
embedded and automotive
• Both ARM and AMD x86
• AMD has an in-house engineering team to develop,
enhance, and support Xen for embedded and automotive
• Xen is delivered to customers today as reference and is
supported by Forum, Premium Technical support, and
engineering
• We have many customers using Xen on ARM in production
which require hard-real time isolation between VMs (Xen
cache coloring)
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen : Open-source community
Contributions to Xen by Company
• Xen Project is an Open-Source project under the Linux Foundation
• Well known and widely used in the industry​
• Extremely strong review process and security process​
• AMD x86 and ARM architectures already fully supported
• Xen is widely used in datacenter, cloud, client devices and more
• The Xen Open-Source Community is a diverse multi-
vendor community​
• Maintainers from Amazon, ARM, Citrix, AMD, SuSE, and more​
• Independent panel of experts with 15+ years of experience
• AMD has a team working closely with the upstream project
• Healthy long-term maintenance of the project
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen: Open-Source Community
9
Several security-focused
projects and products
based on Xen, including
QUBES OS
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen Hypervisor Rigorous Quality Process
• Xen has an extremely strong quality and validation process already in place
• Rigorous review process famous industry-wide
• Sometimes it is "too hard" to get patches accepted in Xen due to the strict review process
• Strong security process to handle security vulnerabilities with responsible disclosure
• Xen Security Process is best-in-class; OpenStack and other projects' security processes based on Xen’s
• Security and isolation are top priority of the project
• Traceability of commits: all communication done in public on xen-devel, with archives going back 20+ years
• Every commit is tested on a variety of hardware by 2 CI-loops before reaching the “master” branch
• Xen is already widely deployed in critical production environments
• Datacenter & Cloud: Amazon AWS, Rackspace, Citrix XenServer, Vates (multi-tenancy, AMD x86)
• Desktop: QubesOS, OpenXT (AMD x86 highly secure environments; mitigate common cause failures)
• Embedded: Xilinx Petalinux (ARM hard real-time isolation with cache coloring)
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety certifying Xen Hypervisor
• AMD is working on making Xen safety-certifiable for AMD platforms (ARM & AMD x86 )
• IEC 61508 SIL 3 (Systematic Capability 3 ) & ISO 26262 ASIL D
• Certification based on Xen upstream community processes and upstream codebase
• Not working with a private fork
• Ability to update the certification with limited efforts for newer Xen releases
• Certification docs & artifacts available for AMD customers
• Xen upstream community alignment with safety certifications requirements
• MISRA C
• Public interfaces documentation
• Gitlab-CI testing
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety certification scope of Xen Hypervisor
• Scope: IEC 61508 SIL 3 & ISO 26262 ASIL D
• Safety certifications for both Xen on ARM and AMD x86
• Stable AMD x86 hardware and ARM hardware platforms
• Core components in Xen
• x86: AMD-v, AMD-Vi, HPET, vPCI
• ARM: SMMUv3, Arch Timer, Hypervisor Extensions, vPCI
• Xen enabling components for VM-to-VM communication and PV Drivers
• grant table (memory sharing)
• event channels (notifications)
• No OS/hypervisor dependencies
• Dom0less/Hyperlaunch for both ARM and x86
• Domain creation done by Xen at boot based on provided
configuration
• Dom0 is not required; Out of Scope.
HW
HW partition
HW partition
Xen
Safe OS QM Linux
access access
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen hypervisor as a pre-existing software component shall take the following routes for
the safety certification:
Xen Hypervisor safety certification route
Established Open Source Development Process
Established Security Practices
Tailored software safety lifecycle
IEC 61508-3, 7.4.2.12 Route 3s– Assessment of non-compliant development
ISO 26262-8, Clause 12 – Qualification of software components
Organizational Supporting Processes
Independent Functional safety assessment
Xen
Hypervisor
Safety case
Certified
IEC 61508 SC 3
(Element level SIL 3)
ISO 26262 ASIL D
Xen Safe Hypervisor
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen Hypervisor safety certification plan
Xen Hypervisor software safety certification
ISO 26262:2018, Element level ASIL D
IEC 61508, Edition 2 Systematic Capability 3 (SIL 3)
Phase I
Safety
Concept
Review
Phase II
Final
Assessment
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen Hypervisor safety certification plan
Phase I
Safety
Concept
Approval
Safety concept review
Assessment of functional safety management
• Software safety requirements
• Software architecture specification
• Verification & validation plan (high level)
• Software verification plan
• Software validation plan
• Software tools classification
• Safety assessment plan
• Safety plan
• Software requirements management plan
• Project management plan
• Document management system
• Software development process
• Continuous quality improvement strategy
• Software configuration management plan
• Software change management plan
• Competence management plan
• Organizational safety culture tracking sheet
• Product security compliance
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety analysis
Software tools qualification
• Software FMEA report
Phase II
Final
Assessment
• Software tools qualification reports
Implementation / Coding
• MISRA C (based) Coding guidelines
• Coding guidelines conformance report
• Code review evidence
Software verification
• Software Verification specification
• Software Verification report
Software validation
• Software validation specification
• Software validation report
• Traceability reports
User guide & safety manuals
• General software user guide
• Software safety manual for IEC 61508 & ISO 26262
Safety case • Safety case
Xen Hypervisor safety certification plan
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Software safety engineering work products & evidence
S.No Work Products & Evidence Purpose
1 Software Safety Requirements (SSR) List of all functional requirements of the software
2 Software Architecture Specification (SAS) Document describes all the interfaces and design corresponding to the functional requirements
3 Coding:
• MISRA C Coding guidelines
• MISRA C Coding guidelines conformance matrix / code review report
Implementing (new features) and / or refactoring the code to meet good coding practices such as
MISRA C.
4 Software Verification :
• Software Verification Plan (Test Plan)
• Software Test Specification
• Software Test Report
To ensure all the developed software modules function correctly with their dependencies as per
the specification.
The test scope shall cover testing of all the interfaces, dynamic (e.g. code coverage), static testing
(e.g. control / data flow) , performance test, regression test, hardware test & fault injection test.
5 Software Validation :
• Software Validation Plan (Test Plan)
• Software Validation Test Specification
• Software Validation Test Report
• Traceability Reports
To ensure the developed software meets its original requirements and intended usage.
The test scope shall cover requirements test and testing the assumptions of usage.
Report also shall be generated to show the traceability between requirements and the test
results.
6 Tools Analysis :
Software Tools Classification & Qualification Report
To ensure tools used in development such as compiler and other testing tool do not introduce any
faults (bugs) in the target software, software tools are analyzed, classified and qualified (if
required) for the usage.
7 Software Failure Analysis :
Software Failure Mode Analysis (Software FMEA) Report with Mitigations
To ensure no additional hidden silent failures in the software, possible failures are identified, and
mitigations are implemented or proposed.
8 Process Control:
Plan documents for document / change/ configuration control and project
management
To ensure quality software is developed using standard software engineering metric.
9 Safety Management:
Safety plan, Training plan, safety manual and safety case documents
To meet the requirements of safety standards, assessment authority and customers.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Software safety engineering work estimate
• Pre-existing software (open-source and in-
house) which has good development process in
place can be taken for safety certification.
• There will approximately be 65 % of effort in
verification & validation tests and safety analysis.
• There will approximately be 35 % of effort in
documentation.
• Experience says pre-existing software with
approximately 50K LoC can be made for safety
compliance in 24 to 30 months time frame.
More tests and quality documentation are good for any software project.
65%
35%
ENGINEERING EFFORT
Testing Documentation
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen Hypervisor safety certification deliverables
S.No Deliverables Phase
1 Xen safety concept report
Completion of
safety concept
review phase
2 Xen safety certificate
Completion of final
assessment
3
Report to the certificate with high
details and results
Completion of final
assessment
4 Technical report
Completion of final
assessment
Assessment Deliverables Customer Package by AMD
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Xen Hypervisor safety certification - Periodic audits
• Assessment body may conduct re-audit after
the certification of the software product as per
the requirements of the assessment body
• The frequency of the audit shall be negotiated – E.g.
once in 12-24 months
• Impact analysis shall be performed in case of any
product updates
• Impact analysis shall be performed by the
engineering team and shall be reviewed by the
safety manager and assessor
• Based on the output of the impact analysis, the
need and scope of reassessment will be decided
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
The Xen path to safety: Impact
on the Xen Community
• Xen entering environments where safety is a
requirement
• Proof that Xen is safety-certifiable paves the way
for others in the community to safety-certify Xen
• Concrete positive impact to the Xen Open Source
project:
• More robust coding guidelines with MISRA C
• Better documentation
• Much more testing
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety/Community Alignment: MISRA C
• MISRA C: coding guidelines for safe and secure C programming
• The goal is to improve the codebase -- MISRA C compliance is never at the expense of quality
• MISRA C adoption in OSS needs to be for the benefit for the Open Source project and its community
• Involve the community in evaluating MISRA C guidelines
• Select the rules that make sense for your project
• Adopt the rules as part of your project’s coding style
• Use MISRA C code checkers to automatically scan new patches for MISRA C violations
• Make code reviews easier
• Helps contributors write better code
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety/Community Alignment: MISRA C
23
• MISRA C Tailoring completed: ~140 rules considered relevant for Xen​
• MISRA C Rules adoption in progress ~38/140 rules ​
• Xen is already following many MISRA C rules, just not officially​
→ Add Xen Rules we already follow to CODING_STYLE​
• Evaluate the remaining​ MISRA C rules for adoption
• Deviations are sometimes required
• Alternative strategies to address the underlying issues identified by MISRA C are sometimes possible
• MISRA C Deviation strategy
• Deviations are intentional and documented exceptions to the rule​
• Tag deviations with in-code comments so that MISRA C scanners will “ignore” them​
• Document the reason for the deviation appropriately in documenting-violations.rst
• A tool is provided to convert the Xen deviation tag into the tool-specific tag
• we can support multiple tools with a single tag
Xen code with
Xen tag
Xen code with
cppcheck tag
/* SAF-1-safe R8.6 linker defined symbols */
extern char _start[], _end[], start[];
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
▪ MISRA C checkers are fundamental for spotting violations in new contributions
▪ MISRA C checkers integration with Xen Project Gitlab CI/CD in-progress
Safety/Community Alignment: MISRA C
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety/Community Alignment: Documentation
• Safety requires detailed documentation of interfaces, architectures, and expected behaviors
• Helps OSS users adopting the software
• Helps contributors find their ways around codebase
• Helps maintainers keep supported interfaces stable
• Dcumentation of Xen public interfaces in progress
• Hypercalls
• Boot configurations
• Virtual hardware
• Physical hardware
• Documentation of key interfaces already exists but might need improvement
• Use Doxygen / RST and keep the document under GIT revision next to the code
• Easier to maintain
• Easier to keep in sync with the code
• Use the same contribution and maintenance model as the Xen codebase
• Maintainers to require documentation updates when a Xen interface changes
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Safety/Community Alignment: Testing
• Safety requires all features and interfaces to be tested
• Testing directly improve the quality and reliability of OSS releases
• Better testing leads to fewer bugs
• Enhance and Extend the existing Gitlab CI/CD infrastructure with more tests
• 118 Gitlab tests including build tests and runtime tests
• Of the runtime tests 5 tests are running on real hardware, ARM & x86
• The remaining runtime tests are running on QEMU as emulating environment
• Community member can contribute both tests and also gitlab-runners to run real hardware tests
• To help the community
• To verify that Xen keeps running on their platforms of choice
• Require tests updates when interfaces change
• Proposal: require addition of new Gitlab-CI tests for any new Xen feature?
Copyright (2023) Advanced Micro Devices, Inc.
[Public]
Copyright (2023) Advanced Micro Devices, Inc.
Conclusions
• Safety certifiability of upstream Open Source software is possible -- Xen has an example
• It greatly helps if the upstream project has good quality processes already in place
• The Open Source community needs to get behind Safety as a goal for the project
• It is key to get community buy-in
• Safety is not about paperwork but actual safety of the codebase
• Codebase improvements, protecting against common errors
• Far better testing
• Clear and comprehensive documentation
Copyright (2023) Advanced Micro Devices, Inc.
Thank you
[Public]
Copyright (2023) Advanced Micro Devices, Inc.

More Related Content

What's hot

ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for Embedded
Stefano Stabellini
 
Kernel Module Programming
Kernel Module ProgrammingKernel Module Programming
Kernel Module Programming
Saurabh Bangad
 
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Pierre-jean Texier
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
Kan-Ru Chen
 
Xen Debugging
Xen DebuggingXen Debugging
Xen Debugging
The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
The Linux Foundation
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using Virtualization
The Linux Foundation
 
Power Management from Linux Kernel to Android
Power Management from Linux Kernel to AndroidPower Management from Linux Kernel to Android
Power Management from Linux Kernel to Android
National Cheng Kung University
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
Houcheng Lin
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
guest547d74
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)
Stefano Stabellini
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
RISC-V International
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
Md. Zahid Hossain Shoeb
 
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
The Linux Foundation
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel Source
Motaz Saad
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015
Chris Simmonds
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
RuggedBoardGroup
 
Linux Kernel Image
Linux Kernel ImageLinux Kernel Image
Linux Kernel Image
艾鍗科技
 
Run Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using YoctoRun Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using Yocto
Marco Cavallini
 

What's hot (20)

ELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for EmbeddedELC21: VM-to-VM Communication Mechanisms for Embedded
ELC21: VM-to-VM Communication Mechanisms for Embedded
 
Kernel Module Programming
Kernel Module ProgrammingKernel Module Programming
Kernel Module Programming
 
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
Xen Debugging
Xen DebuggingXen Debugging
Xen Debugging
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
Fosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using VirtualizationFosdem 18: Securing embedded Systems using Virtualization
Fosdem 18: Securing embedded Systems using Virtualization
 
Power Management from Linux Kernel to Android
Power Management from Linux Kernel to AndroidPower Management from Linux Kernel to Android
Power Management from Linux Kernel to Android
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
XPDDS17: Shared Virtual Memory Virtualization Implementation on Xen - Yi Liu,...
 
Browsing Linux Kernel Source
Browsing Linux Kernel SourceBrowsing Linux Kernel Source
Browsing Linux Kernel Source
 
Linux field-update-2015
Linux field-update-2015Linux field-update-2015
Linux field-update-2015
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 
Linux Kernel Image
Linux Kernel ImageLinux Kernel Image
Linux Kernel Image
 
Run Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using YoctoRun Qt on Linux embedded systems using Yocto
Run Qt on Linux embedded systems using Yocto
 

Similar to Safety-Certifying Open Source Software: The Case of the Xen Hypervisor

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
The Linux Foundation
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
Alert Logic
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
Ashley Zupkus
 
Veracode Integration Adapter - Datasheet
Veracode Integration Adapter - DatasheetVeracode Integration Adapter - Datasheet
Veracode Integration Adapter - Datasheet
Kovair
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
 
IoT and M2M Safety and Security
IoT and M2M Safety and Security 	IoT and M2M Safety and Security
IoT and M2M Safety and Security
Real-Time Innovations (RTI)
 
Building Secure IoT Solutions using Azure Sphere
Building Secure IoT Solutions using Azure SphereBuilding Secure IoT Solutions using Azure Sphere
Building Secure IoT Solutions using Azure Sphere
Chris Pietschmann (Microsoft MVP)
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
Avi Networks
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
Cybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfCybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdf
ICS
 
366864108 azure-security
366864108 azure-security366864108 azure-security
366864108 azure-security
ober64
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
Alert Logic
 
Simplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public CloudsSimplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public Clouds
5nine
 
Software Defined Substation Intelligence, Automation and Control
Software Defined Substation Intelligence, Automation and ControlSoftware Defined Substation Intelligence, Automation and Control
Software Defined Substation Intelligence, Automation and Control
Bastian Fischer
 
SLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure PlatformSLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure Platform
Yoshitake Kobayashi
 
Azure Sphere - GAB 2019
Azure Sphere - GAB 2019Azure Sphere - GAB 2019
Azure Sphere - GAB 2019
Mirco Vanini
 
DESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRY
DESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRYDESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRY
DESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRY
iQHub
 

Similar to Safety-Certifying Open Source Software: The Case of the Xen Hypervisor (20)

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
 
Veracode Integration Adapter - Datasheet
Veracode Integration Adapter - DatasheetVeracode Integration Adapter - Datasheet
Veracode Integration Adapter - Datasheet
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
 
IoT and M2M Safety and Security
IoT and M2M Safety and Security 	IoT and M2M Safety and Security
IoT and M2M Safety and Security
 
Building Secure IoT Solutions using Azure Sphere
Building Secure IoT Solutions using Azure SphereBuilding Secure IoT Solutions using Azure Sphere
Building Secure IoT Solutions using Azure Sphere
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
 
Cybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdfCybersecurity and Software Updates in Medical Devices.pdf
Cybersecurity and Software Updates in Medical Devices.pdf
 
366864108 azure-security
366864108 azure-security366864108 azure-security
366864108 azure-security
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Simplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public CloudsSimplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public Clouds
 
Software Defined Substation Intelligence, Automation and Control
Software Defined Substation Intelligence, Automation and ControlSoftware Defined Substation Intelligence, Automation and Control
Software Defined Substation Intelligence, Automation and Control
 
SLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure PlatformSLTS kernel and base-layer development in the Civil Infrastructure Platform
SLTS kernel and base-layer development in the Civil Infrastructure Platform
 
Azure Sphere - GAB 2019
Azure Sphere - GAB 2019Azure Sphere - GAB 2019
Azure Sphere - GAB 2019
 
DESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRY
DESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRYDESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRY
DESIGNS & IMPLEMENTATIONS TO OVERCOME CHALLENGES IN THE UTILITY INDUSTRY
 

More from Stefano Stabellini

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Stefano Stabellini
 
RunX ELCE 2020
RunX ELCE 2020RunX ELCE 2020
RunX ELCE 2020
Stefano Stabellini
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edge
Stefano Stabellini
 
System Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and LopperSystem Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and Lopper
Stefano Stabellini
 
Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020
Stefano Stabellini
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time System
Stefano Stabellini
 
Dom0less - Xen Developer Summit 2019
Dom0less  - Xen Developer Summit 2019Dom0less  - Xen Developer Summit 2019
Dom0less - Xen Developer Summit 2019
Stefano Stabellini
 
Xen Project for ARM Servers
Xen Project for ARM ServersXen Project for ARM Servers
Xen Project for ARM Servers
Stefano Stabellini
 
Xen and OpenStack
Xen and OpenStackXen and OpenStack
Xen and OpenStack
Stefano Stabellini
 
XDS15: Project Raisin
XDS15: Project RaisinXDS15: Project Raisin
XDS15: Project Raisin
Stefano Stabellini
 
OpenStack and Xen
OpenStack and XenOpenStack and Xen
OpenStack and Xen
Stefano Stabellini
 

More from Stefano Stabellini (11)

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
RunX ELCE 2020
RunX ELCE 2020RunX ELCE 2020
RunX ELCE 2020
 
RunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edgeRunX: deploy real-time OSes as containers at the edge
RunX: deploy real-time OSes as containers at the edge
 
System Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and LopperSystem Device Tree update: Bus Firewalls and Lopper
System Device Tree update: Bus Firewalls and Lopper
 
Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020Cache coloring Xen Summit 2020
Cache coloring Xen Summit 2020
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time System
 
Dom0less - Xen Developer Summit 2019
Dom0less  - Xen Developer Summit 2019Dom0less  - Xen Developer Summit 2019
Dom0less - Xen Developer Summit 2019
 
Xen Project for ARM Servers
Xen Project for ARM ServersXen Project for ARM Servers
Xen Project for ARM Servers
 
Xen and OpenStack
Xen and OpenStackXen and OpenStack
Xen and OpenStack
 
XDS15: Project Raisin
XDS15: Project RaisinXDS15: Project Raisin
XDS15: Project Raisin
 
OpenStack and Xen
OpenStack and XenOpenStack and Xen
OpenStack and Xen
 

Recently uploaded

Lecture 2 - software testing SE 412.pptx
Lecture 2 - software testing SE 412.pptxLecture 2 - software testing SE 412.pptx
Lecture 2 - software testing SE 412.pptx
TaghreedAltamimi
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
What next after learning python programming basics
What next after learning python programming basicsWhat next after learning python programming basics
What next after learning python programming basics
Rakesh Kumar R
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
Yara Milbes
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
Peter Muessig
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
Quickdice ERP
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
Alberto Brandolini
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
dakas1
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
VALiNTRY360
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 

Recently uploaded (20)

Lecture 2 - software testing SE 412.pptx
Lecture 2 - software testing SE 412.pptxLecture 2 - software testing SE 412.pptx
Lecture 2 - software testing SE 412.pptx
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
What next after learning python programming basics
What next after learning python programming basicsWhat next after learning python programming basics
What next after learning python programming basics
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 

Safety-Certifying Open Source Software: The Case of the Xen Hypervisor

  • 1. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety-Certifying OSS Software : The case of Xen • May 10th , 2023 • Stefano Stabellini & Senthil K Rajagopal
  • 2. [Public] Copyright (2023) Advanced Micro Devices, Inc. Functional safety definition • Safety critical embedded software applications are developed for systems whose failures contribute to hazards in the system for safety of life and environment. • A functionally safe or safety critical system has a safety function which maintains or transitions the system to safe state. Safety function can be implemented by combination of programmable electrical / electronic hardware and software. • Safety certifications (IEC 61508, ISO 26262 etc..) • Strict coding guidelines (MISRA C) • Strict verification & validation (Testing) requirements • Strict software process requirements
  • 3. [Public] Copyright (2023) Advanced Micro Devices, Inc. Functional safety definition “Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.” (IEC 61508) “Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems” (ISO 26262) “Safety is freedom from unacceptable risk” (ISO 14971) Safety is all about doing the job right with good engineering practices
  • 4. [Public] Copyright (2023) Advanced Micro Devices, Inc. Functional safety compliance • Functional safety standards provide engineering guidelines to achieve functional safety for programmable electrical / electronics hardware, software and the overall system. • Safety standards like IEC 61508 and ISO 26262 recommend V model-based development flow for hardware (ASIC / SoC/ FPGA) and software. • Safety standards also provide options to qualify pre-existing software by satisfying certain engineering requirements – Tailored software safety lifecycle by retroactive engineering. Copyright (2023) Advanced Micro Devices, Inc.
  • 5. [Public] Copyright (2023) Advanced Micro Devices, Inc. Functional safety compliance – V model for newly developed software Specification of software safety requirements Software architectural design Software unit design and implementation Software unit verification Software integration and verification Testing of the embedded software Technical safety concept System and item integration and testing Software verification Software testing Unit verification System and item verification V model-based safety software development flow to develop software from the scratch The following is the software development flow (V model) for safety related applications according to ISO 26262:
  • 6. [Public] Copyright (2023) Advanced Micro Devices, Inc. Functional safety compliance for Pre-existing software • Safety standards also provide options to qualify pre-existing software by satisfying certain engineering requirements – Tailored software safety lifecycle by retroactive engineering. IEC 61508-3, 7.4.2.12 Route 3s ISO 26262-8, Clause 12
  • 7. [Public] Copyright (2023) Advanced Micro Devices, Inc. Embedded Hypervisor – Xen • Xen is the AMD Open-Source reference hypervisor for embedded and automotive • Both ARM and AMD x86 • AMD has an in-house engineering team to develop, enhance, and support Xen for embedded and automotive • Xen is delivered to customers today as reference and is supported by Forum, Premium Technical support, and engineering • We have many customers using Xen on ARM in production which require hard-real time isolation between VMs (Xen cache coloring) Copyright (2023) Advanced Micro Devices, Inc.
  • 8. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen : Open-source community Contributions to Xen by Company • Xen Project is an Open-Source project under the Linux Foundation • Well known and widely used in the industry​ • Extremely strong review process and security process​ • AMD x86 and ARM architectures already fully supported • Xen is widely used in datacenter, cloud, client devices and more • The Xen Open-Source Community is a diverse multi- vendor community​ • Maintainers from Amazon, ARM, Citrix, AMD, SuSE, and more​ • Independent panel of experts with 15+ years of experience • AMD has a team working closely with the upstream project • Healthy long-term maintenance of the project Copyright (2023) Advanced Micro Devices, Inc.
  • 9. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen: Open-Source Community 9 Several security-focused projects and products based on Xen, including QUBES OS Copyright (2023) Advanced Micro Devices, Inc.
  • 10. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen Hypervisor Rigorous Quality Process • Xen has an extremely strong quality and validation process already in place • Rigorous review process famous industry-wide • Sometimes it is "too hard" to get patches accepted in Xen due to the strict review process • Strong security process to handle security vulnerabilities with responsible disclosure • Xen Security Process is best-in-class; OpenStack and other projects' security processes based on Xen’s • Security and isolation are top priority of the project • Traceability of commits: all communication done in public on xen-devel, with archives going back 20+ years • Every commit is tested on a variety of hardware by 2 CI-loops before reaching the “master” branch • Xen is already widely deployed in critical production environments • Datacenter & Cloud: Amazon AWS, Rackspace, Citrix XenServer, Vates (multi-tenancy, AMD x86) • Desktop: QubesOS, OpenXT (AMD x86 highly secure environments; mitigate common cause failures) • Embedded: Xilinx Petalinux (ARM hard real-time isolation with cache coloring) Copyright (2023) Advanced Micro Devices, Inc.
  • 11. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety certifying Xen Hypervisor • AMD is working on making Xen safety-certifiable for AMD platforms (ARM & AMD x86 ) • IEC 61508 SIL 3 (Systematic Capability 3 ) & ISO 26262 ASIL D • Certification based on Xen upstream community processes and upstream codebase • Not working with a private fork • Ability to update the certification with limited efforts for newer Xen releases • Certification docs & artifacts available for AMD customers • Xen upstream community alignment with safety certifications requirements • MISRA C • Public interfaces documentation • Gitlab-CI testing Copyright (2023) Advanced Micro Devices, Inc.
  • 12. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety certification scope of Xen Hypervisor • Scope: IEC 61508 SIL 3 & ISO 26262 ASIL D • Safety certifications for both Xen on ARM and AMD x86 • Stable AMD x86 hardware and ARM hardware platforms • Core components in Xen • x86: AMD-v, AMD-Vi, HPET, vPCI • ARM: SMMUv3, Arch Timer, Hypervisor Extensions, vPCI • Xen enabling components for VM-to-VM communication and PV Drivers • grant table (memory sharing) • event channels (notifications) • No OS/hypervisor dependencies • Dom0less/Hyperlaunch for both ARM and x86 • Domain creation done by Xen at boot based on provided configuration • Dom0 is not required; Out of Scope. HW HW partition HW partition Xen Safe OS QM Linux access access
  • 13. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen hypervisor as a pre-existing software component shall take the following routes for the safety certification: Xen Hypervisor safety certification route Established Open Source Development Process Established Security Practices Tailored software safety lifecycle IEC 61508-3, 7.4.2.12 Route 3s– Assessment of non-compliant development ISO 26262-8, Clause 12 – Qualification of software components Organizational Supporting Processes Independent Functional safety assessment Xen Hypervisor Safety case Certified IEC 61508 SC 3 (Element level SIL 3) ISO 26262 ASIL D Xen Safe Hypervisor
  • 14. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen Hypervisor safety certification plan Xen Hypervisor software safety certification ISO 26262:2018, Element level ASIL D IEC 61508, Edition 2 Systematic Capability 3 (SIL 3) Phase I Safety Concept Review Phase II Final Assessment
  • 15. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen Hypervisor safety certification plan Phase I Safety Concept Approval Safety concept review Assessment of functional safety management • Software safety requirements • Software architecture specification • Verification & validation plan (high level) • Software verification plan • Software validation plan • Software tools classification • Safety assessment plan • Safety plan • Software requirements management plan • Project management plan • Document management system • Software development process • Continuous quality improvement strategy • Software configuration management plan • Software change management plan • Competence management plan • Organizational safety culture tracking sheet • Product security compliance
  • 16. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety analysis Software tools qualification • Software FMEA report Phase II Final Assessment • Software tools qualification reports Implementation / Coding • MISRA C (based) Coding guidelines • Coding guidelines conformance report • Code review evidence Software verification • Software Verification specification • Software Verification report Software validation • Software validation specification • Software validation report • Traceability reports User guide & safety manuals • General software user guide • Software safety manual for IEC 61508 & ISO 26262 Safety case • Safety case Xen Hypervisor safety certification plan
  • 17. [Public] Copyright (2023) Advanced Micro Devices, Inc. Software safety engineering work products & evidence S.No Work Products & Evidence Purpose 1 Software Safety Requirements (SSR) List of all functional requirements of the software 2 Software Architecture Specification (SAS) Document describes all the interfaces and design corresponding to the functional requirements 3 Coding: • MISRA C Coding guidelines • MISRA C Coding guidelines conformance matrix / code review report Implementing (new features) and / or refactoring the code to meet good coding practices such as MISRA C. 4 Software Verification : • Software Verification Plan (Test Plan) • Software Test Specification • Software Test Report To ensure all the developed software modules function correctly with their dependencies as per the specification. The test scope shall cover testing of all the interfaces, dynamic (e.g. code coverage), static testing (e.g. control / data flow) , performance test, regression test, hardware test & fault injection test. 5 Software Validation : • Software Validation Plan (Test Plan) • Software Validation Test Specification • Software Validation Test Report • Traceability Reports To ensure the developed software meets its original requirements and intended usage. The test scope shall cover requirements test and testing the assumptions of usage. Report also shall be generated to show the traceability between requirements and the test results. 6 Tools Analysis : Software Tools Classification & Qualification Report To ensure tools used in development such as compiler and other testing tool do not introduce any faults (bugs) in the target software, software tools are analyzed, classified and qualified (if required) for the usage. 7 Software Failure Analysis : Software Failure Mode Analysis (Software FMEA) Report with Mitigations To ensure no additional hidden silent failures in the software, possible failures are identified, and mitigations are implemented or proposed. 8 Process Control: Plan documents for document / change/ configuration control and project management To ensure quality software is developed using standard software engineering metric. 9 Safety Management: Safety plan, Training plan, safety manual and safety case documents To meet the requirements of safety standards, assessment authority and customers.
  • 18. [Public] Copyright (2023) Advanced Micro Devices, Inc. Software safety engineering work estimate • Pre-existing software (open-source and in- house) which has good development process in place can be taken for safety certification. • There will approximately be 65 % of effort in verification & validation tests and safety analysis. • There will approximately be 35 % of effort in documentation. • Experience says pre-existing software with approximately 50K LoC can be made for safety compliance in 24 to 30 months time frame. More tests and quality documentation are good for any software project. 65% 35% ENGINEERING EFFORT Testing Documentation Copyright (2023) Advanced Micro Devices, Inc.
  • 19. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen Hypervisor safety certification deliverables S.No Deliverables Phase 1 Xen safety concept report Completion of safety concept review phase 2 Xen safety certificate Completion of final assessment 3 Report to the certificate with high details and results Completion of final assessment 4 Technical report Completion of final assessment Assessment Deliverables Customer Package by AMD Copyright (2023) Advanced Micro Devices, Inc.
  • 20. [Public] Copyright (2023) Advanced Micro Devices, Inc. Xen Hypervisor safety certification - Periodic audits • Assessment body may conduct re-audit after the certification of the software product as per the requirements of the assessment body • The frequency of the audit shall be negotiated – E.g. once in 12-24 months • Impact analysis shall be performed in case of any product updates • Impact analysis shall be performed by the engineering team and shall be reviewed by the safety manager and assessor • Based on the output of the impact analysis, the need and scope of reassessment will be decided
  • 21. [Public] Copyright (2023) Advanced Micro Devices, Inc. The Xen path to safety: Impact on the Xen Community • Xen entering environments where safety is a requirement • Proof that Xen is safety-certifiable paves the way for others in the community to safety-certify Xen • Concrete positive impact to the Xen Open Source project: • More robust coding guidelines with MISRA C • Better documentation • Much more testing Copyright (2023) Advanced Micro Devices, Inc.
  • 22. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety/Community Alignment: MISRA C • MISRA C: coding guidelines for safe and secure C programming • The goal is to improve the codebase -- MISRA C compliance is never at the expense of quality • MISRA C adoption in OSS needs to be for the benefit for the Open Source project and its community • Involve the community in evaluating MISRA C guidelines • Select the rules that make sense for your project • Adopt the rules as part of your project’s coding style • Use MISRA C code checkers to automatically scan new patches for MISRA C violations • Make code reviews easier • Helps contributors write better code Copyright (2023) Advanced Micro Devices, Inc.
  • 23. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety/Community Alignment: MISRA C 23 • MISRA C Tailoring completed: ~140 rules considered relevant for Xen​ • MISRA C Rules adoption in progress ~38/140 rules ​ • Xen is already following many MISRA C rules, just not officially​ → Add Xen Rules we already follow to CODING_STYLE​ • Evaluate the remaining​ MISRA C rules for adoption • Deviations are sometimes required • Alternative strategies to address the underlying issues identified by MISRA C are sometimes possible • MISRA C Deviation strategy • Deviations are intentional and documented exceptions to the rule​ • Tag deviations with in-code comments so that MISRA C scanners will “ignore” them​ • Document the reason for the deviation appropriately in documenting-violations.rst • A tool is provided to convert the Xen deviation tag into the tool-specific tag • we can support multiple tools with a single tag Xen code with Xen tag Xen code with cppcheck tag /* SAF-1-safe R8.6 linker defined symbols */ extern char _start[], _end[], start[]; Copyright (2023) Advanced Micro Devices, Inc.
  • 24. [Public] Copyright (2023) Advanced Micro Devices, Inc. ▪ MISRA C checkers are fundamental for spotting violations in new contributions ▪ MISRA C checkers integration with Xen Project Gitlab CI/CD in-progress Safety/Community Alignment: MISRA C
  • 25. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety/Community Alignment: Documentation • Safety requires detailed documentation of interfaces, architectures, and expected behaviors • Helps OSS users adopting the software • Helps contributors find their ways around codebase • Helps maintainers keep supported interfaces stable • Dcumentation of Xen public interfaces in progress • Hypercalls • Boot configurations • Virtual hardware • Physical hardware • Documentation of key interfaces already exists but might need improvement • Use Doxygen / RST and keep the document under GIT revision next to the code • Easier to maintain • Easier to keep in sync with the code • Use the same contribution and maintenance model as the Xen codebase • Maintainers to require documentation updates when a Xen interface changes Copyright (2023) Advanced Micro Devices, Inc.
  • 26. [Public] Copyright (2023) Advanced Micro Devices, Inc. Safety/Community Alignment: Testing • Safety requires all features and interfaces to be tested • Testing directly improve the quality and reliability of OSS releases • Better testing leads to fewer bugs • Enhance and Extend the existing Gitlab CI/CD infrastructure with more tests • 118 Gitlab tests including build tests and runtime tests • Of the runtime tests 5 tests are running on real hardware, ARM & x86 • The remaining runtime tests are running on QEMU as emulating environment • Community member can contribute both tests and also gitlab-runners to run real hardware tests • To help the community • To verify that Xen keeps running on their platforms of choice • Require tests updates when interfaces change • Proposal: require addition of new Gitlab-CI tests for any new Xen feature? Copyright (2023) Advanced Micro Devices, Inc.
  • 27. [Public] Copyright (2023) Advanced Micro Devices, Inc. Conclusions • Safety certifiability of upstream Open Source software is possible -- Xen has an example • It greatly helps if the upstream project has good quality processes already in place • The Open Source community needs to get behind Safety as a goal for the project • It is key to get community buy-in • Safety is not about paperwork but actual safety of the codebase • Codebase improvements, protecting against common errors • Far better testing • Clear and comprehensive documentation Copyright (2023) Advanced Micro Devices, Inc.
  • 29. [Public] Copyright (2023) Advanced Micro Devices, Inc.