WEBVTT

00:00.000 --> 00:07.000
Okay, that looks green.

00:07.000 --> 00:10.000
Thanks a lot for the kind introduction.

00:10.000 --> 00:12.000
That's actually good to know.

00:12.000 --> 00:14.000
I didn't know that you were involved in all of this.

00:14.000 --> 00:17.000
Yes, this is basically part of the story where this all comes from.

00:17.000 --> 00:21.000
My name is Markus Hainel, and as you can see, I'm with CanConcept.

00:21.000 --> 00:23.000
I was fighting a bit with myself.

00:23.000 --> 00:27.000
What I'm going to talk here about because people said,

00:27.000 --> 00:31.000
I'm so sorry we haven't heard so long about it and make a talk.

00:31.000 --> 00:32.000
Tell us what's new.

00:32.000 --> 00:34.000
And there's a lot of new things.

00:34.000 --> 00:38.000
But still, since I can't tell everything, because I don't know everything.

00:38.000 --> 00:41.000
I tried to limit myself to the stuff I work on a daily basis.

00:41.000 --> 00:44.000
And part of that is the safety and security.

00:44.000 --> 00:48.000
And I'm trying to touch on some other points that are new in L.F.R.E.land as well.

00:48.000 --> 00:49.000
That was new.

00:49.000 --> 00:52.000
There have been a lot of new developments since then.

00:52.000 --> 00:56.000
I'm trying to pick some that might be of interest to everyone.

00:56.000 --> 00:59.000
So we have now a risk drive support in L.F.R.E.

00:59.000 --> 01:03.000
I think that was released last year or the year before,

01:03.000 --> 01:05.000
including the hypervisor extensions.

01:05.000 --> 01:09.000
There is also now, I think, Adam, there's hardware, right?

01:09.000 --> 01:12.000
Recently, so finally you can also use it.

01:12.000 --> 01:16.000
We've had it before, but only with the emulation stuff.

01:16.000 --> 01:18.000
But now you can also use it.

01:18.000 --> 01:23.000
We have the micro hypervisor, which actually is bringing this whole thing that you know as L.F.R.E.

01:23.000 --> 01:27.000
as the micro kernel, with all of the abstractions, with all of the features.

01:27.000 --> 01:29.000
To the cortex R world.

01:29.000 --> 01:31.000
So it's not the cortex M's.

01:31.000 --> 01:35.000
It just talked about, but the cortex R is basically the same problem.

01:35.000 --> 01:37.000
They don't have an MMU.

01:37.000 --> 01:41.000
They have an MPU and reported this to the system.

01:41.000 --> 01:46.000
We did quite a lot of work on extending the variety of support in our system.

01:46.000 --> 01:51.000
So UVM M is our virtual machine monitor, and we have a lot of work going into this.

01:51.000 --> 01:58.000
This is one of the main things that is a selling point for a micro kernel based hypervisor and operating system.

01:58.000 --> 02:01.000
That you have these abstract interfaces that you can tell your users.

02:01.000 --> 02:03.000
Well, it doesn't matter what your hardware is.

02:03.000 --> 02:07.000
You have your system developed against the virtual interface, and everything's nice.

02:07.000 --> 02:13.000
Which is the hardware vendor that all stays the same for you, wherever that's possible.

02:13.000 --> 02:19.000
So one of the things we recently internally demoed is that we have a virtual GPU demo running,

02:19.000 --> 02:22.000
where you have two instances.

02:22.000 --> 02:28.000
For example, Android and Linux running in parallel and sharing the GPU, which is really nice demo.

02:28.000 --> 02:33.000
When you can see a theory showing an Android and Linux and one of them runs Angry Birds,

02:33.000 --> 02:35.000
which is always the demo you do.

02:35.000 --> 02:40.000
The other news is that we are on quite a few new system platforms.

02:40.000 --> 02:43.000
It doesn't really matter to name them.

02:43.000 --> 02:49.000
There's an IMX95. There's the ARCURS from Renezas. There's the NXP hardware.

02:49.000 --> 02:52.000
All of this kind of ties into this automotive story, right?

02:52.000 --> 02:56.000
Because that's one of our major customers as a company.

02:56.000 --> 03:04.000
But for our E, it's also since last year, or even three years ago, we run on ARM system ready platforms.

03:04.000 --> 03:10.000
So if you have something like a graviton, if you have an ARM Neoverse, like an Adlink system,

03:10.000 --> 03:15.000
you can just boot it and it runs. It's an ARM 64-UFU platform, and we have support for this now.

03:15.000 --> 03:18.000
Which is pretty amazing, I think.

03:18.000 --> 03:28.000
When it comes to the other part, it's all about how can we make others believe us that our system is safe and secure, right?

03:28.000 --> 03:35.000
It's not just about building a safe and secure system in security certified systems for a long time.

03:35.000 --> 03:43.000
The first product that was actually certified by a customer of ours with L-4E was certified for Schlüssel.

03:43.000 --> 03:51.000
Not more for the Indians, so it's the lowest ranking in German confidentiality in 2013.

03:51.000 --> 03:55.000
So we worked with a customer to get this system certified.

03:55.000 --> 04:01.000
This continued in 2017 with having a geheim, this is the second level.

04:01.000 --> 04:05.000
So it's kind of like secret, but you're not allowed to translate it. It's geheim.

04:05.000 --> 04:11.000
So we got this certification in 2017, or better a customer product that is.

04:11.000 --> 04:19.000
The story was always about this, you get a certification for an appliance, so you build a box, you put it somewhere, and this gets a certification.

04:19.000 --> 04:23.000
And if you build a new box, you need a new certification.

04:23.000 --> 04:35.000
Since we had a lot of cases in queries into getting this done in 2024, we finalized something that our namely that we got operating system on its own.

04:35.000 --> 04:39.000
Accredited to be to be geheim certified.

04:39.000 --> 04:43.000
Oh, it's called geheim accredited.

04:43.000 --> 04:51.000
And this means that it's the only operating system out there, and it's open source that you can actually use in a geheim context for the German government, for example.

04:51.000 --> 04:57.000
The other thing is that last year we got these two certifications.

04:57.000 --> 04:59.000
The night thing is with the ASL certification.

04:59.000 --> 05:07.000
This is the automotive safety certification, so it's called ASLB, because it's an intermediate certification which makes sense for the types of systems.

05:07.000 --> 05:10.000
This is to be used on.

05:10.000 --> 05:17.000
You kind of get a little two certification for free, which is the industrial safety certification.

05:18.000 --> 05:21.000
And as I said, the EL for plastic certification is imminent.

05:21.000 --> 05:28.000
We're still waiting for the final, okay, but all the documents have been handed in and barring any further requests.

05:28.000 --> 05:31.000
We should get it soon.

05:31.000 --> 05:37.000
So now this is kind of my, have been my day-to-day business in the last five years.

05:37.000 --> 05:44.000
And then they go ahead and tell you, you need to test this, and you tell them, but it's unreachable on this platform.

05:44.000 --> 05:53.000
This is really hard to get into the mindset of the people that you have generic software that has actually generic code that sometimes doesn't matter on a specific platform.

05:53.000 --> 06:12.000
And we did all of this, we certified this together with ElectroBit who did a huge sponsoring job on this and worked together with us as a safety element out of context, which means you can use FRIE, which from our component point of view is the kernel itself and the root picture.

06:12.000 --> 06:18.000
You can use them in a safety context, and then you can build your system on top of it.

06:18.000 --> 06:21.000
Let's do it like that.

06:21.000 --> 06:27.000
And the nice thing is that all of this flew back into the open socials.

06:27.000 --> 06:33.000
So we did a lot of processes looking into interfaces, or they were defined to they have unexpected behavior.

06:33.000 --> 06:40.000
Not necessarily bugs, but stuff where the developer might imagine that something behaves differently than it does in reality.

06:40.000 --> 06:44.000
And actually we found a few of those instances where you said, yeah, it's not a bug.

06:44.000 --> 06:49.000
It doesn't break security, it doesn't break safety, but it's not obvious.

06:49.000 --> 06:58.000
And if you don't know about this, you might actually write an application that in the end makes wrong assumptions about the system behavior, and that's cannot be safely used.

06:58.000 --> 07:02.000
So these are things that really disproved forward, right?

07:02.000 --> 07:08.000
It's a lot of documents, it's a lot of paper, but you also gain a lot from it.

07:08.000 --> 07:13.000
Besides all of these document stuff, you have also this nice topic.

07:13.000 --> 07:16.000
Static analyzes and compiler warnings.

07:16.000 --> 07:22.000
So there are a few standards, and actually the ISO standard doesn't prescribe what you have to do.

07:22.000 --> 07:31.000
You need to have some zane rulework of static analyzes and of checkers that you employ to make sure that this is all zane.

07:31.000 --> 07:35.000
The standard way to do is to use a standard rule set.

07:35.000 --> 07:46.000
Back when we started the project, the industry standard rules, that's where things like MISRAC++208 or the Autosaw rules.

07:46.000 --> 07:53.000
They have a large set of rules, and a lot of them don't make a lot of sense for an operating system.

07:53.000 --> 08:00.000
It's really hard because they tell you things to not do, which from a user length perspective is totally zane.

08:00.000 --> 08:08.000
You shouldn't do the zane and change the cost of changing a rule would be higher than keeping the code as it is.

08:08.000 --> 08:14.000
For example, when somebody tells you to change all of your types in your code and all of the comparisons or whatever,

08:14.000 --> 08:22.000
the risk that you introduce errors is just so much user than the gain that you get from this that you would usually not do this.

08:22.000 --> 08:26.000
So you would follow an approach where you say, okay, for new code, we try to adhere to this.

08:26.000 --> 08:33.000
For existing code, we keep it as the certification agencies usually accept this if it's very recent, right?

08:33.000 --> 08:45.000
Because we tried for some of the MISRA rules to implement them, and if you just go through it and do a lengthed like a second replace of stuff that MISRA thinks it's not okay, you will introduce bugs.

08:45.000 --> 08:48.000
We had cases like this.

08:48.000 --> 08:55.000
We have all of this warning free. I think for most of us those projects or for many of them, this actually comes as a given right.

08:55.000 --> 08:59.000
Usually people don't write code that has warnings. Neither do we.

08:59.000 --> 09:02.000
We enable all of these standard warnings and a bit more.

09:02.000 --> 09:08.000
Some of these are actually also basically just showing stuff that MISRA implement, right?

09:08.000 --> 09:12.000
Things that the compiler can check easily.

09:13.000 --> 09:17.000
Nice anecdotes about static analyzers can be found a lot.

09:17.000 --> 09:26.000
Because there are a large number of solutions on the market and they are usually quite good for the demo cases.

09:26.000 --> 09:31.000
The thing is that many of those are tailored towards small embedded projects, right?

09:31.000 --> 09:37.000
Where you have 20 C files and compile them together into one single binary and then you have this and that's it.

09:37.000 --> 09:41.000
And it gets challenging when you want to check a whole operating system.

09:41.000 --> 09:48.000
You have libraries that are shared between components where you have to justify arrows in the checker and need to tell this is wrong.

09:48.000 --> 09:54.000
And now you need to tell it for every program that uses this library because the tool actually doesn't support you with this.

09:54.000 --> 09:55.000
There's a lot of this stuff.

09:55.000 --> 10:04.000
We had a lot of cases where we actually found in testing on other cases things where we thought this should have been found by a static analyzer.

10:04.000 --> 10:06.000
A null pointer check that was missing.

10:06.000 --> 10:10.000
And the static analyzer could have told us and it actually didn't turn out anything right.

10:10.000 --> 10:17.000
So our experience is static analyzers can be useful to find issues and we did find a few.

10:17.000 --> 10:22.000
If we compare this to the incredible amount of white list entries we had to do.

10:22.000 --> 10:28.000
Where we had to tell the analyzer know this is actually correct code, this is fine.

10:28.000 --> 10:36.000
The effort would have been better spent in more testing or reviewing the code but that's the way it is.

10:36.000 --> 10:47.000
There are also rules that are that are really hard to implement in general that don't make a lot of sense and sometimes the static analyzer actually don't implement them correctly.

10:47.000 --> 10:55.000
So we just got to sometimes as a statement yes it's broken with quality managed and safety applications next to each other.

10:55.000 --> 11:00.000
And for the safety components you needed a lot more.

11:00.000 --> 11:08.000
So we also needed to specify requirements so it's not enough to say you have these interfaces and the code implements the interfaces.

11:08.000 --> 11:19.000
You need to be traceable what part of the code implements what part of your system for what reason and especially this what reason is reflected into the requirements.

11:19.000 --> 11:32.000
So you have things like I need to be able to share memory between applications or to to so high level requirements I need to be able to communicate between applications.

11:32.000 --> 11:43.000
So you break that down and you need an IPC gate and our system design and then you break that down you need to be able to bind to the IPC gate you need to be able to call it and so on and then you break that down again.

11:43.000 --> 11:55.000
So this is quite a lot the high level stuff was about a hundred requirements the lower level ones 525 all of this is linked to the source code all of it is linked to tests so each requirement needs a test.

11:55.000 --> 12:12.000
And as you can see in the last bullet point we wrote about a hundred tests so this is really the code 100 code blocks that are test we used to get as a framework and this this boils down to about 7000 test instances that we run every time we change anything in the system to make sure that it still works.

12:13.000 --> 12:24.000
It's about a hundred thirty thousand lines of test code and total about half of these tests are kernel unit tests so they they really need to test the kernel internally.

12:24.000 --> 12:33.000
The reason for this basically comes up on the next slide and this is kind of a hard requirement we always try it if we kind of avoid it we can't.

12:33.000 --> 12:39.000
Turns out on you need coverage and while the ISO standard doesn't say you need a hundred percent coverage.

12:39.000 --> 12:47.000
The third of fire says well if you don't have a hundred you need to go with a good reason by the remaining part it's not violating user safety guarantees and.

12:47.000 --> 12:58.000
This basically means you need a hundred plus white lists and white lists need to be very spare you sparsely used because otherwise people won't believe you that this is really really safe.

12:58.000 --> 13:08.000
So all of these tests and all of these requirements were done to get the kernel to a hundred percent code coverage on the platform that was the target for the customers this was the.

13:08.000 --> 13:18.000
S32G in this case and we actually got it done and there's a lot interesting anecdotes to be told about this as well coverage is hard.

13:18.000 --> 13:31.000
We try to use open we have us on very smart people in the company that that actually made use of this so you can extract all of this information in the binary and you can then get information such as that this part.

13:31.000 --> 13:42.000
Yes, it's in the coverage report and GCC would have also given you this but LVM also tells you that this is no longer in the final binary and this makes it believable that we don't need to cover it.

13:42.000 --> 14:00.000
It's also extended the tooling and the HTML generation with all on white listing because that's the thing I mentioned before right you need to rationalize everything that you don't cover so for example if we have this generic iq manager implementation and we say okay on this platform you always have.

14:00.000 --> 14:12.000
And and iq chip right then then it doesn't make sense to have this check so we wait the right list entry in total that was 314 white list entries which which I think for for a total of.

14:12.000 --> 14:28.000
13,000 lines of code it's quite it's quite okay right it's blocks it could be large blocks but it usually isn't right it's usually three lines four lines five lines and we needed to optimize the code for the generation for this.

14:29.000 --> 14:43.000
The nice thing is that our customer actually uses this so we had now have a safe hypervisor and they use this to make Linux safe because my argument would be if you don't need to do this for all for this for Linux.

14:43.000 --> 14:51.000
You might get it done if you throw enough people at it but unless you get the Linux developers to follow a process that keeps this in zoom.

14:51.000 --> 14:59.000
You will be lost it moves too fast you cannot follow up with all of these artifacts you need some other way to ensure the safety of a Linux application.

14:59.000 --> 15:05.000
And our customers or electro bit actually uses this to build something called safe Linux.

15:05.000 --> 15:20.000
Or eb corpus linux for safety it's called they basically use the hypervisor that safety certified and our virtual machine monitor and introspect the Linux to make sure that if there's any safety violation in a Linux safety application happening.

15:20.000 --> 15:35.000
That you can trigger a handler that can actually handle this problem and for SLB that's actually enough so you get all of the benefits of having having safety into Linux by just certifying the hypervisor which is a nice thing.

15:35.000 --> 15:42.000
And in principle all of this anyone could do using just the system that's out there on GitHub.

15:43.000 --> 15:52.000
Okay I'm nearly over time already so the micro hypervisor thing I have to left I promise to tell a bit about this.

15:53.000 --> 16:02.000
It's basically the thing Edward said we reported this to the Cortex R platform basically means no MMUs we use MPUs to protect applications we have.

16:02.000 --> 16:09.000
We remove some because these platforms are very stringent memory requirements so we did a lot of work in optimizing this whole system.

16:09.000 --> 16:22.000
And all of this makes this makes this very flexible so let's give this you can good slide later on what's under horizon usability is one of the main topics we now have native FRE cross tool chains they have been.

16:22.000 --> 16:34.000
They are being worked on and will be published soon which means you can just have a cross compiler that just like you would call F the gcc minus min gv you can have an FRE.

16:34.000 --> 16:41.000
And we have a rast cross compiler that's out now we have adequate support under horizon etc.

16:41.000 --> 16:48.000
The challenges are keeping the certification alive and even though we have contributors that are not interested in safety.

16:48.000 --> 16:59.000
And if anybody has good ideas how this can be done we are currently working on our own internal processes but we would value any feedback from the community that might want to contribute to a system how they see this.

16:59.000 --> 17:10.000
We obviously want developers to write requirements and documentation and test to the last degree for every aspect they contribute.

17:10.000 --> 17:12.000
And that's it for now. Sorry.

17:12.000 --> 17:14.000
Thank you.