Linux Can Finally Run Your Car's Safety Systems and Driver-Assistance Features (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: There's a new Linux distro on the scene today, and it's a bit specialized. Its development was led by the automotive electronics supplier Elektrobit, and it's the first open source OS that complies with the automotive industry's functional safety requirements. [...] With Elektrobit's EB corbos Linux for Safety Applications (that sure is a long name), there's an open source Linux distro that finally fits the bill, having just been given the thumbs up by the German organization TUV Nord. (It also complies with the IEC 61508 standard for safety applications.) "The beauty of our concept is that you don't even need to safety-qualify Linux itself," said Moritz Neukirchner, a senior director at Elektrobit overseeing SDVs. Instead, an external safety monitor runs in a hypervisor, intercepting and validating kernel actions.
"When you look at how safety is typically being done, look at communication -- you don't safety-certify the communication specs or Ethernet stack, but you do a checker library on top, and you have a hardware anchor for checking down below, and you insure it end to end but take everything in between out of the certification path. And we have now created a concept that allows us to do exactly that for an operating system," Neukirchner told me. "So in the end, since we take Linux out of the certification path and make it usable in a safety-related context, we don't have any problems in keeping up to speed with the developer community," he explained. "Because if you start it off and say, 'Well, we're going to do Linux as a one-shot for safety,' you're going to have the next five patches and you're off [schedule] again, especially with the security regulation that's now getting toward effect now, starting in July with the UNECE R155 that requires continuous cybersecurity management vulnerability scanning for all software that ends up in the vehicle."
"In the end, we see roughly 4,000 kernel security patches within eight years for Linux. And this is the kind of challenge that you're being put up to if you want to participate in that speed of innovation of an open source community as rich as that of Linux and now want to combine this with safety-related applications," Neukirchner said. Elektrobit developed EB corbos Linux for Safety Applications together with Canonical, and together they will share the maintenance of keeping it compliant with safety requirements over time.
Finally! (Score:5, Funny)
Re: (Score:3)
Now my car can run Emacs. :-)
And I know this is a Linux milestone, but I wouldn't be surprised if NetBSD ran on cars like 20 years ago, right after being ported to a toaster (Google it) -- the bread kind, not Cylon, though that wouldn't surprise me either.
Re: (Score:3)
Q: Why did the Linux car not run? (Score:1, Funny)
Q: Why did the Linux car not run?
A: There were no drivers for it.
Microsoft car. (Score:1)
Q: Why did the die hard Linux user overheat in the Microsoft car?
A: He didn't know how to open Windows.
Re: (Score:2)
I'm waiting until my car runs in Emacs. =)
What if it Freezes? (Score:2)
How can the hypervisor ensure that the services maintained by the Linux subsystem continue if the Linux subsystem freezes or halts?
VxWorks (Score:3)
I'd imagine it works the same way VxWorks does, which is what most car companies use (along with, sometimes, QNX).
Re: (Score:3)
I've run more than 50 Linux machines in my life, and guess what: the "stable" non-experimental distros practically never freeze unless there is a hardware issue. This just doesn't happen.
Just make sure you are running a stable kernel and stable software, and Linux is more stable than a ton of rock.
Re: (Score:2)
There is one thing which will stop Linux in its tracks. NFS issues. A glitch with NFS, even if a server is mounted with an interruptible hard mount or (ugh) a soft mount can cause a kernel to completely hang and require a hard power cycle.
I think it is interesting, using the hypervisor as a watchdog timer. This is a useful idea in a lot more applications. For example, ATMs, digital signage, or other items which should just run without interruption.
Re: (Score:1)
If this is really such a big issue (which I doubt), just don't use NFS on embedded critical systems. Problem solved.
Re: (Score:1)
If this were SunOS networking via LanMan I could see this, but NFS? Who uses NFS in 2024? OK, who outside of BSD users does that in 2024?
Both my previous employers, one a large government-run nuclear physics laboratory and the other a big-10 university. What are the options other than NFS?
Re: (Score:2)
You would be surprised. Many VMware shops use NFS as a backing store protocol because a good NAS can get near parity with an iSCSI or fiber channel deployment, and an NFS server can have multiple controllers for redundancy. Using link aggregation, if a NIC drops or a switch drops, it won't affect disk I/O. Plus, because NFS relies on the server's filesystem, having something like ZFS on the backend goes far with data integrity.
There are also issues with SMB/CIFS. I know that in some environments (especia
Re: (Score:2)
There is one thing which will stop Linux in its tracks. NFS issues. A glitch with NFS, even if a server is mounted with an interruptible hard mount or (ugh) a soft mount can cause a kernel to completely hang and require a hard power cycle.
Two decades ago NFS shared a workqueue with some essential kernel subsystems such as keyboard input and NFS getting stuck could indeed render a machine inoperable. NFS now has its own workqueues and that can't happen. So you are indulging in a bit of twenty years out of date muckraking.
Freeze, halt, or crash? (Score:2)
Freeze: Okay, except your air conditioning turns on full blast.
Halt: Possibly okay, if there's nobody behind you and you can handle the g-forces of going from 60 to 0 in 1ms.
Crash: File an insurance claim.
Re: (Score:2)
Re: (Score:3)
How can the hypervisor ensure that the services maintained by the Linux subsystem continue if the Linux subsystem freezes or halts?
By NOT running a GUI (or games for that matter) on top of that Auto-Linux you avoid many risk points that can cause the system to freeze.
I have numerous headless (no GUI, no display) systems running 24x7 for years on end and they have never once frozen up. All of them run easily downloadable and widely available free Linux distributions.
My secret is this: run the absolute minimum server daemons & applications that you need, AND, lock off that system from the external world as such as possible (unless
Re: (Score:2)
I had a hard frozen sshd two days ago on a Linux VM, but I think my hoster may have screwed up there and sabotaged the filesystem doing a backup (which I did not tell them to do and which I am not paying for). Apache was still up on the box though. Fixed by reboot. Other than that, the last freeze I had on anything Linux was when I told the kernel a wrong memory size on the kernel commandline about 10 years ago.
Re: (Score:2)
I had a hard frozen sshd two days ago on a Linux VM, but I think my hoster may have screwed up there and sabotaged the filesystem doing a backup (which I did not tell them to do and which I am not paying for). Apache was still up on the box though. Fixed by reboot. Other than that, the last freeze I had on anything Linux was when I told the kernel a wrong memory size on the kernel commandline about 10 years ago.
That is a very good track record ... compared to anything Windoze.
I will echo what you posted by saying the greatest risk to most Linux systems are users and SysAdmins. I have personal experience with that last one having once borked one of my own systems.
Re: (Score:2)
I will echo what you posted by saying the greatest risk to most Linux systems are users and SysAdmins. I have personal experience with that last one having once borked one of my own systems.
Indeed. Just as the worst IT security risks on Linux are SysAdmins and users as well.
I think what happened on my system is that they deferred all writes and with all the idiots trying ssh logins the log-queue backed up, thus stopping the respective sshd childs. When I tried to reboot, the admin tool told me "locked (backup)". At least my ticket got processed within a few minutes. Hence not a Linux issue but a SysAdmin screwing up. At least now I know my secondary DNS and MTA actually work in a real-world ou
Re: (Score:2)
Network equipment often runs some version of Linux, including big iron stuff like Cisco Nexus. And they are running a watchdog, which works similarly to a dead-man's switch in a train engine: if it is not activated at regular intervals, it restarts vital services or even the whole system.
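The thread's question of what the hypervisor can do when the Linux partition freezes, together with the hypervisor-as-watchdog and dead-man's-switch answers, can be sketched in code. This is an added illustration, not Elektrobit's code or any part of EB corbos Linux: the external monitor treats the Linux partition as untrusted, requires a heartbeat within a deadline, and plausibility-checks each actuator command; the envelope limits, the 50 ms deadline and the event traces are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical safety envelope for one actuator channel (constructed values, not Elektrobit's).
MAX_STEER_DEG = 30.0          # absolute steering request limit
MAX_STEER_RATE_DEG_S = 20.0   # maximum allowed change per second
HEARTBEAT_DEADLINE_S = 0.050  # the Linux partition must check in every 50 ms

@dataclass
class SafetyMonitor:
    """External checker: the Linux partition is untrusted; only this monitor is in the certified path."""
    last_heartbeat: float = 0.0
    last_cmd_time: float = 0.0
    last_steer_deg: float = 0.0
    safe_state: bool = False          # latched: only a restart clears it
    events: list = field(default_factory=list)
    def enter_safe_state(self, reason: str) -> None:
        self.safe_state = True
        self.events.append(f"SAFE STATE: {reason}")
    def check_deadline(self, now: float) -> bool:
        # Dead-man's switch: a missed heartbeat means the partition froze or hung.
        if not self.safe_state and now - self.last_heartbeat > HEARTBEAT_DEADLINE_S:
            self.enter_safe_state(f"heartbeat missed at t={now:.3f}s")
        return not self.safe_state
    def validate_steer(self, steer_deg: float, now: float) -> bool:
        # Plausibility check on a command produced by the untrusted partition.
        if self.safe_state:
            return False
        dt = now - self.last_cmd_time
        rate = abs(steer_deg - self.last_steer_deg) / dt if dt > 0 else float("inf")
        if abs(steer_deg) > MAX_STEER_DEG or rate > MAX_STEER_RATE_DEG_S:
            self.enter_safe_state(f"steer {steer_deg} deg at {rate:.1f} deg/s outside envelope")
            return False
        self.last_steer_deg, self.last_cmd_time = steer_deg, now
        return True

def run_trace(trace):
    """Replay a (time, kind, value) event trace; return (accepted, safe_state, events)."""
    mon = SafetyMonitor()
    accepted = 0
    for t, kind, value in trace:
        mon.check_deadline(t)             # every event re-checks the dead-man's switch
        if kind == "hb":
            mon.last_heartbeat = t
        elif kind == "steer" and mon.validate_steer(value, t):
            accepted += 1
    return accepted, mon.safe_state, mon.events

# Constructed traces: nominal operation, a frozen partition, and a runaway command.
NOMINAL = [(0.01, "hb", None), (0.02, "steer", 0.2), (0.03, "hb", None), (0.04, "steer", 0.3)]
FROZEN = [(0.01, "hb", None), (0.02, "steer", 0.2), (0.03, "hb", None), (0.09, "tick", None), (0.10, "steer", 0.5)]
RUNAWAY = [(0.01, "hb", None), (0.02, "steer", 0.2), (0.03, "hb", None), (0.04, "steer", 5.0)]
```

In the frozen trace the monitor latches into the safe state on the first event after the deadline passes and rejects every later command, which is the behaviour the Linux partition itself can no longer guarantee once it has hung.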
RTOS (Score:2)
Re: (Score:3)
Linux in general is not, but there have been projects to adapt it, including RTLinux and PREEMPT_RT.
Re: (Score:3)
Don't generalise. There are plenty of scenarios requiring safety-certified software layers that don't require the precision of an RTOS. We're not talking about deploying airbags here. Many applications in a car already are too complex (e.g. machine vision) to be baked into firmware on an RTOS. Yeah, this won't replace your ECU or your airbag system, but there is far more to a modern car.
Re:RTOS (Score:4, Insightful)
Even airbags probably don't require an RTOS, you just want to fire them as soon as possible, and a collision takes a long time in compute terms. An RTOS is designed for consistent timing, not fast timing, and the use cases are actually fairly narrow and not what most people expect.
Re: (Score:3)
The point of an RTOS is not the time taken to compute; it's certainty in the computational outcome. It's about knowing that your entire logic processing will take 75 milliseconds and will consistently be 75 milliseconds every 75 milliseconds for the entire operational life of that device.
Your airbag is an ASIL-D certified device. It has multiple microcontrollers processing in parallel in realtime and is programmed in a language that ensures the defined state of your system is known at every point in its o
Re: (Score:1)
Even airbags probably don't require an RTOS, you just want to fire them as soon as possible, and a collision takes a long time in compute terms. An RTOS is designed for consistent timing, not fast timing, and the use cases are actually fairly narrow and not what most people expect.
The timing is in fact rather important. There is a time component to the inflation of the airbag, especially in modern vehicles that have them not only in the steering wheel but also for your head and sometimes your legs. Coordination of the inflation of these multiple systems has to be done to ensure they are deflating but not yet too deflated to serve their purpose by the time the person hits them.
Re: (Score:2)
Re: (Score:2)
Robert Love submitted Preempt/Real Time patches to the Linux kernel over 20 years ago.
No (Score:2)
I don't need any car with a Linux operating system.
CANBUS is bad enough as it is.
Re: (Score:2)
What's wrong with canbus? The only time I ever had a car with issues was due to water leaking and corroding something.
Re: (Score:2)
Well, there you go.
Re: (Score:2)
Well that settles it then. No more electronics in cars because they can get wet.
Re: (Score:2)
Weeeeellllll... Maybe Musk should pay attention to the guy: https://www.theregister.com/20... [theregister.com]
Re: (Score:1)
I'd actually prefer far fewer electronics and electrical systems in general in cars because it harms their long-term repairability and artificially shortens their useful lives by many years.
You see many classical cars that have been rebuilt or repaired from the 50s, 60s, 70s, but you will not see the same for any car built in the last 25-30 years, and certainly never a car built in the last 10, because of the over-reliance on complex microcontroller control of things that have no need for them.
A couple year
Re: (Score:2)
Yep. More than ever, I miss my 1991 Isuzu Trooper.
Re: (Score:1)
You don't see any 10 year old cars rebuilt because they are barely out of warranty and are still running fine. The technology is vastly superior in that respect to what it was in the decades you mention.
...
Your argument that your new car can't be serviced is bunk; you haven't needed to, and if you did, the dealer probably paid for it.
Thank you for pointing out that my very real first-hand experience didn't happen and isn't valid. I paid for the replacement of the light because it was broken while loading things into the back of the car, not via failure. Incidentally, that model car (a Ford Focus) had constant shifting problems related to the transmission control computer, which would destroy the transmission over time. My old 3-speed on a mid-90s Neon was operated entirely mechanically via vacuum pressure from the engine. Never had a prob
No, it can not. (Score:5, Informative)
This Linux has been certified up to ASIL-B (ASIL 2).
To completely control all aspects of a car, you need ASIL-D (ASIL 4).
Links:
https://www.elektrobit.com/pro... [elektrobit.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]