OSADL Project: Safety Critical Linux

Safety Critical Linux - Working Group Proposal by Nicholas Mc Guire

Virtualization

As a safety case needs to cover all safety critical components in a system, virtualization technologies have been seen as a key option to reduce the scope of the certification effort to a minimum. As a second, an equally important capability, virtualization has been seen as a critical technology to allow legacy management - especially in the safety critical domain cost of development is high, and consequently preserving existing software components critical for practical application of such a safe computing platform. A further, to be researched, aspect of virtualization is virtual redundancy/diversity which is of interest for the safety critical industry as it carries the potential for significant savings - though this approach has not yet be endorsed by the safety community.

Key virtualization technologies available in the OSS filed are:

• L4/L4Linux:
  Micro-kernel approach based on the L4 specification, with L4Linux running as a user-space server. This approach provides full machine initialization independent of the GPOS running on the platform.
• XtratuM:
  Nano-kernel approach built on top of GNU/Linux, machine initialization is left to the GPOS assuming initialization is done during non-safety critical operation. The nano-kernel is loaded as kernel module and allows concurrent independent domains to exist on a single hardware platform with GNU/Linux as the root-domain.
• Jaluna:
  A continuation of the Chorus micro-kernel project, built on top of GNU/Linux as the root-domain. System initialization is provided by GNU/Linux the chorus micro-kernel is loaded from Linux to provide a OS abstraction layer.

An in depth evaluation of these technologies, there safety qualities and there limitations needs to be conducted during the investigation phase and should be one of the published outputs of this working group. Also the principal approach of utilizing OSS virtualization technologies needs to be assessed taking the demands of a safety-case into account.

It should be noted that recent developments in mainstream on virtualization, notable KVM and lguest, combined with RT-preempt [] capabilities due make it feasible that mainstream virtualization could prove a suitable technology for safety critical system architecture design - this investigation effort is though at its very start (started May 23 2007) and has not yet been conclusive. In principle we do see a clear advantage in utilizing mainstream Linux if possible and not relying on low level (and invasive) patches.