From: Linus Walleij <linus.walleij@linaro.org>
To: tiejunc@vmware.com
Cc: ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] A Safety-critical Linux system architecture
Date: Wed, 12 Sep 2018 12:35:07 +0200 [thread overview]
Message-ID: <CACRpkdb8c51RABEVhn5tibVxiqTDBRXJ5A5wU5nDfubr6p3nMw@mail.gmail.com> (raw)
In-Reply-To: <BY1PR0501MB14623C8F42765E4852FD5A39C51B0@BY1PR0501MB1462.namprd05.prod.outlook.com>
On Wed, Sep 12, 2018 at 3:18 AM Tiejun Chen <tiejunc@vmware.com> wrote:
> software contexts need to be certified according to different specifications
> like ARINC 653, Automotive Safety Integrity Level, and so on. So we
> need to explore making Linux itself certified.
There is a bunch of these certifications and specifications. Many of them
include manual review of "all code on the system", which is why several
approaches to this includes stripping down the kernel source to only
the code (after removing all Kconfig buzz and ifdefs) that will compile
and run on the target.
This should of course be possible to integrate into the existing Linux
build system, like "make sources" that would create a reduced
kernel tree that will also compile (russian matroska dolls come to
mind). I think such projects exist in Japan but I haven't heard from
them recently.
My pet peeve is that the review process appears to be something
along the lines that a "certified person/consultant" who has training
in this standard is supposed to review all the code for safety, so
after reviewing IMO we should work on (A) making sure that these
reviews and comments and the exact lines of the kernel and which
version/commit ID of it it pertains to is made public and (B) that the
review persons statement be merged into the kernel git log as
some kind of annotation along the lines of:
Reviewed-for-ISO-26262-by: Linus Walleij <linus.walleij@linaro.org>
This way we can help the safety community by making the safety
critical review process more open and public, and also making these
reviewers put their personal names behind it.
If they also propose patches and follow up on them: even better.
The idea is not (as one could maybe think) that of public shaming
for all the stuff these people invariably are going to miss, but to
create a space where they can learn about the kernel and the
weaknesses pertaining to safety critical deployments and also
spread this knowledge to kernel maintainers instead of keeping
it all in their private safety engineering bubble.
Yours,
Linus Walleij
next prev parent reply other threads:[~2018-09-12 10:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-12 1:18 Tiejun Chen
2018-09-12 10:35 ` Linus Walleij [this message]
2018-09-12 16:29 ` Darren Hart
2018-09-13 3:13 ` Tiejun Chen
2018-09-13 7:57 ` Linus Walleij
2018-09-13 9:50 ` Greg KH
2018-09-16 11:30 ` Tiejun Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACRpkdb8c51RABEVhn5tibVxiqTDBRXJ5A5wU5nDfubr6p3nMw@mail.gmail.com \
--to=linus.walleij@linaro.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=tiejunc@vmware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox