Open Source Summit Europe 2022

Embedded build systems (buildroot, openembedded AKA yocto) have everything that is needed to compose the OS on which the embedded application will run. However, to develop a product, there are a number of things that the developer will still need to take care of (and find out how to do in that specific build system), even though the solutions for them are pretty generic. After giving a brief overview of the current state of buildroot and openembedded, this talk will discuss the missing links: persistence and factory reset, per-device provisioning, updates, and verified boot. Tools exist for all of those, and buildroot and openembedded provide those tools, but they don't come out of the box.

“Secure boot” is not one size fits all, but rather there are different implementations on different platforms. For Tegra platforms, secure boot involves a one-time only burning of keys into the on-device fuses. We’ll share the lessons learned from turning a board into a lovely paperweight as well as the reliable approach we used to confidently secure boot into the vendor’s Ubuntu based OS before creating our own Yocto Project built OS. For disk encryption with LUKS and dm-crypt, we extended our approach of testing the vendor’s OS before moving on to creating our own. The added complexity of unique passphrases derived from disk UUIDs and per-device HW-derived keys was an interesting challenge. We attempted to stay as close to the vendor's tools (luks-srv and luks-srv-app) and design as we could, to hopefully future proof the implementation for newer releases of Linux for Tegra. Extending to A/B flashing for OTA updates (e.g. rauc or mender) added additional challenges, especially when trying to generalize the approach for the meta-tegra community. The end solution must address the bootloader, initramfs, kernel command line, /etc/crypttab, /etc/fstab and more. Add in the complexity of the partition table layout and flashing tools for Tegra platforms and you are in for a wild ride.

During this presentation, the listener will learn how software dinosaurs (meant positively) like Debian can be combined with modern tools like Ansible, git and Mender by applying best practices like GitOps and infrastructure as code. The outcome will be a highly scalable, robust and traceable embedded fleet setup that is easy to operate with a reduced number of tools at a global scale using a modest server infrastructure. During the presentation a concrete example of managing an individual IoT device will be shown. The IoT device will furthermore receive an automatically built OS image that gets dispatched over the air. Hardware-in-the-loop testing guarantees the quality of the OS image. Finally a sample IoT fleet of seven devices (5 Raspberry Pis, 1 Compulab IoT gateway, 1 Variscite SOM on a development board) will be managed using a git repository instead of a typical IoT fleet management tool. The presentation done by Matthias Lüscher shall encourage the audience to discover tools and best practices from other domains and apply them successfully to embedded projects.

At ELC 2020, we presented our concept of securing the boot phase of updatable embedded devices leveraging UEFI Secure Boot. Applying this concept to a real 64-bit ARM device revealed some surprising rough edges lurking around the corners. In this talk, we dive into these issues and present solutions found while the journey. We explain how to adopt the pre-integration of an Over-the-Air Update method combined with Secure Boot that has been upstreamed to the Civil Infrastructure Platform project. In particular UEFI-based Secure Boot via U-Boot, hardening U-Boot for that, building unified kernel images with device tree override options, and creating a read-only rootfs with persistent overlays plus their integrity protection is covered. Although the pre-integration is done with the Debian-based embedded system builder Isar, the concepts and solutions presented are generic and easily transferable to other (meta-)distributions.

There are many things to do when designing a new embedded product. All of them will have an impact on the final security of the product, including: hardware features, the choice of the operating system to use, update system and policies and more. In this talk, Marta is going to give practical advice on choosing software packages for your next product. She will also list common errors. The discussion will be rich in examples from the Eclipse Oniro project and the Yocto Project ecosystem in general, and will include a number of tools available from OpenSSF and other sources. Some of the questions she will answer are: - Should I use a general-purpose distribution, build my own, or a specialized one? - How to choose between software modules doing the same thing? - How to find out if a software package is supported? Maintained? And what's the difference? - Why do I need an update system? - Should I enable secure boot?

This BoF provides an open forum for the embedded Linux community to ask questions and discuss issues with Yocto Project and OpenEmbedded principals.

While reading the title, you may think “Yet another Linux based operating system for space!” But it is not like that. We are aware of the fact that most companies made custom Linux based operating systems, and that is why we are here with the Linux4Space project. The current situation regarding Linux in space is similar to what it was about years ago in the automotive industry before activities such as Automotive Grade Linux emerged. The main goal of the Linux4Space mission is to create a reference Linux distribution as an open standard based on the requirements defined by the stakeholders in the space industry. Now we are looking for stakeholders interested to define and collect requirements and use cases. We are presenting the Linux4Space requirements initial release. The requirements have been gathered in cooperation with the Czech Aerospace Research Centre and the Institute of Experimental and Applied Physics of Czech Technical University in Prague, both of which already maintain working Linux based CubeSat in orbit. The presentation offers in-depth information about the Linux4Space project it provides details about the project phases and their principal goals. We are open to collaborating with anyone who may be interested in any kind of Linux space application.

Is your root file system read-only for whatever reason, but you still need RW access to certain directories? Perhaps also store application files between reboots? OverlayFS could be one of the solutions to this problem. In his talk Vyacheslav will share his experience on how OverlayFS can come in handy and cover its various use cases in Yocto Project. He will also provides some thoughts on designing the system that utilizes this feature, as well as try to demonstrate the limitations and corner cases.