Zephyr: Raising the Bar

Setting standards for security and open source software management

The Linux Foundation has worked hard in recent years to bring many of its projects together for Internet of Things (IoT) and embedded uses. Now, it has several cohesive frameworks ranging from telecom networks, large-scale application life cycle management and Industry 4.0, to industrial edge computing, edge-cloud containers, lightweight IoT edge data analytics and integrated smart homes. It also has a real-time operating system (RTOS) called Zephyr for small devices such as hearing aids.

One of the main reasons for this push is that many industrial suppliers are keen on powering their devices and systems with open-source software. This avoids being locked into a single supplier for the long in-service life typically seen in industrial systems, often reaching 15, 20 or even 30 years. The existence of a large community of developers brings peace of mind about durability, longer-term development and bug fixes.

With such a strong push on industrial and embedded uses, the Linux Foundation has focussed on ensuring professional software development processes are applied, and on software quality and security. Anyone planning to run multiple factories or healthcare devices on open-source software needs to be confident it’s not going to let them down. As it has gone through this process, the foundation found the range of users and contributors expanding, with the engagement and commitment of contributors growing in tandem.

I recently had the chance to catch up with Kate Stewart, vice president of dependable embedded systems at the Linux Foundation, who talked me through how this is playing out for the Zephyr operating system.

The Zephyr Project is five years old. It was set up to provide a small, modular, scalable, secure RTOS for use in resource-constrained machines based on various chip architectures. The project has 28 companies as members; this sounds modest, but it’s a blue-chip list that includes Facebook, FiWare, Google, Intel, Linaro, Nordic Semiconductor, SiFive, Texas Instruments and Wind River. Zephyr has more than 1,380 contributors and recently held its first full developer summit in June 2021, with 700 people taking part. These contributors are active developers, and the project has seen 55,000 code commits — the highest number ever for an open-source RTOS.

Zephyr is used in a wide range of devices such as Oticon hearing aids, Adero tracking devices, Gnarbox SSD enclosures, Rigado IoT gateways, Point home alarms, ProGlove bar-code scanners and Anicare reindeer trackers. There’s strong interest in it for an array of consumer, industrial and medical devices.

The way the Zephyr Project is being run is especially interesting in this context, according to Ms Stewart. A long-term support version was released in April 2020, guaranteeing 10 years of support; a second long-term support release was just announced in October 2021. This is incredibly important because of the long in-service lives for industrial systems, and because long support isn’t offered often enough with commercial systems.

There’s also a move toward functional safety certification for use in devices serving industries including aerospace, medical, automotive, nuclear, railways and so on. This is something that hasn’t been done for open-source software before; the perception that development is unpredictable means safety almost by definition can’t be guaranteed. Leading members of the Zephyr community are addressing this by freezing certain subsets of the modular operating system, carrying out full test and documentation exercises and implementing more rigorous development processes for any subsequent updates.

Functional safety certification is a complicated area, with sector-specific requirements alongside the generic International Electrotechnical Commission (IEC) 61508 standard. The second long-term support version will be submitted for IEC 61508 certification in the next year or two.

Another major area is security. Industrial IoT has a poor reputation for security overall, and we’ve seen several large-scale vulnerabilities arise from widespread use of older software modules. One way Zephyr is addressing this is by having a vulnerability alert registry, open to all suppliers that use the software and backed by a response team that works to fix any problems.

Stronger security is also provided through a software bill of materials. The difficulty in the market often lies in knowing which builds of software have the module that contains the vulnerability, and what specific version it is. Sometimes this is tracked by individual suppliers, but it’s generally better to have a central registry that records exactly which modules were used in each build of the software as it was configured. So, with the latest release of Zephyr, the Linux Foundation can now automatically produce a software bill of materials for each build of the operating system. There’s a cost to this centralized approach — but that cost is much lower than thousands of individual suppliers trying to do it for themselves.
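To make the per-build lookup concrete, here is an added example (not code from the Zephyr Project or the Linux Foundation) that answers "which builds ship the vulnerable module, and at what version?" from a set of SBOMs. The build names, module names, versions and advisory are all constructed, and the SBOMs are simplified SPDX tag-value fragments with dotted numeric versions assumed.

```python
# Added example: constructed SBOMs and a constructed advisory, not Zephyr project data.
# Each value is a simplified SPDX tag-value fragment for one hypothetical firmware build.
SBOMS = {
    "sensor-fw-1.4": (
        "PackageName: example-tls\nPackageVersion: 2.16.4\n"
        "PackageName: example-ble\nPackageVersion: 1.2.0\n"
    ),
    "gateway-fw-2.0": (
        "PackageName: example-tls\nPackageVersion: 2.28.1\n"
    ),
    "tracker-fw-0.9": (
        "PackageName: example-tls\n"  # version missing from this SBOM
        "PackageName: example-ble\nPackageVersion: 1.2.0\n"
    ),
}

def parse_packages(spdx_text):
    """Return {package name: version or None} from SPDX tag-value text."""
    packages, current = {}, None
    for line in spdx_text.splitlines():
        tag, _, value = line.partition(":")
        if tag == "PackageName":
            current = value.strip()
            packages[current] = None
        elif tag == "PackageVersion" and current:
            packages[current] = value.strip()
    return packages

def version_key(version):
    # Assumption: versions are dotted integers such as "2.16.4".
    return tuple(int(part) for part in version.split("."))

def affected_builds(sboms, module, fixed_in):
    """Return (builds shipping module below fixed_in, builds with no recorded version)."""
    affected, unknown = [], []
    for build in sorted(sboms):
        packages = parse_packages(sboms[build])
        if module not in packages:
            continue
        version = packages[module]
        if version is None:
            unknown.append(build)  # cannot rule out exposure; needs manual review
        elif version_key(version) < version_key(fixed_in):
            affected.append((build, version))
    return affected, unknown

if __name__ == "__main__":
    print(affected_builds(SBOMS, "example-tls", "2.28.0"))
```

Builds whose SBOM omits the version are reported separately rather than treated as safe, which is the case the paragraph above describes as the hard part of tracking exposure.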

These are good examples of open-source software bodies adopting commercial development practices, so their software can be widely adopted in all industrial sectors. Illustrating this, in 2019 Zephyr earned a gold best practice badge from the Core Infrastructure Initiative — a collaborative programme for strengthening cybersecurity adopted by more than 2,000 open-source projects. Zephyr is one of only seven Linux Foundation projects to have reached this accreditation.

This shift toward open-source software for industrial use is a massive change in the market. Industrial systems are traditionally closed and proprietary software stacks tied to hardware providers, so the move to IoT and connected systems isn’t only changing the architecture of the systems, it’s also radically changing the way the machines are built internally.

Like the shift between 2005 and 2010 from early smartphones with their own operating systems to a market built on iOS and Android platforms, industrial IoT is in the early stages of a fundamental transition that’s reshaping the tech sector and some layers of the supply landscape.