The new generation of cars combines incredible software complexity with full Internet connectivity. As a result, cybersecurity and IDS have become a “must-have feature” of the modern software-defined vehicle. Nevertheless, even though hardware resources have significantly improved in the new generation of connected cars, embedded software capabilities remain very different from what is possible in a data centre or cloud context. Whereas traditional IDS tend to duplicate network traffic to run detection algorithms based on well-known attack signatures, this embedded IDS proposes a very different architecture that leverages Linux kernel probes to detect unexpected behaviours, with minimal impact on the running system and without duplicating network traffic.

 

Deploying An Embedded Distro Build Factory With Ansible And Proxmox: Lessons Learned

With redpesk, we provide customers the ability to cross-build an embedded, CentOS Stream-based Linux distribution in the cloud. This requires a significant infrastructure: Koji/RPM builders, an Angular-based WebUI, a GitLab forge, network and RPM package dependency management, and QEMU test lab management all need to come together and be connected, in a mix of QEMU virtual machines and LXC containers. Fortunately, Ansible and Proxmox come to the rescue to manage this complexity.

In this talk, we'll present our architecture of a self-contained CI/CD environment in the cloud, used to cross-build RPM packages and Linux images. We will then dive into the specifics of using Ansible to drive Proxmox and deploy a mix of Packer-built QEMU virtual machines and LXC containers. Those provide a full Koji build system (hub and builders), an Angular frontend, a Go backend, a GitLab forge, as well as network isolation/firewalling and a QEMU virtual target lab. We'll continue with lessons learned from doing these deployments for multiple customers. We will finish by describing solutions we are currently working on, like Ansible AWX, to address the challenges of doing it at scale and to increase automation.

This talk was presented at FOSDEM 2022 in the Infra Management Devroom

Slides: [click here]

Videos: [click here for MP4] [click here for WEBM]

After presenting the key constraints of the new UN R155/R156 cybersecurity regulations, the session presents how the redpesk open source stack helps to address those concerns, especially with its secured-by-design architecture.

The UNECE WP.29 regulations R155 for Cyber Security Management and R156 for Software Updates were adopted in 2021 by UNECE’s World Forum for Harmonization of Vehicle Regulations. This means that cybersecurity is now non-negotiable for accessing the market in more than 60 countries, starting in July 2022.

The open source secured-by-design stack redpesk helps to fulfill regulatory requirements by providing:

  • MAC-enabled Linux distribution (SMACK/SELinux)
  • secure microservices architecture
  • integration with RTOS for safety
  • innovative container engine fitted for embedded
  • LTS over the full car life (approx. 20 years)
  • SOTA support

Talk presented at FOSDEM 2022

Slides: [click here]

Video: [click here]

With the exponential growth of software complexity, a continuous testing infrastructure is a must-have feature to keep the cost and time of critical embedded application development under control.

Not only should software tests be run early and automatically each time a developer pushes a new code commit into the system, but, as developers typically never get enough physical boards to test on, it is also key to initially run tests in a virtualized environment. Nevertheless, we should keep enough real hardware in the loop to limit virtualization/reality deviation and ensure developers can transparently move tests from virtualization to the real world.

This presentation shows how virtualization can ensure early code integration to shorten the development/testing cycle, while at the same time keeping track of real hardware to ensure that the application also runs correctly on the final production device. Finally, it gives feedback on the different challenges IoT.bzh faced while deploying its continuous testing solution, then focuses on the way virtualization and real targets can be combined to offer developers a complete and efficient CI infrastructure.

This talk was presented at Automotive Linux Summit and at FOSDEM 2022

Slides: [click here]

Video: [click here]

OSXP 2021: Connected ships and data flows, from the on-board sensor to the cloud

The modern, connected, embedded Linux IoT device is facing a fundamental problem: the more connected it gets, the more cybersecurity threats it faces. Data link reliability, especially in the marine case, also makes it hard to efficiently push sensor data to the cloud.

This talk shows how to implement a reliable sensor data path from a marine IoT device running the redpesk embedded distribution to the cloud. It starts with lessons learned from real-world use cases: sending data from thousands of sensors to a cloud backend served by a choppy connection. It then dives into the IoT.bzh microservice framework, its security model (based on SMACK and SELinux) and how we coupled it with RedisTimeSeries.

Those, in addition to an OpenID Connect service, make it possible to securely and selectively funnel data from that target to the cloud. The talk concludes with a proposal on how this open infrastructure can be used by the community at large.

This talk was presented at Open Source Experience 2021

Slides: [click here]

Archived Publications