Core Infrastructure Initiative (CII) awards Zephyr with Gold Best Practice Badge for driving security, quality and stability of open source software

SAN FRANCISCO – April 17, 2019 –The Zephyr™ Project, an open source project at the Linux Foundation that aims to build a secure and flexible real-time operating system (RTOS) for the Internet of Things (IoT), today announced a technical milestone with the first Long Term Support (LTS) release. The Zephyr 1.14 LTS release, which has been developed by the diverse Zephyr community of almost 500 contributors, will offer vendors a customizable operating system that supports product longevity, security and interoperability.

In today’s technology landscape, developers have a plethora of choices for platforms, boards and other components. They are challenged to create secure products that integrate with other proprietary and legacy solutions. With the Zephyr LTS, developers aren’t locked into a particular architecture, back-end platform or cloud provider and will have the freedom to choose from an ecosystem of hardware.

“The Zephyr LTS release allows product developers to focus on innovation rather than the common and standard operating system layers,” said Anas Nashif, the Zephyr Project Chair of the Technical Steering Committee (TSC). “Products based on the LTS release will benefit from a maintained code base throughout their development and deployment lifecycle. The LTS will serve as the baseline for the auditable version of Zephyr, which will benefit both the maintained LTS and development branches.”

The LTS code release represents a major milestone on the Zephyr technical roadmap. One of the goals of the LTS is to stabilize the Application Programming Interfaces (APIs) so that a consistent foundation for applications is created for the operating system. Other key features for this release include:

• Support for more than 160 board configurations spanning 8 architectures
• A reimplemented Timing system that simplifies drivers and reduces typical kernel build size by hundreds of bytes
• A new experimental BLE split software controller for supporting multiple BLE radio hardware architectures
• Major updates to the logging and shell subsystem with support for multiple back-ends, integration of logging into the shell, and delayed log processing
• A new west tool for managing multiple repositories and enhanced support for flashing and debugging
• Added support for application user mode, application memory partitions, and hardware stack protection in ARMv8-m

The Zephyr TSC is actively working towards safety certifications with the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). The project plans to submit key parts of the Zephyr kernel and operating system services based on the LTS release for safety certification. These certifications are important as they indicate a product has undergone careful review and testing and is deemed trustworthy in safety-related systems. More information about the plans for functional safety can be found in this blog.

Additionally, the Zephyr Project earned the Core Infrastructure Initiative (CII) Gold Best Practice Badge, which means it is following best practices and conformance in driving secure software development in open source. The Core Infrastructure Initiative is a collaborative, pre-emptive program and approach for strengthening cyber security that has been adopted by more than 2000 projects. The CII Best Practices Badge is a rigorous assessment of an open source project’s processes and infrastructure. The Zephyr Project is one of three open source projects that has achieved the gold badge status.

More than 160 Board Configurations Supported

Hosted by the Linux Foundation, the Zephyr Project aims to establish a neutral community where silicon vendors, Original Equipment Manufacturers (OEMs), Original Design Manufacturer (ODMs) and Independent Software Vendor (ISVs) can contribute technology to reduce the cost and accelerate time to market for developing the billions of IoT devices. Project member companies include Antmicro, Foundries.io, Intel, Linaro, Linino.org, Nordic Semiconductor, NXP, Oticon, SiFive, Synopsys and Texas Instruments among others.

Zephyr offers the smallest memory footprint and a secure and flexible RTOS that extends functionality of IoT devices. It is a customizable, embedded open source platform that works with multiple hardware architectures. The dedication and talent of the growing Zephyr technical community has resulted in rapid expansion in board support as well as attracting an average of 20 new contributors each month.

Currently, Zephyr supports more than 160 board configurations comprising of different architectures including: ARC, ARM, NIOS II, RISCV32, x86, x86_64 and XTENSA processor families. For the complete list of boards and details, visit the Zephyr Github page.

“Community driven Zephyr development is creating an open source ecosystem that is fueling IoT innovation and seeing exciting new products emerging,” said Kate Stewart, Senior Director of Strategic Programs at the Linux Foundation. “We’re excited to see the flexibility and functionality of the Zephyr RTOS being used in award-winning products such as smart wearables from ProGlove and Intellinium, and new intelligent tagging systems like Adero.” 

To learn more about the products that use Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr™ Project

The Zephyr Project is a small, scalable real-time operating system for use on resource-constrained systems supporting multiple architectures. To learn more, please visitwww.zephyrproject.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us atlinuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

When we started the Zephyr project,  we knew at some point in the future, we’d want to incorporate having periodic Long Term Support (LTS) releases.  Now that we’re close to the launch of Zephyr’s first LTS, it’s a good time to reflect on the benefits an LTS provides and why the project is doing this.

Since the project launch, the Zephyr code base has been evolving rapidly, as developers joined in and have been participating in shaping Zephyr into something that suits the products they want to create on top of it.   From Linux, and other open source projects, we’ve learned that having an LTS is an excellent tool for companies who don’t want to be tracking the latest development code base, but want a supported operating system to use when creating products.  When companies put out products they need to support them for a specific, often extended periods of time. By basing a product on an LTS, a company can take advantage of the shared support providing security and severe functional fixes as issues are discovered over time.  

One of the goals of this LTS has been stabilizing the Application Programming Interfaces (APIs).   By testing and stabilizing these interfaces to the operating system, we create a sound and stable foundation for applications.   The Zephyr Project’s Technical Steering Committee (TSC) explicitly decided on using 2 quarters for developing this release last October, so that the APIs could be stabilized and the code base could be prepared for creating an auditable version.

For Zephyr to make a development release,  the number of known bugs must be less than an agreed upon threshold, but for an LTS this threshold is even stricter.  For an LTS, no high-severity bugs, only 20 medium-severity and 50 low-severity are allowed. A regular development release did not have criteria on the number of low-severity bugs permitted. The more bugs we squeeze out of the code base before the release,  the better.

The LTS release will be maintained and have security fixes back-ported onto it, for at least the next two years. It is not a target for new features or substantial improvements,  that’s what the next development releases are for (which will resume on their quarterly cadence after this release is made), but is going to be a stable base that the project can use as a foundation to start to pursue getting the Zephyr code base certified to comply with safety and security standards. If severe or security-related bugs are found during the process of going through certifications,  they will be fixed in the LTS, as well as in the main development code base.

Stay tuned for more details about Zephyr’s new LTS release. In the meantime, to learn more about Zephyr’s release processes,  documentation is available at: https://docs.zephyrproject.org/latest/development_process/release_process.html and questions are welcome on Zephyr’s slack channels.