Wind River also advances its commitment to the open source ecosystem by joining the project as a Silver Member

SAN FRANCISCO, September 13, 2021 – On the heels of its 5th anniversary and inaugural Developer Summit, the Zephyr™ Project today announces a major milestone with more than 1,000 contributors and 55,000 commits. Zephyr, an open source project at the Linux Foundation that builds a safe, secure and flexible real-time operating system (RTOS) for resource-constrained devices, also welcomes Antmicro as a Platinum member and Wind River as a Silver member.

Zephyr RTOS unites companies, developers and end users around the world to ensure balanced collaboration and feedback to evolve and meet the needs of its community. This innovative relationship among stakeholders advances the Zephyr Project’s support of new hardware, developer tools, sensors, and drivers, while maximizing the functionality of devices that run applications developed using the Zephyr OS.

“The number of contributors to an open source project is one of the best measures of its relevance to the open source community,” said Barna Ibrahim, Chair of the Zephyr Project Marketing Group and Strategic Partner Development Lead at Google. “Today’s announcement represents one more step in our open source journey and increased role in the advocacy, use and contribution across the Zephyr ecosystem. Ultimately, this strong ecosystem will help build secure and safe products across the globe.”

Evidence that momentum will continue growing for the project includes:

Commitment to Zephyr

Today, the Zephyr Project announces that long-time member Antmicro has doubled down on its commitment by upgrading its membership to Platinum. Peter Gielda, CEO of Antmicro, will join the Zephyr Governing Board.

Additionally, Wind River joined the project as a Silver member. Other project member companies include Adafruit, AVSystem, BayLibre, Eclipse Foundation, Facebook, Fiware, Foundries.io, Golioth, Google, Intel, Laird Connectivity, Linaro, Memfault, Nordic Semiconductor, NXP, Oticon, Parasoft, Pat-Eta Electronics, RISC-V, SiFive, Synopsys and teenage engineering, among others.

“We are delighted to welcome Peter Gielda to the Governing Board,” said Joel Stapleton, Chair of the Zephyr Project Governing Board and Principal Engineering Manager at Nordic Semiconductor. “Antmicro has already contributed so much to Zephyr with board support, demos and documentation. We look forward to working more closely with them and strengthening our community.”

“An active member of the project since its early days, Antmicro has been pioneering the use of Zephyr in several fields, including FPGAs and the RISC-V architecture, in both hard and soft implementations,” said Peter Gielda, CEO at Antmicro and now Member of the Zephyr Project Governing Board. “Building on top of our work combining TensorFlow Lite Micro, Zephyr and Renode for machine learning development we join our customers and partners Google, Intel, NXP and Nordic Semiconductor in a leadership position in Zephyr to strengthen the vendor-neutral RTOS option for the open source hardware, software and AI solutions that we develop.”

“As we move towards an intelligent systems future, it will become increasingly important to collect and process data at the intelligent edge in real time,” said Amar Parmar, Senior Director, Solution Partners at Wind River. “For resource-constrained devices, Zephyr can be at the heart of where this data originates. Zephyr Project has fostered a vibrant and growing community addressing the technical requirements to deploy a new generation of devices, aligned with modern development practices and tooling. As an original contributor to the code base and an active member of the community, we look forward to continued collaboration.”

To learn more about Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr™ Project

The Zephyr Project is an open source, scalable real-time operating system (RTOS) supporting multiple hardware architectures. To learn more, please visit www.zephyrproject.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

Backed by many of the world’s largest companies for more than a decade, SPDX formally becomes an internationally recognized ISO/IEC JTC 1 standard during a transformational time for software and supply chain security

SAN FRANCISCO, September 9, 2021 – The Linux Foundation, Joint Development Foundation, and the SPDX community, today announced the Software Package Data Exchange® (SPDX®) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an independent, non-governmental standards body. 

Intel, Microsoft, Siemens, Sony, Synopsys, VMware, and Wind River are just a small sample of the companies already using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains.

“SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains. The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena,” said Jim Zemlin, executive director, the Linux Foundation. “SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.” 

Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. An SBOM accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software issues and risks and establish a starting point for their remediation.

SPDX results from ten years of collaboration from representatives across industries, including the leading Software Composition Analysis (SCA) vendors – making it the most robust, mature, and adopted SBOM standard. 

“As new use cases have emerged in the software supply chain over the last decade, the SPDX community has demonstrated its ability to evolve and extend the standard to meet the latest requirements. This really represents the power of collaboration on work that benefits all industries,” said Kate Stewart, SPDX tech team co-lead. “SPDX will continue to evolve with open community input, and we invite everyone, including those with new use cases, to participate in SPDX’s evolution and securing the software supply chain.”  

For more information on how to participate in and benefit from SPDX, please visit: https://spdx.dev.

To learn more about how companies and open source projects are using SPDX, recordings from the “Building Cybersecurity into the Software Supply Chain” Town Hall that was held on August 18th are available and can be viewed at: https://events.linuxfoundation.org/supply-chain-town-hall/ 

ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland. Its membership represents more than 165 national standards bodies with experts who share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.

Supporting Comments

Intel

“Software security and trust are critical to our Industry’s success. Intel has been an early participant in the development of the SPDX specification and utilizes SPDX both internally and externally for a number of software use-cases,” said Melissa Evers, Vice President – Software and Advanced Technology Group, General Manager of Strategy to Execution, Intel.

Microsoft

“Microsoft has adopted SPDX as our SBOM format of choice for software we produce,” says Adrian Diglio, Principal Program Manager of Software Supply Chain Security at Microsoft. “SPDX SBOMs make it easy to produce U.S. Presidential Executive Order compliant SBOMs, and the direction that SPDX is taking with the design of their next gen schema will help further improve the security of the software supply chain.”

Siemens

“With ISO/IEC 5962:2021 we have the first official standard for metadata of software packages. It’s natural that SPDX is that standard, as it’s been the de facto standard for a decade. This will make license compliance in the supply chain much easier, especially because several open source tools like FOSSology, ORT, scancode, and sw360 already support SPDX,” said Oliver Fendt, senior manager, open source at Siemens. 

Sony

“The Sony team uses various approaches to managing open source compliance and governance,” says Hisashi Tamai, Senior Vice President, Deputy President of R&D Center, Representative of the Software Strategy Committee, Sony Group Corporation. “An example is the use of an OSS management template sheet that is based on SPDX Lite, a compact subset of the SPDX standard. It is important for teams to be able to quickly review the type, version, and requirements of software, and using a clear standard is a key part of this process.”

Synopsys

“The Black Duck team from Synopsys has been involved with SPDX since its inception, and I personally had the pleasure of coordinating the activities of the project’s leadership for more than a decade. Representatives from scores of companies have contributed to the important work of developing a standard way of describing and communicating the content of a software package,” said Phil Odence, General Manager, Black Duck Audits.

VMware

“SPDX is the essential common thread among tools under the Automating Compliance Tooling (ACT) Umbrella. SPDX enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption. SPDX is not just for compliance, either; the well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software,” said Rose Judge, ACT TAC Chair and open source engineer at VMware.

Wind River

“The SPDX format greatly facilitates the sharing of software component data across the supply chain. Wind River has been providing a Software Bill of Materials (SBOM) to its customers using the SPDX format for the past 8 years. Often customers will request SBOM data in a custom format. Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost,” said Mark Gisi, Wind River Open Source Program Office Director and OpenChain Specification Chair.

About SPDX

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. For more information, please visit us at spdx.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:  https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Four-plus years of collaboration, 190+ contributors, 8 million+ container downloads, new retail project ORRA, EdgeX Ready, and foundation for future, long-term support pave the way for Ireland release

SAN FRANCISCO, August 3, 2021 – EdgeX Foundry, a project under the LF Edge umbrella organization within the Linux Foundation, today announced its Ireland release. Focused on edge/IoT solutions, EdgeX Foundry’s second major release overhauls API sets, removes technical debt, provides more message-based communications, and simplifies and secures the interface for adopters and developers, making the platform significantly easier to use and more reliable.

“As a leading stage 3 project under LF Edge, the EdgeX Ireland release has expanded use cases across retail, building automation, smart cities, process control, and manufacturing,” said Arpit Joshipura, general manager, Networking, Edge & IoT, at the Linux Foundation. “It’s a key to standardizing IoT frameworks across market verticals.”

“This release sets in motion the opportunity for EdgeX to offer its first ever LTS or long-term support release as soon as the fall.  This is a significant commitment on the part of our open-source community to all adopters that says we stand with you, prepared to help support your use of EdgeX in real world, scalable, production deployments,” said Jim White, chief technical officer, IOTech, and EdgeX Foundry Technical Steering Committee Chair.

Ireland Feature Highlights

  • Standardized and modernized northbound and southbound APIs enrich ease of interoperability across the IoT framework
  • Advanced security is built into the APIs, message bus, and internal architecture of EdgeX
  • New device services (southbound) and new app services (northbound) included in Ireland are also inherently secure (e.g., GPIO, CoAP, LLRP, UART)

Commercialization & Use Case Highlights

  • Open Retail Reference Architecture (ORRA): a new sub-project that provides a common deployment platform for edge-based  solutions and IoT devices. ORRA is a collaboration with fellow LF Edge projects Open Horizon and Secure Device Onboard, incubated by EdgeX Foundry.
  • The new EdgeX Ready program highlights users and organizations that have integrated their offerings with solutions leveraging EdgeX; a precursor to a community certification program. Learn how to become EdgeX Ready through the project’s Wiki page.

Learn more about Ireland’s feature enhancements in this blog post

Plans for the next EdgeX release, codenamed ‘Jakarta’, are expected in Q4 of 2021.

For more information about LF Edge and its projects, visit https://www.lfedge.org/

Additional Quotes and Community Support

“Beechwoods Software has been a contributing member of EdgeX Foundry since its inception and chairs the Certification Working Group. EdgeX technology is at the core of our EOS IoT Edge platform offering for which we are readying our version 2 release based on the latest EdgeX code base. Beechwoods is pleased with the growing momentum of EdgeX Foundry and looks forward to continuing our support and collaboration,” said Michael Daulerio, Vice President of Marketing and Business Development at Beechwoods Software, Inc.

“Canonical is a founding member of the EdgeX Foundry project and has provided technical leadership in the technical steering committee from day one. The Ireland (aka 2.0) release of EdgeX introduces much improved V2 REST APIs, a transition to a secure message bus for data ingestion, and many additional improvements to the security of EdgeX. The cross-company cooperation that contributed to the success and timeliness of this release once again demonstrates the power of open source development. Snaps of the Ireland release of EdgeX are available from the Snap Store using the new 2.0 track, and can be used to build secure enterprise-grade EdgeX deployments using Ubuntu Core 20,” said Tony Espy, technical architect / IoT & Devices, Canonical, and at-large  EdgeX Foundry TSC member. 

“EdgeX Foundry continues to serve as the basis for our Edge Xpert product.  As such, we see the release of EdgeX 2.0 as critical to our company’s success in support of our customers.  It provides the ability for IOTech to add new features and add more value given the new APIs, support for more messaging and overall simplifications of the platform.  On top of that, the move toward an LTS release in the fall based on EdgeX 2.0 is an important milestone of support shown by the EdgeX community.  LTS tells adopters like IOTech that the EdgeX ecosystem stands behind them and is there to provide a scalable, reliable, and robust platform that can be used in production ready solutions,” said Keith Steele, CEO, IOTech Systems. 

AVSystem, Golioth, Pat-Eta Electronics, RISC-V International and RISE Research Institutes of Sweden join Zephyr’s global open source RTOS ecosystem

SAN FRANCISCO, June 3, 2021 – The Zephyr™ Project, an open source project at the Linux Foundation that builds a safe, secure and flexible real-time operating system (RTOS) for resource-constrained devices, continues to gain momentum with its 5th anniversary this year. To celebrate the milestone, the Zephyr Project is hosting its inaugural Zephyr Developer Summit on June 8-10. The virtual event, which is free to attend, features several Zephyr leaders presenting real-world use cases, best practices, tutorials and more.

Happy 5th Anniversary

Launched in 2016 by the Linux Foundation, the Zephyr Project has continued to grow its technical community each year. Today, almost 1,000 contributors have helped the project surpass 50,000 commits building advanced support for multiple architectures such as ARC, Arm, Intel, Nios, RISC-V, SPARC and Tensilica and more than 250 boards.

The first-ever Zephyr Developer Summit will offer community members a chance to learn more about the fastest growing RTOS in an informal educational environment.

“We are kicking off our first Developer Summit with an impressive line-up of Zephyr thought leaders and ambassadors for the growing Zephyr community of contributors and users,” said Joel Stapleton, Chair of the Zephyr Project Governing Board and Principal Engineer Manager at Nordic Semiconductor. “The strength of engagement the project has with its members and IoT solution providers reflects the importance of open source efforts to build secure and safe embedded technologies for increasingly connected applications in industrial, smart home, wearables and energy; and for computing platforms integrating microcontrollers with ever-increasing capabilities and functions.”

Sample summit sessions include power management, USB support, motor control; user presentations that showcase Zephyr with Renode and TensorFlow Lite and RISC-V; and contributor spotlights for securing MCUBoot, using OPC UA, energy-efficient device testing and developing hardware. Proposals were reviewed by the Programming Committee, which includes Anas Nashif, Intel; Carles Cufi, Nordic Semiconductor; Jonathan Beri, Golioth; Keith Short, Google; Maureen Helm, NXP; and Olof Johansson, Facebook. The registration deadline is June 4.

The U.S. Executive Order on Cybersecurity

Less than a month ago, the United States White House released an Executive Order on Improving the Nation’s Cybersecurity that addressed the malicious cyber attacks that have become more frequent in the last few years. In a blog post, the Linux Foundation described how Zephyr RTOS, along with several other projects, has already built some of the support needed for a more secure future. Zephyr is able to generate Software Bills of Materials (SBOMs) automatically during the build, and this capability will be available in the upcoming 2.6 release. It is one of the few open source projects that is a CVE Numbering Authority (CNA) and has an active Project Security Incident Response Team (PSIRT) that manages responsible disclosure of vulnerabilities to product makers.

Product creators using Zephyr can sign up for free to be notified of vulnerabilities.

“SBOMs can communicate details about a software package’s contents, being able to understand exactly which source files are included in a resource constrained software image is key to understanding if it may be vulnerable to an exploit,” said Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation. “SBOMs created by manual processes can often be incomplete, incorrect or out-of-date as a software package advances. By being able to generate the SBOM during the build, and take it to the source file level, not just the component level, better diagnosis and detection of vulnerable states is possible and addresses some of the best practices  mentioned in the EO. Zephyr is being used today in thousands of wearables and other products with constrained environments. By automatically creating SBOMs during builds, the development process becomes easier, more efficient and improves maintainability in field.”

Zephyr’s Growing Ecosystem

Today, the Zephyr Project also welcomes AVSystem, Golioth, Pat-Eta Electronics, RISC-V and RISE Research Institutes of Sweden to its global RTOS ecosystem. These new members join Adafruit, Antmicro, BayLibre, Eclipse Foundation, Facebook, Fiware, Foundries.io, Google, Intel, Laird Connectivity, Linaro, Memfault, Nordic Semiconductor, NXP, Oticon, Parasoft, SiFive, Synopsys and teenage engineering, among others.

“We see amazing opportunities for IoT deployments involving resource-constrained devices operating in cellular LPWA networks,” said Marcin Nagy, Product Director for IoT, AVSystem. “We are sure that combining the Zephyr RTOS with our expertise in the Lightweight M2M standard will contribute to the acceleration of secure and standards-based IoT launches.”

“We can speak at length about the technical merits of Zephyr – the kernel design, native networking, scalable board support model and so on – but the largest differentiator is the community,” says Jonathan Beri, CEO of Golioth. “From chipset vendors to ecosystem players, it feels like we’re rising the tide for everyone to make the most secure & reliable open source RTOS in the market and we couldn’t be more excited to contribute to the project and community.”

“We are happy to be part of the Zephyr Project and hope to bring it more into the academic environment, especially within STEM (Science, Technology, Engineering and Mathematics),” said Sanyaade Adekoya, Developer, Programmer and Lecturer at Pat-Eta Electronics. “It has been challenging to bring RTOSes within the academic research sector and getting them in the hands of undergraduate learners. Our research extends the use of Zephyr RTOS in IoT, Edge Computing, Robotics, Smart and Wearable devices. The Zephyr Project will be a driving platform for our students that will make it easier for them to create ideas, projects, innovations and more. We look forward to showcasing our students’ Zephyr-related projects.”

“RISC-V and Zephyr were both designed to drive innovation in the hardware space with open source technologies that are accessible to everyone,” said Mark Himelstein, CTO of RISC-V. “Many of our members are already taking advantage of the flexibility of RISC-V and Zephyr to design end-to-end open source solutions for resource-constrained devices. We look forward to collaborating with the Zephyr Project to offer even more opportunities for the open source community to innovate.”

“Zephyr RTOS enables us to rapidly prototype Thread wireless networks and is an excellent research platform for our work in IoT security,” said Samuel Lindemer, Research Engineer at RISE Research Institutes of Sweden. “The interactive shell and configuration menu make it intuitive for new users, and the open-source community support is unparalleled.”

To learn more about Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr™ Project

The Zephyr Project is a small, scalable real-time operating system for use on resource-constrained systems supporting multiple architectures. To learn more, please visit www.zephyrproject.org.

###

Our communities take security seriously and have been instrumental in creating the tools and standards that every organization needs to comply with the recent US Executive Order

Overview

The US White House recently released its Executive Order (EO) on Improving the Nation’s Cybersecurity (along with a press call) to counter “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

In this post, we’ll show what the Linux Foundation’s communities have already built that support this EO and note some other ways to assist in the future. But first, let’s put things in context.

The Linux Foundation’s Open Source Security Initiatives In Context

We deeply care about security, including supply chain (SC) security. The Linux Foundation is home to some of the most important and widely-used OSS, including the Linux kernel and Kubernetes. The LF’s previous Core Infrastructure Initiative (CII) and its current Open Source Security Foundation (OpenSSF) have been working to secure OSS, both in general and in widely-used components. The OpenSSF, in particular, is a broad industry coalition “collaborating to secure the open source ecosystem.”

The Software Package Data Exchange (SPDX) project has been working for the last ten years to enable software transparency and the exchange of software bill of materials (SBOM) data necessary for security analysis. SPDX, recognized and implemented as ISO/IEC standard 5962:2021, is supported by global companies with massive supply chains, and has a large open and closed source tooling support ecosystem. SPDX already meets the requirements of the executive order for SBOMs.

Finally, several LF foundations have focused on the security of various verticals. For example,  LF Public Health and LF Energy have worked on security in their respective sectors. Our cloud computing industry collaborating within CNCF has also produced a guide for supporting software supply chain best practices for cloud systems and applications.

Given that context, let’s look at some of the EO statements (in the order they are written) and how our communities have invested years in open collaboration to address these challenges.

Best Practices

EO 4(b) and 4(c) say that

The “Secretary of Commerce [acting through NIST] shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria [including] criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices [and guidelines] for enhancing software supply chain security.” Later in EO 4(e)(ix) it discusses “attesting to conformity with secure software development practices.”

The OpenSSF’s CII Best Practices badge project specifically identifies best practices for OSS, focusing on security and including criteria to evaluate the security practices of developers and suppliers (it has over 3,800 participating projects). LF is also working with SLSA (currently in development) as potential additional guidance focused on addressing supply chain issues further.

Best practices are only useful if developers understand them, yet most software developers have never received education or training in developing secure software. The LF has developed and released its Secure Software Development Fundamentals set of courses available on edX to anyone at no cost. The OpenSSF Best Practices Working Group (WG) actively works to identify and promulgate best practices. We also provide a number of specific standards, tools, and best practices, as discussed below.

Encryption and Data Confidentiality

The EO 3(d) requires agencies to adopt “encryption for data at rest and in transit.” Encryption in transit is implemented on the web using the TLS (“https://”) protocol, and Let’s Encrypt is the world’s largest certificate authority for TLS certificates.

In addition, the LF Confidential Computing Consortium is dedicated to defining and accelerating the adoption of confidential computing. Confidential computing protects data in use (not just at rest and in transit) by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorized access or modification of applications and data while in use.

Supply Chain Integrity

The EO 4(e)(iii) states a requirement for

 “employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code.” 

The LF has many projects that support SC integrity, in particular:

  • in-toto is a framework specifically designed to secure the integrity of software supply chains.
  • The Update Framework (TUF) helps developers maintain the security of software update systems, and is used in production by various tech companies and open source organizations.  
  • Uptane is a variant of TUF; it’s an open and secure software update system design which protects software delivered over-the-air to the computerized units of automobiles.
  • sigstore is a project to provide a public good / non-profit service to improve the open source software supply chain by easing the adoption of cryptographic software signing (of artifacts such as release files and container images) backed by transparency log technologies (which provide a tamper-resistant public log). 
  • OpenChain (ISO 5230) is the International Standard for open source license compliance. Application of OpenChain requires identification of OSS components. While OpenChain by itself focuses more on licenses, that identification is easily reused to analyze other aspects of those components once they’re identified (for example, to look for known vulnerabilities).

Software Bill of Materials (SBOMs) support supply chain integrity; our SBOM work is so extensive that we’ll discuss that separately.

Software Bill of Materials (SBOMs)

Many cyber risks come from using components with known vulnerabilities. Known vulnerabilities are especially concerning in key infrastructure industries, such as the national fuel pipelines, telecommunications networks, utilities, and energy grids. The exploitation of those vulnerabilities could lead to interruption of supply lines and service, and in some cases, loss of life due to a cyberattack.

One-time reviews don’t help since these vulnerabilities are typically found after the component has been developed and incorporated. Instead, what is needed is visibility into the components of the software environments that run these key infrastructure systems, similar to how food ingredients are made visible.

A Software Bill of Materials (SBOM) is a nested inventory or a list of ingredients that make up the software components used in creating a device or system. This is especially critical as it relates to a national digital infrastructure used within government agencies and in key industries that present national security risks if penetrated. The use of SBOMs would improve understanding of the operational and cyber risks of those software components from their originating supply chain.

The EO has extensive text about requiring a software bill of materials (SBOM) and tasks that depend on SBOMs:

  • EO 4(e) requires providing a purchaser an SBOM “for each product directly or by publishing it on a public website” and “ensuring and attesting… the integrity and provenance of open source software used within any portion of a product.” 
  • It also requires tasks that typically require SBOMs, e.g., “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly….” and “maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.” 
  • EO 4(f) requires publishing “minimum elements for an SBOM,” and EO 10(j) formally defines an SBOM as a “formal record containing the details and supply chain relationships of various components used in building software…  The SBOM enumerates [assembled] components in a product… analogous to a list of ingredients on food packaging.”

The LF has been developing and refining SPDX for over ten years; SPDX is used worldwide and is approved as ISO/IEC International Standard 5962:2021.  SPDX is a file format that identifies the software components within a larger piece of computer software and metadata such as the licenses of those components. SPDX 2.2 already supports the current guidance from the National Telecommunications and Information Administration (NTIA) for minimum SBOM elements. Some ecosystems have ecosystem-specific conventions for SBOM information, but SPDX can provide information across all arbitrary ecosystems.
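As an added illustration (not code from the Linux Foundation or the SPDX project), the following Python sketch parses an SPDX 2.2 tag-value document and reports which NTIA minimum elements are missing per component, then answers a dependency query. The sample SBOM, the package names and the function names are constructed for this example; the field mapping (supplier to `PackageSupplier`, version to `PackageVersion`, unique identifier to `SPDXID`, author to `Creator`, timestamp to `Created`) is the commonly used one, and treating `NOASSERTION` as missing is this example's choice.

```python
import re

# Constructed sample SBOM in SPDX 2.2 tag-value form (not from a real project).
# "libfoo" deliberately lacks a supplier and a version.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-firmware
DocumentNamespace: https://example.invalid/spdx/example-firmware-1.0
Creator: Tool: example-sbom-generator
Created: 2021-09-13T00:00:00Z

PackageName: example-firmware
SPDXID: SPDXRef-Package-firmware
PackageVersion: 1.0
PackageSupplier: Organization: Example Corp
PackageDownloadLocation: NOASSERTION

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageDownloadLocation: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-firmware
Relationship: SPDXRef-Package-firmware DEPENDS_ON SPDXRef-Package-libfoo
"""

TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")
PKG_TAGS = {"SPDXID": "spdxid", "PackageVersion": "version", "PackageSupplier": "supplier"}


def parse_tag_value(text):
    """Parse the subset of SPDX tag-value needed for the NTIA minimum elements."""
    sbom = {"creators": [], "created": None, "packages": [], "relationships": []}
    current = None          # package section currently being read
    in_text = False         # inside a multi-line <text>...</text> value
    for raw in text.splitlines():
        if in_text:
            in_text = "</text>" not in raw
            continue
        m = TAG_RE.match(raw.strip())
        if not m:
            continue        # blank lines, comments, anything that is not "Tag: value"
        tag, value = m.group(1), m.group(2).strip()
        in_text = "<text>" in value and "</text>" not in value
        if tag == "PackageName":
            current = {"name": value, "spdxid": None, "version": None, "supplier": None}
            sbom["packages"].append(current)
        elif tag in ("FileName", "SnippetSPDXID"):
            current = None  # left the package section
        elif tag in PKG_TAGS and current is not None:
            if current[PKG_TAGS[tag]] is None:
                current[PKG_TAGS[tag]] = value
        elif tag == "Creator":
            sbom["creators"].append(value)
        elif tag == "Created":
            sbom["created"] = value
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                sbom["relationships"].append(tuple(parts))
    return sbom


def _known(value):
    """NOASSERTION/NONE carry no information, so this example counts them as missing."""
    return bool(value) and value not in ("NOASSERTION", "NONE")


def ntia_gaps(sbom):
    """Return (subject, missing element) pairs for the NTIA minimum elements."""
    gaps = []
    if not sbom["creators"]:
        gaps.append(("document", "author of SBOM data"))
    if not sbom["created"]:
        gaps.append(("document", "timestamp"))
    related = {ref for a, _, b in sbom["relationships"] for ref in (a, b)}
    for pkg in sbom["packages"]:
        checks = [
            ("supplier name", _known(pkg["supplier"])),
            ("version", _known(pkg["version"])),
            ("unique identifier", _known(pkg["spdxid"])),
            ("dependency relationship", pkg["spdxid"] in related),
        ]
        gaps += [(pkg["name"], element) for element, ok in checks if not ok]
    return gaps


def dependencies_of(sbom, spdxid):
    """Names of the packages that the given package DEPENDS_ON."""
    by_id = {p["spdxid"]: p["name"] for p in sbom["packages"]}
    return [by_id.get(b, b) for a, rel, b in sbom["relationships"]
            if a == spdxid and rel == "DEPENDS_ON"]


if __name__ == "__main__":
    sbom = parse_tag_value(SAMPLE_SPDX)
    for subject, element in ntia_gaps(sbom):
        print(f"{subject}: missing {element}")
    print(dependencies_of(sbom, "SPDXRef-Package-firmware"))
```

A gate like `ntia_gaps` can run in CI so that a release whose SBOM lacks supplier or version data for any component fails before it ships.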

SPDX is real and in use today, with increased adoption expected in the future. For example:

  • An NTIA “plugfest” demonstrated ten different producers generating SPDX. SPDX supports acquiring data from different sources (e.g., source code analysis, executables from producers, and analysis from third parties). 
  • A corpus of some LF projects with SPDX source SBOMs is available. 
  • Various LF projects are working to generate binary SBOMs as part of their builds, including yocto and Zephyr.
  • To assist with further SPDX adoption, the LF is paying to write SPDX plugins for major package managers.

Vulnerability Disclosure

No matter what, some vulnerabilities will be found later and need to be fixed. EO 4(e)(viii) requires “participating in a vulnerability disclosure program that includes a reporting and disclosure process.” That way, vulnerabilities that are found can be reported to the organizations that can fix them. 

The CII Best Practices badge passing criteria requires that OSS projects specifically identify how to report vulnerabilities to them. More broadly, the OpenSSF Vulnerability Disclosures Working Group is working to help “mature and advocate well-managed vulnerability reporting and communication” for OSS. Most widely-used Linux distributions have a robust security response team, but the Alpine Linux distribution (widely used in container-based systems) did not. The Linux Foundation and Google funded various improvements to Alpine Linux, including a security response team.

We hope that the US will update its Vulnerabilities Equities Process (VEP) to work more cooperatively with commercial organizations, including OSS projects, to share more vulnerability information. Every vulnerability that the US fails to disclose is a vulnerability that can be found and exploited by attackers. We would welcome such discussions.

Critical Software

It’s especially important to focus on critical software — but what is critical software? EO 4(g) requires the executive branch to define “critical software,” and 4(h) requires the executive branch to “identify and make available to agencies a list of categories of software and software products… meeting the definition of critical software.”

Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH) developed the report ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software, which analyzed the use of OSS to help identify critical software. The LF and LISH are in the process of updating that report. The CII identified many important projects and assisted them, including OpenSSL (after Heartbleed), OpenSSH, GnuPG, Frama-C, and the OWASP Zed Attack Proxy (ZAP). The OpenSSF Securing Critical Projects Working Group has been working to better identify critical OSS projects and to focus resources on critical OSS projects that need help. There is already a first-cut list of such projects, along with efforts to fund such aid.

Internet of Things (IoT)

Unfortunately, internet-of-things (IoT) devices often have notoriously bad security. It’s often been said that “the S in IoT stands for security.” 

EO 4(s) initiates a pilot program to “educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices [based on existing consumer product labeling programs], and shall consider ways to incentivize manufacturers and developers to participate in these programs.” EO 4(t) states that such “IoT cybersecurity criteria” shall “reflect increasingly comprehensive levels of testing and assessment.”

The Linux Foundation develops and is home to many of the key components of IoT systems. These include:

  • The Linux kernel, used by many IoT devices. 
  • The yocto project, which creates custom Linux-based systems for IoT and embedded systems. Yocto supports full reproducible builds. 
  • EdgeX Foundry, which is a flexible OSS framework that facilitates interoperability between devices and applications at the IoT edge, and has been downloaded millions of times. 
  • The Zephyr project, which provides a real-time operating system (RTOS) used by many for resource-constrained IoT devices and is able to generate SBOMs automatically during build. Zephyr is one of the few open source projects that is a CVE Numbering Authority.
  • The seL4 microkernel, which is the most assured operating system kernel in the world; it’s notable for its comprehensive formal verification.

Security Labeling

EO 4(u) focuses on identifying:

“secure software development practices or criteria for a consumer software labeling program [that reflects] a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone [and] identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system.”

The OpenSSF’s CII Best Practices badge project (noted earlier) specifically identifies best practices for OSS development, and is already tiered (passing, silver, and gold). Over 3,800 projects currently participate.

There are also a number of projects that relate to measuring security and/or broader quality:

Conclusion

The Linux Foundation (LF) has long been working to help improve the security of open source software (OSS), which powers systems worldwide. We couldn’t do this without the many contributions of time, money, and other resources from numerous companies and individuals; we gratefully thank them all.  We are always delighted to work with anyone to improve the development and deployment of open source software, which is important to us all.

David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation


Every month there seems to be a new software vulnerability showing up on social media, which causes open source program offices and security teams to start querying their inventories to see how FOSS components they use may impact their organizations. 

Frequently this information is not available in a consistent format within an organization for automatic querying and may result in a significant amount of email and manual effort. By exchanging software metadata in a standardized software bill of materials (SBOM) format between organizations, automation within an organization becomes simpler, accelerating the discovery process and uncovering risk so that mitigations can be considered quickly. 

In the last year, we’ve also seen standards like OpenChain (ISO/IEC 5230:2020) gain adoption in the supply chain. Customers have started asking for a bill of materials from their suppliers as part of negotiation and contract discussions to conform to the standard. OpenChain has a focus on ensuring that there is sufficient information for license compliance, and as a result, expects metadata for the distributed components as well. A software bill of materials can be used to support the systematic review and approval of each component’s license terms, clarifying the obligations and restrictions that apply to the distribution of the supplied software and reducing risk.

Kate Stewart, VP, Dependable Embedded Systems, The Linux Foundation, will host a complimentary mentorship webinar entitled Generating Software Bill Of Materials on Thursday, March 25 at 7:30 am PST. This session will work through the minimum elements included in a software bill of materials and detail the reasoning behind why those elements are included. To register, please click here

There are many ways this software metadata can be shared. The common SBOM document format options (SPDX, SWID, and CycloneDX) will be reviewed so that the participants can better understand what is available for those just starting. 

This mentorship session will work through some simple examples and then guide where to find the next level of details and further references. 

At the end of this session, participants will be on a secure footing and a path towards the automated generation of SBOMs as part of their build and release processes in the future. 

Zephyr also Welcomes Laird Connectivity and teenage engineering to its Open Source RTOS Ecosystem

SAN FRANCISCO, June 25, 2020 – The Zephyr™ Project, an open source project at the Linux Foundation that builds a safe, secure and flexible real-time operating system (RTOS) for the Internet of Things (IoT) in space-constrained devices, announces continued momentum by marking critical milestones for security and product-ready maturity.

Earlier this year, the NCC Group, a global expert in cyber security and risk mitigation, notified the Zephyr Project of a number of security issues found as part of their independent research into the security posture of Zephyr. The research, which was driven by growing interest from their clients, found Zephyr to be a mature, highly active and growing project with increasing market share. The May 2020 report outlines the issues discovered in detail and acknowledges the proactive work of the Zephyr Project Security Committee to fix these issues and follow up on the recommendations of the report. Priority fixes have been backported into Zephyr’s Long Term Support (LTS) and a maintenance release published. Learn more about Zephyr’s security assessment and response in this blog.

“The Zephyr Project brings together a community of experts to participate on all aspects of the solution, from the standards to adopt, policies and processes to follow, and methodologies for build, test, maintenance, distribution and incident response,” said Joel Stapleton, Zephyr Project Governing Board Chair and Technical Product Manager at Nordic Semiconductor. “Our aim is to make a solution that developers can trust for the lifecycle of their products. This third party research and our security team’s swift and proactive response to the vulnerabilities is the strength of open source and a testament to this community.”

The Zephyr community of more than 700 contributors recently launched the Zephyr 2.3.0 release. The 2.3.0 release includes integration with the Trusted Firmware M open source Trusted Execution Environment framework, which implements Arm’s Platform Security Architecture specification. Zephyr has long included support for Arm’s TrustZone hardware, including being able to target the secure side of the firmware, but by adding integration with the standard Trusted Firmware M project, it now also offers the option to combine TF-M and Zephyr to create a PSA-certified solution. Learn more about Zephyr 2.3.0 in this blog.

Product Makers Need Security

The Zephyr RTOS is unique as it is vendor-neutral, with a scope from multi-architecture board support packages, to cloud connectivity for IoT products. Several high-profile products have leveraged Zephyr including Intellinium Safety Shoes, ProGlove and HereO Core Box.

In fact, during this pandemic, Zephyr community members are doing their best to help find solutions to various challenges. For example, Adafruit has volunteered to make Personal Protection Equipment (PPE) and other medical devices. The Phytec Distance Tracker, which features Nordic Semiconductor technology, Bluetooth Low Energy (BLE), Ultra-wideband (UWB) and Zephyr RTOS, tracks distance measurement between two or more people. With this product, businesses will be able to help employees maintain and track the 6-feet distance between others.

As a sign of commitment to developers like these, the Zephyr Project created a form that will notify product makers, who are not currently members, of vulnerabilities that may impact their products during the embargo window. Zephyr Project members receive this information already. To learn more about Zephyr’s commitment to product makers or to sign up for the notifications, click here.

A Growing IoT Ecosystem

Today, the Zephyr Project welcomes Laird Connectivity and teenage engineering to its growing IoT ecosystem. The new members join Adafruit, Antmicro, Eclipse Foundation, Foundries.io, Intel, Linaro, Nordic Semiconductor, NXP®, Oticon, SiFive, Synopsys, Texas Instruments and more to create an open hardware and software ecosystem using the Zephyr OS.

“Developers have many options when it comes to selecting an RTOS for embedded microcontrollers, but the Zephyr Project is one of the fastest growing open-source and broadly contributed RTOS projects of its kind,” said Jonathan Kaye, Senior Director, Product Management at Laird Connectivity.  “Joining the Zephyr Project allows Laird Connectivity to deliver more design flexibility than ever across our wireless modules, IoT Devices and Gateways. Our customers can leverage community support, better device security, high performance in resource-light environments, and license-free use for commercial applications. And by using one shared platform, they can build a highly reusable code base that rapidly accelerates their IoT development with Laird Connectivity products.”

“teenage engineering is developing embedded products in a wide range of complexity: from single core Cortex-M0 to multicore and multiprocessor systems with totals of up to 5 different mcu’s from various vendors,” said David Eriksson, Head of Hardware at teenage engineering. “Our goal is to build the perfect multi-chip system where we capture what each breed of processor does best and allow them to work together in harmony. With Zephyr, we can develop anywhere. We make sure that code can run on host as well as device, and that interconnectivity is platform agnostic allowing a mix of real hardware and desktop emulation. We prefer to develop with open tools, so Zephyr is really the only sane choice for an RTOS where it is possible to achieve true transparency on all layers of the stack. We are happy to become members of The Linux Foundation and the Zephyr Project and to take part in shaping and influencing the future of embedded systems.”

In April, Zephyr celebrated 40,000 commits on GitHub and has now completed more than 41,000 to date with support for more than 200 boards.

Open Source Summit

The Zephyr Project will be present at the Linux Foundation’s Open Source Summit Virtual event on June 29-July 2. Several members will be giving presentations that include Zephyr including a keynote by Kate Stewart about open source in safety critical applications on July 1 at 9 am CST. Additional talks will be given by Zephyr project members from the Eclipse Foundation, Intel and Linaro. Learn more here.

Additionally, on July 2 from 2-3:30 pm, Zephyr will host a Mini-Summit that will offer an overview to the RTOS, introduction to west, how Bluetooth works with Zephyr and insight into security, safety certification and a product use case. Registration is free for OSS + ELC attendees. Learn more here.

To learn more about Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr™ Project

The Zephyr Project is a small, scalable real-time operating system for use on resource-constrained systems supporting multiple architectures. To learn more, please visit www.zephyrproject.org.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

Latest release includes new features for audio, connectivity, security, OTA and speech recognition

SAN FRANCISCO, CA, April 22, 2020 — Automotive Grade Linux (AGL), an open source project developing a shared software platform for in-vehicle technology, today announced the latest code release of the AGL platform, UCB 9.0, also known under the codename “Itchy Icefish.”

Developed through a joint effort by dozens of member companies, the AGL Unified Code Base (UCB) is an open source software platform that can serve as the de facto industry standard for infotainment, telematics and instrument cluster applications. 

“The AGL platform continues to evolve and mature based on input and requirements from automakers, several of which are currently using AGL in production vehicles,” said Dan Cauchy, Executive Director of Automotive Grade Linux at the Linux Foundation. “This latest code release includes audio, connectivity and security enhancements, improvements to speech recognition, and many HTML5 demo apps.”

Many AGL members have already started integrating the UCB into their production plans. The 2020 Subaru Outback and Subaru Legacy use open source software from the AGL UCB, Mercedes-Benz Vans is using AGL as a foundation for a new onboard operating system for its commercial vehicles, and Toyota’s AGL-based infotainment system is now in Toyota and Lexus vehicles globally.

UCB 9.0/Itchy Icefish includes an operating system, middleware and application framework. New updates to the AGL platform include:

  • Over-the-Air (OTA): Update for ostree (SOTA)
  • Application Framework: improvements including implementing Token Logic based security
  • Speech Recognition: Alexa Auto SDK 2.0; improved Speech-API and voiceagent integration; new open source version of display cards for Speech Recognition
  • Audio: enhancements to PipeWire and WirePlumber
  • Connectivity: improved networking support and network settings; reworked Bluetooth APIs and extended to PBAP and MAP protocols
  • HTML5 Apps: security converted to using Token Logic; HTML5-only image available using Web App Manager (WAM) and Chromium; HTML Demo apps available for Home Screen, Launcher, Dashboard, Settings, Media Player, Mixer, HVAC, and Chromium Browser
  • Instrument Cluster: QML Reference Apps: Steering Wheel Controls via LIN to IVI Apps, refreshed Instrument Cluster app that includes CAN messages from Steering Wheel/IVI
  • Board Support Package updates: Renesas RCar3 BSPs updated to v3.21 (M3/H3, E3, Salvator); enhanced support for SanCloud BeagleBone Enhanced + Automotive Cape support; i.MX6 using etnaviv (cubox-i target); enhanced Raspberry Pi 4 support

The full list of additions and enhancements to UCB 9.0 can be found here.

###

About Automotive Grade Linux (AGL)
Automotive Grade Linux is a collaborative open source project that is bringing together automakers, suppliers and technology companies to accelerate the development and adoption of a fully open software stack for the connected car. With Linux at its core, AGL is developing an open platform from the ground up that can serve as the de facto industry standard to enable rapid development of new features and technologies. Although initially focused on In-Vehicle-Infotainment (IVI), AGL is the only organization planning to address all software in the vehicle, including instrument cluster, heads up display, telematics, advanced driver assistance systems (ADAS) and autonomous driving. The AGL platform is available to all, and anyone can participate in its development. Automotive Grade Linux is hosted at the Linux Foundation. Learn more at automotivelinux.org.


Media Inquiries
Emily Olin
Automotive Grade Linux, the Linux Foundation 

SAN FRANCISCO, March 31, 2020 — Automotive Grade Linux (AGL), a collaborative cross-industry effort developing an open source platform for connected car technologies, announces three new members: MERA, Mocana, and Osaka NDS.

“With the support of 11 major automakers, we are increasingly seeing more vehicles in production with AGL,” said Dan Cauchy, Executive Director of Automotive Grade Linux at the Linux Foundation. “We look forward to working with all of our new members as we continue to expand the AGL platform and the global ecosystem of products and services that support it.”

AGL is an open source project at the Linux Foundation that is bringing together automakers, suppliers and technology companies to accelerate the development and adoption of a fully open, shared software platform for all technology in the vehicle, from infotainment to autonomous driving. Sharing a single software platform across the industry reduces fragmentation and accelerates time-to-market by encouraging the growth of a global ecosystem of developers and application providers that can build a product once and have it work for multiple automakers.

New Member Quotes:

MERA
“MERA, as a software development company, has been using open source software for many years, bringing best in class solutions to its customers in various industries like ICT, Industrial IoT, Automotive, FinTech and others,” said Dmitry Oshmarin, CTO of MERA. “As experts in embedded software development, especially in the Linux environments, we plan to contribute to Automotive Grade Linux. At the same time, we will leverage this new experience to help our customers to benefit from using AGL in their products.”

Mocana
“Automotive manufacturers and suppliers are connecting a broadening range of systems and devices onboard vehicles to deliver mission-critical safety capabilities as well as significantly enhance the user experience. Many of these on-board systems also incorporate virtualized systems or containers to streamline and scale the delivery of key functionalities,” said Dave Smith, President of Mocana. “This increase in connectivity provides additional insight into the performance and reliability of systems to improve system performance and safety, as well as minimize downtime and reduce maintenance costs. Unfortunately, it also introduces new cybersecurity risks and ways for hackers to attack these on-board systems to compromise their safety and uptime – and generate inaccurate alerts, messaging and data. We plan to design plug-n-play solutions that integrate with the AGL platform to enable scalable, end-to-end security, to protect any AGL-based systems on-board connected or autonomous vehicles.”

Osaka NDS
“Osaka NDS CO.,Ltd is a leader in developing, deploying and supporting commercial and industrial embedded Linux solutions and services, and we are excited about joining the AGL community,” states Yutaka Toida, Osaka NDS’s Director. “We look forward to working with other AGL members as we continue to expand the AGL platform to support new mobility solutions and connected car applications.”

###



LAS VEGAS – CES 2020, January 7, 2020 – Automotive Grade Linux (AGL), a cross-industry effort developing an open source platform for all connected car technologies, today announced that the Subaru Starlink infotainment platform on the all-new 2020 Subaru Outback and the 2020 Subaru Legacy uses open source software from the AGL Unified Code Base (UCB) platform.

Subaru Starlink on the 2020 Subaru Outback

“Using AGL’s open source software allows us to easily customize the user experience and integrate new features, creating an integrated cockpit entertainment system that is more enjoyable for drivers,” said Mr. Naoyoshi Morita, General Manager of Electronic Product Design Dept. of Subaru Corporation. “We believe that shared software development through Automotive Grade Linux benefits the entire industry, and we look forward to our continued involvement and collaboration with other automakers and suppliers.”

AGL is supported by more than 150 members, including 11 automakers, who are working together to develop the AGL Unified Code Base (UCB) platform, a shared software platform that can serve as the de facto industry standard for infotainment, telematics, and instrument cluster applications. Sharing an open platform allows for code reuse and a more efficient development process as developers and suppliers can build once and have a product work for multiple automakers.

“Subaru has been an AGL member for many years, and we are very excited to see them use AGL in production,” said Dan Cauchy, Executive Director of Automotive Grade Linux. “The AGL platform continues to gain traction, and we expect to see more automakers using it in production in the years to come.”

AGL BOOTH AT CES 2020
The AGL booth at CES 2020 in the Westgate Hotel Pavilion, booth 1815, features 19+ demos by AGL members showing infotainment, instrument cluster, autonomous driving, security, connectivity, and other applications running on the AGL open source software platform.

The AGL booth will be open to the public during CES show hours and during the AGL Evening Reception & Demo Showcase on Wednesday, January 8, from 6:00 – 8:00 pm PT. Additional details and registration for the Evening Reception are available here.

Media and analysts are also invited to attend an AGL Media Happy Hour at CES on Tuesday, January 7, from 3:00 – 5:00 pm PT in the AGL booth. Please RSVP here.

###


Automotive Grade Linux is a Collaborative Project at The Linux Foundation. Linux Foundation Collaborative Projects are independently funded software projects that harness the power of collaborative development to fuel innovation across industries and ecosystems. www.linuxfoundation.org

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
