Nov 04, 2024 ‐ 16:00 UTC

Host:

• Philipp Ahmann

Participants:

• Daniel Weingaertner
• Alfred Strauch
• Steven Carbno
• Gabriele Paoloni
• Nicole Pappler (joins 5:25)

Regrets:

• Kate Stewart

Attended Recently

• Sebastian Hetze

• Karen Bennet

• Guy Lunardi

• Andreas Bartelt

• Thomas Mittelstädt

• Stewart Hildebrand

• Olivier Charrier

• Walt Miner

Topics & Notes:

Check past action items

• Previous meeting notes: https://github.com/elisa-tech/wg-systems/wiki/Sep-30,-2024-%E2%80%90-15:00-UTC
• AI-Philipp: Draw a picture which shows the interaction of all the initiatives currently around (CRA, Eclipse Automotive Process SIG, ELISA)
• AI-Philipp: Draw a picture illustrating the project proposal in a graphical way.
• AI-Sebastian: Involvement of DIN can also be interesting. Sebastian will take a first contact.
  • Contact initiated, but no response so far.
• AI: Invite the epam people to tell a bit about their work and planned activities.

Project Proposal: Good Quality Practices in Open Source [cont.]

• Text brought from gdoc to github wiki md file: https://github.com/elisa-tech/wg-systems/wiki/Software-Quality-Good-Practices-in-Open-Source-%E2%80%90-Proposal
• Linux Foundation Europe follow up Nov 12th
• Discuss with Eclipse SDV Process SIG on Nov 18th (positive response by Leonardo)
• Need to prepare and re-check material as preparation for the meetings.

Discussions during OSS Japan

• AGL, Zephyr, ELISA project representatives
• Bosch, Aisin, Panasonic, Toyota, Honda, Volvo from Automotive
• Few additional people in audience
• Discussion about AGL + ELISA future topics.
  • VirtIO important.
    • Follow-up on plumbers presentation for formal language specification
    • What would "safe usage" of VirtIO mean. (E2E protection, communication methodology, Graphics sharing)
  • Graphics is still unclear, but "Unified HMI" is a topic of interest for AGL members. https://github.com/unified-hmi
• In case AGL members show more interest, this could mean sharing their use case and requirements.
• Remark: Currently there is a proposal on a middleware solution called Eclipse Safe Open Vehicle Core (SCORE).
  • https://projects.eclipse.org/proposals/eclipse-safe-open-vehicle-core
  • Build an image based on these components and AGL (yocto) to create a meaningful BOM for this.
  • https://wiki.automotivelinux.org/agl-distro/release-notes
  • AGL releases include an SBOM for the yocto part. What additional information is needed for a system perspective?
    • Also AGL SBOM is just Yocto and does not include Xen, Zephyr, µC BOM or what ever else is part of the "system"
    • AGL has no information on HBOM for the Hardware.

GitHub CI & SBOM database

• OSS complying to "regulatory requirements" (kept vague explicitly)
• ELISA might be able to use GitHub server resources running on ARM
• ELISA Systems WG builds could be executed on ARM servers as a Qemu image
• Initial idea to work on (implementation view):
  • Bring the existing ZCU102 example into a generic ARM64 qemu image running on ARM server.
  • Replace peta-Linux by AGL.
  • Add stack elements from SCORE (eclipse-safe-open-vehicle-core) to promote SDV use case
  • Have a boot test for the generated image running on the server.
  • Generate an SBOM (Software) for the system elements Xen, Zephyr and Linux (yocto)
  • Store SBOM results in a database
  • Create same artifacts based on new Pull Requests.
  • Consider how to treat the Hardware and have a HBOM part in the system composition
    • How to track which hardware was used on the server being a virtual machine on a physical server.
• Initial idea to work on SPDX view to work on to create data:
  • We need to define what a "System" actually means!
    • A system is a representation of included elements that are defined in other SBOMs. A computer system is defined as the integration of hardware, software, peripheral devices, data, and networking components. Together they perform computing tasks and facilitate user interaction. A system captures operational information such as relationships between the network, data, connections, and potentially operating systems ultimately enabling the performance of a wide range of tasks from basic computing to complex data analysis. The system is used to group components to define functionality or services. The grouping of services and functions impacts the definition and operation of a computing environment.
  • What can get into a prototype system BOM (without being complete)
    • Involve also the bootloader parts and the interfacing (ACPI vs. DTS) https://www.kernel.org/doc/html/v6.4-rc7/arm64/acpi_object_usage.html
  • Hardware BOM:
    • Virtual machines are considered as virtual hardware.
    • What generated the virtual hardware and what is the virtual network driver.
  • https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf includes additional BOMs (maybe to early to have this as SPDX material for the database PoC)
    • Build Supply Chain BOM is a different topic, and not for the initial scope

AoB

• System BOM + SPDX for Safety to get to agenda again in November (when 3.0 to be in yocto).
• Red Hat will present BASIL https://github.com/elisa-tech/basil at the Eclipse SDV at the TAC (Technical Advisory Committee) Tuesday 19th 12:00 UTC.
  • (This week presentation is about Sphinx Needs by Useblocks)